The Inugami staking contract contains a logic vulnerability
The Inugami staking contract was exploited due to a vulnerability in its reward accounting logic. The attacker staked tokens during an inactive period following the conclusion of a reward cycle. Because the contract failed to correctly initialize the reward debt, the attacker was able to perform an excessive reward withdrawal, resulting in a loss of approximately $8,750.

- Attack Date: March 5, 2026
- Target: Inugami
- Target Overview: Inugami is a Web3 token staking and yield farming project that provides staking reward services.
- Loss Amount: Approximately $8,750
- Attack Vector: Logic Vulnerability
Incident Review & Technical Details
1. Attack Path:
- Accounting Logic Defect: The contract's reward accounting logic contained a flaw, failing to properly validate the status of the reward cycle.
- Inactive Period Staking: Users were able to stake during an inactive phase after the reward cycle had already concluded (endRewardTimestamp < block.timestamp).
- Improper Initialization: The contract failed to correctly initialize the Reward Debt for stakes made during this period. This resulted in the ability to perform an excessive reward withdrawal.
2. Impact Scope: Reward funds within the Inugami staking contract were drained due to inflated reward claims.
3. Official Determination: The official assessment confirmed a reward accounting logic vulnerability, specifically a failure to correctly handle staking behavior following the expiration of the reward period.
4. Investigation Progress: No further investigation details have been disclosed at this time.
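
The accounting failure described under Attack Path, shown as an added example that is not Inugami's contract code: a constructed Python model of accumulator-style reward-debt accounting, with the flawed variant beside the corrected one. It assumes the flaw takes the form of a stake path that skips reward-debt initialization once the cycle has ended; all class, method and parameter names and all numbers are hypothetical.

```python
# Constructed model of accumulator-based ("reward debt") staking accounting.
# Not Inugami's code; the skipped-initialization branch below is an assumption.
PRECISION = 10**12

class StakingPool:
    def __init__(self, rate, start, end_reward_timestamp, init_debt_after_end):
        self.rate = rate                  # reward tokens emitted per second
        self.end = end_reward_timestamp   # end of the reward cycle
        self.last = start                 # last timestamp rewards were accrued to
        self.acc = 0                      # accumulated reward per staked token (scaled)
        self.total = 0                    # total tokens staked
        self.users = {}                   # name -> [amount, reward_debt]
        self.init_debt_after_end = init_debt_after_end  # False = flawed variant

    def _update(self, now):
        t = min(now, self.end)            # rewards stop accruing at cycle end
        if t > self.last:
            if self.total:
                self.acc += (t - self.last) * self.rate * PRECISION // self.total
            self.last = t

    def pending(self, name, now):
        self._update(now)
        amount, debt = self.users.get(name, (0, 0))
        return amount * self.acc // PRECISION - debt

    def stake(self, name, amount, now):
        owed = self.pending(name, now)    # rewards already earned (0 for a new staker)
        user = self.users.setdefault(name, [0, 0])
        user[0] += amount
        self.total += amount
        if now > self.end and not self.init_debt_after_end:
            return                        # flaw: reward debt is never initialized
        user[1] = user[0] * self.acc // PRECISION - owed

def late_staker_pending(init_debt_after_end):
    """One user stakes for the whole cycle; another stakes after it has ended."""
    pool = StakingPool(rate=10, start=0, end_reward_timestamp=1000,
                       init_debt_after_end=init_debt_after_end)
    pool.stake("early", 100, now=0)
    pool.stake("late", 100, now=1500)     # endRewardTimestamp < block.timestamp
    return pool.pending("late", now=1500), pool.pending("early", now=1500)
```

In the flawed variant the two claims total 20,000 against 10,000 tokens actually emitted, while the corrected variant gives the late staker nothing. An invariant test asserting that a fresh depositor's pending reward is zero immediately after staking catches this class of defect.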
AUTOSEC.DEV Solution: Building a 360-Degree Defense
To counter hybrid attacks involving "Web2 Breach + Web3 Monetization," AUTOSEC.DEV provides comprehensive protection from code to personnel:
- Team OPSEC (Operations Security) Audit & Hardening: We provide enterprise-grade security training and configuration for core Web3 team members. We assist teams in deploying security hardware and risk detection software to increase the difficulty of social engineering attacks, while auditing password management protocols and device security policies.
- End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.
Service Content
- AUTOSEC.DEV - Security Awareness Training
- AUTOSEC.DEV - Incident Response Service
- AUTOSEC.DEV - Security Strategy & Planning