en
Feedback
Defimon Alerts

Defimon Alerts

Open in Telegram

⚠️ DeFi security alerts by @DecurityHQ πŸ’Ž Instant alerts @defimon_subscription_bot defimon.xyz

Show more
The country is not specifiedCryptocurrencies16 291
4 396
Subscribers
+424 hours
+87 days
+7530 days
Posts Archive
Repost from N/a
πŸ’Ž To subscribers: We post all verified alerts to this channel. Some may be big hacks like yesterday's Ostium $20M loss and some are small sub-10k drains. Since it's not our job to decide which alerts are useful to a particular user, we post all of them. If you need to respond to certain alerts and deprioritize others, the best way is to do this is to subscribe to our Websocket API and receive full raw feed of all our alerts (including non-verified) in real time. The cost is only $200/month, ~20 times cheaper than Hypernative or other providers! What's included: β€” Defimon Signals Telegram subscription, β€” API access to the signals (confirmed attacks) β€” API access to all raw alerts (instant events before LLM verification) β€” 1 key to all 8 supported chains. Subscribe on the website https://defimon.xyz/subscribe or using the bot @defimon_subscription_bot

Repost from N/a
🚨 Ostium.com - Loss ~$11.86M (2026-07-15) Token: $oLP (drained asset: USDC, ~11,862,445 USDC @ $1) Network: Arbitrum Type: Private Key Compromise (oracle signer) β†’ Price Manipulation Ostium's perp/RWA vault was drained via a compromised privileged key. The attacker's smart account was a registered forwarder (isForwarder, onlyTimelock) and submitted price reports signed by an authorized oracle signer β€” OstiumVerifier.verify() recovers the signer and requires isAuthorizedSigner[signer] (onlyGov), and it passed. Neither role is self-grantable, so an Ostium price-oracle/forwarder key was compromised. Via delegatedAction β†’ openTrade + performUpkeep(closeTradeMarket) loops (20x), the attacker fed self-signed favorable prices to open and immediately close trades at a profit, draining ~11.86M USDC from the OstiumVault (oLP) to 0x321df194. Loss β‰ˆ 32% of the $34.3M vault TVL. TX: https://arbiscan.io/tx/0x359f8c05b86a4409d60cfba02084334313fd94b19f74a294fb7fc4ea7d4870e0 Attacker: https://arbiscan.io/address/0xD1794196f0fc99c7f27970e661597d77d9a85869 Victim: https://arbiscan.io/address/0x20d419a8e12c45f88fda7c5760bb6923cee27f98 X: https://x.com/Ostium @defimon_subscription_bot

Today we notified drips.network about an exploit involving an old DaiDripsHub contract. An attacker exploited a signed-intege
Today we notified drips.network about an exploit involving an old DaiDripsHub contract. An attacker exploited a signed-integer cast vulnerability which resulted in $24,882 loss. Specifically the _give function calls _transfer(user, -int128(amt)), intending a deposit of amt DAI from the caller into the DaiReserve contract. The attacker passed amt = 2^128 βˆ’ reserveBalance (340282366920938438580379185484100353741). Because amt β‰₯ 2^127, int128(amt) wraps negative, so -int128(amt) becomes positive (+24,882 DAI), flipping the intended deposit into the reserve withdraw branch of _transfer - draining the entire DaiReserve to the attacker instead of pulling funds from them. There was no upper bound on amt before the signed cast. The team confirmed that the new version of the protocol is not vulnerable and the affected addresses are now being traced for the next appropriate steps. TX: https://etherscan.io/tx/0xc38a6e2259a85ced94238a0b0a49697992f2a6b8140c28f3fd2343d3d8434130 Attacker: https://etherscan.io/address/0x84da7a5e2315eb798f04b75554aeb15047269cce Victim: https://etherscan.io/address/0xf9bbb2df44cfe46e501cf91c99b2f8fef9d9d44a ⏱️ Get real-time DeFi security alerts (Telegram/WebSocket): @defimon_subscription_bot

