IPOR Labs suffered a $336,000 exploit targeting its USDC Fusion Optimizer vault on Arbitrum, with the attack exploiting a combination of legacy contract vulnerabilities and Ethereum’s newly implemented EIP-7702 delegation mechanism.
The DeFi protocol confirmed that all affected depositors will receive full refunds from its treasury, which represents less than 1% of the total funds secured by its Fusion platform.
Security firms Hexagate and Blockaid alerted the IPOR team on January 6th to suspicious transactions draining funds through a malicious “fuse” contract configuration.
The attacker bridged stolen assets to Ethereum before depositing them into Tornado Cash, according to blockchain security firm CertiK, which tracked approximately $330,000 moving through the mixer as it monitored the exploit’s execution across multiple blockchain networks.
Perfect Storm of Legacy Code and New Protocol Features
According to the post-mortem, the exploit required two independent factors converging on IPOR’s oldest vault architecture, deployed 490 days ago.
The legacy contract’s configureInstantWithdrawalFuses function lacked validation for “fuses” (logic modules that execute within the vault’s context), assuming only authorized administrators could add safe components via restricted access controls.
An administrator account holding vault management permissions used EIP-7702 to delegate execution to an implementation contract containing an “arbitrary call” function at line 208.
This delegation feature, part of Ethereum’s Pectra upgrade, allowed the attacker to hijack the administrator’s identity and inject a malicious fuse that appeared legitimate to the vault’s security checks.
The attacker exploited the vulnerable delegated contract to force the admin account to call vault functions with full privileges.
During an instantWithdraw operation, the malicious fuse transferred USDC directly to attacker-controlled addresses before the team could respond, executing the drain through multiple coordinated transactions that bypassed standard security monitoring systems.
Newer Vaults Remain Secure
IPOR emphasized that all vaults deployed after the initial batch feature explicit fuse validation, preventing arbitrary code execution during withdrawal operations.
The compromised EIP-7702 delegate contract served as a bundling utility for reward compounding on exactly two vaults, with only the exploited legacy vault lacking strict validation safeguards that became standard in subsequent deployments.
The protocol confirmed that no other Fusion vaults face similar vulnerabilities due to the updated security architecture, which implements comprehensive fuse verification.
IPOR DAO will patch the $336,000 shortfall from treasury reserves while collaborating with blockchain security firm SEAL and relevant authorities to track and recover stolen funds through forensic analysis and exchange cooperation.
Rising Exploit Sophistication Despite December Decline
The IPOR incident adds to early January security challenges following a 60% month-over-month decline in December crypto hack losses to $76 million, down from November’s $194.2 million, according to blockchain security firm PeckShield.
The firm documented 26 major exploits in December, including a $50 million address-poisoning scam in which victims mistakenly copied fraudulent addresses and a $27.3 million private-key leak targeting multi-signature wallets.
Cross-chain attacks have intensified in early 2026, with blockchain investigator ZachXBT recently flagging coordinated exploits draining hundreds of EVM-compatible wallets, resulting in losses typically under $2,000 per address but totaling over $107,000.
At that time, security experts warned that the activity appeared automated, urged users to revoke smart contract approvals, and monitor transactions closely for unauthorized access attempts.
Another recent critical hack was the Trust Wallet’s Christmas Day breach, which compromised roughly 2,596 wallets through a supply-chain attack that targeted npm packages used by crypto developers.
The incident stemmed from leaked GitHub secrets that allowed attackers to upload malicious versions of browser extensions that extracted recovery phrases, resulting in approximately $7 million in losses across the Ethereum, Bitcoin, and Solana networks while bypassing Chrome Web Store security reviews.
Just yesterday, a series of user-targeted hacks occurred, many of which were likely the result of the Ledger breach that exposed basic user information, leading to mass phishing and social engineering campaigns that some users have fallen for.
As crypto continues to go mainstream, Mitchell Amador, CEO of security platform Immunefi, warned that attackers increasingly target operational vulnerabilities rather than smart contract code.
“The threat landscape is shifting from onchain code vulnerabilities to operational security and treasury-level attacks,” Amador stated. “As code hardens, attackers target the human element.“
The post IPOR Labs Loses $336K in Arbitrum Vault Exploit, Vows Full Refund appeared first on Cryptonews.
