Lumi Finance on Arbitrum reportedly suffered a ~$270k exploit tied to an ERC-4337 smart account (Sodium) logic flaw in validateUserOp signature verification, allowing attacker-controlled isValidSignature to pass after ECDSA.tryRecover failed without reverting. The incident reinforces smart-account and DeFi contract risk on Arbitrum, likely pressuring near-term risk appetite for smaller protocols and increasing scrutiny of account-abstraction implementations.
Impact level
● Low
Affected assets
ARB/USDT-1.63%
AI Insight · ARB/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Lumi Finance, a protocol on Arbitrum, was exploited on July 13, with losses estimated at about $270,000, according to GoPlus monitoring cited by Odaily Planet Daily. The issue was traced to a logic flaw in the Sodium smart account contract (ERC4337), specifically within the validateUserOp function. During signature verification via _validateSignature, the signer parameter was incorrectly set to the attacker's address. When ECDSA.tryRecover failed, the call did not revert; instead, it fell through to isValidSignature on the attacker-controlled contract, allowing the operation to pass validation.