### 🚨 TWEET 1 (THE DISCLOSURE) URGENT: ON-CHAIN FORENSIC DISCLOSURE regarding @Hydration_Net I am releasing a fully documented, evidence-backed forensic analysis regarding the $8.3M anomaly. This is not speculation. This is not a theory. All my findings are supported by: * On-chain events * Exact block numbers * SQL query results (Internal Audit) * Verifiable execution traces What I document here is ROOT-LEVEL PRIVILEGED EXECUTION resulting in value extraction. Not an external hack. Forensic breakdown follows 👇 @zachxbt @coffeebreak_YT

TWEET 7/7 — KYC BREAKPOINT Anonymity collapses at the exit. Coordinator & funding wallet exposed: 0x30C9223D9e3d23E0aF1073A38e0834B055bf68ed • Historically funded from Poloniex main vaults (KYC-enforced CEX) • Also linked to BtcTurk:Deprecated funding Identity, IP & withdrawal records exist. This connects the full chain: - 0x0802 runtime tunnel bypasses governance - Intentional invisibility via empty batch/router logs - Repeating operator callers (controlled execution) - Non-economic block-level value shifts - Laundering layer (forward contracts selfdestruct) - Moonbeam & Mayan exits No longer DeFi speculation. Traceable real-world individual. CC: @Poloniex @BtcTurk @HTX_Global @Immunefi @zachxbt This is deterministic on-chain evidence. Not FUD. #HydrationPapers #DeFiSecurity

TWEET 6/7 — LAUNDERING LAYER Observed laundering patterns: - Forward-only contracts using GOLD-style logic (0xb59f313dCf8C8107AdFfEAbD0c041C896C64dfCA) - destination.transfer(msg.value); - Repeated initialize calls rotating destinations - Final SELFDESTRUCT using 0xFF Observed exit routes: - Moonbeam - Mayan Swift Purpose: - Break transaction continuity - Destroy on-chain context - Obfuscate the custody chain This is textbook financial layering. CC: @MoonbeamNetwork @MayanFinance @PeckShieldAlert @CertiK

TWEET 5/7 — OPERATOR SIGNATURE 0802 usage is highly concentrated. Top callers from precompile_0802_bot_signature: - 0x1b02e051683b5cfac5929c25e84adb26ecf87b38 — 6680 calls - 0x02639ec01313c8775fae74f2dad1118c8a8a86da — 5834 calls - 0x7472a3d0891df2401d981a5954d07e364f05060f — 2270 calls - 0x531a654d1696ed52e7275a8cede955e82620f99a — 994 calls Random users do not produce this distribution. This is operator infrastructure. CC: @BlockChain_CK @Polkadot @zachxbt

TWEET 4/7 — BLOCK-LEVEL VALUE SHIFT From aggregation query: precompile_0802_block_balance Example block: Block 11237078 Value 326283508026443400 At this block: - No swap event - No borrow event - No oracle update - No mint event This value appears only inside 0802 traces. Accounting state changed without economic action. This is not trading. This is not DeFi. This is state relocation. CC: @coffeebreak_YT @Polkadot @chainalysis

TWEET 3/7 — THE HIDDEN TUNNEL The extraction mechanism is a runtime precompiled contract: 0x0000000000000000000000000000000000000802 Detection method used in logs: WHERE args::text ILIKE ‘02%’ Live results captured minutes before execution: 11240414 11240085 11240078 11239350 11239087 Critical facts: - Not visible in Utility.batch_all - Not visible in router swap events - Only visible at runtime log level This is why batch and router density queries return empty. The tunnel bypasses them entirely. CC: @PeckShieldAlert @Polkadot @CertiK

TWEET 2/7 — FUND ORIGIN Funds are not initiated by users. Top callers interacting with the critical path: - 0x531a654d1696ed52e7275a8cede955e82620f99a - 0x1b02e051683b5cfac5929c25e84adb26ecf87b38 - 0x00f283c7a97ecb60dd905cdab52febceec04dc0f These addresses are runtime-level system modules, not EOAs. This alone disproves the narratives of salaries, normal operations, or user-driven flows. The system is moving system funds. CC: @Web3foundation @Polkadot @PeckShieldAlert

⌛️ TWEET 1/7 — SCOPE & CLAIM THE HYDRATION PAPERS — A SYSTEM-LEVEL FORENSIC DISCLOSURE This is not a bug. This is not market volatility. This is not user behavior. This thread documents a deterministic, system-level value extraction architecture operating inside Hydration. Using raw on-chain logs, SQL aggregation, and runtime traces, I will prove: - A hidden runtime tunnel: 0x0000000000000000000000000000000000000802 - System modules acting as operators - Block-level value relocation without swaps - Router and batch invisibility by design - Cross-chain exits via Moonbeam and Mayan - A KYC-bound Poloniex-funded coordinator wallet Everything below is verifiable on-chain. CC: @Web3foundation @Polkadot @PolkadotGov @immunefi

