Ambient Finance CrocSwapDex Exploit: $110K Lost to Surplus-Collateral Accounting Bug
Ambient Finance's CrocSwapDex lost about $110K after a surplus-collateral accounting bug let an attacker cycle swaps and LP mint/burn calls before withdrawing 83.72 ETH.

- Incident Date: June 7, 2026
- Target: Ambient Finance / CrocSwapDex on Ethereum
- Target Overview: Ambient Finance is a decentralized exchange protocol. The reported victim component was CrocSwapDex, with public alerts pointing to the Ethereum contract 0xaaaaaaaaa24eeeb8d57d431224f73832bc34f688.
- Reported Exploit Transaction: 0xb2fc668c42623261074de6fc30d583efede2b0e20d7aded42b7b634f9322ff52
- Reported Block: 25266405
- Execution Time: June 7, 2026, 15:26:35 UTC
- Total Loss: Approximately $110,000. CryptoCity/TenArmor summarized the loss at about $110,600, while Defimon Alerts reported roughly 33.7 ETH net profit after the attacker paid a large builder bribe.
- Attack Vector: Smart-contract logic flaw / accounting bug / surplus-collateral abuse
Incident Review & Technical Details
1. Attack Path
- Flash-loan funding: The attacker began with a Balancer Vault flash loan of 50 WETH and 1 USDC. The transaction receipt confirms transfers from Balancer Vault to the attack helper before the CrocSwapDex interaction sequence.
- Repeated CrocSwapDex command cycling: According to Defimon Alerts, the attacker repeatedly routed userCmd calls through CrocSwapDex, cycling 14 times between HotProxy swaps (cmd 1) and WarmPath LP mint/burn logic (cmd 2) on the USDC/ETH pool.
- Surplus accounting was pushed out of sync: The reported failure was not a Balancer issue or a USDC/WETH token issue. The exploit path abused surplus-collateral accounting inside CrocSwapDex, specifically the ColdPath surplus operations identified by Defimon as DEPOSIT_SURPLUS (0x49) and DISBURSE_SURPLUS (0x4a).
- Final surplus disbursement extracted ETH: The final ColdPath disburseSurplus step withdrew approximately 83.72 ETH from the DEX. The on-chain receipt shows a WETH deposit event of 83.72198871171248 WETH during the transaction.
- Net profit was lower than gross outflow: After flash-loan repayment and the reported builder payment, Defimon Alerts estimated that the attacker retained roughly 33.7 ETH, equivalent to about $110,000 at the time of the alert.
- Public evidence remains alert-led: At the time of writing, the reviewed sources did not include a project-owned post-mortem, patched code diff, recovery plan, or final accounting reconciliation from Ambient Finance.
2. Impact Scope
- Protocol-Level Loss: Public reporting placed the exploit at approximately $110,000 in net economic loss.
- Gross ETH Movement: The transaction sequence involved an 83.72 ETH surplus withdrawal before flash-loan repayment and builder-payment effects.
- Affected Component: The reported affected component was CrocSwapDex surplus accounting around the USDC/ETH pool, not Ethereum consensus, Balancer Vault, USDC, or WETH.
- Affected Network: Ethereum mainnet.
- Affected Participants: Liquidity providers and traders exposed to the affected Ambient/CrocSwapDex pool were the practical risk surface if the accounting imbalance impaired pool value or execution quality.
- Disclosure Gap: The exact vulnerable invariant, patched function set, residual exposure, and reimbursement status remain unconfirmed until Ambient Finance or an independent full trace publishes a final post-mortem.
3. Official Statements
- Ambient Finance: No public final post-mortem, recovery announcement, or patch disclosure had been identified in the reviewed sources at the time of writing.
- Defimon Alerts: Defimon Alerts attributed the exploit to a surplus-collateral accounting bug in CrocSwapDex and provided the transaction, victim contract, command path, flash-loan amount, gross ETH withdrawal, and estimated net profit.
- CryptoCity / TenArmor summary: CryptoCity published a brief alert citing TenArmor monitoring and describing the Ambient Finance incident on Ethereum as an approximately $110,600 loss.
4. Investigation Progress
The exploit transaction succeeded on Ethereum mainnet in block 25266405. Public RPC data confirms interaction with Balancer Vault, WETH, USDC, and CrocSwapDex during the transaction, while Defimon's alert provides the current public technical interpretation of the repeated userCmd path.
The most important open question is the exact invariant that failed inside CrocSwapDex surplus accounting. A complete follow-up should clarify whether the bug came from stale surplus balances, repeated mint/burn side effects, cross-command state reuse, insufficient settlement checks, or a mismatch between pool liquidity accounting and user surplus accounting.
Recommended response steps for Ambient-style DEX systems:
- Reconstruct transaction 0xb2fc668c42623261074de6fc30d583efede2b0e20d7aded42b7b634f9322ff52 on a fork and convert the 14-cycle command sequence into a regression test.
- Add invariants that bind user surplus balances, pool reserves, LP mint/burn state, and final disbursement amounts across every userCmd path.
- Treat command routers as shared accounting surfaces: HotPath/HotProxy, WarmPath, and ColdPath flows should be tested together, not only as isolated modules.
- Add per-transaction surplus withdrawal caps, settlement assertions, and emergency monitoring for repeated command cycling against the same pool.
- Publish a final incident report with the vulnerable function path, confirmed loss, attacker contract set, patch status, and user impact assessment.
AUTOSEC.DEV Solution
Preventing a repeat of the Ambient/CrocSwapDex failure mode requires testing DEX accounting as a multi-command state machine, not as separate swap and LP helper functions.
- Secure Code Review - CrocSwapDex's reported failure centered on surplus-collateral accounting across userCmd, HotProxy swap, WarmPath LP mint/burn, and ColdPath disbursement flows. AUTOSEC.DEV reviews smart-contract accounting invariants, command routers, internal balance ledgers, settlement logic, and edge cases where repeated calls can desynchronize value.
- Penetration Testing - The 14-cycle attack shape shows why DEX paths need adversarial fork testing beyond standard unit coverage. We build attacker-style transaction simulations around flash loans, repeated command routing, LP mint/burn loops, and final withdrawal assertions before mainnet exposure.
- Incident Response - For recent DEX accounting exploits, AUTOSEC.DEV can support transaction reconstruction, fund-flow tracing, emergency pause or parameter review, public technical disclosure, and post-incident regression-test design.