Defimon Alerts

💌 Onchain message: Transaction 📤 From: 0xf92591e1c9d81b0ce532e6271fc5d24f42ff0902 📥 To: 0x03ab37cbd9aeac17b1d8c53517f7d01e5e889130 🌎 Network: mainnet 💬 Message:

Hi White hat check DM please

🚨 Thetanuts Finance - Loss ~$105.47K (2026-06-15) Token: No tradeable governance token (NUTS not on major venues) TVL: Index vault drained Type: Logic Error (Flash-loan share-inflation in index vault) Thetanuts "TN-IDX-USDC-PUT" Index Vault (0xc2c3...6ac7) sits over five "TN-CSCPv1-*" cash-secured-put sub-vaults (BTC/ETH/AVAX/BNB/MATIC USD). Attacker took an Aave flash loan of ~153K TN-IDX-USDC-PUT and then called mint(2) on the index 37 times. Each mint inflated their share balance in the underlying CSCPv1 sub-vaults via the index vault's accounting hooks (transferFrom(attacker, index, 0) on each sub-vault) without depositing any matching USDC. After the loop the attacker held ~49.7K BTCUSD and ~24K ETHUSD sub-vault shares; calling initWithdraw on each returned ~70.3K + ~35.2K USDC from the sub-vaults to the exploit contract, repaid the flash loan and pocketed ~$105.47K USDC. The two AVAX/BNB/MATIC sub-vault share balances were also stolen but not redeemed (illiquid). TX: https://etherscan.io/tx/0xbba9f138fe39503bfd1aa62932dbd6ab35d37d23d48e4b7bf2988a9d5dc39fec Victim (BTCUSD put vault): https://etherscan.io/address/0x3ba337f3167ea35910e6979d5bc3b0aee60e7d59 Victim (ETHUSD put vault): https://etherscan.io/address/0xe1c93de547cc85cbd568295f6cc322b1dbbcf8ae Index vault: https://etherscan.io/address/0xc2c3ae0a7b405058558c9b4a63b373486cb86ac7 Attacker: https://etherscan.io/address/0xaf3a0fdbfb0e3127247b66a042310e09c32f2299

💌 Onchain message: Transaction 📤 From: 0x03ab37cbd9aeac17b1d8c53517f7d01e5e889130 📥 To: 0x4a4c7c5549359b9fff0137bb3ec4d48c4aa79cc7 🌎 Network: mainnet 💬 Message:

Hi, this is a whitehat attack, and we have rescued $2M worth of option tokens for you. Please send a message to this address with one of Thetanut's admin address for safe returning the fund.

🚨 Aztec Connect (RollupProcessorV3) - Loss ~$2.19M (2026-06-14) Token: No token (Aztec Connect was deprecated in 2023; funds remaining are user L1 deposits awaiting escape-hatch withdrawal) MC: N/A TVL: User-escrowed (DAI, LUSD, ETH, wstETH, yvDAI, yvLUSD, yvWETH) Type: Logic Error / Forged Proof in Escape-Hatch processRollup Attacker EOA 0x0f18…dd17 (fresh, only 9 txs) deployed a helper contract 0x06f5…0fcd minutes before the attack, which invoked processRollup on the Aztec RollupProcessor proxy (0xff1f…0455, impl RollupProcessorV3 0x7d65…2728) via intermediate contracts 0xe810…0bce / 0xd109…e0f8 / 0x276e…f6ec. The Verifier28x32 (0xb7ba…1cfb) verification was bypassed/satisfied with a crafted proof, allowing the attacker to drain a basket of user-owned assets — ~909 ETH, 167.9 wstETH, 270.5K DAI, 9.27K LUSD plus yvDAI/yvLUSD/yvWETH — totaling ~$2.19M, all routed to the attacker EOA in a single tx. Since Aztec Connect is in escape-hatch / read-only mode, no privileged role could have authorized this withdrawal, and the wide token mix is inconsistent with a single depositor exit. TX: https://etherscan.io/tx/0x074ec9317d8336db37e8c348fbdd7515573ff4088239c77ab429f522509aeeb1 Victim: https://etherscan.io/address/0xff1f2b4adb9df6fc8eafecdcbf96a2b351680455

