IPOR Labs Loses $336K in Arbitrum Vault Exploit, Gets Full Refund

Last Updated: January 7, 2026

Minergate

IPOR Labs discovered a $336,000 exploit targeting its USDC Fusion Optimizer Vault on Arbitrum. The attack combined legacy contract vulnerabilities with Ethereum's newly implemented EIP-7702 delegation mechanism.

The DeFi protocol says all affected depositors will receive a full refund from the treasury. The loss represents less than 1% of the total funds held by the Fusion platform.

Security firms Hexagate and Blockaid alerted the IPOR team on January 6 about suspicious transactions that could be used to withdraw funds through a malicious “fuse” contract configuration.

The attacker transferred the stolen assets to Ethereum before depositing them into Tornado Cash, according to blockchain security firm CertiK. Around $330,000 has moved into the mixer, based on monitoring of the exploit across multiple blockchain networks.

A perfect storm of legacy code and new protocol features

According to the postmortem, the exploit required two independent conditions to converge on IPOR's legacy vault architecture, built 490 days ago.

The legacy contract's InstantWithdrawalFuses configuration function did not validate “fuses” (logic modules that execute in the Vault context), on the assumption that only authorized administrators could add such components through restricted access controls.

At issue 208, an administrator account with Vault administration permissions used EIP-7702 to delegate to a contract containing an “arbitrary call” function.

This delegation feature, part of the Ethereum Pectra update, allowed an attacker to hijack the administrator's identity and insert a malicious fuse that appeared legitimate to the vault's security checks.

The attacker exploited the vulnerable delegation contract to force the administrator account to call Vault functions with full privileges.

During an instant withdrawal operation, the malicious fuse forwarded the USDC directly to an attacker-controlled address before the team could react.
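
A defensive check that follows from the delegation step described above (an added example, not code from IPOR or its postmortem): it classifies the code returned by `eth_getCode` for each privileged role holder and flags accounts carrying an EIP-7702 delegation designator (`0xef0100` followed by the delegate address) whose delegate has not been reviewed. The addresses, role names and the `get_code` callback are constructed for illustration; in practice `get_code` would wrap a JSON-RPC call.

```python
"""Audit privileged accounts for EIP-7702 delegation (added example)."""

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator


def classify_code(code_hex):
    """Classify the result of eth_getCode for an account.

    Returns ("eoa", None), ("delegated", "0x<delegate>") or ("contract", None).
    """
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if not code:
        return ("eoa", None)
    # A delegated EOA holds exactly 3 prefix bytes plus a 20-byte address.
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return ("delegated", "0x" + code[3:].hex())
    return ("contract", None)


def audit_role_holders(holders, get_code, reviewed_delegates=frozenset()):
    """Return findings for role holders whose code is an unreviewed delegation.

    holders: {address: role name}; get_code: callable(address) -> hex code.
    """
    reviewed = {d.lower() for d in reviewed_delegates}
    findings = []
    for address, role in sorted(holders.items()):
        kind, delegate = classify_code(get_code(address))
        if kind == "delegated" and delegate not in reviewed:
            findings.append({"address": address, "role": role, "delegate": delegate})
    return findings


# Constructed sample data: placeholder addresses, not values from the incident.
ADMIN = "0x" + "a1" * 20
KEEPER = "0x" + "b2" * 20
TIMELOCK = "0x" + "c3" * 20
DELEGATE = "0x" + "d4" * 20
SAMPLE_CODE = {
    ADMIN: "0xef0100" + "d4" * 20,  # EOA delegated via EIP-7702
    KEEPER: "0x",                    # plain EOA, no code
    TIMELOCK: "0x6080604052",        # ordinary contract bytecode (truncated)
}
SAMPLE_HOLDERS = {ADMIN: "vault admin", KEEPER: "keeper", TIMELOCK: "owner"}

if __name__ == "__main__":
    for f in audit_role_holders(SAMPLE_HOLDERS, SAMPLE_CODE.__getitem__):
        print(f"{f['role']} {f['address']} delegates to {f['delegate']}")
```
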

Newer vaults are safe

IPOR emphasized that all vaults deployed after the first batch implement explicit fuse validation, preventing arbitrary code execution during withdrawals.

The compromised EIP-7702 delegate served as a summary utility for rewards on exactly two vaults. Only the exploited legacy vault lacked the strict validation protections that are standard in subsequent deployments.

The protocol said no other Fusion vaults are exposed to similar vulnerabilities, thanks to the improved security architecture that implements general fuse validation.

IPOR DAO will cover the $336,000 shortfall from treasury reserves and is partnering with blockchain security firm SEAL and relevant authorities to track and recover the stolen funds through forensic analysis and exchange cooperation.

Despite December's decline, the sophistication of exploitation is increasing

The IPOR incident followed a 60% month-on-month decline in December, adding to security concerns in early January.

The firm documented 26 major exploits in December, including a $50 million address poisoning scam in which victims mistakenly copied spoofed addresses and a $27.3 million private key leak targeting multi-signature wallets.

Cross-chain attacks intensified in early 2026. Blockchain researcher ZachXBT recently pointed out coordinated exploits that drained hundreds of EVM-compatible wallets, with losses of less than $2,000 per address but more than $107,000 in total.

At the time, security experts warned that the activity appeared to be automated and urged users to revoke smart contract approvals and closely monitor transactions for unauthorized access attempts.

Another recent critical hack was Trust Wallet's Christmas Day breach, which affected approximately 2,596 wallets through a supply chain attack targeting npm packages used by crypto developers.

The incident, which stemmed from leaked GitHub secrets, allowed attackers to upload malicious versions of a browser extension that extracted recovery phrases. The uploads bypassed the Chrome Web Store's security assessments and caused nearly $7 million in losses across the Ethereum, Bitcoin, and Solana networks.

Just yesterday, a series of user-targeted hacks occurred, many of which resulted in ledger breaches that exposed basic user information and led to mass phishing and social engineering campaigns that some users fell victim to.

As crypto continues to go mainstream, Mitchell Amador, CEO of security platform Immunefi, warned that attackers are increasingly targeting transaction vulnerabilities rather than smart contract code.

“The threat landscape is shifting from onchain code vulnerabilities to functional security and treasury-level attacks,” Amador said. “As the code gets harder, attackers are targeting the human body.”