THE EVIDENCE THEY TRIED TO BURY: REPORT ID 64277 I played by the rules. I followed responsible disclosure. I gave them every chance to fix it. THE TRUTH: * REPORT ID 64277: A CRITICAL vulnerability allowing INFINITE MINTING and 100% TVL RISK was formally reported. THE BACKDOOR: I proved the use of a privileged system precompile (0x...0802) running in Dev-Mode on Mainnet. THE RESPONSE: Hydration dismissed a total collapse risk as "EXPECTED BEHAVIOR" and closed the report without a reward. THE SILENCE: Despite the escalation and proof of on-chain finality, the mediation remains a wall of silence. How is a backdoor that bypasses all governance and puts millions at risk "expected"? Transparency is the only security. The community deserves to know the internal mechanics of this "inside job." @Immunefi @Polkadot & @MoonbeamNetwork @ZachXBT @giottodefilippi @BillLaboon @giottodf

🚨 UPDATE: PANIC MODE ACTIVATED. MINUTES AFTER OUR EXPOSURE, 3 EMERGENCY REFERENDA (266-267-268) WERE LAUNCHED. THE GOAL: 1. Authorize OTC Sales (Ref 267) 2. Register EURC for Exit Liquidity (Ref 268) THE EVIDENCE: The EXACT SAME 3 wallets (Whale 0x2621... & Bots 0x7617...) are instantly approving ALL proposals. See the logs: They vote on Ref 267 and 268 within seconds of each other. This is not governance. This is a rubber-stamp operation to clear the exit path before the public wakes up. #Hydration #Polkadot #ExitScam #DeFiSecurity @zachxbt

HYDRATION PAPERS&MOONBEAMBRİG TWEET 2: THE DESTINATION 🚨 DATA MATCH CONFIRMED: THE DESTINATION. FORENSIC ANALYSIS OF THE LOGS HAS DECODED THE HARD-CODED DESTINATION ADDRESS. RAW HEX DATA: 0x6d6f646C70792f7472737279... DECODED STRING: = modlpy/trsry (MODULE POLKADOT TREASURY -> MOONBEAM) VERIFICATION: Cross-referencing Subscan and Moonscan data confirms this address is the native Moonbeam Treasury interface. CONCLUSION: The funds are being systematically bridged out of the chain to the Moonbeam ecosystem via this hidden interface. The evidence is immutable. #Moonbeam #Polkadot #CryptoSecurity #TheShadowResearcher

HYDRATION PAPERS&MOONBEAMBRİG TWEET 1: THE LIVE SIPHON 🚨 LIVE ON-CHAIN ANOMALY DETECTED. BLOCKS 11,222,549 REVEAL AN UNDISCLOSED AUTOMATED FUND FLOW. WE HAVE INTERCEPTED A HIGH-FREQUENCY EXTRACTION LOOP ACTIVE RIGHT NOW: THE FLOW: 1. SOURCE: modlcurreser (System Currency Module) injects funds into a generic INTERMEDIARY wallet (0xecC1...). 2. MECHANISM: The Intermediary immediately executes Utility.batch_all to split funds between: A) Router Liquidity Injection B) Cross-Chain Exit Vectors This is not a standard treasury operation. This is an automated extraction mechanism utilizing intermediary mules to obfuscate the source. #Polkadot #Hydration #OnChainForensics #DeFiSecurity

I had a hunch 8 months ago, when they where asking the treasury for 5 million dots, and all the community approved that… (permanence DAO didn’t) you know who uses hydration… the community of bots and a few people, that ask went into their pockets, we did dig and found some anomalies, we got grifted from within. Nexus DAO, along with most DAOs voted Aye, they all came from same original DAO, CD. total collusion, also few members control the votes. Some people is blind, also the voting weight they have probably came from some of those funds, seems hydration delegated their voting power to that dao, so they could pump and vote for their proposal… quite rotten. I don’t trust anyone from that DAO, or hydration either.