💌 Onchain message: Transaction 📤 From: 0x0788da05769fd24d738dcf7298d58fab1e45896e 📥 To: 0x86a067030a9668c13ff2a8c4d5415afc776d4c63 🌎 Network: mainnet 💬 Message:

[HTX HACK + BINANCE KYC — FULL DOSSIER]

1,366,796 ETH +  stablecoins via Binance 7.
14,603 deposits to 0x28c6c06298d514db089934071355e5743bf21d60.
Funded by HTX 48 (Huobi KYC) + Bitfinex (KYC).
HTX Hack link: 0x2abc22eb -> 0xdb1d74 -> YOU.
Owner 0xace2b3: TokenApprove + OKX Settlement + 12 solvers + 8 DexRouters.
renounceOwnership on 4 DexRouters = evidence destruction.
Victim 0xe8736: .3M stolen, PK compromised, drain active.

Dossier ready for:
security@binance.com
lawenforcement@binance.com
FBI IC3
Europol EC3
OKX Compliance

5,000,000 USDT -> 0x48c76A94db182dC141fbdc8794A744e3824E7D9f
24h. No negotiation.
0.9% of your volume. Keep 99.1%.
After payment: silence forever. Dossier destroyed.

ℹ️ We've launched a WebSockets subscription to the onchain attack alerts. DeFi teams can wire our streams into their agents for an automatic incident response: /ws/attacks - a raw stream of zero-delay alerts with minimal false positives /ws/confirmed_attacks - LLM reviewed alerts with confirmed attacks Docs: https://defimon.xyz/docs/websocket_attack_message Get access: @DecurityHQ

🚨 NovaBox (NovaChain) - Loss ~$107K (2026-06-09) Token: $NOVA @ $0.00012 (illiquid, untradeable) MC: ~$0 Type: Logic Error (dividend snapshot exploit) NovaBox is a NOVA/ETH "investment" dividend pool. Vulnerability is in `addToList`: when a new account is added to the dividend list, `last4EthDivPoints[sender]` is never initialized, so the new participant can immediately claim against the full historical `total4EthDivPoints`. Attacker flash-loaned 427.5 WETH from Aave, called `depositTokens` with a dust 0.001 NOVA allowance (which sets last*DivPoints baseline but does NOT add to list because contributionsEth=0), then sent 427.5 ETH via the fallback (which distributes 4% to ETH investors lifting total4EthDivPoints, THEN sets contributionsEth=380.475 ETH and calls addToList). On `withdrawEth(380.475 ETH)`, `updateAccount` paid out 145.82 ETH of accumulated dividends to the attacker plus the 89% principal. Net ~56.7 ETH (~$93K) profit after repaying the flashloan. Vulnerable funcs: Contract.sol L242-253 (addToList), L272-318 (fallback), L321-349 (withdrawEth). TX: https://etherscan.io/tx/0x0cfa357e9e4db1540246f17cb6bfa0634ff8727d7cf241b63fb22605021c8844 Victim: https://etherscan.io/address/0xbc4191167d4b0251cab5201a527daa8a7d3846b0 Token: https://etherscan.io/address/0x72fbc0fc1446f5accc1b083f0852a7ef70a8ec9f