Repost from N/a
🚨 chiprotocol.io - Loss ~$8.5K (2026-07-13) Token: $USC (USC) Network: Ethereum Type: Oracle Manipulation / Redeem-at-Par Logic Error Chi Protocol's ArbitrageV5.burn() redeems reserve collateral valuing USC at the hardcoded USC_TARGET_PRICE ($1) β€” reserveAmountToRedeem = amount * $1 / reservePrice β€” with NO check that USC is actually at peg (unlike mint(), which enforces _almostEqualAbs(uscSpotPrice, USC_TARGET_PRICE)). The attacker flash-loaned 5 WETH from Balancer, bought heavily-depegged USC cheaply from a thin USC/WETH Uniswap V2 pool, then burned it 1:1 against the ReserveHolder to redeem full-value weETH/stETH/WETH collateral, netting ~4.66 WETH. Note: reserves are nearly drained (protocol TVL ~$883), so remaining opportunity is limited. TX: https://etherscan.io/tx/0x4a665f8eeada74552bd2dc466e5549731951f2f6180bbe865fa1d7b4be8ae96f Attacker: https://etherscan.io/address/0xf7105f68085294b6a45dd7231a6987b070e1abaf Victim: https://etherscan.io/address/0xc36303ef9c780292755b5a9593bfa8c1a7817e2a X: https://x.com/ProtocolChi @defimon_subscription_bot

Repost from N/a
🚨 UNIX Gaming - Loss ~$2.95K (2026-07-12) Token: $UNIX @ $3.62 Network: Optimism Type: Weak Randomness / Logic Error (predictable on-chain RNG) UNIX Gaming's play-to-win prize pool (0xc6ad...acab) picks ETH prize winners with weak on-chain randomness β€” its award function (selector 0x2c8dd10a) computes `keccak256(seed) % 10000` and compares it to per-tier probability weights. Because the seed is derived from predictable block/participant data, the attacker deployed short-lived throwaway contracts that simulate the draw and only commit a "play" (deposit 0.003 ETH β†’ swap β†’ add UNIX/WBTC LP β†’ participate) when the outcome is a winning ticket, atomically claiming the top ETH prizes (0.275/0.055 ETH tiers) over and over. Repeated across many rounds in one tx, this drained ~1.62 ETH from the prize pool while the attacker only ever paid gas + tiny stakes. TX: https://optimistic.etherscan.io/tx/0x1eb58e4f84bcb8212da5e7801041fa0419ec50558276071ce31c869731b81ae2 Attacker: https://optimistic.etherscan.io/address/0x1774569e3f6ddd266a98d7043792080733ea11a0 Victim: https://optimistic.etherscan.io/address/0xc6adcc0dcd13902c3a423cdc6a86e3f2fc36acab (unverified) X: https://x.com/UnixGamingTV @defimon_subscription_bot

πŸ’Œ Onchain message:
To the hacker: Please, I beg you to have mercy on me. This money is my entire life savings, which I worked day and night for years to earn. Losing this will completely destroy my life and my family. Please return whatever you can, even a part of it. I would be eternally grateful to you.
πŸ“€ From: 0xfd4f7f631e8cb96d10b60606d582db39c53569f7 πŸ“₯ To: 0xe1f38460681097e1369967c4953164522d5b9374 🌎 Network: bsc Etherscan

πŸ’Œ Onchain message:
To the hacker: We have tracked the stolen funds to this address. Please return the remaining funds to our wallet. You can keep 10% as a whitehat bounty. If the funds are returned within 24 hours, we will cease all legal investigations and reports to exchange compliance teams. You can reply on-chain.
πŸ“€ From: 0xfd4f7f631e8cb96d10b60606d582db39c53569f7 πŸ“₯ To: 0xe1f38460681097e1369967c4953164522d5b9374 🌎 Network: bsc Etherscan

Repost from N/a
🚨 behodler.io - Loss $6.4K (2026-07-11) Token: $pWETH10 (PyroWETH10, wrapping WETH10) Network: Ethereum Type: Approval/Allowance Drain (broken access control) Behodler's PyroToken (PyroWETH10) has a flawed transferFrom: it checks _allowances[sender][recipient] instead of _allowances[sender][msg.sender]. Because users granted unlimited allowance to the PyroWethProxy (0xcE3f...7650) for normal deposits/redeems, anyone could call transferFrom(victimHolder, proxy, amount) to move a holder's pWETH10 into the proxy, then trigger redeem() to convert the stolen pyrotokens into WETH10 and withdraw ~3.57 ETH to the attacker. The check enforces the recipient's allowance, not the spender's, so no approval to the attacker was ever needed. TX: https://etherscan.io/tx/0xd41603681dbfcfd7a9c25ef26b1efbed380f6086c3c8c3a9ba3c149faeae2625 Attacker: https://etherscan.io/address/0x45c6304a9c1c196cb559b340763f182143ebcc51 Victim: https://etherscan.io/address/0x5b4e96994356cac1c7907b9c51f7f7c8f0bead12 X: https://x.com/BehodlerAMM @defimon_subscription_bot

