These are just words now. People have lost money and should just take your word for it? Please disclose all materials related to Ploutos in your possession, including but not limited to Ploutos' team information and contact details.
Statement on the Ploutos Money Incident
We’re aware of the recent exploit affecting Ploutos across multiple chains.
Public onchain data indicates that a configuration change to the protocol’s oracle was followed by rapid borrowing activity in the next block, with funds subsequently bridged to Ethereum mainnet. Attribution remains under investigation.
To clarify our role:
Our engagement with Ploutos was a targeted 1:1 codebase verification of their Aave v3.0.2 fork. The objective was to confirm that their contracts matched the audited Aave repository, without modifications.
That verification was completed successfully.
The engagement did not include deployment validation, oracle configuration review, governance parameter checks, or post-deployment changes. Those operational controls remained under the protocol’s administration.
The exploit appears to have been triggered by a configuration change introduced after deployment. Configuration management and governance controls are distinct from codebase equivalence and require separate validation.
This incident reinforces several broader lessons for the ecosystem:
• Oracle updates must be treated as high-impact infrastructure changes
• Governance transactions are observable and monitored in real time
• Cross-chain deployments increase blast radius when configuration drift occurs
• Timelocks, simulation checks, and runtime safeguards are essential for critical updates
We are reviewing the full onchain timeline and will share a structured technical analysis once complete.