A sybil farming attack on WUSD.fi and GLOVE drained roughly $200K from Uniswap V3 liquidity pools on Ethereum. No audit caught the reward mechanic flaw.
Somebody figured out the math before the protocol did. On May 25, a single attacker walked away with roughly $200K from two Uniswap V3 pools tied to the WUSD.fi and GLOVE protocol on Ethereum. Not a bug in the contract code, exactly. More a case of a reward mechanism that never asked who it was rewarding.
Blockchain security researcher exvulsec flagged the incident on X, laying out the full on-chain path. The attacker used a flash loan, cycled through fresh wallets, and dumped the harvested GLOVE tokens into the liquidity pools before anyone caught it.
The Mechanic Nobody Stress-Tested
Inside WUSD.fi's contract sits a function called WUSD._englove. According to exvulsec on X, any fresh wallet wrapping at least 100 WUSD while holding under 2 GLOVE could call Glove.mintCreditless and receive up to 2 GLOVE tokens. No identity check. No rate limit. Nothing. The only input to the eligibility test was the caller's own current state, which a brand-new address satisfies by definition.
The attacker deployed EIP-7702 helper contracts, pulled a Morpho USDT flash loan, then ran repeated wrap and unwrap cycles across fresh wallet addresses. Because nothing required the wrapped capital to stay put, the same borrowed funds could be unwrapped and reused to qualify the next address within the same transaction. Each new address qualified again. GLOVE kept minting.
Harvested GLOVE went straight into Uniswap V3. The GLO-USDC pool lost 11,702 USDC in observable drains. The GLO-USDT pool shed 8,079 USDT. Both figures were confirmed via Etherscan at time of reporting. Those two observable drains together account for under $20K of the roughly $200K attributed to the attack.
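To make the gate concrete, here is an added Solidity sketch of the vulnerable shape exvulsec describes next to one way to close it. This is not WUSD.fi's source: the names WUSD, GLOVE, _englove and mintCreditless come from the write-up above, while the function bodies, the underlying token, every constant (threshold, hold period, vesting window, epoch budget) and the entire hardened contract are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction, not WUSD.fi's source. Names _englove and
// mintCreditless follow exvulsec's write-up; all bodies, constants and the
// hardened design are assumptions for illustration.

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IGlove is IERC20 {
    function mintCreditless(address to, uint256 amount) external;
}

// Vulnerable shape: eligibility keyed only to the caller's current state.
contract WUSDVulnerable {
    IERC20 public immutable underlying;   // assumed: token wrapped into WUSD
    IGlove public immutable glove;
    mapping(address => uint256) public wrapped;

    uint256 public constant WRAP_THRESHOLD = 100e18; // 100 WUSD
    uint256 public constant GLOVE_CAP      = 2e18;   // top up to 2 GLOVE

    constructor(IERC20 u, IGlove g) { underlying = u; glove = g; }

    function wrap(uint256 amount) external {
        underlying.transferFrom(msg.sender, address(this), amount);
        wrapped[msg.sender] += amount;
        _englove(msg.sender);
    }

    // No hold period: the same transaction can unwrap and fund the next address.
    function unwrap(uint256 amount) external {
        wrapped[msg.sender] -= amount;
        underlying.transfer(msg.sender, amount);
    }

    // A fresh address holds 0 GLOVE, so every new address qualifies again.
    // Cost per 2 GLOVE is one address plus gas for a wrap/unwrap pair.
    function _englove(address user) internal {
        uint256 held = glove.balanceOf(user);
        if (wrapped[user] >= WRAP_THRESHOLD && held < GLOVE_CAP) {
            glove.mintCreditless(user, GLOVE_CAP - held);
        }
    }
}

// Hardened shape: reward accrues per block the deposit stays above threshold,
// unwrap has a hold period, and total emission per epoch is capped.
contract WUSDHardened {
    IERC20 public immutable underlying;
    IGlove public immutable glove;

    struct Position { uint256 amount; uint256 since; uint256 lastWrap; uint256 claimed; }
    mapping(address => Position) public pos;

    uint256 public constant WRAP_THRESHOLD = 100e18;
    uint256 public constant GLOVE_CAP      = 2e18;    // lifetime cap per address
    uint256 public constant VEST_BLOCKS    = 7200;    // full 2 GLOVE after ~1 day above threshold
    uint256 public constant MIN_HOLD       = 50;      // blocks between wrap and unwrap
    uint256 public constant EPOCH_BLOCKS   = 7200;
    uint256 public constant EPOCH_BUDGET   = 1000e18; // ceiling per epoch, whatever the address count
    uint256 public epochStart;
    uint256 public epochMinted;

    constructor(IERC20 u, IGlove g) { underlying = u; glove = g; }

    function wrap(uint256 amount) external {
        underlying.transferFrom(msg.sender, address(this), amount);
        _settle(msg.sender);                  // pay what the old balance earned, restart the clock
        Position storage p = pos[msg.sender];
        p.amount += amount;
        p.lastWrap = block.number;
    }

    function unwrap(uint256 amount) external {
        Position storage p = pos[msg.sender];
        // A flash loan is repaid within one transaction, so it can never wait out this window.
        require(block.number >= p.lastWrap + MIN_HOLD, "hold period not met");
        _settle(msg.sender);
        p.amount -= amount;
        underlying.transfer(msg.sender, amount);
    }

    function claim() external { _settle(msg.sender); }

    // Reward is capital-times-time, bounded per address and per epoch.
    function _settle(address user) internal {
        if (block.number >= epochStart + EPOCH_BLOCKS) { epochStart = block.number; epochMinted = 0; }
        Position storage p = pos[user];
        if (p.since != 0 && p.amount >= WRAP_THRESHOLD) {
            uint256 earned = GLOVE_CAP * (block.number - p.since) / VEST_BLOCKS;
            uint256 room = GLOVE_CAP - p.claimed;        // lifetime cap for this address
            if (earned > room) earned = room;
            uint256 left = EPOCH_BUDGET - epochMinted;   // global cap; excess accrual is forfeited
            if (earned > left) earned = left;
            if (earned > 0) {
                p.claimed += earned;
                epochMinted += earned;
                glove.mintCreditless(user, earned);
            }
        }
        p.since = block.number;
    }
}
```

The hardened contract does not try to identify the caller, which a fresh address defeats anyway. It changes what the reward is a function of: capital held over time rather than an address showing up, so the flash-loan loop earns nothing because the loan must be repaid before MIN_HOLD elapses, and the epoch budget bounds the protocol's total emission no matter how many addresses an attacker controls. A per-address cap on its own is still sybil-able with the attacker's own capital; the global budget is the part that bounds the loss.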
What the Community Clocked
SecureAI on X put it plainly: the exploit was not the contract itself. It was the reward mechanism design. Audits tend to look at code logic. They rarely stress-test economic incentive paths the way an attacker will.
Chinese-language crypto account aegixe_cn on X called it another incentive abuse attack and warned users to understand a protocol's mechanics before putting money in. That kind of reminder lands differently when $200K has already left the pool. DeFi exploits have been stacking up this year, with May alone seeing several liquidity-layer incidents across Ethereum.
No oracle manipulation. No reentrancy. Just a minting function handing out tokens to anyone who showed up with a fresh address. The attack kept going as long as new addresses kept qualifying. And they did, part of a pattern that has cost DeFi nearly $770M in 2026, per the filings.