Repost from N/a
🚨 Sodium Wallet - Loss ~$21.2K (2026-07-12) Token: $ETH @ $1799.65 Network: Arbitrum Type: Access Control / Signature Validation Bypass Sodium is an ERC-4337 (ZK/MPC) smart-wallet. Its `_validateSignature` for the `executeWithSodiumAuthSession` path returns "valid" whenever `sessionKey == signer` and no safe-session is set β€” it never verifies the session-add auth proof (that only runs later in execution). Attacker supplied userOps signed by its own EIP-1271 contract (isValidSignature always true) with a self-chosen sessionKey, so validateUserOp passed for ~300 established user wallets it doesn't own. Each op set maxFeePerGas β‰ˆ 4062 gwei (~400,000Γ— normal) with fixed verification gas and callGasLimit=0, so EntryPoint charged ~0.5 ETH of each wallet's gas deposit to the attacker (the bundler/beneficiary) while the op deliberately ran out of gas on execution. ~11.76 ETH drained from 300+ wallets in one tx. TX: https://arbiscan.io/tx/0x738995176c3bbd22f8deabd7a1e6b89a044231781b39aa2f350897535e6d7bc1 Attacker: https://arbiscan.io/address/0x7bD736631Afbe1d3795a94F60574f7fA0aE89347 Victim: https://arbiscan.io/address/0x65de72bd1897b017c91f41c86de2b15873320804 (one of 300+ Sodium wallets; impl 0xb5bc46df04dee31d219e7664122e29eed9506b8b) X: https://x.com/sodiums_org @defimon_subscription_bot

πŸ’Œ Onchain message:
You drained the BlueMove DEX pool (~$400k). Keep 30% as a white hat bounty and return 70% within 48h to our Sui address:

0x85bf745a737a34bf73f360c22d5c8aea1f1767f3c458f5269a7c2f821b9d3781

If returned, we will consider the matter resolved. Otherwise, we will pursue all available legal and recovery actions. The on-chain evidence has been preserved.
πŸ“€ From: 0x2b195ad3f9b2e0b24d5f768ba90094c0b95c444f πŸ“₯ To: 0xee3fc30dc8e3a30b91dadb10d2b40e71f4b6d77b 🌎 Network: mainnet Etherscan

πŸ’Œ Onchain message:
BAADBE Utility Token Security Update 11 July 2026
Ethereum ERC-20 contract : 0x26A1D3bd6a7d4Abd216A1D87237d56D736Fa0B30

A careless mistake by the token creator (0x01C2E1B68De509EEB3b900a752D134cb62442176), who accidentally clicked on a phishing link, resulted in the Uniswap ZRX/BAADBE v4 Position NFT being stolen by the address 0x7CDd2f7a18D65fcFE43FE38b4A62C56208c9bb90.

https://etherscan.io/tx/0x56f0095901f3d48fc40ce8feb26a7c76fd8e6847952b13bbf09c6c389e62f0df

The stolen Uniswap v4 Position NFT contains 15,249 ZRX and 1,636,679,188 BAADBE. (Please refer to the ERC-20 Token Transfers at the link below for more details.)

https://etherscan.io/address/0x7cdd2f7a18d65fcfe43fe38b4a62c56208c9bb90#tokentxns

15,249 ZRX was swapped for 0.76019996 ETH (stolen value loss)
and
1,633,405,830 BAADBE was sent to 0xEE4a181e63039f96C9C86BeCfE235F3Ac0dc35C4
then was sent again to 2 addresses:
0x77b4522EF15dDf3b71E44edE9a5c664F8592eDC0 (1,633,405,830 BAADBE)
0x0FC3cACfA0642c76Cb98A66bd535F60fB321fA0D (245,010,874 BAADBE)
balance at 0x7CDd2f7a18D65fcFE43FE38b4A62C56208c9bb90 (3,273,358 BAADBE)

A total of 1,636,679,188 BAADBE represents 16.36% of the total BAADBE token supply.

Since I can't recover or blacklist the hackers' account, I decided to withdraw 98% of all active Uniswap v4 positions as a precaution, leaving only about $20 worth of TVL, buying up to USDC 1 worth of BAADBE is sufficient for its intended use and can be considered a negligible risk., the original BAADBE Utility Token service remains unchanged. It continues to provide a manual token swap service between the Ethereum and Qora blockchains, allowing the public to obtain some Qora for testing and using the blockchain.

