Joined October 2025
Onchain monitoring and incident response is crucial for DeFi
Since 2022 we have been working on defimon.xyz to detect DeFi exploits by analyzing transactions in real-time. There is a constant stream of DeFi exploits that are barely noticed.
You can get access to these instant alerts by subscribing to the exploits feed for just 50$/mo. For protocol teams we offer a Websocket subscription to act on the alerts automatically.
Native Telegram subscription: t.me/ m9BMRKlMuW5iMGFi
Tribute mini-app: t.me/tribute/app?startapp=sC…
Contact: t.me/DecurityHQ
💬 Onchain Message: [HTX HACK BINANCE KYC — FULL DOSSIER] 1,366,796 ETH stablecoins via Binance 7. 14,603 deposits to 0x28c6c06298d514db089934071355e5743bf21d60. Funded by HTX 48 (Huobi KYC) Bitfinex (KYC). HTX Hack link: 0x2abc22eb -> 0xdb1d74 -> YOU. Owner 0xace2b3: TokenApprove OKX Settlement 12 solvers 8 DexRouters. renounceOwnership on 4 DexRouters = evidence destruction. Victim 0xe8736: .3M stolen, PK compromised, drain active. Dossier ready for: security@binance.com lawenforcement@binance.com FBI IC3 Europol EC3 OKX Compliance 5,000,000 USDT -> 0x48c76A94db182dC141fbdc8794A744e3824E7D9f 24h. No negotiation. 0.9% of your volume. Keep 99.1%. After payment: silence forever. Dossier destroyed. etherscan.io/tx/0xc0fc81ad8d…
ℹ️ We've launched a WebSockets subscription to the onchain attack alerts. DeFi teams can wire our streams into their agents for an automatic incident response:
`/ws/attacks` - a raw stream of zero-delay alerts with minimal false positives
`/ws/confirmed_attacks` - LLM reviewed alerts with confirmed attacks
Docs: defimon.xyz/docs/websocket_a…
Get access: @DecurityHQ
🚨 NovaBox (NovaChain) - Loss ~$107K (2026-06-09)
Token: $NOVA @ $0.00012 (illiquid, untradeable)
MC: ~$0
Type: Logic Error (dividend snapshot exploit)
NovaBox is a NOVA/ETH "investment" dividend pool. Vulnerability is in `addToList`: when a new account is added to the dividend list, `last4EthDivPoints[sender]` is never initialized, so the new participant can immediately claim against the full historical `total4EthDivPoints`. Attacker flash-loaned 427.5 WETH from Aave, called `depositTokens` with a dust 0.001 NOVA allowance (which sets last*DivPoints baseline but does NOT add to list because contributionsEth=0), then sent 427.5 ETH via the fallback (which distributes 4% to ETH investors lifting total4EthDivPoints, THEN sets contributionsEth=380.475 ETH and calls addToList). On `withdrawEth(380.475 ETH)`, `updateAccount` paid out 145.82 ETH of accumulated dividends to the attacker plus the 89% principal. Net ~56.7 ETH (~$93K) profit after repaying the flashloan.
Vulnerable funcs: Contract.sol L242-253 (addToList), L272-318 (fallback), L321-349 (withdrawEth).
TX: etherscan.io/tx/0x0cfa357e9e…
Victim: etherscan.io/address/0xbc419…
Token: etherscan.io/address/0x72fbc…
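The missing-baseline flaw described in the NovaBox alert above, as a simplified Python model of dividend-points accounting (an added example, not the contract's code and not from the alert's author). `DividendPool`, `scenario` and the deposit amounts are constructed; only the 4% investor share and the `addToList` / `last4EthDivPoints` / `total4EthDivPoints` names come from the alert.

```python
SCALE = 10**18      # fixed-point scale for dividend points
FEE_BPS = 400       # 4% of each deposit is shared with existing investors
ETH = 10**18
class DividendPool:  # simplified model, not the NovaBox contract
    def __init__(self, snapshot_on_join):
        self.snapshot_on_join = snapshot_on_join  # False models the missing init
        self.total_contrib = 0
        self.total_eth_div_points = 0   # cumulative dividends per wei contributed
        self.distributed = 0            # fees actually shared out so far
        self.contrib = {}
        self.last_eth_div_points = {}   # per-account baseline of the total
        self.credited = {}              # dividends already settled per account

    def owed(self, account):
        delta = self.total_eth_div_points - self.last_eth_div_points.get(account, 0)
        return self.contrib.get(account, 0) * delta // SCALE

    def update_account(self, account):
        # Settle what has accrued, then move the baseline forward.
        self.credited[account] = self.credited.get(account, 0) + self.owed(account)
        self.last_eth_div_points[account] = self.total_eth_div_points

    def add_to_list(self, account):
        if self.snapshot_on_join:
            # Fix: a newcomer starts at the current total, so history is excluded.
            self.last_eth_div_points[account] = self.total_eth_div_points

    def deposit(self, account, amount):
        fee = amount * FEE_BPS // 10_000
        if self.total_contrib:
            self.total_eth_div_points += fee * SCALE // self.total_contrib
            self.distributed += fee
        if account in self.contrib:
            self.update_account(account)
        else:
            self.add_to_list(account)
        self.contrib[account] = self.contrib.get(account, 0) + amount - fee
        self.total_contrib += amount - fee

def scenario(snapshot_on_join):
    pool = DividendPool(snapshot_on_join)
    for name, amount in [("alice", 100), ("bob", 100), ("late", 400)]:  # constructed
        pool.deposit(name, amount * ETH)
    total_owed = sum(pool.owed(a) for a in pool.contrib)
    return pool.owed("late"), total_owed, pool.distributed

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, [v / ETH for v in scenario(fixed)])
```

The invariant to test for in any contract using this pattern is that the sum of all claimable dividends never exceeds the amount actually distributed; the unfixed variant breaks it as soon as an account joins after dividends have accrued.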
🚨 Token of Power (Aragon DAO) — Loss ~$1.58M (2026-06-09)
Token: $TOP @ no public price (DAO token, illiquid post-dump)
MC: n/a (totalSupply now ~1e28 TOP after malicious mint, BPool pair is the only venue and is drained)
Victim pool: Balancer BPool TOP/WETH (≈944 WETH ≈ $1.58M extracted)
Type: Governance Takeover / Unauthorized Mint Inflation (Aragon DAO)
The attacker (0xff8e…9fa2) used an exploit contract (0x25c6…9a21) calling drain() which forwarded an EVMScript through Aragon's TokenManager.forward() → Voting.newVote() and voted yes with executesIfDecided=true, auto-executing the script in the same tx. The executed script called TokenManager.mint() → MiniMeToken.generateTokens(receiver, 1e28 TOP) on the "Token of Power" DAO (0x0ebd…edb6), then dumped the freshly minted supply in 37× BPool.swapExactAmountIn() loops against the Balancer TOP/WETH pool (0x0fa3…7329), siphoning 944.24 WETH.
Root cause: voting power / ACL on CREATE_VOTES MINT_ROLE was lopsided enough that a single voter could pass and execute a mint vote in one block (classic Aragon governance-mint inflation attack).
TX: etherscan.io/tx/0x967aa34c69…
Victim (Balancer pool): etherscan.io/address/0x0fa3e…
TOP token: etherscan.io/address/0x0ebd5…
Aragon Kernel: etherscan.io/address/0xbf478…

🚨 Ambient.finance (CrocSwapDex) - Loss ~$110K (2026-06-07)
Type: Logic Error / Accounting bug (surplus collateral)
Attacker took a Balancer flash loan (50 WETH 1 USDC), then repeatedly cycled userCmd calls through CrocSwapDex routing 14 times into HotProxy swaps (cmd 1) and WarmPath LP mint/burn (cmd 2) on the USDC/ETH pool, abusing the surplus-collateral accounting (DEPOSIT_SURPLUS 0x49 / DISBURSE_SURPLUS 0x4a in ColdPath). The final ColdPath disburseSurplus withdrew 83.72 ETH from the dex; combined with extracted USDC, the attacker walked away with ~33.7 ETH (~$55K net after bribing the half to Titan Builder).
TX: etherscan.io/tx/0xb2fc668c42…
Victim: etherscan.io/address/0xaaaaa…
💎 t.me/send?start=SBRXqBWSqaOv…
💬 Onchain Message: URGENT SECURITY ALERT: Your proxy contract appears to be poisoned by a suspicious upgrade/controller contract. Proxy: 0x5eF850919739772622ae6968C9d05fCBD326BD12 Suspicious contract: 0xb648Ef46F790e17533a126E2469C70f7e729eD4f Evidence tx: 0x3ee3515c8bd758cdaad206f63f4f5d0da571f5f0308eb8d66cd722c6d17fd441 Risk: The controller may upgrade implementation, overwrite storage, delegatecall arbitrary logic, or drain assets. Suggested action: Pause immediately, revoke permissions, inspect implementation/admin slots, migrate funds, and rotate ownership/admin keys. bscscan.com/tx/0x45299bffcb6…
💬 Onchain Message: AML Crypto is tracking these funds. Return 90% to the original sender and keep 10% as a white-hat reward. Contact investigations@amlcrypto.io. etherscan.io/tx/0x0d364ecff7…
🚨 BYToken (BY) - Loss ~$84K (2026-06-04)
Token: $BY @ $0.01375
MC: n/a
Type: Logic Error (auto-burn shrinks AMM reserve)
BYToken implements an _autoBurn (BYToken.sol:168) that periodically calls _burn(pool, remaining) followed by IUniswapV2Pair(pool).sync(). Over time this drained the PancakeSwap BY/WBNB pair's BY reserve down to ~1 wei while WBNB reserve remained ~77,000 WBNB, leaving the pool with a wildly skewed x*y=k state. The attacker flash-borrowed 422,497 WBNB from Moolah, swapped 1-wei BY → WBNB repeatedly via Pancake router — each tiny input drained ~half of the remaining WBNB (since reserve0≈1) — then dumped the accumulated BY back to clear the pool. Net profit ~146.6 BNB (~$84K), with ~7 BNB tipped to the builder.
TX: bscscan.com/tx/0xe31c681eee7…
Victim: bscscan.com/address/0x1f358e… (PancakeSwap BY/WBNB pair)
Token: bscscan.com/address/0x6f50cf…
💬 Onchain Message: Due to a bug, our bot accidentally tipped ~167 ETH. Txs: 0x5d60df0d8638a7fc0750764ac8580a290c0d8b554eed08993a6b967d62dcac79; 0x9c0b875f93e3d7ad055f48fe605713fa5e29eff12da54aef422022e1d5a7f6a4; Builder tx: 0xb7a54e71e4b7cde14ba080fda140dc3655e7defa9f2b555c9cec7eabea2cb90d; Would you be open to keeping a % as a bounty and returning the rest? Please contact us in tg: @no_peace_duck etherscan.io/tx/0x6ac8e46f40…
💬 Onchain Message: Hi - 324 ETH redeemable via Opyn v2 Controller (0x4ccc2339f87f6c59c6893e1a678c2266ca58dc72). You hold oWETHUSDC/WETH-22JUL22-1400C oTokens. Call operate(Redeem,...) - URGENT, pool only has ~379 ETH and others draining. Verify forgotteneth.com. -researcher etherscan.io/tx/0xbc90c19937…
Defimon Alerts retweeted
We warned about @dxsale rug pull risk 3 years ago: blog.decurity.io/dx-protocol…
A 2021 @dxsale locker, an unprotected admin key, $7.3 million gone. @DecurityHQ flagged the risk in 2023 for $500. Two compromised contracts holding $15.5 million remain untouched, for now. rekt.news/dxsale-rekt
💬 Onchain Message: CRITICAL ALERT: THESIS TOKEN (THESIS) - VULNERABILITY ID #THESIS-PERMIT2-REENTRANCY. PERMIT_2 infinite allowance override allows total liquidity drain via reentrancy in _update() hook. PoC compiled - 11th vulnerable DERC20 template deployment confirmed - identical vulnerability across all deployments (DEAL, HALO, SHH, BRAIN, ZER0, BASEMATE, HERMES SYNTH, MEMORIDE, PROTEAN, SIGNAAGENT, THESIS). Send 58.00 XMR to 82subHXjv8pK2SStUkoyc9iEodJMAh12yMQiEnap6JmQYA1C5TFXM5rhFgbARgThJEdHpV9oqh2PJaTezy5xjSTcKYfgGyh or mass exploit execution across all eleven pools public disclosure of all vulnerable contracts. Contact Session: 05351c54f3a444ab0f0f938f9291dce60b51086d077498efb5f8b79e6e714c3010 basescan.org/tx/0xd208586c16…
💬 Onchain Message: This message is directed at the individual responsible for the recent vsdCRV exploit. Law enforcement and on-chain tracking firms are involved in this matter, and significant identification data have been gathered. Stake DAO Association offers you the opportunity to return 35.021 ETH to 0x5DA07af8913A4EAf09E5F569c20138b658906c17 on Ethereum, and keep the remainder as a 20% white-hat bounty. At reception of the funds, Stake DAO Association will drop civil charges and pursuits. This offer is valid for 72 hours (until June 4th 2026, 5:00:00 PM UTC). Should you want to reach out, you can do it via Blockscan Chat to this address, which natively verifies wallet ownership. etherscan.io/tx/0xccdfaf6b8c…
💬 Onchain Message: Hi, Could we discuss the return of funds and the associated bounty through Blockscan Chat? Alternatively, you can contact us at security@afiprotocol.xyz, and we'll be happy to continue the conversation there. etherscan.io/tx/0x16052b4018…
💬 Onchain Message: To the individual responsible for the Alephium bridge exploit: We are prepared to treat this incident as a white hat disclosure under the following terms: 1. Return 90% of the drained assets to: 0x238640C0F74A95485e986Fa26D434fF7B216D058 within 72 hours of this message. 2. You may retain 10% of the returned assets as a white hat bounty. Upon receipt of the 90%, Alephium will consider the matter resolved and will publicly acknowledge your cooperation. Contact bridge-exploit@alephium.org with a message signed by one of the addresses involved in the exploit for further communication. We would prefer to resolve this matter quickly and cooperatively for the benefit of affected users. Alephium Team etherscan.io/tx/0xdcc8f9c9fe…
🚨 LegendaryMoneyMon (MON) - Loss ~$85.5K (2026-05-28)
Token: $MON (Moneymon) — swapped out to USDT
MC: micro-cap (500K MON total supply, illiquid PancakeV3 pool)
Type: Broken Signature Verification / Uninitialized Admin
LegendaryMoneyMonNft.cliamRewred() relies on verify() which checks recoverSigner(...) == admin. The contract's admin is set to address(0), so ecrecover returning 0 on any malformed signature passes the check. Attacker called cliamRewred with a junk signature (v=27, r=s=0), drained 24,306 MON from the NFT reward contract, and swapped them via PancakeV3 SwapRouter for ~85,519 USDT.
TX: bscscan.com/tx/0x15c835c0706…
Victim: bscscan.com/address/0x92d606…
Token: bscscan.com/address/0xa1c1a7…
💬 Onchain Message: We have detected movement of funds from your Bitcoin wallet. Contact us at telegram @trustedvolumes, email tvbugbounty@proton.me and return the rest of the funds to 0xb6F28eD0f919A12822fE78F6d610e5e09A6Fe450 etherscan.io/tx/0xcb1223b2ca…