INK Finance: $140K USDT Vanishes in Flashy Heist!

41 PM UTC on May 11, 2026. They flagged the victim contract, the attacker’s address, and the exploit transaction faster than you can say “Polygonscan.”

The compromised contract, sitting pretty at 0xa184Af4B1c01815A4B57422A3419E4FB78a96Ee4, was an EIP-1967 beacon pattern contract deployed in December 2023. It was as dormant as a sloth until the exploit transaction woke it up with a rude surprise.

INK Finance has been bragging about their treasury management, governance flows, and on-chain payment modules across Avalanche and Polygon. But today, their treasury layer got hit harder than a Brooks comedy at a critics’ convention.

How the Heist Went Down

According to Blockaid’s post-mortem and on-chain forensics, the attacker didn’t crack any cryptography or steal keys. They just exploited a logic flaw in INK’s Workspace controller. Classic slapstick!

The Three-Act Comedy:

Act One. The attacker deployed a malicious contract at an address that matched a whitelisted claimer entry. Whitelisted-claimer logic? More like whitelisted-claimer loopy logic!

The integrity of the pattern? As solid as a Brooks movie plot.

Act Two. The attacker invoked claim(claimId), passed the whitelist check, and got the green light. The treasury proxy trusted that approval like a Brooks fan trusts a sequel.

Act Three. The attacker pulled a $25,000 flashloan from Balancer V2, drained $140K USDT, and repaid the loan in one atomic call. Flashloans: the get-rich-quick scheme of DeFi!

The malicious contract? Logged at 0x90b147592191388e955401af43842e19faa87ee2. The exploit transaction? Publicly viewable on Polygonscan. No hiding this blunder!

Follow the Money: Railgun to the Rescue

Blockaid traced the attacker’s wallet funding to Railgun on Ethereum, the privacy-preserving smart-contract system. Railgun: the modern Tornado Cash, minus the regulatory drama. Smooth move, Ex-Lax!

The attacker bridged funds to Polygon 32 minutes before the exploit. Pre-staged contract? Check. Gas and capital? Check. Timing? Impeccable. Execution? Sloppier than a Brooks punchline.

What Does It All Mean?

The $140K loss is small potatoes compared to the eight- and nine-figure exploits we’ve seen. But the vulnerability? That’s the real comedy gold. Whitelist-gated claim functions paired with proxy-based treasuries? More like whitelist-gated disaster functions!

The exploit is a textbook case of an authorization check that confirms who is calling without re-validating what they’re entitled to. It generalizes as well as a Brooks joke at a tech conference.
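A small Python model of that gap, added here as an illustration and not INK Finance's contract code: `claim_weak` checks only the whitelist, while `claim_hardened` also ties each claim to its beneficiary and marks it paid. The `Treasury` class, the addresses and the amounts are constructed for the example.

```python
from dataclasses import dataclass

class Unauthorized(Exception):
    pass

@dataclass
class Claim:
    beneficiary: str    # the only address entitled to this claim
    amount: int         # approved payout in token base units
    paid: bool = False

class Treasury:
    def __init__(self, balance, whitelist, claims):
        self.balance = balance
        self.whitelist = set(whitelist)
        self.claims = dict(claims)   # claim_id -> Claim

    def _pay(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient treasury balance")
        self.balance -= amount
        return amount

    def claim_weak(self, caller, claim_id):
        # Checks WHO is calling only: any whitelisted address can draw
        # any claim, any number of times.
        if caller not in self.whitelist:
            raise Unauthorized("caller not whitelisted")
        return self._pay(self.claims[claim_id].amount)

    def claim_hardened(self, caller, claim_id):
        if caller not in self.whitelist:
            raise Unauthorized("caller not whitelisted")
        claim = self.claims.get(claim_id)
        if claim is None:
            raise Unauthorized("unknown claim id")
        # Re-validate WHAT the caller is entitled to for this claim.
        if claim.beneficiary != caller:
            raise Unauthorized("claim belongs to another address")
        if claim.paid:
            raise Unauthorized("claim already paid")
        claim.paid = True            # record the payout before funds move
        return self._pay(claim.amount)

def make_treasury():
    # Constructed sample state; addresses and amounts are placeholders.
    return Treasury(1_000, {"0xAAA", "0xBBB"}, {1: Claim("0xAAA", 400)})
```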

Key observations for protocols with similar setups:

The Workspace Treasury Proxy was unverified on Polygonscan, limiting auditors’ ability to spot the flaw. The implementation has been live since 2023 without upgrades. Vulnerable logic? On-chain and exploitable for ages. Yikes!

The flashloan-assisted attack reinforces a DeFi pattern: if a contract’s logic is sensitive to caller balances, attackers will rent that balance for a single transaction. Balancer, Aave, Morpho: take your pick!

What’s Next?

INK Finance has yet to issue a formal statement. Blockaid has tagged the attacker’s address and exploit transaction, likely prepping for a showdown with centralized exchanges. Stay tuned for the sequel!

For INK Finance users: Revoke approvals, audit claimer whitelists, and avoid deploying fresh capital until a post-mortem and patch are confirmed. Better safe than sorry, or as Brooks would say, better safe than shticky!

The Crypto Times will keep you updated. Until then, keep your tokens close and your logic tighter!


2026-05-11 12:53