Key Highlights
- The Fusion PlasmaVault hack happened due to a smart contract flaw that let attackers run unauthorized code.
- On January 6, 2026, nearly $267,000 was stolen and moved through an external wallet to Tornado Cash.
- The attacker used a malicious “fuse” contract to quickly redirect all vault assets by exploiting the smart contract itself.
- An old PlasmaVault flaw let an attacker steal $336,000 USDC in total, which IPOR said will be paid back to affected users.
Blockchain security monitors have highlighted suspicious transactions in relation to the Fusion Plasma Vault contract, part of the IPOR (Inter Protocol Offered Rate) ecosystem.
This event was first identified by SlowMist’s MistEye solution, which picked up on some suspicious activity related to this contract. Blockchain security company CertiK also later issued alerts pointing to unusual transactions.
Researchers found that the flaw let a malicious user move funds out while the transaction looked like a normal withdrawal. The incident highlights the risks hidden in complex smart contracts.
The problem arose from an account set up using EIP-7702, a mechanism that lets an externally owned account delegate its execution to a smart contract. Here, the delegate contract allowed arbitrary external calls, giving the attacker freedom to run malicious code.
Around $267,000 moved in one transaction
In the case that came to light on January 6, 2026, an exploit contract abused the vulnerability during the withdrawal process and drained assets worth almost $267,000.
These funds were first routed to an outside wallet (0x9b1b…), then bridged from Arbitrum to Ethereum and eventually deposited into Tornado Cash. Using such platforms is not prohibited, but it makes tracing considerably harder.
What went wrong
IPOR’s post-mortem shows the incident happened because two problems came together. The affected PlasmaVault was an older vault that did not properly check “fuses,” which are logic modules used during withdrawals. At the same time, an administrator account was using an EIP-7702 delegation setup.
The delegated contract allowed arbitrary external calls. This made it possible for an attacker to act as if they were the administrator, add a malicious fuse, and trigger a withdrawal that ran harmful code. In simple terms, the vault trusted unsafe logic and ended up executing instructions that moved funds out.
IPOR said this exact setup only existed in this legacy vault. Newer Fusion vaults already include stricter validation rules that would prevent this type of attack.
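As an added illustration (not IPOR's code), the hypothetical minimal vault below contrasts the two patterns described above: a legacy withdraw that delegatecalls whatever fuse address the admin supplies, beside a hardened version that only runs fuses registered through a separate governance path and refuses an admin address that carries delegated code. The contract names, the delegatecall execution model and the governance role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical minimal vault (not IPOR's code) contrasting unvalidated and
// validated fuse execution. Names and layout are assumptions for illustration.
interface IFuse {
    function exit(bytes calldata data) external;
}

// Weak pattern: withdraw delegatecalls whatever fuse address the admin-role
// caller supplies, so that code runs with the vault's own storage and token
// balances. If the admin key is an EIP-7702 account whose delegate forwards
// arbitrary calls, whoever can drive that delegate looks like the admin here.
contract LegacyVault {
    address public admin;
    constructor() { admin = msg.sender; }
    function withdraw(address fuse, bytes calldata data) external {
        require(msg.sender == admin, "not admin");
        (bool ok, ) = fuse.delegatecall(abi.encodeWithSelector(IFuse.exit.selector, data));
        require(ok, "fuse failed");
    }
}

// Hardened pattern: fuses are registered in advance through a separate,
// governance-controlled path, and withdraw refuses anything not on that list.
contract HardenedVault {
    address public immutable admin;
    address public immutable governance;
    mapping(address => bool) public supportedFuses;
    constructor(address governance_) {
        admin = msg.sender;
        governance = governance_;
    }
    // Registration is a governance action (e.g. behind a timelock), not an
    // admin action, so a single compromised admin key cannot add new logic.
    function addFuse(address fuse) external {
        require(msg.sender == governance, "not governance");
        require(fuse.code.length > 0, "fuse is not a contract");
        supportedFuses[fuse] = true;
    }
    function withdraw(address fuse, bytes calldata data) external {
        require(msg.sender == admin, "not admin");
        require(supportedFuses[fuse], "fuse not registered");
        // An EIP-7702-delegated EOA exposes a 23-byte delegation designator as
        // its code, so this also rejects an admin key that has delegated
        // execution (and contract-wallet admins; adapt to the deployment).
        require(msg.sender.code.length == 0, "admin must not carry code");
        (bool ok, ) = fuse.delegatecall(abi.encodeWithSelector(IFuse.exit.selector, data));
        require(ok, "fuse failed");
    }
}
```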
While on-chain data shows about $267,000 was drained initially, IPOR later confirmed total losses of around $336,000 USDC. The team is working with security firms, including Security Alliance, to trace and recover the funds. Affected users will be reimbursed from the DAO treasury, and no other Fusion vaults were impacted.
Industry context and regulatory response
Using privacy tools like Tornado Cash to move stolen crypto is not new. In 2025, the 10 largest hacks saw roughly $2.2 billion in losses, with several involving mixers, according to data from PeckShield.
A recent example involved a compromised multisig wallet. The attacker stole $27.3 million, withdrew 1,000 ETH ($3.24 million) from Aave, and laundered it through Tornado Cash. So far, they have deposited 6,300 ETH ($19.4 million) and hold a leveraged position of $20.5 million in ETH.
Regulators are taking notice. In South Korea, authorities are proposing bank-level liability rules for exchanges after a $32 million hack at Upbit. Exchanges may be required to compensate users for losses, and fines for hacked platforms could reach 10% of losses.
Lessons for DeFi users
The PlasmaVault hack shows that attackers are now targeting flaws in the smart contract code itself rather than individual user accounts. Small bugs in code can lead to significant losses, and moving funds across chains and through tools such as Tornado Cash makes the money trail hard to follow.
For everyday DeFi users, the case serves as a reminder to take security alerts seriously and remain cautious around new features and upgrades. Unusual on-chain activity can often be the first warning sign.
