On January 26, a security research organization disclosed that it had detected a series of suspicious on-chain transactions targeting contract instances deployed by two creators. The incident simultaneously affected multiple main chains, including Ethereum, Arbitrum, Base, and BSC, with total assets involved exceeding USD 17 million. The related transactions were completed within a short time frame and exhibited clear characteristics of automated execution.
Contract Characteristics and Risk Exposure
Based on publicly available information, the affected contracts had not open-sourced their code and were designed with broad privileged permissions. Analysis indicates that these contracts may have exposed an arbitrary-call function through which an external caller could, under specific conditions, make the contract execute calls outside its intended business logic. In the absence of adequate audits and transparency, such designs significantly amplify systemic risk.
Attack Path Analysis
Rather than exploiting traditional vulnerabilities or complex reentrancy logic, the attacker leveraged legacy Token Approvals that had been granted in the past. With the allowance already in place, the attacker called transferFrom to rapidly move out and drain the tokens held by the contracts. This process highlights the critical importance of approval lifecycle management and underscores the long-term risk posed by approvals that are not revoked in a timely manner.
Amplification Effects Under Multi-Chain Deployment
Notably, similar contract structures had been deployed across multiple main-chain environments. Once systemic flaws exist in contract logic, attack methods can be quickly replicated across different chains, resulting in synchronized cross-chain losses. In this incident, the two contract deployer addresses suffered losses of approximately USD 3.67 million and USD 13.41 million respectively, demonstrating how multi-chain deployment can significantly amplify the impact of a single design flaw.
Address Roles and Responsibility Boundaries
The affected addresses indicate that the contract deployers simultaneously assumed dual roles in asset custody and contract control. Under such a model, deployment itself constitutes a persistent risk exposure. Any weaknesses in private key management, approval strategies, or contract permission configurations can directly expose on-chain assets to execution-layer threats.
Implications for On-Chain Risk Identification and Compliance Monitoring
This incident demonstrates that closed-source contracts, long-lived Token Approvals, and replicated multi-chain deployments have become a high-frequency combination of risk signals in current on-chain risk identification. From the perspective of regulatory research and compliance monitoring, continuous tracking of approval relationship changes, contract permission structures, and cross-chain asset flow paths can help identify potential anomalies at an early stage. On-chain risk monitoring systems, including Trustformer KYT, are built around such structural signals, providing reference perspectives for understanding and addressing increasingly complex on-chain risks.