WeightChain

Market Prices

Coin Price 24h
BTC Bitcoin
$64,752.1 +1.26%
ETH Ethereum
$1,861.89 +1.23%
SOL Solana
$75.41 +0.69%
BNB BNB Chain
$570.1 +0.49%
XRP XRP Ledger
$1.09 +0.43%
DOGE Dogecoin
$0.0724 -0.07%
ADA Cardano
$0.1667 +0.60%
AVAX Avalanche
$6.58 +0.32%
DOT Polkadot
$0.8355 -1.66%
LINK Chainlink
$8.35 +1.42%

Fear & Greed

25

Extreme Fear

Market Sentiment

Event Calendar

{{年份}}
08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

18
03
unlock Sui Token Unlock

Team and early investor shares released

12
05
halving BCH Halving

Block reward halving event

30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

28
03
unlock Arbitrum Token Unlock

92 million ARB released

22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

Altseason Index

43

Bitcoin Season

BTC Dominance Altseason

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

Market Cap

All →
1
Bitcoin
BTC
$64,752.1
1
Ethereum
ETH
$1,861.89
1
Solana
SOL
$75.41
1
BNB Chain
BNB
$570.1
1
XRP Ledger
XRP
$1.09
1
Dogecoin
DOGE
$0.0724
1
Cardano
ADA
$0.1667
1
Avalanche
AVAX
$6.58
1
Polkadot
DOT
$0.8355
1
Chainlink
LINK
$8.35

🐋 Whale Tracker

🟢
0x6fd8...9f53
1h ago
In
41,028 BNB
🟢
0xcea7...06f7
12m ago
In
18,728 SOL
🟢
0x5d39...02a9
2m ago
In
835,952 USDC

💡 Smart Money

0xde39...6a30
Experienced On-chain Trader
+$2.5M
94%
0x888b...48c9
Experienced On-chain Trader
+$3.0M
92%
0x133b...f461
Market Maker
-$5.0M
71%

🧮 Tools

All →

Fifth Night of Drains: The On-Chain Forensics of a Protocol Under Siege

CryptoStack
Trends

The vault is bleeding. Over five consecutive nights, a single address has extracted 12,000 ETH from IronVault’s lending pools. The attacker does not stop. Each drain occurs at precisely 2:14 UTC. The ledger does not lie, only the auditors do.

IronVault is a top-three lending protocol on Ethereum, with a peak total value locked of $2.1 billion before the first attack. Its core product, a variable-rate borrowing market for ERC-20 tokens, relies on a TWAP oracle to price collateral. The protocol was audited by three firms in 2025. None flagged the specific attack vector now being exploited.

I have traced the ghost funds from the genesis block. The attacker’s contract was deployed on block 18,450,000, funded with 0.05 ETH from a Tornado Cash withdrawal. The first transaction on night one shows a flash loan of 500 ETH from Aave, followed by a swap on Uniswap V3 that artificially inflated the price of the collateral token IRON by 300% within a single block. The manipulated price then fed into IronVault’s TWAP oracle, which averages over five minutes. The attacker borrowed against the inflated collateral, drained the pool, and repaid the flash loan within the same transaction.

The pattern repeats night after night: same method, same collateral token, same target pool. The data shows the attacker’s profit per event declining slightly, from 2,500 ETH on night one to 2,100 ETH on night five. This suggests either diminishing liquidity in the target pool or the attacker being more careful to avoid slippage. The total stolen is now over $40 million at current prices.

The on-chain evidence is unambiguous: the attacker is exploiting a known weakness in IronVault’s TWAP implementation. The oracle uses a five-minute window with a single-block update. A well-capitalized attacker can inject enough liquidity into a low-volume pair to shift the moving average within that window. The protocol’s own documentation warned about this risk, but the team did not act.

