SlowMist
SlowMist|May 07, 2026 03:22
🚨SlowMist TI Alert🚨 💸 Loss: ~1,291.16 ETH + ~1,268,771 USDC + ~206,282 USDT + ~16.94 WBTC @trustedvolumes 🔍 Root Cause: In fillOrder function (selector 0x4112e1c2) of RFQ Implementation, signature validation checks _allowedSigners[msg.sender][signer] using caller (taker) instead of order's maker as key, allowing registration via registerAllowedOrderSigner for attack contract and execution of forged orders for any maker. 📌 Attacker EOA: 0xc3ebddea4f69df717a8f5c89e7cf20c1c0389100 📌 Victim Contract: 0x9ba0cf1588e1dfa905ec948f7fe5104dd40eda31 📌 Vulnerable Contract: 0x88eb28009351fb414a5746f5d8ca91cdc02760d8 Attacker drained assets from custodial contract with unlimited approvals via 4 forged RFQ orders.(SlowMist)
+4
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads