Aftermath Finance, the fully on-chain perpetual futures exchange on the Sui blockchain, has confirmed it was exploited for approximately $1.14 million after attackers identified a vulnerability that allowed negative builder code fees to be set on its perps protocol — a misconfiguration the team described bluntly as “wrongly” permitted in the contract logic.
The disclosure came in a series of X posts late Tuesday from the Aftermath team and co-founder airtx, who said the team is currently in a “war room” with on-chain security firm Blockaid working on recovery. The protocol’s perps trading has been paused; spot trading, the cross-protocol smart router, the afSUI liquid staking derivative, and Aftermath’s AMM pools remain operational and unaffected.
What Was Exploited
The attack vector centered on builder code fees—a mechanism on Aftermath Perps that rebates a portion of trading fees back to integrating front-ends or order-routing services. The contract logic, by Aftermath’s own admission, “allowed negative builder code fees” to be set, meaning a value below zero could be configured.
A negative fee is, in effect, a payout from the protocol to whoever sets it—turning what should be a discount mechanism into an extraction vector. The attacker exploited this to drain approximately $1.14 million from the perps market before the team paused the protocol.
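The missing sign check behind this class of bug, shown as an added Rust example that is not Aftermath's contract code. It assumes a simplified model in which a fee is a signed basis-point rate applied to notional; the ledger, the names and the 100 bps cap are all hypothetical.

```rust
// Added illustration: a simplified fee model, not Aftermath's contract code.
// The basis-point unit, the cap and every name here are assumptions.
use std::convert::TryFrom;

const BPS: i128 = 10_000;
const MAX_FEE_BPS: i64 = 100; // hypothetical upper bound on a builder fee

#[derive(Debug, Default, PartialEq)]
pub struct Ledger { pub payer: i128, pub fee_pool: i128 }

#[derive(Debug, PartialEq)]
pub enum FeeError { Negative, AboveCap, Overflow }

/// Weak form: the rate is a signed number and nothing checks its sign, so a
/// value below zero makes `charge` negative and the pool pays the payer.
pub fn settle_unchecked(l: &mut Ledger, notional: i128, rate_bps: i64) {
    let charge = notional * rate_bps as i128 / BPS;
    l.payer -= charge;
    l.fee_pool += charge;
}

/// A rate that can only be constructed through validation (0 to MAX_FEE_BPS).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct FeeBps(u16);

impl TryFrom<i64> for FeeBps {
    type Error = FeeError;
    fn try_from(raw: i64) -> Result<Self, FeeError> {
        if raw < 0 { return Err(FeeError::Negative); }
        if raw > MAX_FEE_BPS { return Err(FeeError::AboveCap); }
        Ok(FeeBps(raw as u16))
    }
}

/// Hardened form: validated rate and checked arithmetic. Both factors are
/// unsigned, so `charge` cannot be negative and the pool can only grow.
pub fn settle_checked(l: &mut Ledger, notional: u64, rate: FeeBps) -> Result<(), FeeError> {
    let charge = (notional as i128).checked_mul(rate.0 as i128).ok_or(FeeError::Overflow)? / BPS;
    l.fee_pool = l.fee_pool.checked_add(charge).ok_or(FeeError::Overflow)?;
    l.payer -= charge;
    Ok(())
}

fn main() {
    let mut l = Ledger::default();
    settle_unchecked(&mut l, 1_000_000, -100); // constructed input
    println!("unchecked: {:?}; checked setter: {:?}", l, FeeBps::try_from(-100i64));
}
```

Rejecting the value where it is set, and again making it unrepresentable where it is used, means a single missed check does not turn a fee into a payout.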
In its statements, Aftermath was direct about scope:
- “ONLY PERPS WAS EXPLOITED.”
- “All our other packages/products remain safe.”
- “The only vulnerability its our perps protocol which allowed negative builder code fees to be set.”
The Sui wallet address associated with the attacker—0x1a65086c85114c1a3f8dc74140115c6e18438d48d33a21fd112311561112d41e—is being tracked publicly via Suivision, the Sui block explorer, and the team has now shifted from containment to recovery.
Aftermath’s Architecture and Why This Matters
Aftermath Perps is one of Sui’s flagship DeFi products, known for being the only major perpetuals exchange on the chain that runs a fully on-chain central limit order book (CLOB). Per Aftermath’s documentation, every order, cancellation, trade, and liquidation executes transparently on Sui’s validators—a design choice the team has marketed against the hybrid off-chain matching model used by competitors like Bluefin.
That fully on-chain approach was made possible by Sui’s parallel execution model, low latency, and storage rebates—and Aftermath co-founder airtx has previously argued the design unlocks “thicker books” because anyone can permissionlessly access the order book.
The architectural distinction matters here because the exploit was not a failure of the on-chain matching engine, the order book design, or Sui’s underlying consensus. It was a misconfiguration in fee logic — the kind of bug that can affect any protocol regardless of how its core engine is designed.
Blockaid in the Loop
The involvement of Blockaid—the on-chain security platform trusted by MetaMask, Coinbase, and other major wallets for real-time fraud detection—is notable. Blockaid was active in the same week, issuing a separate ongoing-exploit warning for ZetaChain’s GatewayEVM contract, urging users to revoke approvals immediately.
For Aftermath, Blockaid’s role is post-incident: helping with attack-vector analysis, attacker-wallet tracing, and recovery coordination. The firm has not yet issued a public statement on the Aftermath incident.
A Brutal Month for Sui DeFi
The Aftermath exploit lands in what is shaping up to be a punishing stretch for Sui-native DeFi. Earlier in April, Volo lost roughly $3.5 million in a vault exploit (with about 60% recovered), and just two days ago, Scallop — Sui’s leading lending protocol — disclosed a $142,000 flash loan exploit on a deprecated sSUI rewards contract.
Across the broader DeFi sector, April 2026 has already seen more than $606 million in losses, making it one of the worst months on record for crypto exploits since February 2025. Kelp DAO’s $292 million rsETH exploit is the largest, followed by Drift Protocol’s $285 million social engineering attack and exploits across Mantra Chain, Lista DAO, and others.
Sui’s ecosystem has been a particular target: between Cetus Protocol’s $223 million hack last May, Volo, Scallop, and now Aftermath, the chain has accumulated an uncomfortable concentration of exploit headlines despite its Move language safety guarantees and parallel execution model. As one analyst observed after Scallop, “Audited does not mean safe.”
