🚨On-chain security alert again: a "permission design issue" was directly exposed⚠️


Recent monitoring shows that a QNT reserve pool was attacked due to a contract design vulnerability👇
👉 Loss of about 1988.5 QNT (approximately 54.93 ETH)💥
🧠The core of this issue is not about hacker skills, but👇
👉 that the permission design "left a backdoor"
Let's break down the process:
• The admin address delegated code through EIP-7702
• Delegated to the BatchExecutor contract
• BatchExecutor then authorized an unpermissioned BatchCall contract
• BatchCall functions have no permission checks
👉 Result: the attacker directly "legally invoked illegal operations"
👉 The pool assets were emptied directly
📉 This incident sends a very dangerous signal:
👉 It’s not about being "hacked," but about being "countered by design rules"
⚠️Summary of the risk:
• Permission chain is too long → risks stack up
• Lacking basic access control
• "Arbitrary calls" = leaving a backdoor for attackers
👉 In DeFi, such vulnerabilities are the most deadly because👇
Code is rules, rules are money, if rules are wrong = money is gone
📈 But there is also a positive side:
• Security incidents are transparent → industry learning costs decrease
• New mechanisms like EIP-7702 are being tested in real-world scenarios
• Security audit demands will further increase
👉 In simple terms:
Every attack is a lesson for the next generation of system upgrades
🧠 My core view:
👉 The biggest problem in DeFi has never been hackers
👉 But "overly complex permission structures + incomplete security design"
📌 To sum up in one sentence:
There are no middlemen in the on-chain world, but if permission design has vulnerabilities, attackers are the most "legitimate" users in your system.⚠️🔥#WCTC交易王PK #GateCard一拍即付 $BTC $ETH $PRL
BTC-1.46%
ETH-2.41%
PRL0.05%
View Original
post-image
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned