
IPOR Protocol Suffers $336K Exploit, DAO to Reimburse Users

Legacy vault vulnerability exploited via EIP-7702 flaw; DAO treasury to cover all losses while separate attacker launders millions through Tornado Cash

By Amoo Jubril

January 7, 2026 at 9:59 AM

Last updated

January 7, 2026 at 3:22 PM


KEY FACTS

  • IPOR Protocol lost $336K USDC in an Arbitrum vault exploit caused by an EIP-7702 vulnerability in legacy contracts.
  • The IPOR DAO will fully reimburse all affected depositors from its treasury.
  • Separately, a whale wallet drainer has laundered $19.4M through Tornado Cash from a December multisig compromise.

IPOR Protocol confirmed a smart contract exploit on its USDC Fusion Optimizer vault deployed on Arbitrum. The January 6th attack resulted in $336,000 in stolen USDC. The IPOR DAO has committed to covering all losses from its treasury.

Security firms Hexagate and Blockaid first detected the malicious transaction. They immediately alerted the IPOR team to the suspicious activity. Darren Camas, who leads IPOR Fusion development, acknowledged the breach on X.

Initial estimates placed the affected assets at $369,000. Subsequent investigation revised this figure down to $336,000 USDC. The loss represents less than one percent of total funds secured by the Fusion protocol.

The vulnerability stemmed from a legacy vault configuration. Newer vaults remain unaffected by this specific attack vector. IPOR confirmed all other Fusion vaults continue operating securely.

IPOR Exploit Root Cause Traced to EIP-7702 Vulnerability

Blockchain security firm SlowMist's MistEye monitoring system identified the technical root cause. The exploit targeted an underlying contract delegated through EIP-7702. This Ethereum improvement proposal enables externally owned accounts to delegate to smart contracts.

The vulnerable contract contained a flaw allowing arbitrary external calls. Attackers exploited this weakness to create and configure a malicious fuse contract. They then used this contract to drain funds from the PlasmaVault.

SlowMist noted the attack exploited Pectra incompatibility issues. These problems specifically affected the oldest vault construction in the IPOR system. The firm urged users to remain vigilant against similar vulnerabilities.
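A check a defender could run against the accounts tied to a vault is sketched below as an added example; it is not code from IPOR, SlowMist or the original article. It classifies the bytecode returned by `eth_getCode` using the EIP-7702 delegation designator (`0xef0100` followed by the 20-byte delegate address) and reports privileged accounts that delegate to an unreviewed contract. The role names, addresses and allow-list are constructed for illustration.

```python
# Added example: audit privileged accounts for EIP-7702 delegations.
# All roles, addresses and code values below are constructed sample data.
from typing import Optional, Tuple

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 designator marker
DESIGNATOR_LEN = 23                          # 3-byte prefix + 20-byte address


def classify_code(code_hex: str) -> Tuple[str, Optional[str]]:
    """Classify the hex string returned by eth_getCode for one account."""
    h = code_hex[2:] if code_hex[:2].lower() == "0x" else code_hex
    raw = bytes.fromhex(h)
    if not raw:
        return "eoa", None  # no code, including after a delegation is cleared
    if raw.startswith(DELEGATION_PREFIX):
        if len(raw) != DESIGNATOR_LEN:
            return "malformed_designator", None
        return "delegated_eoa", "0x" + raw[3:].hex()
    return "contract", None


def audit_privileged(accounts, approved_delegates):
    """accounts maps role -> (address, code_hex); returns a list of findings."""
    approved = {a.lower() for a in approved_delegates}
    findings = []
    for role, (address, code_hex) in accounts.items():
        kind, delegate = classify_code(code_hex)
        if kind == "delegated_eoa" and delegate not in approved:
            findings.append((role, address, "unreviewed delegate " + delegate))
        elif kind == "malformed_designator":
            findings.append((role, address, "malformed delegation designator"))
    return findings


# Constructed snapshot: hypothetical role -> (address, eth_getCode result).
SAMPLE = {
    "owner": ("0x" + "11" * 20, "0x"),
    "strategy_executor": ("0x" + "22" * 20, "0xef0100" + "aa" * 20),
    "fee_manager": ("0x" + "33" * 20, "0xEF0100" + "bb" * 20),
    "fuse": ("0x" + "44" * 20, "0x6080604052"),
}
APPROVED = ["0x" + "BB" * 20]  # delegates that have been reviewed (constructed)

if __name__ == "__main__":
    for finding in audit_privileged(SAMPLE, APPROVED):
        print(finding)
```

Run periodically, a check like this surfaces a delegation that appears on an account that was a plain externally owned account when the vault was deployed.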

A Coinwaft journalist asked Darren Camas, who leads IPOR Fusion development, whether there was a specific timeline for user reimbursements following the incident.

Camas said the funds are secured and that the team is currently running tests to ensure vault balance restitution is executed correctly before reopening access. He added that the identified attack vectors have been removed and that reimbursements are expected to take place today.

Users seeking further updates were advised to join the IPOR Discord for official communications.

IPOR has engaged SEAL_Org for recovery assistance. The team is collaborating with multiple security entities to track the stolen funds. All affected depositors will receive full reimbursement from the DAO treasury.

Whale Wallet Drainer Moves $19.4M Through Tornado Cash

Meanwhile, a separate cybercriminal continues laundering funds from a December wallet compromise. PeckShield reported the attacker has moved $19.4 million through Tornado Cash. The original theft totaled $27.3 million from a compromised multisig wallet.

The drainer withdrew an additional 1,000 ETH worth $3.24 million from Aave. These funds were subsequently routed through the cryptocurrency mixer. Total deposits to Tornado Cash have reached 6,300 ETH across multiple transactions.

The attacker maintains control of the victim’s compromised wallet. This wallet holds a significant leveraged position worth $9.75 million. The position includes $20.5 million in ETH collateral against $10.7 million in DAI debt.

Approximately $2 million in liquid assets remains unlaundered. The attacker has moved swiftly since the December 18th incident. Blockchain analysts continue monitoring the wallet for additional movements.

Following this breach, the cryptocurrency community faces mounting concerns over smart contract security. The IPOR exploit adds to a growing list of DeFi vulnerabilities discovered in early 2025. Protocol teams are increasingly relying on real-time monitoring services for threat detection.

The rapid response from Hexagate and Blockaid helped limit potential damage. Their notification enabled IPOR to quickly identify and contain the exploit. Such partnerships between protocols and security firms are becoming industry standard.

IPOR’s decision to reimburse affected users demonstrates commitment to depositor protection. The DAO treasury mechanism provides a safety net for such incidents. This approach may influence how other protocols structure their risk management frameworks.

Both incidents highlight the persistent threats facing decentralized finance platforms. Smart contract vulnerabilities and wallet compromises remain primary attack vectors. Users are advised to diversify holdings across multiple protocols and wallets.

Disclaimer: Coinwaft is a crypto media platform providing cryptocurrency news, analysis, and trading information. The content of this article is for informational purposes only and should not be considered as financial, legal, or investment advice. Readers are advised once again to research or consult a financial expert before making any financial decision.

© 2026 Coinwaft. All Rights Reserved.
