https://www.darknavy.org/web3/exploits/ Recent content in Exploit Analysis Reports on DARKNAVY https://www.darknavy.org/images/white_logo.png https://www.darknavy.org/images/white_logo.png Hugo -- 0.160.1 en Mon, 13 Apr 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/hyperbridge-ismp-forged-proof-dot-mint/ Mon, 13 Apr 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/hyperbridge-ismp-forged-proof-dot-mint/ On April 13, 2026 at 03:55:23 UTC, a helper contract deployed by the attacker used Hyperbridge's Ethereum-side ISMP message path to deliver a forged governance-style `PostRequest` into `TokenGateway`. The exploit is best classified as an access-control failure at the proof-validation boundary: `Hand... https://www.darknavy.org/web3/exploits/subquery-settings-access-control-staking-drain/ Sun, 12 Apr 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/subquery-settings-access-control-staking-drain/ On April 12, 2026, SubQuery Network, a staking protocol on Base, (block 44,590,469) suffered an access-control exploit that drained approximately **218.29M SQT** (about **$131.2K**) from the protocol's Staking contract. The attacker deployed two ephemeral contracts, abused the absence of any owner o... https://www.darknavy.org/web3/exploits/denaria-finance-virtual-amm-manipulation/ Sun, 05 Apr 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/denaria-finance-virtual-amm-manipulation/ On April 5, 2026, Denaria Finance, a perpetual DEX on Linea, (block 30,067,821) suffered a virtual AMM manipulation attack that drained approximately **165,618 USDC** from the protocol's Vault. The attacker flash-loaned 60,000 USDC from Aave V3, deployed pairs of ephemeral LP and Trader contracts, a... https://www.darknavy.org/web3/exploits/infinitysix-twap-stale-price/ Tue, 31 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/infinitysix-twap-stale-price/ Two compounding flaws in InfinitySix's (`$i6`) BSC staking contract were chained to extract **273,802 USDT** in block 89,703,286. The contract credits referral bonuses to a sponsor's withdrawable balance immediately upon the referral's `invest()` call; separately, its TWAP oracle enforces a 1-minute... https://www.darknavy.org/web3/exploits/lml-apower-reward-claim-price-manipulation/ Tue, 31 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/lml-apower-reward-claim-price-manipulation/ On March 31, 2026 at 20:39:02 UTC, the attacker used flash-loaned capital on BNB Chain to manipulate the LML/USDT market, then batch-triggered reward claims for pre-seeded accounts through APower and immediately sold the resulting LML back into the distorted pool. The primary issue is a price-manipu... https://www.darknavy.org/web3/exploits/whalebit-ces-igt-staking-oracle-manipulation/ Tue, 31 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/whalebit-ces-igt-staking-oracle-manipulation/ On March 31, 2026 at 22:56:21 UTC (Polygon block `84938872`), an attacker exploited WhaleBit's unverified staking system through a **same-transaction spot-oracle manipulation** funded by a flash loan. The attacker EOA `0xe66b37de57b65691b9f4ac48de2c2b7be53c5c6f` used helper contract `0xb5a8d7a37d60a... https://www.darknavy.org/web3/exploits/vtswaphook-pricing-error/ Sat, 28 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/vtswaphook-pricing-error/ On 2026-03-28, the VTSwapHook contract (`0xbf4b4a83708474528a93c123f817e7f2a0637a88`) deployed on Arbitrum was exploited through a **logic error** in its custom pricing formula. The hook implements a nonlinear (logarithm-based) price curve but approximates execution price using a simple midpoint ave... https://www.darknavy.org/web3/exploits/est-bnbdeposit-claim-manipulation/ Fri, 27 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/est-bnbdeposit-claim-manipulation/ On 2026-03-27, the EST / BNBDeposit system on BNB Smart Chain was exploited through a **flash-loan-assisted reward-accounting flaw** in `BNBDeposit`, amplified by **fee-exempt routing and pair-state manipulation** in EST. The attacker borrowed `250,000 WBNB`, built a temporary claim-bearing share in... https://www.darknavy.org/web3/exploits/cyrus-price-manipulation/ Sun, 22 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/cyrus-price-manipulation/ On March 22, 2026, the CyrusTreasury protocol on BNB Chain was exploited