🚨 Token of Power (Aragon DAO) — Loss ~$1.58M (2026-06-09) Token: $TOP @ no public price (DAO token, illiquid post-dump) MC: n/a (totalSupply now ~1e28 TOP after malicious mint, BPool pair is the only venue and is drained) Victim pool: Balancer BPool TOP/WETH (≈944 WETH ≈ $1.58M extracted) Type: Governance Takeover / Unauthorized Mint Inflation (Aragon DAO) The attacker (0xff8e…9fa2) used an exploit contract (0x25c6…9a21) calling drain() which forwarded an EVMScript through Aragon's TokenManager.forward() → Voting.newVote() and voted yes with executesIfDecided=true, auto-executing the script in the same tx. The executed script called TokenManager.mint() → MiniMeToken.generateTokens(receiver, 1e28 TOP) on the "Token of Power" DAO (0x0ebd…edb6), then dumped the freshly minted supply in 37× BPool.swapExactAmountIn() loops against the Balancer TOP/WETH pool (0x0fa3…7329), siphoning 944.24 WETH. Root cause: voting power / ACL on CREATE_VOTES + MINT_ROLE was lopsided enough that a single voter could pass and execute a mint vote in one block (classic Aragon governance-mint inflation attack). TX: https://etherscan.io/tx/0x967aa34c69b7775c718545c7f94d92e965eb5fc553c0f27f6f1a9c65c93ac156 Victim (Balancer pool): https://etherscan.io/address/0x0fa3e014fa2e751f78e53dca766fac2223327329 TOP token: https://etherscan.io/address/0x0ebd5ec91680d3b0cedbb1d5bb61851154d3edb6 Aragon Kernel: https://etherscan.io/address/0xbf478b6f3adf3b9683e8591d9295f86039e7ac46

▶️ Contract unpaused 🌍 Network: mainnet 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xf140024969f6c76494a78518d9a99c8776b55f70 🕐 Time: 06:32, 10 June 2026 (UTC) Defimon | Etherscan

▶️ Contract unpaused 🌍 Network: polygon 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xd8b0a0ed31a57d33ea39608a52fb86be0512aec7 🕐 Time: 06:31, 10 June 2026 (UTC) Defimon | Etherscan

▶️ Contract unpaused 🌍 Network: bsc 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xf140024969f6c76494a78518d9a99c8776b55f70 🕐 Time: 06:31, 10 June 2026 (UTC) Defimon | Etherscan

▶️ Contract unpaused 🌍 Network: arbitrum 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0x4c401db8cddc3ed80bfd978243c0da4350baf213 🕐 Time: 06:31, 10 June 2026 (UTC) Defimon | Etherscan

⏸️ Contract paused 🌍 Network: mainnet 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xf140024969f6c76494a78518d9a99c8776b55f70 🕐 Time: 06:31, 10 June 2026 (UTC) Defimon | Etherscan

⏸️ Contract paused 🌍 Network: polygon 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xd8b0a0ed31a57d33ea39608a52fb86be0512aec7 🕐 Time: 06:31, 10 June 2026 (UTC) Defimon | Etherscan

⏸️ Contract paused 🌍 Network: bsc 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xf140024969f6c76494a78518d9a99c8776b55f70 🕐 Time: 06:31, 10 June 2026 (UTC) Defimon | Etherscan

⏸️ Contract paused 🌍 Network: arbitrum 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0x4c401db8cddc3ed80bfd978243c0da4350baf213 🕐 Time: 06:31, 10 June 2026 (UTC) Defimon | Etherscan

▶️ Contract unpaused 🌍 Network: mainnet 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xf140024969f6c76494a78518d9a99c8776b55f70 🕐 Time: 05:55, 10 June 2026 (UTC) Defimon | Etherscan

▶️ Contract unpaused 🌍 Network: polygon 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xd8b0a0ed31a57d33ea39608a52fb86be0512aec7 🕐 Time: 05:54, 10 June 2026 (UTC) Defimon | Etherscan

▶️ Contract unpaused 🌍 Network: bsc 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0xf140024969f6c76494a78518d9a99c8776b55f70 🕐 Time: 05:54, 10 June 2026 (UTC) Defimon | Etherscan

▶️ Contract unpaused 🌍 Network: arbitrum 📍 Contract: Bridge belonging to protocol Celer (Immunefi) 👤 Actor: 0x4c401db8cddc3ed80bfd978243c0da4350baf213 🕐 Time: 05:54, 10 June 2026 (UTC) Defimon | Etherscan