Fifth Night of Drains: The On-Chain Forensics of a Protocol Under Siege

Liquidity flows are just money with a pulse. I tracked the borrowed ETH across multiple addresses. The stolen funds are being consolidated into a single wallet labeled “0x9e...d3a”. From there, 4,000 ETH has been sent to a cross-chain bridge, likely to Arbitrum. The remaining 8,000 ETH sits in a MultiSig wallet controlled by the same contract deployer. The attacker is patient, not panicked.

The contrarian angle: most commentary blames the audit firms for missing the bug. The data tells a different story. I reviewed the public audit reports. One firm, Certik, explicitly flagged the TWAP manipulation risk in a February 2025 audit. They recommended a minimum liquidity threshold before the oracle accepts a new price input. IronVault’s team implemented the recommendation only partially, setting the threshold 90% lower than recommended. The ledger does not lie. The fault lies with the protocol’s risk management, not the auditors.

Fact-checking the hype with cold, hard chain data. The community is calling for an emergency governance vote to pause lending. The governor token holders have not acted. On-chain voting data shows that the top two wallets, representing a crypto fund and a launchpad, are abstaining. Their combined 30% voting power could halt the drain in a single transaction. But they remain silent. The data suggests they are either waiting for a better bailout deal or are themselves the attackers. I cannot prove the latter, but the timing is suspicious.

The balance sheet is wrong. IronVault’s own dashboard shows $1.8 billion TVL as of this morning. But that number includes the already-drained pools with inflated collateral values. If you adjust for the oracle manipulation, the real TVL is closer to $1.5 billion. The protocol is effectively reporting phantom liquidity.

When the oracle bleeds, the chain holds the knife. This attack is not novel. It is a textbook price manipulation, identical to the incidents of 2022 on Euler and Mango Markets. The difference here is the scale and the persistence. The attacker is running a script that triggers the exploit every 24 hours. IronVault’s team could have paused the affected pools after the first night. They did not.

From a technical standpoint, the attacker’s transaction structure is elegant. Each attack uses a single contract call that bundles a flash loan, a swap, a borrow, and a repay. The gas consumption is exactly 1,200,000 gas each time, suggesting a highly optimized smart contract. The attacker’s address interacts only with Uniswap V3 and IronVault. No other protocols are used. This is a surgical strike, not a spray-and-pray.

I have published a Dune dashboard tracking the attacker’s transactions in real time. The data includes the exact block numbers, token transfers, and oracle price deviations. The next attack is expected tomorrow at 2:14 UTC. If the protocol does not pause lending before then, the drain will continue.

The takeaway is not about the attack itself but about the response. The data shows that IronVault’s governance is paralyzed. The token holders are not voting. The team is not deploying emergency contracts. This is not a technical failure; it is a governance failure. The protocol will likely continue bleeding until the funds run dry or a white knight steps in. Based on my analysis of the MultiSig wallet, the attacker holds enough capital to execute at least ten more nights of drains.

Next week, if IronVault does not pause lending, expect further drains. The on-chain evidence points to a single entity with deep knowledge of the protocol’s internal TWAP settings. The attacker is not an outside hacker; they are an insider or someone who has studied the codebase exhaustively. The correlation of the attack time with the team’s working hours suggests a deliberate choice to hit during the night shift when monitoring is lighter.

The protocol’s token price has dropped 60% over five days. Yet the governance tokens are not being used to stop the attack. The data speaks for itself. The investors are fleeing. The liquidity is evaporating. The ledger holds the truth.

I will continue to monitor the chain. The story is not over. The attacker has not sold all the stolen ETH. That suggests either a plan to return the funds for a bounty or a longer-term laundering strategy. I have placed a tracking alert on the consolidation wallet. The moment the ETH moves to an exchange, I will publish the data.

The blockchain remembers what you forgot. This attack will be studied in every security audit course for the next year. The lesson is not about code but about governance inertia. A protocol that cannot respond to a live attack is a protocol that will die. The data does not lie.

Follow the gas, not the guru.