Adshares Wrapper On-Chain Whitehat Message Is Settlement Traffic, Not The Exploit

On Ethereum at 2026-05-16 18:15:23 UTC, transaction 0x99a1114c2e8dc1807e00da0e963a6fbd5d91a04d1e1fd0a75b78e9c6b41a7464 was an on-chain plaintext settlement message related to Adshares Wrapper, not the drain transaction itself. The trace shows a single zero-value CALL from 0xb6fe3854a85dc6c2a873f2b6bbd43a36c74cae1f to EOA 0x63e22ce9bde9bb8892a447258abfcaa4142f001b, with ASCII calldata offering whitehat terms and requesting return of 90% of previously drained assets. No contract code executes, no logs are emitted, and funds_flow.json records no token, approval, or ETH transfers, so the financial impact of this transaction itself is 0.

Root Cause

This transaction does not expose a root-cause vulnerability because it never reaches the suspected Adshares Wrapper contract 0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A. The only trace entry is a top-level message call to an externally owned account, so there is no callable contract function, no state transition inside the wrapper, and no on-chain evidence here for how the earlier drain was performed.

Vulnerable Contract

No vulnerable contract is exercised in this transaction. The incident brief names Adshares Wrapper at 0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A, but trace_callTracer.json shows that address is never called. The only callee is EOA 0x63e22ce9bde9bb8892a447258abfcaa4142f001b.

Vulnerable Function

Not applicable. The input payload begins with ASCII bytes 0x546f2074 ("To t"), not a Solidity function selector, and decoded_calls.json leaves the call unresolved.

Vulnerable Code

Not applicable for this transaction. No contract bytecode is entered, so there is no vulnerable function body to quote from the verified Adshares Wrapper source.

Why It’s Vulnerable

Expected behavior for an exploit transaction would be a call path that enters the affected protocol contract, executes one or more functions, and produces asset movement or other state changes that can be tied to a concrete code flaw. Actual behavior here is just off-chain-readable text embedded in calldata and delivered to an EOA, with no nested calls and no balance-changing events.

That distinction matters because any attempt to assign an exploit root cause from this transaction alone would be unsupported. This queue item can only support the narrow conclusion that a party controlling 0xb6fe3854... posted settlement terms to 0x63e22c... after an earlier incident.

Attack Execution

High-Level Flow

1. A sender EOA submits a zero-value Ethereum transaction.
2. The transaction targets EOA 0x63e22c..., not the Adshares Wrapper contract.
3. The calldata carries a plaintext message describing whitehat settlement terms.
4. The EVM records the call successfully and exits without any nested calls.
5. No tokens, ETH, or protocol state move in this transaction.

Detailed Call Trace

• Depth 0: 0xb6fe3854a85dc6c2a873f2b6bbd43a36c74cae1f → 0x63e22ce9bde9bb8892a447258abfcaa4142f001b, CALL, value 0
  • input starts with 0x546f2074
  • selectors.json and decoded_calls.json do not resolve this as a Solidity function
  • no child calls

The calldata decodes to plain ASCII text beginning with “To the address that interacted with Adshares Wrapper contract…”. The message offers to treat the prior drain as a whitehat disclosure if 90% of the assets are returned within 72 hours.

Financial Impact

The direct financial impact of transaction 0x99a1114c2e8dc1807e00da0e963a6fbd5d91a04d1e1fd0a75b78e9c6b41a7464 is 0.

funds_flow.json shows:

• no ERC-20 transfers
• no approvals
• no ETH transfers
• no attacker gains

The only economic effect is gas expenditure by the sender: 53,576 gas at 0x9e74e680 wei, or 0.00013154066571776 ETH. Any actual exploit losses belong to a separate earlier transaction that is not evidenced by this call trace.

Evidence

• Transaction hash: 0x99a1114c2e8dc1807e00da0e963a6fbd5d91a04d1e1fd0a75b78e9c6b41a7464
• Chain: Ethereum
• Block number: 25109461
• Block timestamp: 2026-05-16 18:15:23 UTC
• Receipt status: 1
• Sender: 0xb6fe3854a85dc6c2a873f2b6bbd43a36c74cae1f
• Recipient: 0x63e22ce9bde9bb8892a447258abfcaa4142f001b
• Suspected affected contract from the brief: 0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A
• Trace shape: one top-level CALL, no nested calls
• Receipt logs: 0
• Funds flow summary: No attacker gains detected
• Unresolved selector bytes: 0x546f2074, which correspond to ASCII text rather than ABI-encoded function dispatch

Related URLs

• https://etherscan.io/tx/0x99a1114c2e8dc1807e00da0e963a6fbd5d91a04d1e1fd0a75b78e9c6b41a7464
• https://twitter.com/defimonalerts/status/2055713779514532175