To use the FREE SWAP service, you must run a standard Qora localhost. Swaps between two blockchains are performed manually by me (Okchai). All communication for free swap must go only through this Qora account: QWR6MgpUmNcQVFkCcNpQevDesRwhREvRRL (alias name : free_swap_to_timah )

Localhost (decentralized, must run a standard Qora blockchain node):
http://127.0.0.1:9090/index/blockexplorer.html?addr=QWR6MgpUmNcQVFkCcNpQevDesRwhREvRRL
or 
Qora gateway (read only) : 
https://qora2.com/index/blockexplorer.html?addr=QWR6MgpUmNcQVFkCcNpQevDesRwhREvRRL
http://146.56.47.125:9090/index/blockexplorer.html?addr=QWR6MgpUmNcQVFkCcNpQevDesRwhREvRRL

Create a dWeb by uploading HTML and JavaScript code to Qora blockchain
Visit https://yawti.com and https://baadbe.com for more information.
https://x.com/ongkianchai
https://www.facebook.com/ong.kianchai
https://www.instagram.com/ongkianchai
Email : ongkianchai@gmail.com

Free_Swap_to_Timah Services:
1. BAADBE (Ethereum, Signum & Symbol) swap to Timah (Qora) 
2. TIM (Ardor-Ignis) swap to Timah (Qora)
3. YAWTI(Beam & Base) swap to Timah (Qora)

TIMAH can be exchanged for Qora through the Qora blockchain's DEX.

FREE swap for values less than USDC 1 ( Maximum up to 5 million BAADBE ) only.
For values greater than USDC 1 , please refer to the token swap services at aitway.com
Qora is a utility token used for creating a decentralized web on the blockchain.
Timah, TIM, YAWTI, and BAADBE are utility tokens used to exchange Qora.

To cash out Qora, exchange Qora for TIMAH on the Qora DEX, then contact Okchai to swap TIMAH for tokens on the Ethereum, Signum, Symbol, Ardor, Beam, or Base blockchain. Alternatively, you can swap Qora for Qora ERC-20 on World Chain (Visit https://yawti.com and https://baadbe.com for more information).

This is a small project by me (Okchai) to promote the use of the Qora blockchain. Remember, the hacker's account holds 16.36% of the total BAADBE token supply on Ethereum L1. If the hacker dumps a large amount of the tokens on Uniswap, it could significantly reduce the price of BAADBE on Ethereum. Last reminder: TIMAH, BAADBE, TIM and YAWTI should only be purchased if you have a use for them, hold them at your own risk.
πŸ“€ From: 0x01c2e1b68de509eeb3b900a752d134cb62442176 πŸ“₯ To: 0x84e06a8cd1c45ddef8d61d19472c45fa9ff7eff9 🌎 Network: mainnet Etherscan

πŸ’Œ Onchain message:
We think you may not be someone who does this kind of thing, and that this may have gone further than you expected. If that's true, there's a clean way out, and it's still fully open to you. Return 90% to 0xBdc77a0c69f13207aCB70a6981Cad60B4c1D1942 (the Hinkal owner address, which you can verify) and keep 10%. If you do, we treat it as a white-hat recovery, take no civil action, and describe it publicly as a return rather than an attack. This ends here, and it doesn't have to define you. The funds are also difficult to move without exposure, and that only grows over time. Decide within 72 hours, by 11 July at 23:59 UTC. If the funds aren't returned by then, we'll pursue this through law enforcement. But that's not the outcome we're hoping for. The choice is yours. If you want to talk it through, we're at recover@hinkal.pro.
πŸ“€ From: 0xbdc77a0c69f13207acb70a6981cad60b4c1d1942 πŸ“₯ To: 0x892eb71069fc8df4f7a6c3d4456075f2bb3bf317 🌎 Network: mainnet Etherscan

