🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0x947cb49334e6571ccbfef1f1f1178d8469d65ec7 (LRTConfig) belonging to protocol Kelp DAO (Immunefi)
▶️ New address: 0xb21b7Db6d1dAd2a7b057ba5c2E9BA2891fb2e80d

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0x598dbcb99711e5577ff76ef4577417197b939dfa (LRTConverter) belonging to protocol Kelp DAO (Immunefi)
▶️ New address: 0x64B7764e73a83eb1d921B43Eb87Bc5E0eFDbD712

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0x036676389e48133b63a802f8635ad39e752d375d (LRTDepositPool) belonging to protocol Kelp DAO (Immunefi)
▶️ New address: 0xB1238B191b5280378635B27cE4f37e57187Cf19c

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0x349a73444b1a310bae67ef67973022020d70020d (LRTOracle) belonging to protocol Kelp DAO (Immunefi)
▶️ New address: 0x81E1112966F2E6115b5B3d2EFd94cDe8AE57E793

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0xc66830e2667bc740c0bed9a71f18b14b8c8184ba (LRTUnstakingVault) belonging to protocol Kelp DAO (Immunefi)
▶️ New address: 0x47a368d5eB1015F78bE791a2877fB25Db9c6E282

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0x62de59c08eb5dae4b7e6f7a8cad3006d6965ec16 (LRTWithdrawalManager) belonging to protocol Kelp DAO (Immunefi)
▶️ New address: 0xd559EDbD5f09eFdCc22265Ce436dbe00c564D59F

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0xa1290d69c65a6fe4df752f95823fae25cb99e5a7 (RSETH) belonging to protocol Kelp DAO (Immunefi)
▶️ New address: 0xC9Ef97549e28390003DE53279B7D3d39DCE81637

💌 Onchain message: Transaction

📤 From: 0x4f184251c40056fe7b8abbf040f8f30803357799
📥 To: 0xcb80784ef74c98a89b6ab8d96ebe890859600819
🌎 Network: mainnet

💬 Message:

I’ve just sent you safeguards.eth. You can use it to help avoid phishing scams in the future—ENS helps solve that issue.

A primary name links an ENS name to an address, allowing apps to display a verified name and profile when the address is viewed. Each address can have only one primary name per network.

Vulnerability fixed.

🚨 Ethan (ETN) Staking - $5.77K

Token: $ETN @ $0.93
MC: Unknown (Pool TVL: ~$47K)

Type: Reward Calculation Flaw

Unverified staking contract allows immediate ROI claim after staking. Attacker flash loaned USDT, swapped to ETN, then used multiple helper contracts to repeatedly stake→claimRoi→unstake in a single tx, draining staking rewards.

TX: https://bscscan.com/tx/0x980e7c067bc71f8ecb9fcdc9b7825a831ee2071d39f5b32faa4c5f5d67902efb
Victim: https://bscscan.com/address/0x3F5e5dCdC737f751881ef60Ed3bcDF82f3de5466 (unverified)

☝️This is how upgraded AI analysis of the exploit transactions for the premium channel looks like

Previously we used o3-mini only on the transaction traces to explain the flow. The workflow is now agentic - the agent can pull the data from Etherscan, Coingecko, use various tools in order to find out the root cause of the vulnerability and provide a valuable signal about the affected project identity, its market cap and token ticker.

💌 Onchain message: Transaction

📤 From: 0x3d3383adec1d1072699ce578373ca76c57169876
📥 To: 0xd0a115ea64b59f951b70276fcb65b4946465e3a9
🌎 Network: bsc

💬 Message:

It's clever to put an EIP-7702 delegation to drain me, but I'm faster than you, asshole, you're so stupid that you didn't see that I had a contract deployed with money

💌 Onchain message: Transaction

📤 From: 0x7a280703aa3044e6c3a6b4af3ce397d9f11c3f99
📥 To: 0x80d4da55d4afcc89c6e353e8d371b4c799c14838
🌎 Network: base

💬 Message:

Dear Ser, I’m reaching out regarding the 99 ETH from earlier today. Your exploit was technically brilliant, and I genuinely admire your expertise. But I’m in deep trouble—this is company capital. My job is on the line, and as a father of two, I am terrified of what happens next if I can’t get this back. Could we treat this as a white-hat save? Please return the funds to my Safe address. If you can help, I’ll do my best to advocate for a bounty for your help in identifying this vulnerability. Please, I need to save my family’s livelihood.

