Key Highlights
- ShapeShift’s FOX Colony lost around $132.7K in USDC and FOX tokens in an Arbitrum exploit.
- Blockaid linked the attack to a vulnerability in the executeMetaTransaction function.
- Other Colony Network deployments using the same architecture may also be vulnerable.
ShapeShift’s FOX Colony, a community initiative for FOX token holders, was exploited on Arbitrum, resulting in the loss of around $132.7K in USDC and FOX tokens.
The incident was flagged by blockchain security firm Blockaid today, triggering a community alert. According to an X post by Blockaid, the attacker managed to drain funds from the Colony’s smart contracts on Arbitrum. The stolen assets mainly consisted of USDC stablecoins and FOX governance tokens.
Such exploits typically stem from smart contract vulnerabilities, compromised keys, or sophisticated phishing that escapes standard security measures.
Root cause of the exploit
According to Blockaid’s analysis, the vulnerability stems from a flaw in how Colony’s executeMetaTransaction function interacts with self-calls: calls routed through the contract in which msg.sender equals the contract’s own address are automatically trusted.
The attacker abused this by signing a meta-transaction aimed at the colony itself, repointing the colony’s resolver to a malicious contract, and then using a delegatecall to drain the funds. Blockaid warned that every Colony Network colony exposing executeMetaTransaction on top of EtherRouter, on any chain, is potentially vulnerable to the same attack vector.
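As an added illustration (not Colony Network or EtherRouter code; every contract and function name in it is invented for the example), the following simplified Solidity contract shows the self-call trust pattern Blockaid describes beside one way to close it: attribute a relayed self-call to the verified meta-transaction signer instead of trusting address(this).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only; not Colony Network code. The vulnerable and
// hardened setters are shown side by side for contrast; a real contract would
// keep only the hardened one.
contract MetaTxSelfCallExample {
    address public owner;
    address public resolver;
    mapping(address => uint256) public nonces;
    address private _metaSigner; // signer of the meta-transaction being executed

    constructor() { owner = msg.sender; }

    // VULNERABLE pattern: a call arriving from the contract itself is trusted as
    // if it came from the owner. A signed meta-transaction whose target is this
    // very contract reaches this function with msg.sender == address(this).
    function setResolverVulnerable(address newResolver) external {
        require(msg.sender == owner || msg.sender == address(this), "unauthorized");
        resolver = newResolver;
    }

    // HARDENED pattern: authorize the real actor. For a self-call made by
    // executeMetaTransaction the actor is the verified signer, not the contract.
    function _actor() internal view returns (address) {
        return msg.sender == address(this) ? _metaSigner : msg.sender;
    }

    function setResolver(address newResolver) external {
        require(_actor() == owner, "unauthorized");
        resolver = newResolver;
    }

    // Relays a signed call to `target`. The signature covers the signer's nonce,
    // this contract, the target and the calldata, so it cannot be replayed.
    function executeMetaTransaction(
        address signer, address target, bytes calldata data, uint8 v, bytes32 r, bytes32 s
    ) external returns (bytes memory) {
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(nonces[signer]++, address(this), target, keccak256(data)))
        ));
        require(signer != address(0) && ecrecover(digest, v, r, s) == signer, "bad signature");
        _metaSigner = signer;                 // attribute any resulting self-call
        (bool ok, bytes memory ret) = target.call(data);
        _metaSigner = address(0);
        require(ok, "meta-tx failed");
        return ret;
    }
}
```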
FOX Colony is ShapeShift’s community governance and participation program, permitting FOX token holders to stake, vote, and engage in ecosystem activities. The exploit targeted one of these colony contracts on Arbitrum.
The exploiter’s address associated with the primary drain is 0xeed236Afb6967f74099a0a6bf078BC6b865fbf28. As per the reports, another related exploit on similar instances withdrew an additional $50k soon after.
As of now, ShapeShift hasn’t released any official statement regarding recovery plans, compensation for affected users, or immediate mitigation steps. The core ShapeShift exchange platform is still operational, but confidence in the Colony program may be affected.
Arbitrum network vulnerability
Another DeFi protocol on the Arbitrum network, named Aurellion Labs, was compromised yesterday. Aurellion Labs faced a hacker attack worth about $455,003 USDC, as revealed by blockchain security company SlowMist.
The hack occurred when the attacker, using the address 0x9f4…d5ca, exploited the unprotected initialize(address) function of the SafeOwnable facet in the protocol’s diamond proxy contract.
Because the storage slot holding the _initialized variable was never updated, the attacker was able to reinitialize the contract, take ownership, and inject malicious code through the diamondCut functionality, which was then used to drain approved USDC from several victim wallets.
Users advised to keep themselves updated
Users of Colony projects are advised not to interact with any suspicious contracts, to revoke approvals where necessary, and to follow official communications regarding their safety.
Despite being relatively small compared to some recent incidents, this exploit, worth $132,700, is another demonstration of the ongoing security threats associated with smart contracts. In the meantime, the incident underlines the importance of auditing systems for possible exploits and vulnerabilities.
The response of the project team to this exploit will be under careful observation by the entire Arbitrum and ShapeShift communities.