Crypto Security Firm CertiK Reports New Oracle-Based Exploit - Crypto Economy

A serial hacker is targeting DeFi lending protocols through oracle misconfigurations, with total losses reaching approximately $3.5 million so far. The latest incident impacted Ploutos Money, which lost nearly $400,000 following an apparent price oracle error.

Blockchain security firm CertiK reported that the protocol was exploited for 187.36 ETH (around $388,000) due to a misconfigured oracle. Shortly after the attack, Ploutos’ website and social media accounts were deleted.

According to analysis from blockchain auditor BlockSec, Ploutos Money incorrectly used Chainlink’s BTC/USD price feed as the oracle reference for USDC. This configuration flaw enabled the attacker to manipulate collateral valuation. The exploit occurred just one block after the configuration change was confirmed. The attacker was able to borrow 187 ETH while posting only eight USDC as collateral.

Pseudonymous on-chain investigator Tanuki42 linked the same exploiter to at least four other hacks, including two million-dollar incidents affecting Moonwell. Last week, Moonwell was left with $1.8 million in bad debt after a misconfigured oracle returned a cbETH price of $1.12 instead of approximately $2,200.

A similar exploit impacted Veil.Cash, a privacy protocol on Base, last week. However, losses were limited to approximately 4.5 ETH, of which 2 ETH were recovered by white-hat security team Decurity.

Source: Reports from CertiK

Disclaimer: Crypto Economy Flash News is prepared using official and publicly available sources verified by our editorial team. Its purpose is to provide rapid updates on relevant developments within the crypto and blockchain sector.

This information does not constitute financial advice or an investment recommendation. Readers should verify official channels before making related decisions.