Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Juicebox V3 (via its REVLoans borrowing extension) was exploited through a borrowFrom Spoof Attack. The vulnerability stemmed from insufficient validation in the borrowFrom function, particularly of the caller-supplied "source" parameter (a REVLoanSource struct with .terminal and .token fields). This allowed the attacker to forge an accounting context: when the currency matched the destination, the protocol skipped the oracle and used attacker-controlled decimals and balances, enabling borrowing at an inflated share price. The attack used two transactions (one to seed fake accounting, one to drain against a legitimate terminal) and drained approximately 21.77 ETH (worth ~$52,000). Attack method (per SlowMist): Contract Vulnerability. Reported loss: $52,000.
- chain: —
- protocol: Juicebox V3
- bug_class: oracle
- date_occurred: 2026-04-20
- loss_usd: $52,000
- source_id: sm:juicebox-v3::2026-04-20