Lumi Finance was attacked yesterday, with losses of approximately $270,000
2026-07-14 08:34
Odaily News, according to GoPlus monitoring, Lumi Finance on Arbitrum was attacked on July 13, with losses of approximately $270,000. The vulnerability originated from a logic flaw in the validateUserOp function of the Sodium smart account contract ERC-4337 when calling _validateSignature for signature verification. During the execution of isValidSignatureNow, the signer parameter was passed as the attacker's address. After the call to ECDSA.tryRecover failed, it did not revert, but instead called the isValidSignature function in the attacker's contract, which passed the verification.
