Same family as the Multicall-yvETH drain above. Victims had previously granted token approvals to 0x2990A16D2C37163f26F86d7af219064Ba5CD5605 — an unverified contract whose bytecode is not visible on Etherscan. The contract's owner exercised those stale approvals to drain ~$229K. The fact that the contract is unverified is itself the warning sign: users had no way to audit what they were approving. TenArmor's mitigation guidance is correct and is the only available defense — revoke ALL approvals on 0x2990A16D… immediately if you ever interacted with it. Pre-deployment audit cannot prevent this class because the victim's approval is the consent surface, not a contract bug.
Method: Stale approval drain on unverified contract. Root cause: Same family as the Multicall-yvETH drain above. Victims had previously granted token approvals to 0x2990A16D2C37163f26F86d7af219064Ba5CD5605 — an unverified contract whose bytecode is not visible on Etherscan. The contract's owner exercised those stale approvals to drain ~$229K. The fact that the contract is unverified is itself the warning sign: users had no way to audit what they were approving. TenArmor's mitigation guidance is correct and is the only available defense — revoke ALL approvals on 0x2990A16D… immediately if you ever interacted with it. Pre-deployment audit cannot prevent this class because the victim's approval is the consent surface, not a contract bug. Notes: TenArmor advised users to revoke approvals on 0x2990A16D2C37163f26F86d7af219064Ba5CD5605. Attack tx: 0x57709a498f27c7219b634ae20e7d2cbf9ab8dd6aca7b3845fabf93b57760b576. First flagged by TenArmor TenMonitor.
- chain
- ethereum
- protocol
- Unverified Contract 0x2990A16D
- bug_class
- phishing
- date_occurred
- 2026-04-27
- loss_usd
- $229,000
- source_id
- tenarmor:ethereum:0x57709a498f27c7219b634ae20e7d2cbf9ab8dd6aca7b3845fabf93b57760b576