through a price manipulation attack against its `withdrawUSDTFromAny` function, which is called internally by `exit()`. The vulnerable contract (`CyrusTreasury`, `0xb042ea7b35826e6e537a63bb9fc9fb06b50ae10b`) reads the live Panc... https://www.darknavy.org/web3/exploits/escrow-overflow/ Sun, 22 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/escrow-overflow/ An unverified escrow-like contract at `0xf0a105d93eec8781e15222ad754fcf1264568c97` on Ethereum Mainnet was fully drained in block 24,707,679 (timestamp 2026-03-22 UTC) through an **integer overflow** in its deposit function `0x317de4f6`. The deposit function accumulates entry amounts into a running ... https://www.darknavy.org/web3/exploits/dtrinity-dlend-index-manipulation/ Wed, 18 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/dtrinity-dlend-index-manipulation/ On 2026-03-18, the dTRINITY dLEND lending protocol (an Aave v3 fork deployed on Ethereum mainnet) was exploited through a **flash loan abuse combined with a logic error** in the flash loan repayment accounting. An attacker manipulated the cbBTC reserve's liquidity index from ~1.0 RAY to 6,226,622 RA... https://www.darknavy.org/web3/exploits/ktoken-redeem-logic-flaw/ Tue, 17 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/ktoken-redeem-logic-flaw/ On 2026-03-17 (block 30488585), a lending protocol deployed on Polygon zkEVM (chain ID 1101) was attacked through a logic error in its Compound-fork KToken implementation. The vulnerability is in internal function `0x3dff` (`redeemFresh`): when `redeemUnderlying()` is called, the function (1) comput... https://www.darknavy.org/web3/exploits/usdc-permit-phishing-drain/ Mon, 16 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/usdc-permit-phishing-drain/ **Transaction**: `0xfd7417af8433e3d9bcbed3f965307c800a24eb4e98f42cebfab6ca6064f5a642` **Chain**: Ethereum Mainnet (Chain ID 1) **Block**: 24671606 **Date**: 2026-03-16 17:38:59 UTC **Incident Name**: `usdc-permit-phishing-drain` https://www.darknavy.org/web3/exploits/venus-lending-exploit/ Sun, 15 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/venus-lending-exploit/ On BNB Smart Chain, an attacker exploited Venus Protocol's vTHE (THENA/THE) market by combining three pre-obtained approvals with a classic exchange-rate inflation technique. The attacker held ERC-20 `transferFrom` allowances for the THE token from six victim addresses and a Comptroller `approvedDel... https://www.darknavy.org/web3/exploits/am-burn-reserve-manipulation/ Thu, 12 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/am-burn-reserve-manipulation/ On March 12, 2026 (BSC block 86066209), attacker EOA `0x0b9a1391269e95162bfec8785e663258c209333b` exploited a combination of the AM token's fee-on-transfer burn mechanism and Moolah lending protocol's collateralized borrowing to extract approximately **131,572 USDT** in profit. https://www.darknavy.org/web3/exploits/cow-protocol-solver-exploit/ Thu, 12 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/cow-protocol-solver-exploit/ On March 12, 2026 (block 24,643,151), a victim address (`0x98b9d979`) lost approximately $50.4 million worth of Aave-wrapped USDT (aEthUSDT) on Ethereum mainnet through a two-transaction attack. In the primary transaction, a registered CoW Protocol solver (`0x3980daa7`) submitted a settlement execut... https://www.darknavy.org/web3/exploits/dbxen-erc2771-confusion/ Thu, 12 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/dbxen-erc2771-confusion/ The DBXen protocol on BNB Chain was exploited at block 86,063,902 through an ERC2771 meta-transaction context confusion vulnerability in the `burnBatch()` function. The attacker abused the inconsistency between `_msgSender()` (used in the `gasWrapper` modifier) and `msg.sender` (passed as the `user`... https://www.darknavy.org/web3/exploits/gamma-lending-exploit/ Wed, 11 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/gamma-lending-exploit/ On March 11, 2026, the Gamma Protocol (a Compound-fork lending platform formerly known as Planet Finance) on BNB Chain was exploited for approximately **7,882 USDT** via a logic flaw in the publicly-callable `updateUserDiscount()` function. The attacker leveraged a flash-loaned USDT position to repe... https://www.darknavy.org/web3/exploits/planet-finance-lending/ Wed, 11 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/planet-finance-lending/ On 2026-03-11, a failed attempt was made to exploit Planet Finance, a Compound-fork lending protocol on BNB Smart Chain, via an oracle price manipulation attack. Transaction `0x330ccbfa...