
WUSD.fi GLOVE Incentive Abuse: Sybil Farming Drains USDC and USDT from Uniswap V3 Pools

WUSD.fi / GLOVE on Ethereum suffered an incentive-abuse exploit after attackers used EIP-7702 helper contracts, fresh wallets, and a Morpho USDT flash loan to farm GLOVE rewards through the WUSD._englove path and dump them into Uniswap V3 pools.

  • Incident Date: May 25, 2026
  • Target: WUSD.fi / GLOVE incentive and liquidity system on Ethereum
  • Target Overview: WUSD.fi is described in public reporting as a stablecoin wrapper that rewards users with GLOVE for wrapping assets and supporting liquidity. The reported exploit targeted the reward-distribution design around WUSD._englove, not the protocol's main treasury or stablecoin reserve accounting.
  • Affected Component: WUSD._englove reward path; secondary reporting identified the vulnerable incentive contract as 0x068e3563b1c19590f822c0e13445c4fa1b9eefa5
  • Known Addresses: Reported attacker EOA 0x88329A09428778F62BC0C8BAac0997864E5a57f8; reported GLO-USDC pool 0xB89F65D6c7d33A35Da7C01934e310a6f40E18A1f; reported GLO-USDT pool 0xa2Bd1A142ff49131B8CC70A332bdA0125018c324
  • Total Loss: Public alerts from ExVul and SlowMist estimated roughly $200,000 in USDC/USDT liquidity-pool damage. A later public on-chain breakdown identified about 11,702.083968 USDC and 8,079.161526 USDT as confirmed stablecoin outflows at the time of analysis, so the final amount should be treated as still source-dependent until an official post-mortem is published.
  • Recovery Status: No public recovery, compensation plan, official pause notice, or final post-mortem had been identified in the reviewed sources.
  • Attack Vector: Incentive Design Flaw / Sybil Reward Farming / EIP-7702 Helper Contracts / Morpho Flash Loan / Uniswap V3 Liquidity Drain

Incident Review & Technical Details

1. Attack Path

  1. Reward Logic Treated Fresh Wallets as Fresh Users: Public reporting said the WUSD._englove path rewarded wallets that wrapped at least 100 WUSD. The reward design did not adequately distinguish genuine new participants from attacker-controlled disposable addresses.
  2. The Attacker Used Many Low-Balance Addresses: SlowMist's incident entry described the attacker repeatedly using fresh addresses with less than 2 GLOVE to qualify for rewards. This made the attack a Sybil problem, where one actor appeared as many users.
  3. EIP-7702 Helper Contracts Improved Automation: The attacker reportedly used EIP-7702 helper contracts to automate wallet behavior and coordinate repeated wrap/unwrap cycles at scale.
  4. A Morpho USDT Flash Loan Supplied Temporary Capital: The attack did not require the attacker to permanently fund every reward cycle. Flash-loaned USDT supplied the capital needed to pass reward conditions and then unwind the position.
  5. Rewards Were Harvested Across Cycles: Public summaries said the attacker repeatedly wrapped and unwrapped WUSD, harvesting nearly 2 GLOVE per cycle from the incentive path.
  6. Harvested GLOVE Was Dumped Into Uniswap V3 Liquidity: After farming rewards, the attacker sold the rewards into Uniswap V3 pools, including reported GLO-USDC and GLO-USDT pools.
  7. Stablecoins Were Extracted From LP Liquidity: The concentrated sell pressure depleted USDC and USDT balances in the affected pools. Crypto Times reported that liquidity providers absorbed the loss while core reserves remained untouched.
  8. Public Loss Estimates Diverged: ExVul and SlowMist framed the damage at around $200,000. A later public breakdown tracked about 11.7K USDC and 8.1K USDT as confirmed stablecoin proceeds. This discrepancy should be preserved until the protocol or security researchers publish a complete transaction set.

2. Impact Scope

  • Direct Economic Impact: Public incident trackers placed total pool damage at approximately $200,000, while at least one on-chain breakdown identified a lower confirmed stablecoin amount of about $19,781.
  • Affected Network: Ethereum was the reported execution environment.
  • Affected Assets: USDC and USDT liquidity in GLO/GLOVE-related Uniswap V3 pools was directly affected.
  • Affected Participants: Liquidity providers in the impacted pools were the practical victims because the attack monetized reward farming through pool imbalance and sell pressure.
  • Unaffected Components: Reviewed reporting did not identify a compromise of WUSD.fi's main treasury, reserve backing, private keys, or Uniswap V3 itself.
  • Protocol Status: Reviewed public sources did not show an official team response, recovery plan, or confirmed patch at the time of writing.
  • Residual Risk: Any incentive path that still pays immediately claimable rewards to fresh addresses without net-contribution, time-weighting, velocity, or Sybil controls remains exposed to repeat farming.

3. Root Cause Assessment

This incident is best understood as an incentive-design failure rather than a classic reentrancy, oracle, or private-key compromise. The contract behavior may have followed its configured reward rules, but the rules allowed one actor to manufacture many "new users" and turn rewards into stablecoin liquidity.

Key risk patterns to examine:

  • One Address Was Treated as One Participant: Reward logic that assumes each wallet maps to an independent user is fragile. Attackers can generate or delegate many addresses cheaply, especially when automation patterns such as EIP-7702 reduce operational friction.
  • Reward Eligibility Was Too Easy to Reset: If an address with minimal prior GLOVE exposure can repeatedly qualify by wrapping 100 WUSD, the system rewards address churn instead of durable participation.
  • Flash Loans Bypassed Capital Commitment: The attacker could satisfy temporary balance or wrapping requirements without making a lasting contribution to protocol liquidity.
  • Rewards Were Immediately Monetizable: Dumping harvested GLOVE into Uniswap V3 converted a reward-design bug into a direct LP loss. The liquidity pool became the exit venue for the incentive loop.
  • No Strong Time-Weighting or Cooldown Was Enforced: Incentives that pay immediately after a short-lived action are vulnerable to farm-and-dump cycles.
  • Pool-Level Circuit Breakers Were Missing or Insufficient: A sudden sequence of reward dumps into thin liquidity should trigger alerts, slippage controls, or emergency review before losses compound.

The core invariant should have been strict: GLOVE rewards should only accrue to users that provide real, time-weighted value to WUSD.fi, and no user should be able to reset eligibility or multiply rewards merely by rotating addresses, borrowing temporary capital, or batching delegated wallet actions.
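The invariant above can be checked off-chain with a small accounting model. The following is an added example, not WUSD.fi's contract logic or code from the reviewed sources: it replays constructed wrap/unwrap events through a per-address flat reward and through a time-weighted ledger. The 24-hour minimum hold, the accrual rate, and all names are assumptions made for illustration.

```python
from collections import defaultdict

MIN_WRAP = 100               # WUSD threshold reported for the reward path
FLAT_REWARD = 2.0            # "nearly 2 GLOVE per cycle" per public summaries
MIN_HOLD = 24 * 3600         # assumed minimum holding period, seconds
WEEK = 7 * 24 * 3600
RATE = FLAT_REWARD / (MIN_WRAP * WEEK)  # assumed: 2 GLOVE per 100 WUSD-week

def naive_rewards(events):
    """Per-address rule: any address that wraps >= MIN_WRAP is paid once."""
    paid = {addr for _, addr, kind, amt in events
            if kind == "wrap" and amt >= MIN_WRAP}
    return FLAT_REWARD * len(paid)

class TimeWeightedLedger:
    """Rewards accrue per WUSD-second, only for holds of at least MIN_HOLD."""
    def __init__(self):
        self.balance = defaultdict(float)
        self.since = {}
        self.accrued = defaultdict(float)

    def pending(self, addr, now):
        held = now - self.since.get(addr, now)
        earned = self.balance[addr] * held * RATE if held >= MIN_HOLD else 0.0
        return self.accrued[addr] + earned

    def apply(self, ts, addr, kind, amt):
        self.accrued[addr] = self.pending(addr, ts)  # settle before balance changes
        self.since[addr] = ts                        # any change restarts the hold clock
        delta = amt if kind == "wrap" else -amt
        self.balance[addr] = max(0.0, self.balance[addr] + delta)

def time_weighted_rewards(events, now):
    ledger = TimeWeightedLedger()
    for ts, addr, kind, amt in sorted(events, key=lambda e: e[0]):
        ledger.apply(ts, addr, kind, amt)
    return sum(ledger.pending(a, now) for a in list(ledger.balance))

# Constructed events: (timestamp, address, kind, amount)
SYBIL = [(1000, f"fresh-{i}", k, 100) for i in range(50) for k in ("wrap", "unwrap")]
HONEST = [(0, "holder", "wrap", 100)]

if __name__ == "__main__":
    print("naive, sybil:", naive_rewards(SYBIL))
    print("time-weighted, sybil:", time_weighted_rewards(SYBIL, WEEK))
    print("time-weighted, holder:", time_weighted_rewards(HONEST, WEEK))
```

Restarting the hold clock on every balance change is a deliberately conservative simplification; a production design would track deposits in tranches so that top-ups do not penalize existing holdings.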

4. Mitigation and Response

Recommended actions for WUSD.fi-style reward programs, stablecoin wrappers, and liquidity-mining systems:

  • Pause or disable vulnerable reward paths until eligibility, accounting, and payout rules are redesigned.
  • Replace per-address reward eligibility with net-deposit, time-weighted, and withdrawal-adjusted participation metrics.
  • Add epoch-based reward caps per identity cluster, funding source, contract helper, and newly created address cohort.
  • Require minimum holding periods, vesting, cooldowns, or delayed reward claims before GLOVE can be sold or transferred.
  • Reject same-block or same-epoch wrap/unwrap cycles as reward-eligible activity.
  • Make rewards flash-loan resistant by using historical balances, average liquidity contribution, and minimum duration checks rather than momentary balances.
  • Monitor EIP-7702 delegation patterns, helper-contract fanout, repeated fresh-address reward claims, and synchronized wrap/unwrap transactions.
  • Add liquidity-pool circuit breakers for abnormal reward-token sell pressure, sudden USDC/USDT imbalance, and high-volume swaps from newly funded addresses.
  • Build dashboards for per-source reward concentration, address clustering, flash-loan-linked transactions, and pool depletion.
  • Publish an official post-mortem with the transaction set, vulnerable logic, total confirmed loss, affected LP scope, patch details, and recovery or compensation decision.
  • Add regression tests for fresh-wallet farming, EIP-7702 helper batching, flash-loaned eligibility, repeated wrap/unwrap cycles, and immediate reward dumping into thin pools.
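The monitoring items in this list (helper-contract fanout, fresh-address claims, synchronized wrap/unwrap) can be combined into one clustering check. This is an added example, not tooling from the reviewed sources: the claim records are constructed, all addresses are placeholders, and the record fields and thresholds are assumptions about what an indexer would supply.

```python
from collections import Counter

# Constructed sample claims, not chain data. Addresses are placeholders.
# delegate = EIP-7702 delegation target of the claimant, if any.
def _claim(addr, delegate, funder, first_seen, wrap_blk, unwrap_blk):
    return dict(addr=addr, delegate=delegate, funder=funder,
                first_seen=first_seen, wrap_blk=wrap_blk, unwrap_blk=unwrap_blk)

CLAIMS = (
    [_claim(f"0xFRESH{i:02d}", "0xHELPER_A", "0xFUNDER_1", 500, 500, 500)
     for i in range(8)]
    + [_claim("0xUSER_1", None, "0xCEX_1", 100, 480, None),
       _claim("0xUSER_2", None, "0xCEX_2", 495, 500, None),  # fresh, still holding
       _claim("0xUSER_3", "0xWALLET_IMPL", "0xCEX_1", 200, 490, 499)]
)

def is_churn(c, fresh_window=10, cycle_window=0):
    """Fresh address that wrapped and unwrapped within cycle_window blocks."""
    fresh = c["wrap_blk"] - c["first_seen"] <= fresh_window
    cycled = (c["unwrap_blk"] is not None
              and c["unwrap_blk"] - c["wrap_blk"] <= cycle_window)
    return fresh and cycled

def flag_clusters(claims, min_fanout=5):
    """Group churn claims by shared delegate (else funder); flag large groups."""
    counts = Counter()
    for c in claims:
        if is_churn(c):
            key = (("delegate", c["delegate"]) if c["delegate"]
                   else ("funder", c["funder"]))
            counts[key] += 1
    return {k: n for k, n in counts.items() if n >= min_fanout}

def flagged_share(claims, min_fanout=5):
    """Fraction of all reward claims attributable to flagged clusters."""
    flagged = sum(flag_clusters(claims, min_fanout).values())
    return flagged / len(claims) if claims else 0.0

if __name__ == "__main__":
    print(flag_clusters(CLAIMS), round(flagged_share(CLAIMS), 2))
```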

AUTOSEC.DEV Solution: Building a 360-Degree Defense

The WUSD.fi / GLOVE incident shows that DeFi reward systems need to be audited as economic security systems, not only as Solidity control flow. A reward function can be syntactically correct while still allowing automated Sybil farming to drain liquidity.

  1. Incentive Mechanism Security Review: AUTOSEC.DEV reviews reward eligibility, epoch accounting, vesting, cooldowns, anti-Sybil assumptions, flash-loan resistance, and liquidity-exit paths.
  2. Smart Contract & Economic Invariant Testing: We build fork tests and simulations for repeated wrap/unwrap cycles, temporary-balance attacks, address fanout, EIP-7702 delegation helpers, and pool-drain scenarios.
  3. Liquidity Pool Risk Monitoring: We design alerts for abnormal reward emissions, coordinated sell pressure, new-address farming, pool imbalance, flash-loan-linked flows, and sudden LP loss exposure.
  4. Incident Response (IR): AUTOSEC.DEV supports exploit reconstruction, affected-pool scoping, fund-flow tracing, emergency reward shutdown, user communication, and post-incident hardening.
