ExVul Security

This article aims to provide a more practical and in-depth RWA integration reference for developers in the Pharos ecosystem. We attempt to restore the complex challenges and solutions faced when bringing real-world assets (RWA) on-chain from the perspectives of business logic and risk control architecture.

On January 13, Polycule officially confirmed that its Telegram trading bot was hacked, resulting in approximately $230,000 in user assets being compromised. The team stated on X that they have taken the bot offline and promised compensation, which has sparked discussions in the industry about the security of Telegram Trading Bots. Through its functional design, it is evident that this is not a single point of failure, but rather a long-term systemic risk that has been underestimated under the trading bot model.

On January 8, 2026, the Truebit Protocol was attacked by hackers, resulting in a loss of 8,535.36 ETH (approximately $26.44 million). The official Truebit Protocol confirmed this the next morning. The ExVul security team conducted a detailed vulnerability analysis of the attack.

On December 1, 2025, Yearn suffered a multi-stage combination attack, resulting in a loss of approximately $9 million. The attacker leveraged funds through a flash loan, exploiting flaws in the protocol's extreme scenario validation, logical branching, and precision control to gradually manipulate the liquidity pool and achieve nearly infinite minting of yETH LP. The incident highlights the specialization of DeFi attacks and exposes the protocol's shortcomings in edge scenarios, combination vulnerability, and monitoring systems.

The prediction market is transitioning from a niche experiment to financial infrastructure, with Polymarket's transaction volume exceeding $5 billion and Kalshi receiving over $100 million in investment from Sequoia. As product complexity increases, security risks also amplify. This article will analyze risks from the perspective of Web3 security and introduce ExVul's protection solutions.

On November 3, 2025, the Balancer protocol suffered a hacker attack on multiple public chains including Arbitrum and Ethereum, resulting in a loss of $120 million in assets. The core of the attack stemmed from a dual vulnerability involving precision loss and invariant manipulation. The key issue of this attack lay in the protocol's logic for handling small transactions.

On September 23, the UXLINK project's multi-signature wallet was attacked due to a private key leak, resulting in the theft of approximately $11.3 million in crypto assets, which were transferred to multiple CEX/DEX. After the incident, ExVul intervened immediately, collaborating with the project team to conduct investigation and analysis while monitoring the flow of funds in real time.

On September 7, 2025, Beijing time, Nemo on the Sui chain was attacked, and hackers stole approximately 2.59 million dollars by manipulating py_index. The fundamental reason for the theft of Nemo was that PyState was incorrectly set as a mutable reference.

On September 7, 2025, Beijing time, Nemo on the Sui chain was attacked, and hackers stole approximately $2.59 million by manipulating py_index. The root cause of the theft of Nemo was that PyState was incorrectly set as a mutable reference.