💌 Onchain message: Transaction

📤 From: 0xf51009ff4c7065c6400f47cdde3e35740fdec5a5
📥 To: 0xa78dae0b171af44eac0101097f35f55bbc7707a1
🌎 Network: mainnet

💬 Message:

Hey, I’m the one who publicly reported the funds you took.

I’m sure you never expected to walk away with $50M from this kind of attack.

You and I both know laundering $50M will be extremely difficult, especially since this wasn’t something you prepared for.

Why not take a bounty and return the funds to the victim?

I’m not here to plead or threaten you. This is simply about reducing risk, stress, and exposure.

If you choose to run, that’s your decision, but understand that the trail won’t disappear.

💌 Onchain message: Transaction

📤 From: 0xf51009ff4c7065c6400f47cdde3e35740fdec5a5
📥 To: 0x00d90075b0530fd59afc69b2d2d73701d4915116
🌎 Network: mainnet

💬 Message:

Hey, I’m the one who publicly reported the funds you took.

I’m sure you never expected to walk away with $50M from this kind of attack.

You and I both know laundering $50M will be extremely difficult, especially since this wasn’t something you prepared for.

Why not take a bounty and return the funds to the victim?

I’m not here to plead or threaten you. This is simply about reducing risk, stress, and exposure.

If you choose to run, that’s your decision—but understand that the trail won’t disappear.

Since USPD hack we have started tracking CPIMP activity more closely.

So far we have alerted the following protocols:
- Angle protocol
- Limewire
- ZyfAI
- Morpheus AI
- Elephant protocol

It's scary that new proxies are being backdoored every day, months after the initial discovery of this malicious campaign. Incidents like USPD will continue to happen without proper visibility. At least Etherscan started to display ">1 Implementation" warning at the top of the page.

💌 Onchain message: Transaction

📤 From: 0x58938790b2e1a2b5404bf2e6fc854a11c2a6e983
📥 To: 0x3262e5c1f7ccca4fea0779aefe61fc1d7715ece8
🌎 Network: mainnet

💬 Message:

Alright, because of your attack, I have lost my job. Can you tell me how you managed to steal my private key? I would like to clear up my confusion.

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0xcf9c49b0962edb01cdaa5326299ba85d72405258 (NFTDriver) belonging to protocol Drips (Immunefi)
▶️ New address: 0x566ECff89fD28B374F40E64D0B838Fa2175Fc99E

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0x1212975c0642b07f696080ec1916998441c2b774 (ImmutableSplitsDriver) belonging to protocol Drips (Immunefi)
▶️ New address: 0x6E276c2975C1d9Ea776C6fEbE3437ADd4A769131

🆕 Proxy upgrade: proxy_implementation_upgraded
🌎 Network: mainnet
🅿️ Proxy: 0x770023d55d09a9c110694827f1a6b32d5c2b373e (RepoDriver) belonging to protocol Drips (Immunefi)
▶️ New address: 0x65C75c75A2cDdd98152cAD40ebbbfEc988bcFdd9

💌 Onchain message: Transaction

📤 From: 0x1555fe70c4cc5e5e6a60422cbc4507500113e29d
📥 To: 0xaac627ba8969b913f2492e04829cfb956d122508
🌎 Network: mainnet

💬 Message:

Check Blockscan chat on your address

https://chat.blockscan.com

 or email : Japanesewhitehat@proton.me 

And get back your funds