Lumi Finance on Arbitrum Hit for $270,000 After Smart Contract Flaw Exploited
AI Market Summary
Lumi Finance on Arbitrum reportedly lost ~$270k after an ERC-4337 smart account (Sodium) signature-validation logic flaw let an attacker bypass checks and trigger token approvals during UserOperation validation. The incident underscores smart-account and account-abstraction security risks, potentially dampening near-term confidence in Arbitrum DeFi integrations using similar validation patterns and increasing scrutiny on wallet/paymaster flows and contract audits.
Impact level
● Medium
Affected assets
ARB/USDT-1.63%
AI Insight · ARB/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Lumi Finance on Arbitrum was exploited on July 13, with losses estimated at about $270,000, according to ChainCatcher, citing a GoPlus analysis.
The incident was traced to a logic vulnerability in the validateUserOp function of the Sodium smart account contract (ERC4337). During signature verification via _validateSignature, the contract invoked isValidSignatureNow using the attacker's address as the signer parameter. When ECDSA.tryRecover failed, the contract did not revert; instead, it proceeded to call isValidSignature on the attacker's contract, which returned a passing result.
By leveraging this behavior, the attacker was able to execute Token approve operations during UserOperation validation, gaining ERC20 approval permissions from multiple smart accounts without the paymaster's consent.