A serial hacker is concentrating on DeFi lending protocols, with roughly $3.5 million stolen to date. Within the newest incident, they exploited an oracle misconfiguration in lending platform Ploutos Cash, resulting in a lack of virtually $400,000.
Crypto safety agency CertiK famous that the mission seems to have deleted its web site and social media presence.
In accordance with evaluation by blockchain auditor BlockSec, Ploutos Cash used Chainlink’s bitcoin (BTC)/USD feed as an oracle for USDC value. “The attacker was able to borrow 187 ether (ETH) by posting only eight USDC as collateral,” the submit explains.
BlockSec additionally factors to the timing of the exploit, only one block after the misconfiguration was confirmed. Whereas the agency suggests “the attacker closely monitored and acted on the configuration change,” lots of the replies to CertiK and BlockSec’s posts suspect insider involvement.
Pseudonymous blockchain investigator Tanuki42 linked the exploiter to not less than 4 different hacks, together with two million-dollar losses for Moonwell.
Final week, Moonwell was left with $1.8 million of dangerous debt when a misconfigured oracle returned a cbETH value of $1.12 as a substitute of roughly $2,200. The code change which brought about the loss had been co-authored by Claude Opus 4.6, alongside a Moonwell contributor.
The (dangerous) luck of the draw
Additionally in the present day, in an apparently unconnected assault, Ethereum-based “private ZK lottery,” FOOM CASH, misplaced $1.6 million when its “broken ZK verifier” was compromised.
In accordance with blockchain safety agency QuillAudits, the mission misplaced $1.3 million on Ethereum and $316,000 on Base. The agency’s evaluation explains that the mission’s use of its ZK verifier was flawed.
In setting two constants to the identical worth, “anyone can compute it [the verification equation], no secret needed.”
An identical assault affected Veil.Money, a privateness protocol on Base, final week. Nonetheless, losses had been small at solely 4.5 ETH, of which 2 ETH had been recovered by white hats Decurity.
