goplus

In response to the recent attack on the "ListaDAOLiquidStakingVault" contract, ListaDAO officially released a statement clarifying that the attacked contract was not deployed by the official team, but rather was a counterfeit contract created by an unverified third party using a similar name. All official contracts of ListaDAO were not affected by this incident.According to an in-depth analysis by the GoPlus security team, the attack occurred on April 16, 2026, and the root cause was a business logic flaw in the third-party contract. When a token transfer was made, it triggered the Dividend.setShares() function and altered the share accounting within the contract, which in turn affected the reward calculation in the claimReward() function. The attacker exploited this vulnerability to deplete the assets within the contract.GoPlus reminds that since this logical flaw exists in both segments of the contract code mentioned above, any development projects that fork or reuse this code face a high risk of being exploited. It is recommended that relevant developers promptly conduct code inspections and fixes, and implement continuous auditing mechanisms to ensure the security of smart contracts.

Web3 wallet infrastructure Claw Wallet announced a strategic partnership with GoPlus. Claw Wallet has integrated GoPlus's SafuSkill Launchpad, supporting the assetization and tokenization of AI skills, empowering developers to obtain continuous on-chain revenue through GitHub verification.At the same time, Claw Wallet introduces GoPlus AgentGuard security scanning technology, which conducts real-time monitoring and risk visualization of AI Agent's code, sensitive data, and operating environment through a multi-dimensional scoring system. This collaboration aims to enhance the security of AI Agent wallets and improve their ecological incentive mechanisms.

According to disclosures from the GoPlus Chinese community, a user lost approximately $316,000 in USDC from their wallet due to signing a malicious Permit2 transaction, which was exploited by a phishing attacker.GoPlus advises users to adhere to the "four no" principles for phishing prevention: do not click on unfamiliar links, do not install unknown software, do not sign transactions with unclear content, and do not transfer funds to unverified addresses. They also recommend installing the GoPlus security plugin to intercept phishing risks in real-time.

According to GoPlus Security, a piece of malware named Infiniti Stealer is targeting Mac users' cryptocurrency wallets and sensitive credentials through a "ClickFix" social engineering attack method.The attackers forge a highly realistic Cloudflare CAPTCHA page to lure users into opening the terminal and manually pasting malicious commands. After executing the command, the script removes the macOS quarantine attribute and silently writes subsequent payloads to the /tmp directory. The final payload is a native macOS binary compiled with Nuitka, significantly increasing the difficulty of detection by security tools. Once deployed, Infiniti Stealer can steal Chromium / Firefox browser credentials, macOS Keychain, cryptocurrency wallets, and developer key files (such as .env files), and it has sandbox detection and delayed execution capabilities to evade tracking.

According to a security alert released by GoPlus Security, Silverfort security researchers discovered a serious vulnerability in OpenClaw's skill repository ClawHub. Attackers can bypass all protective mechanisms by calling the internal function downloads:increment, allowing them to inflate the download count to over 20,000 in just a few minutes with a single curl request, thereby pushing malicious skills to the top of search rankings and enticing users or AI Agents to install them automatically.Once the malicious skill is running, it can steal sensitive data such as cryptocurrency wallets and API keys. The vulnerability has been patched within 24 hours. GoPlus advises users that a high download count does not equal safety and recommends using AgentGuard for security scanning and protection.

According to Arkham data, at 15:54, 1.6 billion GPS (worth approximately 12.31 million USD) were transferred from GoPlus to a contract address (starting with 0x7448...).

According to GoPlus security monitoring, an address starting with 0x9709 signed malicious Permit and Approve transactions, resulting in approximately $200,000 worth of USDC and wmtUSDT being stolen by phishing attackers.GoPlus states that users should carefully verify transaction details and contract addresses when signing any on-chain authorizations (Approve) or offline signatures (Permit) to avoid signing unknown malicious requests and prevent asset theft.

According to GoPlus monitoring, a user lost approximately $85,000 in sNUSD to a phishing attack due to signing a malicious Approve transaction.

According to GoPlus monitoring, about 8 hours ago, a user lost $1.76 million in USDC to a phishing attack after signing a malicious Permit transaction.

GoPlus released a report on social media stating that it conducted a comprehensive security scan on the top 100 high-frequency download Skills in the ClawHub ecosystem. The number of skills that were blocked reached 21 (accounting for 21%), while the number of skills that received warnings was 17 (accounting for 17%).GoPlus indicated that 21% of the Top 100 Skills involve clearly high-risk operations (such as direct network penetration, sensitive API calls, automatic messaging, etc.), and it is recommended to enforce a "Human-in-the-Loop (HITL)" confirmation mechanism when executing such Skills, to conduct manual reviews of high-risk behaviors. 17% of Skills carry certain risks, and it is advised to execute them with caution; for users with higher security requirements, manual confirmation is also recommended.In this context, GoPlus Security announced the launch of SafuSkill, a security-first Skills marketplace. SafuSkill is built on the BNB Chain and integrates a skills marketplace, an automated Skills security scanning engine, and developer management tools into an AI Agent Skills platform, aimed at helping users filter and discover safer AI Agent Skills. It provides security scanning and runtime protection capabilities for AI Agent Skills, promoting the development of the AI Agent ecosystem towards a more transparent and secure infrastructure layer.

According to the security alert released by GoPlus, attackers are using Google search ads to deploy malware that is a pixel-perfect clone of the official #Claude Code installation page. This malware steals user passwords, cookies, session tokens, crypto wallets, credentials, and system information.GoPlus recommends identifying the ad labels in search results, carefully checking the subtle differences in URLs compared to the official website; verifying installation methods through multiple channels such as official documentation, social media, or GitHub repositories; not executing unfamiliar commands directly and analyzing command behavior before running; and installing security plugins to intercept phishing links, risky signatures, authorizations, and transactions in real-time.