` was initiated by attacker EOA `0x2eb7c45f` but **reverted** with status `0x0`, consuming 38,751,495 of 40,000,... https://www.darknavy.org/web3/exploits/wukong-staking-reentrancy/ Wed, 11 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/wukong-staking-reentrancy/ On 2026-03-11, the WUKONG staking protocol on BNB Chain was exploited via a classic reentrancy attack against its `unstake()` function in the `StakingUpgradeableV10` implementation. The vulnerability arises because `unstake()` sends BNB to the caller (via a low-level `call`) **before** updating the ... https://www.darknavy.org/web3/exploits/alkemi-self-liquidation/ Tue, 10 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/alkemi-self-liquidation/ On March 10, 2026, an attacker exploited the `liquidateBorrow` function of the Alkemi Earn Public lending protocol on Ethereum mainnet (block 24,626,979) to self-liquidate their own solvent position. The root cause is a compound vulnerability: `liquidateBorrow` lacks both a self-liquidation guard (`... https://www.darknavy.org/web3/exploits/gondi-purchasebundler-drain/ Mon, 09 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/gondi-purchasebundler-drain/ On 2026-03-09, the `PurchaseBundler` contract (`0xc10472ac`) deployed on Ethereum (block 24618641) was exploited through an access control bypass in its `executeSell` function. The attacker (`0x8d171c74`) used a purpose-built contract (`0xe95e3cfc`) to call `executeSell` 81 times, successfully drain... https://www.darknavy.org/web3/exploits/molt-evm-weak-spawner-access-control/ Sun, 08 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/molt-evm-weak-spawner-access-control/ On 2026-03-08 at 20:36 UTC (Base block 43093167), an attacker exploited a trivially bypassable `onlySpawnerToken` modifier on the MoltEVM token contract (`0x225da3d879d379ff6510c1cc27ac8535353f501f`) to mint 100,000,000 mEVM tokens at zero cost. The modifier requires only that the caller is a contra... https://www.darknavy.org/web3/exploits/solv-bro-double-mint/ Thu, 05 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/solv-bro-double-mint/ On March 5, 2026, Solv Protocol's Bitcoin Reserve Offering on Ethereum was exploited through a callback-driven logic error in the BRO wrapper at `0x15f7c1ac69f0c102e4f390e45306bd917f21cfcf`, accessed through the beacon proxy at `0x014e6f6ba7a9f4c9a51a0aa3189b5c0a21006869`. The vulnerable full-value ... https://www.darknavy.org/web3/exploits/base-multi-contract-exploit/ Wed, 04 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/base-multi-contract-exploit/ **Transaction:** `0xe94a5ed54d0a9aa317c997607d7d1ea9828ad47626d7794b0e4020ff49cdf9a0` **Chain:** Base (Chain ID: 8453) **Block:** 42832267 **Date of Analysis:** 2026-03-04 **Debate Round:** 1 https://www.darknavy.org/web3/exploits/inugami-staking-reward-debt-drain/ Tue, 03 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/inugami-staking-reward-debt-drain/ On March 3, 2026, the Inugami staking contract on BNB Chain (`0x2001144a0485b0b3748a167848cdd73837345d73`) was exploited via a logic error in reward-debt initialization. The attacker staked a small amount of LP, sent 1 wei WBNB to reactivate the reward window, and then claimed legacy rewards that sh... https://www.darknavy.org/web3/exploits/uniswap-v4-hook-swap-drain/ Tue, 03 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/uniswap-v4-hook-swap-drain/ On March 3, 2026 (block 24,575,085), the UniswapV4Router04 contract at `0x00000000000044a361ae3cac094c9d1b14eece97` on Ethereum mainnet was exploited via an authorization bypass vulnerability in its `swap(bytes,uint256)` function. The root cause is a hardcoded calldata offset in an inline assembly a... https://www.darknavy.org/web3/exploits/sdola-llamalend-oracle-manipulation/ Mon, 02 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/sdola-llamalend-oracle-manipulation/ On March 2, 2026 at 03:00:11 UTC (block 24566937), an attacker exploited an oracle misconfiguration in the Curve LlamaLend sDOLA/crvUSD market on Ethereum. The root cause was the `CryptoFromPoolVaultWAgg` oracle contract (`0x88822ee5`) calling `sDOLA.convertToAssets()` as a spot price feed, which co... https://www.darknavy.org/web3/exploits/bubu2-fee-token-staking-drain/ Sun, 01 Mar 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/bubu2-fee-token-staking-drain/ On March 1, 2026, the BUBU2/WBNB PancakeSwap pair on BNB Chain (block 83,955,808) was drained by flash-loan sandwiching a permissionlessly-triggerable burn mechanism inside the BUBU2 token contract. https://www.darknavy.org/web3/exploits/movie-token-burn-manipulation/ Sat, 28 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/movie-token-burn-manipulation/ On 2026-02-28 (BSC block 85677691), the Movie Token ($MT) project was exploited for approximately **381.75 WBNB (~$242K USD)** in a single transaction. The attacker abused the MT token's `extractFromPoolForLpMining` function, which burns tokens directly from the PancakeSwap MT/WBNB LP pair's balance... https://www.darknavy.org/web3/exploits/aave-fork-undercollateralized-borrow/ Thu, 26 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/aave-fork-undercollateralized-borrow/ On February 26, 2026, an attacker exploited a misconfigured Aave V3 fork lending pool on Ethereum mainnet (block 24,538,897). The root cause was a deployment-time oracle misconfiguration in the `AaveOracle` contract at `0x9dce7a180c34203fee8ce8ca62f244feeb67bd30`, where the constructor arguments con... https://www.darknavy.org/web3/exploits/hpay-staking-forceexit-drain/ Wed, 25 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/hpay-staking-forceexit-drain/ On February 25, 2026, the HPAY staking contract on BNB Chain (BSC) was exploited via a logic error in the unverified staking implementation at `0xbe189fe9f84ca531cd979630e1f14757b88dd80d`, accessed through the TransparentUpgradeableProxy at `0x6e30c17d2554dca5a1ac178939764c6bf61ab95a`. The `forceExi... https://www.darknavy.org/web3/exploits/sto-deflationary-burn-drain/ Mon, 23 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/sto-deflationary-burn-drain/ On February 23, 2026, the STO Protocol token on BNB Chain was exploited via a logic error in its deflationary sell-burn mechanism. The STO token's `_executePendingSellBurn()` function burns previously sold tokens from the PancakeSwap pair and calls `sync()` to update reserves mid-transfer, allowing ... https://www.darknavy.org/web3/exploits/tara-dodo-cooppool-exploit/ Sun, 22 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/tara-dodo-cooppool-exploit/ An attacker on Ethereum mainnet (block 24,513,601) drained the TARA cross-chain bridge by exploiting a compromised bridge validator key. The vulnerability is an **access control failure**: the TARA light client contract (`0xcdf14446`) accepted ECDSA-signed bridge state submissions from any registere... https://www.darknavy.org/web3/exploits/veil-cash-groth16-forgery/ Fri, 20 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/veil-cash-groth16-forgery/ On February 20, 2026, the Veil Cash privacy protocol on Base was exploited for 2.9 ETH (~$5.69K) through a zero-knowledge proof forgery attack. The root cause is a misconfigured Groth16 SNARK verifier contract at `0x1e65c075989189e607ddafa30fa1a0001c376cfd` where the delta verification key parameter... https://www.darknavy.org/web3/exploits/fee-token-skim-exploit/ Mon, 16 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/fee-token-skim-exploit/ On BSC (BNB Smart Chain) block 81,556,796 (2026-02-16 12:51:23 UTC), an attacker exploited a fee-on-transfer token's built-in auto-liquidity mechanism to drain value from its PancakeSwap V2 liquidity pair. The vulnerable component is VictimToken (`0x02739be625f7a1cb196f42dceee630c394dd9faa`), an ERC... https://www.darknavy.org/web3/exploits/uniswap-router-approval-abuse/ Fri, 13 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/uniswap-router-approval-abuse/ A custom, unverified swap router contract at `0xc87c815c03b6cd45880cbd51a90d0a56ecfba9da` on Ethereum mainnet contains a critical access control flaw that allows any caller to execute token swaps using another user's token approvals. On February 13, 2026 at 17:06:47 UTC (block 24,449,245), an attack... https://www.darknavy.org/web3/exploits/erc1155-bonding-curve-reentrancy/ Sun, 08 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/erc1155-bonding-curve-reentrancy/ On 2026-02-08 12:06:47 UTC (block 24,411,960), tx `0x7b3878969c2f44dae5e47d7c03616d5f17dfc46ea59ea75f135c468709a59ce7` on Ethereum drained four Decent.xyz "Crescendo" ERC1155 bonding curve contracts of nearly all their ETH reserves via reentrancy through the native ETH refund path in `buy()` and the... https://www.darknavy.org/web3/exploits/usde-safe-module-flashloan/ Sat, 07 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/usde-safe-module-flashloan/ On 2026-02-07 (Ethereum mainnet, block 24,406,366), an attacker used a Balancer Vault flash loan callback to trigger a Gnosis Safe module at `0xf5e48ff26c60f3d2bdc0b38a570ce6373a927e19`, which executed `execTransactionFromModule` on the Safe `0x635fa9b57a9888ffe624323e547fdfbad1a74606` with a `DELEG... https://www.darknavy.org/web3/exploits/neutrl-nusd-internal-balance/ Wed, 04 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/neutrl-nusd-internal-balance/ On Ethereum mainnet, transaction `0x047fcfa2cfb51879f19769dd25e2768be42985f9c2d8f483f2a0c18703834061` (2026-02-04 13:49:23 UTC) used a Morpho flash loan to route through Pendle’s NUSD Standardized Yield (SY) integration and drain NUSD, then swap to USDC. The attacker’s EOA `0x1f36068728b86ae4d65249f... https://www.darknavy.org/web3/exploits/reusd-singleadapterrouter-withdraw/ Wed, 04 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/reusd-singleadapterrouter-withdraw/ On 2026-02-04 13:46:59 UTC (block 24,383,881), tx `0xee2b216b7d649513dc8ba102e130d3d86d189b393a0d5f387e479be3dbda799d` on Ethereum deployed helper contracts and invoked `depositWithCalldataMultiToken` and `withdrawWithCalldataMultiToken` on SingleAdapterRouter (Vault_reUSD) at `0x169a5effcae91ab33bc... https://www.darknavy.org/web3/exploits/eywa-portalv2-axelar/ Sun, 01 Feb 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/eywa-portalv2-axelar/ On 2026-02-01 18:38:23 UTC (block 24,363,854), tx `0x37d9b911ef710be851a2e08e1cfc61c2544db0f208faeade29ee98cc7506ccc2` on Ethereum called `expressExecute` on ReceiverAxelar (`0xb2185950f5a0a46687ac331916508aada202e063`) with `sourceChain="berachain"` and `sourceAddress=0x5eEdDcE72530e4fC96d43E3d70Fe... https://www.darknavy.org/web3/exploits/gyro-finance-ccip-escrow/ Fri, 30 Jan 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/gyro-finance-ccip-escrow/ On Ethereum mainnet, Gyro Finance's GYD bridge escrow was exploited on January 30, 2026. The attacker used a crafted CCIP message to make the escrow contract approve unlimited GYD allowance, then drained the escrow via `transferFrom`. https://www.darknavy.org/web3/exploits/xpl/ Wed, 28 Jan 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/xpl/ The transaction `0x9779341b2b80ba679c83423c93ecfc2ebcec82f9f94c02624f83d8a647ee2e49` on BNB Smart Chain exploited XPlayer's node distribution burn path to manipulate the XPL/USDT PancakeSwap pool and drain USDT. The attacker used a flash-loan style contract to burn XPL out of the pool, forcing reser... https://www.darknavy.org/web3/exploits/makina-oracle-manipulation/ Tue, 20 Jan 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/makina-oracle-manipulation/ The attacker used flash‑loaned USDC (Morpho + Aave) to temporarily skew spot‑based on‑chain state (Curve pools and oracle inputs, including the ERC4626 convertToAssets path used in pricing). In the same transaction, they invoked accountForPosition and updateTotalAum, locking an inflated AUM into las... https://www.darknavy.org/web3/exploits/futureswap/ Sat, 10 Jan 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/futureswap/ On 2026-01-10 08:30:35 UTC (Arbitrum block 419,829,771), tx `0xe1e6aa5332deaf0fa0a3584113c17bedc906148730cbbc73efae16306121687b` deployed an attacker contract that drained approximately 394,743 USDC.e from FutureSwap's unverified perpetual exchange contract at `0xf7ca7384cc6619866749955065f17bedd3ed... https://www.darknavy.org/web3/exploits/tmx-tribe/ Mon, 05 Jan 2026 00:00:00 +0000 https://www.darknavy.org/web3/exploits/tmx-tribe/ The unverified contracts of TMXTribe were exploited by a series of attack transactions exploiting a vulnerability in the accounting logic. The root cause is that the AUM calculation (used to price TLP) ignores USDG liabilities, so USDG minting inflates AUM and enables high‑price redemptions.