ShapeShift FOX Colony (Colony Network)

Method: executeMetaTransaction → resolver-repoint via setTarget → delegatecall drain. Root cause: Colony's executeMetaTransaction performs a self-CALL (the meta-tx is routed back through the colony's own address). EtherRouter's canCall function auto-trusts msg.sender == address(this), so a meta-signed call from the contract to itself passes the access check trivially. The attacker meta-signed setTarget(...) to repoint the colony's resolver to an attacker-controlled contract, then delegatecalled a drain handler through the now-attacker-controlled resolver. The vulnerability is not exotic — it is the textbook 'caller-controlled delegatecall target via a writable resolver pointer' pattern, structurally visible in the deployed dispatcher. Per Blockaid, every Colony-Network colony exposing executeMetaTransaction on top of EtherRouter is exposed to the same primitive on any chain. Narrative: ShapeShift's FOX Colony — a community initiative for FOX token holders — was drained on Arbitrum for ~$132.7K in USDC and FOX tokens via a Colony-Network resolver-repoint primitive. Initial wave ~$132.7K confirmed; the same primitive applies to every Colony-Network colony exposing executeMetaTransaction on top of EtherRouter on any chain. Notes: Canonical tx: arbiscan.io/tx/0xdda5...207d. Community alert. Same primitive affects every Colony-Network colony exposing executeMetaTransaction. Attack tx: 0xdda5bcab8eb28458de171ad3780bd1b1028e9231192d73522b0cda36ab46207d.