In a stark reminder of the vulnerabilities plaguing decentralized finance (DeFi), security firm Cyvers has detected a major exploit on the Arbitrum network, resulting in the theft of approximately $1.5 million from proxy contracts associated with the USD Gambit (USDG) and TLP projects.
The incident, flagged early this morning, highlights ongoing risks in smart contract access controls and deployer account security.According to Cyvers' real-time alert, the attack appears to stem from a compromise of the projects' single deployer account.
The attacker exploited this by deploying a malicious contract and upgrading the ProxyAdmin privileges, granting themselves unauthorized control over the affected contracts. This allowed them to siphon funds, primarily in USDT and other assets, from the victim addresses.Key details from the Cyvers dashboard include:
Total Estimated Loss: ~$1.5M, with initial traces showing $666,867 in USDT drained in a single transaction (tx hash:
0x6c9436035b695bfa6fa1abed252c5e1b...).
Attacker Address:
0x763a6764...5c112661, which received the bulk of the stolen funds.
Victim Address:
0x67af542d...3e8e1cb4, identified as a TransparentUpgradableProxy, suffering the primary balance depletion.
Detection Time: January 5, 2026, at 01:20:17 UTC, with the exploit unfolding over multiple suspicious transactions.
Post-exploit, the attacker bridged the funds to the Ethereum mainnet and funneled them into Tornado Cash, a privacy mixer notorious for laundering illicit proceeds. This move complicates tracing efforts and underscores the challenges in recovering stolen assets in the crypto space.
USD Gambit (USDG), a stablecoin-like token trading at around $0.92 (down 2% in the last 24 hours), and TLP (potentially a liquidity or trading pool token) are lesser-known projects on Arbitrum, focused on providing stable value and liquidity services.
The shared deployer suggests interconnected operations, amplifying the impact of the breach. While the exact nature of TLP remains unclear, preliminary analysis points to it being a companion project for liquidity provisioning.
Cyvers emphasized that this type of access control exploitation could have been mitigated with proactive monitoring and multi-signature safeguards. "If you wish to safeguard yourself against such incidents, please contact us to arrange a demo of our solution," the firm stated in their alert.
The incident adds to a growing list of 2026 DeFi exploits, following a reported 46% year-over-year increase in blockchain security incidents totaling $2.935 billion in losses last year. On-Chain Media reached out to the USD Gambit and TLP teams for comment but has not received a response as of publication.
Community reactions on X (formerly Twitter) have been swift, with calls for enhanced audits and deployer security practices. This breach serves as a cautionary tale for DeFi users: always verify contract upgrades and monitor for abnormal behavior.Stay tuned to On-Chain Media for updates as the investigation unfolds. For real-time alerts, follow security providers like Cyvers.
On-Chain Media articles are for educational purposes only. We strive to provide accurate and timely information. This information should not be construed as financial advice or an endorsement of any particular cryptocurrency, project, or service. The cryptocurrency market is highly volatile and unpredictable.Before making any investment decisions, you are strongly encouraged to conduct your own independent research and due diligence
Tags :
0 Comments
Show More
Solana is showing a bullish engulfing candlestick that could drive prices toward $150. Analysts forecast a potential 600% surge for XRP if market momentum strengthens.
Cyvers detects deployer account compromise, funds bridged to Ethereum and laundered through Tornado Cash. Latest DeFi security incident on January 5, 2026.
Revolut’s 2017 “experiment” is now the fintech standard. Neobanks, marketplaces & apps are all adding crypto to boost revenue, retention & user growth.
On-Chain Media is an independent, reader-funded crypto media platform. Kindly consider supporting us with a donation.
bc1qp0a8vw82cs508agere759ant6xqhcfgcjpyghk
0x18d7C63AAD2679CFb0cfE1d104B7f6Ed00A3A050
CBaXXVX7bdAouqg3PciE4HjUXAhsrnFBHQ2dLcNz5hrM
Contains the last 12 releases