THREAD (3/3) FINAL VERDICT: HYDRATION DOCS. I PROVED: 1. COORDINATED BOT ARMIES. 2. POISONED ORACLES. 3. GHOST WALLET PUMPING OMNIPOOL. 4. A $4 MILLION DOT STASH WAITING IN A SHADY CONTRACT. THIS IS NOT DEFI. THIS IS THE SYSTEMATIC DRAINING OF COMMUNITY ASSETS. THE EVIDENCE IS UNCHANGING. THE INVESTIGATION IS COMPLETE. THE HYDRATION FILE IS CLOSED FOR ME, COMPILED AND THROWN AT YOUR FEET. KEEP SLEEPING. EVERY MINUTE THAT PASSES WITHOUT A RESPONSE FROM EVERY INSTITUTION TAGGED IN MY CHAIN-BASED INVESTIGATION MEANS THEY ARE ALSO COMPLICIT. EITHER YOU ACT TODAY, OR YOU CONTINUE TO HOLD THE ENTIRE ECOSYSTEM RESPONSIBLE. INVESTIGATIVE DISCLOSURE BY: The_Shadow_Researcher SUPPORT THE TRUTH: 0x972a06dF7E5b1Ebf9F9c3Eea429EE677F3f14d0d CC: @Polkadot @Hydration_Net @ZachXBT @PolkadotGov @Giottodf @peckshield @CertiK @MoonbeamNetwork @TheBlock__ @CoinDesk

THREAD (2/3) THE MECHANISM: OMNIPOOL DRAIN. THE ASSETS MOVE FROM mdlrouter DIRECTLY INTO modlomnipool. THIS CREATES A "LIQUIDITY ILLUSION," ARTIFICIALLY SHIFTING POOL RATIOS. THE RESULT? A SUBSIDIARY CONTRACT (0x0263...) HAS ACCUMULATED OVER 2.4 MILLION DOT (~$3.8M) THROUGH THIS MANIPULATED PRICE IMPACT.

TWEET 1: THE GHOST RETURNS THREAD (1/3) THE GHOST WALLET IS ACTIVE. BLOCKS 11,211,145 REVEAL A LIVE LIQUIDITY EXTRACTION LOOP. THE "GHOST WALLET" (0xC5B7...) WE PREVIOUSLY IDENTIFIED IS CURRENTLY PUMPING ASSETS INTO THE SYSTEM ROUTER. THESE ARE NOT USER TRADES. THESE ARE SYSTEM-LEVEL TRANSFERS EXECUTED IN MINUTES.

THREAD (5/5) FINAL ASSESSMENT TIMELINE-CONSISTENT. ON-CHAIN VERIFIABLE. THIS IS NOT A BUG. THIS PATTERN SHOWS: 1. PRE-POSITIONED SHADOW FLEET (0xAa7e) 2. UNDOCUMENTED MINTING (0xf3ba) 3. REMOTE TRIGGER MECHANISM (ISMP) 4. VALUATION MANIPULATION ($1.22) ABSENT EXPLICIT GOVERNANCE APPROVAL AND PUBLIC DOCUMENTATION, THIS IS NOT DESIGN. IT IS EXTRACTION. THE EVIDENCE IS IMMUTABLE. #DeFiSecurity #OnChainForensics #Hydration #Polkadot CC: @Polkadot @Hydration_Net @ZachXBT @PolkadotGov @Giottodf @PeckShieldAlert

THREAD (4/5) THE VALUATION EXPANSION WHAT DID THE REMOTE TRIGGER DO? AT BLOCK #11,155,822, THE "ISMP TRIGGER" EXECUTED THE AaveManagerCallDispatched COMMAND. THE RESULT (SEE IMAGE): IT UPDATED THE SECOND SHADOW ORACLE (0x11c1...) INSTANTLY. • PREVIOUS STATE: ~$0.99 • NEW STATE: $1.22 (122564140) IMPACT: A 22% ARTIFICIAL INCREASE IN COLLATERAL VALUE IN A SINGLE BLOCK. THIS ALLOWS ATTACKERS TO BORROW MASSIVE REAL ASSETS AGAINST INFLATED, SYNTHETIC NUMBERS. THIS IS NOT A MARKET MOVE. THIS IS A CONTROLLED ECONOMIC LEVER. CC: @Polkadot @Hydration_Net @ZachXBT @PolkadotGov @Giottodf @peckshield @CertiK

THREAD (3/5) THE REMOTE TRIGGER (CROSS-CHAIN) 3 DAYS AGO (BLOCK #11,155,822), THE SYSTEM STATE WAS ALTERED. NOT VIA A USER TRANSACTION. NOT VIA A GOVERNANCE VOTE. BUT VIA A CROSS-CHAIN SYSTEM CALL (ISMP): IsmpParachain.update_parachain_consensus THE PROTOCOL WAS STEERED FROM OUTSIDE THE CHAIN. A "REMOTE CONTROL" MECHANISM WAS USED TO FORCE A STATE UPDATE. PERFECT DISGUISE. ZERO FOOTPRINT. CC: @Polkadot @Hydration_Net @ZachXBT @PolkadotGov @Giottodf @PeckShieldAlert