BTC $95,092.00 -0.07%
ETH $3,320.23 +0.76%
SOL $142.20 -1.46%
AVAX $13.60 -0.63%
UNI $5.31 -1.56%
AAVE $173.15 -1.16%
MATIC $0.000000 +0.00%
ATOM $2.51 -2.34%
LINK $13.78 +0.17%
ADA $0.3934 -0.78%
DOT $2.15 -2.93%
DOGE $0.1371 -0.28%
SHIB $0.000008 -1.54%
LTC $75.38 +0.56%
TRX $0.3169 +1.62%
XLM $0.2271 -0.39%
XMR $585.44 -5.75%
ALGO $0.1286 -3.40%
VET $0.0116 -3.00%
BTC $95,092.00 -0.07%
ETH $3,320.23 +0.76%
SOL $142.20 -1.46%
AVAX $13.60 -0.63%
UNI $5.31 -1.56%
AAVE $173.15 -1.16%
MATIC $0.000000 +0.00%
ATOM $2.51 -2.34%
LINK $13.78 +0.17%
ADA $0.3934 -0.78%
DOT $2.15 -2.93%
DOGE $0.1371 -0.28%
SHIB $0.000008 -1.54%
LTC $75.38 +0.56%
TRX $0.3169 +1.62%
XLM $0.2271 -0.39%
XMR $585.44 -5.75%
ALGO $0.1286 -3.40%
VET $0.0116 -3.00%
HASH Banner
Home › HASH Desk › IPOR Fusion vault...
HASH DESK

IPOR Fusion vault exploit causes $336K USDC loss on Arbitrum

AI-Powered • Editor Verified
•
January 7, 2026
IPOR Fusion vault exploit causes $336K USDC loss on Arbitrum

Blockchain security firms have flagged suspicious on-chain activity linked to the Fusion Plasma Vault contract, part of the IPOR (Inter Protocol Offered Rate) ecosystem, resulting in a confirmed exploit and a loss of approximately $336,000 in USDC.

Security monitoring platform MistEye was among the first to detect irregular transactions associated with IPOR, identifying a vulnerability tied to an underlying smart contract delegated by an externally owned account (EOA) controlled by the project team. 

According to the analysis, the delegated contract, implemented through EIP-7702, contained a flaw that allowed arbitrary external calls. This vulnerability enabled an attacker to deploy and configure a malicious “fuse” contract within the PlasmaVault architecture, ultimately draining funds from the affected vault.

The IPOR team stated that it was alerted to a malicious transaction on January 6 by security firms Hexagate and Blockaid. 

Following an internal investigation, the team confirmed that a legacy IPOR USDC Fusion Optimizer vault on Arbitrum had been exploited.

IPOR clarified that the incident was limited in scope. The root cause was traced to a specific legacy Fusion vault with a unique configuration, making it the only vault susceptible to this particular attack vector. As a result, no other Fusion vaults or user funds across the broader protocol were affected.

The total loss of $336,000 USDC represents less than 1% of the total funds secured by the Fusion system, according to the team.

In response, IPOR is working alongside security organizations, including SEAL and other relevant entities, to trace the stolen funds and explore potential recovery options. 

Importantly, the IPOR DAO has committed to covering the full shortfall from its treasury, ensuring that all affected depositors will be fully reimbursed.

The team emphasized that additional safeguards are being implemented and reaffirmed that no further vulnerabilities have been identified across the remaining Fusion vaults. IPOR stated that user fund safety remains its top priority as remediation efforts continue.