2026-05-16 · Loss: 0 · Post-Incident On-Chain Message

This Ethereum transaction occurred on 2026-05-16 18:28:23 UTC and is not the exploit execution path for the Adshares Wrapper incident. The trace shows a single zero-value CALL from 0xcb6af4e5e29d66A14af1F516BaAF1D5F7d8F6b84 to 0x63e22ce9bde9bb8892a447258abfcaa4142f001b carrying plaintext calldata that repeats the whitehat return message from the alert. No internal calls, logs, token transfers, or ETH transfers occur, so the financial impact of this specific transaction is zero. The only supported conclusion from the collected artifacts is that this hash is a post-incident communication artifact referencing the separate Adshares Wrapper exploit.

Root Cause

Vulnerable Contract

The incident brief points to WrappedADS at 0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A as the suspected affected component. The contract is not a proxy according to manifest.json, and its source is verified in 0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A/0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A.sol. However, this transaction never calls that contract, so the exploit root cause cannot be attributed from this dataset alone.

Vulnerable Function

No vulnerable Adshares Wrapper function is exercised in 0x7a823a891b7c5c02de50931f34cf50fc12cc600fe8b390b8f3dc29f2222c93b8. The only observed call targets 0x63e22ce9bde9bb8892a447258abfcaa4142f001b, and the calldata is free-form ASCII text rather than ABI-encoded function input.

Vulnerable Code

The closest relevant wrapper entrypoints reviewed from source are the unwrap paths below, but none of them are invoked in this transaction and no line in this snippet can be identified as the exploit trigger from the available evidence.

function unwrap(uint256 amount, uint64 to) public whenNotPaused {
    _unwrap(amount, to, 0);
}

function unwrapMessage(uint256 amount, uint64 to, uint128 message) public whenNotPaused {
    _unwrap(amount, to, message);
}

function _unwrap(uint256 amount, uint64 to, uint128 message) internal {
    _checksumCheck(to);
    emit Unwrap(_msgSender(), to, amount, message);
    _burn(_msgSender(), amount);
}

function unwrapFrom(address account, uint256 amount, uint64 to, uint128 message) public whenNotPaused {
    _checksumCheck(to);
    emit Unwrap(account, to, amount, message);
    _burnFrom(account, amount);
}

Why It’s Vulnerable

Expected behavior for an exploit report is that the analyzed transaction reaches the vulnerable contract, executes a state-changing path, and moves assets in a way that can be tied back to a concrete missing check or flawed invariant. Actual behavior here is different: the trace contains only one top-level call to a separate message destination, with no nested execution into WrappedADS, no event emissions, and no transfers in funds_flow.json.

That matters because any attempt to name an Adshares Wrapper root cause from this transaction would be speculative and would violate the evidence hierarchy. The correct forensic conclusion for round 1 is narrower: this hash documents incident response messaging after the exploit, not the exploit mechanism itself. The exploit root cause remains unproven until the actual draining transaction is analyzed.

Attack Execution

High-Level Flow

1. The sender address named in the public alert submits a zero-value Ethereum transaction.
2. The transaction targets 0x63e22ce9bde9bb8892a447258abfcaa4142f001b, not the Adshares Wrapper.
3. The calldata embeds a plaintext law-enforcement and whitehat bounty message.
4. The call completes successfully without any internal calls or emitted logs.
5. No funds move, so this transaction functions only as an on-chain notice.

Detailed Call Trace

• Depth 0: 0xcb6af4e5e29d66a14af1f516baaf1d5f7d8f6b84 -> 0x63e22ce9bde9bb8892a447258abfcaa4142f001b, CALL, value 0
  • Input prefix 0x4c617720 is unresolved in selectors.json and corresponds to the ASCII start of the plaintext payload ("Law"), not to an ABI-resolved function selector.
  • No child calls appear under this frame in trace_callTracer.json.

Financial Impact

funds_flow.json reports No attacker gains detected, with no ERC-20 transfers, approvals, or ETH transfers. The total loss attributable to this transaction is therefore 0 tokens and $0. No user, LP, or protocol treasury balance change is evidenced in the collected artifacts for this hash.

Evidence

• Transaction hash: 0x7a823a891b7c5c02de50931f34cf50fc12cc600fe8b390b8f3dc29f2222c93b8
• Block number: 25109526
• Block timestamp: 2026-05-16T18:28:23Z
• Receipt status: 1
• Sender: 0xcb6af4e5e29d66A14af1F516BaAF1D5F7d8F6b84
• Tx target: 0x63e22ce9bde9bb8892a447258abfcaa4142f001b
• Suspected affected contract from the incident brief: 0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A
• Receipt logs: none
• ERC-20 transfers: none
• ETH transfers: none
• Trace depth: one top-level call only

• https://twitter.com/defimonalerts/status/2055717050484396118