Repost from N/a
🚨 BFB - Loss ~$198K (2026-07-08) Token: $BFB @ $0.0297 Network: BNB Chain Type: Logic Error (deflationary reserve-burn manipulation) BFBToken's `_priceDeflPool()` (Contract.sol:448) burns 5% of the LP pair's BFB balance and calls `sync()` whenever the spot price drops >5% below `fallLastPrice`, meant as a "price defense." The burn removes BFB from the PancakeSwap BFB/WBNB pair, shrinking the BFB reserve and inflating BFB's price. The guard only requires `!isContract(from) && !isContract(to)`, so the attacker repeatedly triggered it with zero-value EOAβ†’EOA self-transfers (`transferFrom(sender, sender, 0)`) between swaps. Over ~151 flash-loan-funded rounds this collapsed the pair's BFB reserve toward zero, letting dust amounts of BFB be swapped for the pair's entire WBNB. ~350.6 WBNB (~$198K) was drained from the LP pool to the attacker. TX: https://bscscan.com/tx/0xabcf5c5c846595b2d0849f2579b67465ed8d06f3b469cee5e3a57c1f7aed3520 Attacker: https://bscscan.com/address/0x3bfa85127c9871d3f74c30e36a618a77f0ae6b0f Victim: https://bscscan.com/address/0xffb43c8a00a47b737d27b2ae59a35e269a21d040 (BFB/WBNB LP) @defimon_subscription_bot

πŸ’Œ Onchain message:
We are watching you. The blood on your hands. We are tracking every single interaction. Your exit is not as stealthy as you think. You exploited a flaw in Atlantis Loan's code and probably thought you were just taking numbers on a screen. You were wrong. You ruined real lives. You drained the life savings of ordinary people. The devastation you caused was absolute, and for some of your victims, it was fatal. People have taken their own lives because of what you stole from them. There is literal blood on the $931k you are trying to wash right now. You have one final, narrow window to make this right before your tokens become permanently worthless and the authorities close in on your real-world identity. Return the funds to the users. This is your last chance to clean the blood off your hands and walk away.
πŸ“€ From: 0x9be948033e0430a0747bb38316f8d9173ba93676 πŸ“₯ To: 0x3d3e7ef4b7e4e903f89e370e11c673bcc74dce7a 🌎 Network: mainnet Etherscan

Defimon detected Summer.fi exploit and delivered an enriched alert to WebSocket subscribers at 05:17:29 UTC and LLM-verified alert to Defimon Signals channel subscribers at 05:21:54 UTC. ⏱️Receive DeFi incident alerts before anyone posts on Twitter: @defimon_subscription_bot

πŸ’Œ Onchain message:
Information related to the exploit of the USDC Vault on the Lazy Summer Protocol Jul-6-2026 05:17 UTC. 

This is the Summer deployer address. Can we discuss over Blockscan Chat.
πŸ“€ From: 0x8888013451507e8dd7996509735e15f591886cd2 πŸ“₯ To: 0x7bf716167b48cf527725722c6d79494b45b3bdca 🌎 Network: mainnet Etherscan

Repost from N/a
Correction: 1.8M went to Titan Builder

Repost from N/a
🚨 Uniswap V3 (AVAIL/WETH pool) - Loss ~$2.0M (2026-07-05) Token: $AVAIL @ $0.002923 Network: Ethereum Type: MEV Backrun / Extreme Slippage (bad routing into illiquid pool) A large swap was routed through a thin (~$24K TVL) Uniswap V3 AVAIL/WETH pool (0x80f8...ddb2), pushing AVAIL's in-pool price to absurd levels. A searcher bot (0x0000...089b) then backran it via a Uniswap V4 flash-swap chain: WETHβ†’USDT (UniV2) β†’ USDTβ†’AVAIL (V4 PoolManager) β†’ AVAILβ†’WETH (the mispriced V3 pool), pulling 1,072 WETH (~$1.9M) out for just 2,154 AVAIL (~$6.3). Net bot profit β‰ˆ $2.00M, extracted at the victim trader's expense. The V3 pool's WETH liquidity was drained in a single tx. TX: https://etherscan.io/tx/0xb1a43313b51512b45fc5d921838a8a6427266f4326e5d82cde7cdbe02daa3349 Attacker: https://etherscan.io/address/0x00000000fd3a7b3fa5bcfa843c648714b11e089b Victim: https://etherscan.io/address/0x80f8143fa056a063aaeecec3323aa3426262ddb2 @defimon_subscription_bot

πŸ’Œ Onchain message:
AGIC IA: Your wallet deployed 31 vulnerable contracts (31 critical). Audit at 0xa41A2ab6b3097536484399a8DfA3e6c37C329545
πŸ“€ From: 0xa41a2ab6b3097536484399a8dfa3e6c37c329545 πŸ“₯ To: 0x444a2a1e836eff1c33b93f00df0b71143f36014e 🌎 Network: base Etherscan