Crypto’s $60 Million Weekend: A Field Guide to Losing Other People’s Money


If you wanted to steal $60 million this weekend, crypto offered several convenient options. You could exploit an aggregator’s router on Base. You could drain a DeFi protocol through infinite approvals. You could allegedly be the son of a government contractor with access to seized Bitcoin wallets. Or you could hack a Saga EVM chain (though the details on that one remain sparse).

Let’s walk through them.

The SwapNet Problem: $16.8 Million and a Lesson in Approvals

The biggest single incident was SwapNet’s router on Base, which got hit for approximately $16.8 million through what’s called an “arbitrary call vulnerability”. If you’re unfamiliar with the term, here’s the short version: the router was designed to execute swaps on users’ behalf, which means it needed permission to move tokens around. Some users gave it permanent permission rather than one-time approval, because clicking “approve” repeatedly is annoying and gas fees add up.

The attacker found a way to make the router do things it wasn’t supposed to do with those permissions. Specifically, they convinced it to send about $10.5 million in USDC their way, which they promptly swapped for 3,655 ETH and bridged to Ethereum mainnet. Matcha Meta confirmed the incident; affected users are being urged to revoke their approvals, which is good advice that arrives slightly too late.

The fundamental issue here isn’t particularly novel.

It’s the same problem that’s plagued DeFi since the beginning: the tension between user experience and security.

One-time approvals are safer but require constant re-approval. Infinite approvals are convenient until someone figures out how to exploit the contract you approved.
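For anyone acting on the "revoke your approvals" advice, the first step is finding which unlimited approvals are still outstanding. The following is an added example, not code from SwapNet, Matcha Meta or the original article: it replays ERC-20 `Approval` event logs (in the JSON shape returned by `eth_getLogs`) and lists the spenders whose last approval from an owner is effectively infinite. All addresses and log entries are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # wallets usually approve 2**256-1; treat anything this large as infinite

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def latest_approvals(logs):
    """Replay logs in chain order; the last write per (token, owner, spender) wins."""
    state = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)
    return state

def risky_approvals(logs, owner):
    """(token, spender) pairs whose last approval by owner is unlimited and not revoked.
    This is the last *approved* value; confirm with allowance() before relying on it."""
    owner = owner.lower()
    return sorted((t, s) for (t, o, s), amt in latest_approvals(logs).items()
                  if o == owner and amt >= UNLIMITED)

# --- constructed sample data (hypothetical addresses, not from any incident) ---
def _log(block, idx, token, owner, spender, amount):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
OWNER, ROUTER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_LOGS = [
    _log(15, 0, TOKEN_B, OWNER, ROUTER, 0),           # later revocation
    _log(10, 0, TOKEN_A, OWNER, ROUTER, 2**256 - 1),  # infinite, never revoked
    _log(11, 3, TOKEN_B, OWNER, ROUTER, 2**256 - 1),  # infinite, revoked at block 15
    _log(12, 1, TOKEN_A, OWNER, OTHER, 500),          # exact-amount approval
]

if __name__ == "__main__":
    for token, spender in risky_approvals(SAMPLE_LOGS, OWNER):
        print(f"revoke: token {token} spender {spender}")
```
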

Aperture Finance: Infinite Approvals Strike Again

Speaking of infinite approvals, Aperture Finance had a rough weekend. The DeFi protocol lost around $4 million, though estimates vary, through what appears to be a related vulnerability class. One particularly unlucky address reportedly lost $10 million in a single hit.

The Aperture incident is part of a broader pattern.

Permit2, account abstraction, and various other “improvements” to the approval flow keep creating new attack surfaces. The industry is trying to solve the UX problem of constant re-approval, but each solution introduces its own risks.

It’s an ongoing arms race between user convenience and adversarial creativity.

The Government’s Money (Sort Of): $40 Million and a Family Business

The wildest theft from the past few days doesn’t involve smart contracts at all. ZachXBT, the blockchain investigator who has made a career of following money through pseudonymous wallets, published research linking approximately $40 million in stolen cryptocurrency to the son of a U.S. Marshals Service contractor.

Here’s the setup: when the federal government seizes cryptocurrency (from Silk Road operators, exchange fraudsters, Bitfinex hackers), someone has to actually hold it. That someone is often a private contractor. In this case, a company called CMMDS (or CMDSS, depending on the document) held custody of seized crypto for the Marshals Service.

According to ZachXBT’s on-chain analysis, funds started moving from government seizure addresses in March 2024. Investigators were flummoxed, as this Bitcoin was supposed to have been in custody of the US government.

However, the trail led to John Dagita, who is allegedly connected to CMMDS and whose father owns or owned the company. The investigation apparently began when someone recorded a Telegram video of “John (Lick)” showing off cryptocurrency holdings. From there, ZachXBT traced backward through the blockchain until the path led to government wallets.

The U.S. Marshals Service has confirmed they’re investigating.

If the allegations are accurate, this is both a custody failure and a reminder that “not your keys, not your crypto” applies to governments too.

Saga EVM: The Hack We Know Least About

Saga EVM also got hacked this weekend. By feeding malformed IBC messages through a precompile bridge helper contract, the attacker tricked the system into minting unbacked Saga Dollars ($D), then redeemed them for real assets ($7M of USDC was bridged out and converted to 2,000 ETH via Uniswap V4, 1inch, CowSwap, etc.).

Saga Dollar depegged briefly to ~$0.75 and the chainlet’s TVL dropped sharply from ~$37M to ~$16M, but the team halted the instance at block 6,593,800. Saga coordinated blacklisting of the attacker wallet, worked with exchanges, bridges, and security partners like Sherlock and Cosmos Labs on patches for the shared Ethermint vuln, and added safeguards while forensics continue on archive nodes and traces.

Four incidents. Roughly $60 million. One weekend.

The interesting thing isn’t that these hacks happened. Hacks have been happening since smart contracts were invented, and they’ll keep happening until someone figures out how to write perfect code (never) or users stop granting permissions to contracts (also never). The interesting thing is the variety.

You have infrastructure-level exploits (SwapNet), protocol-specific vulnerabilities (Aperture), alleged insider theft from government custody (the Marshals incident), and the Saga Dollar infinite mint. Each represents a different failure mode. Each requires different preventive measures. And each demonstrates that the attack surface in crypto is the entire system of custody, permissions, bridges, and human judgment that surrounds it.

This is the cost of permissionless innovation. Anyone can build, anyone can use, and anyone can exploit.

The $60 million lost this weekend is, in some sense, the tuition the industry pays for running experiments in production. Whether the lessons are worth the price depends on who you ask, and whether their wallet got drained.
