DeFi exploiter targets lending protocols with oracle tricks

A serial hacker is targeting DeFi lending protocols, with approximately $3.5 million stolen so far. In the latest incident, they exploited an oracle misconfiguration in lending platform Ploutos Money, leading to a loss of almost $400,000.

Crypto security firm CertiK noted that the project appears to have deleted its website and social media presence.

Read more: YieldBlox lending pool hit by $10M hack on Stellar

According to analysis by blockchain auditor BlockSec, Ploutos Money used Chainlink’s bitcoin (BTC)/USD feed as an oracle for USDC price. “The attacker was able to borrow 187 ether (ETH) by posting only eight USDC as collateral,” the post explains.

BlockSec also points to the timing of the exploit, just one block after the misconfiguration was confirmed. While the firm suggests “the attacker closely monitored and acted on the configuration change,” many of the replies to CertiK and BlockSec’s posts suspect insider involvement.

Pseudonymous blockchain investigator Tanuki42 linked the exploiter to at least four other hacks, including two million-dollar losses for Moonwell.

Last week, Moonwell was left with $1.8 million of bad debt when a misconfigured oracle returned a cbETH price of $1.12 instead of approximately $2,200. The code change which caused the loss had been co-authored by Claude Opus 4.6, alongside a Moonwell contributor.

Read more: DeFi, meet Claude: Moonwell’s ‘vibe-coded’ oracle in $1.8M blowup

The (bad) luck of the draw

Also today, in an apparently unconnected attack, Ethereum-based “private ZK lottery,” FOOM CASH, lost $1.6 million when its “broken ZK verifier” was compromised.

According to blockchain security firm QuillAudits, the project lost $1.3 million on Ethereum and $316,000 on Base. The firm’s analysis explains that the project’s use of its ZK verifier was flawed.

In setting two constants to the same value, “anyone can compute it [the verification equation], no secret needed.”

A similar attack affected Veil.Cash, a privacy protocol on Base, last week. However, losses were small at only 4.5 ETH, of which 2 ETH were recovered by white hats Decurity.

Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.