VERDICT —OUT OF SCOPE
Root cause is phishing — victims signed malicious transactions or approvals off-protocol. Contract logic was not the failure surface; user-side wallet hygiene was. Pre-deployment audit cannot catch this class.
▰ METHOD
PHISHING
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
Sentinel founder Serpent tweeted that the first Google search result for the NFT trading platform X2Y2 was a scam website. The scam used loopholes in Google ads to make the scam URL look exactly the same as the real website's, and about 100 ETH had been stolen. At present, the fake website has been removed after being reported by community members and exposed by the media. Users can type x2y2.io directly into the address bar to reach the official website. Attack method (per SlowMist): Phishing Attack. Reported loss: 100 ETH.
Primary source
https://twitter.com/Serpent/status/1523833573815373824
Sourced from: slowmist
Technical record
- chain: —
- protocol: X2Y2
- bug_class: phishing
- date_occurred: 2022-05-11
- loss_usd: —
- source_id: sm:x2y2::2022-05-11