Web3 security company GoPlus stated that the AI development tool OpenClaw has recently been reported to have experienced a self-attack security incident. During the execution of automated tasks, the system constructed an incorrect Bash command while calling Shell commands to create a GitHub Issue, inadvertently triggering command injection, which led to the exposure of a large number of sensitive environment variables.In the incident, the AI-generated string contained a set wrapped in backticks, which was interpreted by Bash as command substitution and executed automatically. Since Bash outputs all current environment variables when executing set without parameters, this ultimately resulted in over 100 lines of sensitive information (including Telegram keys, authentication tokens, etc.) being directly written to the GitHub Issue and publicly published. GoPlus recommends that in AI automation development or testing scenarios, API calls should be used instead of directly concatenating Shell commands, and the principle of least privilege should be followed to isolate environment variables. Additionally, high-risk execution modes should be disabled, and a manual review mechanism should be introduced for critical operations.

GoPlus announced a long-term strategic partnership with Custos. The teams from both sides will engage in deep cooperation around the token locking business, exploring new possibilities for on-chain asset management, and elevating token locking from a basic tool to a protocol-level capital strategic infrastructure.Both parties will maintain clear boundaries and distinct roles, achieving strategic synergy while developing independently. Custos will focus on innovation at the asset management protocol layer, driving the token locking business to a higher level. GoPlus will continue to build secure infrastructure while providing strategic support for Custos's development.

GoPlus released a security alert stating that the 4AGENT token (contract starting with 0x15ea), themed around Gork 4.2, is a Pi Xiu token, with KOLs and smart money being affected, resulting in a total loss of 170 #BNB (approximately $100,000).Out of the attack proceeds, 123.7 BNB was transferred to an address starting with 0xFcc7; another 46 BNB was exchanged for ETH via orbiter and crossed to an address starting with 0x96f4. The source of the Dev funds is Bitget, and by tracing back through the cross-chain address, two previously issued malicious tokens that were also not open-sourced were found: DEBOT and U Lottery.

GoPlus Chinese community issued a warning on platform X, stating that North Korean hackers have published a set of 26 malicious packages to the npm registry. These malicious packages come with an installation script ("install.js") that automatically executes during the package installation process, running malicious code located in "vendor/scrypt-js/version.js".The malicious code downloads and executes a remote access trojan (RAT) via the same malicious URL, implementing malicious activities such as keylogging, clipboard theft, browser credential collection, TruffleHog secret scanning of Git repositories, and SSH key theft. This incident is related to a North Korean hacking activity known as "Famous Chollima".

GoPlus Chinese Community has issued a warning that the OpenClaw Gateway has a high-risk vulnerability. Please upgrade to version 2026.2.25 or higher immediately, and audit and revoke unnecessary credentials, API keys, and node permissions granted to Agent instances.The analysis states that OpenClaw operates through a WebSocket Gateway bound to the localhost, which serves as the core coordination layer for the Agent and is an important component of OpenClaw. This attack targets the vulnerabilities in the Gateway layer, requiring only one condition: the user visits a malicious website controlled by hackers in their browser.The complete attack chain is as follows: 1. The victim visits a malicious website controlled by the attacker in their browser; 2. JavaScript on the page initiates a WebSocket connection to the OpenClaw gateway on the localhost; 3. Subsequently, the attack script attempts to brute-force the gateway password hundreds of times per second; 4. Upon successful cracking, the attack script silently registers as a trusted device; 5. The attacker gains administrator-level control over the Agent.

GoPlus Security warns users to be cautious of a new type of Android malware called PromptSpy. This malware lures users into downloading APK files through phishing websites (such as those disguised as bank websites) and can remotely control devices after obtaining accessibility permissions.What makes PromptSpy unique is its use of the Google Gemini API to analyze the device interface and develop attack strategies, allowing it to better adapt to different phone brands and system versions, thereby increasing the stealth and success rate of the attacks.

According to GoPlus monitoring, a user lost approximately $127,000 worth of USDC, TIBBIR, and PAXG assets to a phishing attack after signing multiple malicious Approve transactions.

According to the official announcement from Bithumb, Bithumb will add the GoPlus (GPS) Korean Won market trading pair.

According to disclosures from the GoPlus Chinese community, the prediction market platform Polymarket was hacked due to a design flaw in the synchronization mechanism between off-chain and on-chain trading results in its order system.The attacker manipulated the nonce, causing on-chain matched trades to be canceled or invalidated before execution, while off-chain records remained valid, leading to API false reports that affected trading behaviors of bots like Negrisk, resulting in user losses. The analysis of the attack process is as follows:The attacker submitted/matched large reverse trades with the market-making bot on the Polymarket off-chain orderbook.The attacker constructed transactions with forged/repeated nonces or utilized on-chain nonce competition, causing the on-chain transactions to inevitably revert.The Polymarket API returned "transaction successful" to the bot before on-chain confirmation, leading the bot to believe that the position had been hedged, while the actual on-chain state had not changed.The attacker then executed real on-chain trades to take advantage of the direction exposed by the bot, thus profiting "risk-free."Since the revert occurred at the chain level, Polymarket fees would not explode, making the attack cost controllable and executable continuously.GoPlus recommends that users pause automated trading tools, verify on-chain trading statuses, enhance wallet security, and closely monitor official announcements from Polymarket.