🚨SlowMist TI Alert🚨
We have detected a malicious transaction exploiting a flawed EIP-7702 account, resulting in a loss of 1,988.5 $QNT (approx. 54.93 $ETH).
The root cause is that the admin identity of a QNT reserve pool is held by an EOA (0xc6ddf90790b433743bd050c1d1d45f673a3413f4), which delegated its code to a `BatchExecutor` contract via the EIP-7702 mechanism.
Unfortunately, `BatchExecutor` designates the permissionless `BatchCall` contract (0x044dc3e39c566a95011e272ec800dbd2cc9c057c) as an authorized caller.
`BatchCall.batch()`, in turn, performs no permission checks and is open to any external caller. The result is an arbitrary call vulnerability, which allowed the attacker to drain the $QNT tokens from the reserve pool.
Exploit tx:
Powered by SlowMist.AI
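
The trust chain described in the alert, as an added example that is not part of the original post and not the deployed contracts' code: a simplified Python model of the `msg.sender` checks, showing the configuration as described next to two mitigations. The class shapes, placeholder addresses and the call string are assumptions made for illustration.

```python
# Added illustration: a simplified model of msg.sender checks, not the deployed
# contracts. Addresses, method shapes and the call string are constructed.
ANYONE = None  # forwarder accepts any caller

class DelegatedEOA:
    """EOA running BatchExecutor-style code via EIP-7702 (hypothetical shape)."""
    def __init__(self, address, authorized_callers=()):
        self.address = address
        # The account itself is always allowed; extra callers widen the trust set.
        self.authorized = {address, *authorized_callers}

    def execute(self, msg_sender, call):
        if msg_sender not in self.authorized:
            raise PermissionError("execute: caller not authorized")
        return {"performed_as": self.address, "call": call}

class BatchCall:
    """Forwarder contract; allowed_callers=ANYONE models the missing check."""
    def __init__(self, address, allowed_callers=ANYONE):
        self.address = address
        self.allowed = allowed_callers

    def batch(self, msg_sender, target, call):
        if self.allowed is not ANYONE and msg_sender not in self.allowed:
            raise PermissionError("batch: caller not allowed")
        # The target sees the forwarder as msg.sender, not the original caller.
        return target.execute(self.address, call)

def stranger_can_act_as(eoa, forwarder, stranger="0xStranger"):
    """True if an unrelated address can make `eoa` perform a call."""
    try:
        forwarder.batch(stranger, eoa, "reservePool.adminOnly()")
        return True
    except PermissionError:
        return False

EOA, FWD = "0xAdminEOA", "0xBatchCall"  # constructed placeholder addresses

def scenarios():
    open_fwd = BatchCall(FWD)                       # no permission check
    gated_fwd = BatchCall(FWD, allowed_callers={EOA})
    return {
        "as_described": stranger_can_act_as(DelegatedEOA(EOA, {FWD}), open_fwd),
        "self_only": stranger_can_act_as(DelegatedEOA(EOA), open_fwd),
        "gated_forwarder": stranger_can_act_as(DelegatedEOA(EOA, {FWD}), gated_fwd),
    }

if __name__ == "__main__":
    print(scenarios())
```

In this model either change closes the path: the delegated account trusting only itself, or the forwarder restricting who may call `batch()`.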