PANews reported on January 7th that, according to an official announcement from Fusion (by IPOR), its Fusion USDC optimizer Vault, deployed on Arbitrum, suffered a smart contract attack on January 6th, resulting in a loss of $336,000 USDC. The attacker exploited a missing validation vulnerability in the "fuse" logic of an older version of Vault, and used the EIP-7702 mechanism to manipulate administrator privileges, successfully injecting malicious logic modules and initiating a withdrawal, transferring funds to Tornado.Cash.

This vulnerability only affected an older Vault deployed 490 days ago; other vaults were unaffected. IPOR stated that the DAO's finances will compensate users for their losses, and they are collaborating with security teams such as SEAL, Hexagate, and Blockaid to track down the funds. The incident has been confirmed to be triggered by a combination of a logical error and EIP-7702 privilege abuse; a complete technical recap has been released.