Aftermath Finance loses $1.14 million in attack; Mysten Labs supports full compensation for users


According to GoPlus’s technical analysis of the attack incident and the official statement from Aftermath Finance released on April 30, the perpetual contract platform Aftermath Finance on the Sui chain was attacked on April 29, suffering losses of more than $1.14 million. With support from Mysten Labs and the Sui Foundation, the project team announced that all users will receive full compensation.

Attack Mechanism: ADMIN Privilege Misuse and Fee Sign Flaw

According to GoPlus’s technical analysis, the attacker is suspected of stealing the ADMIN privilege for the add_integrator_config function and then exploiting a sign mismatch vulnerability in the calculate_taker_fees function to repeatedly extract tokens for profit.

According to Aftermath Finance’s official statement, the core mechanism that was exploited is “builder code fees”, a mechanism that refunds part of transaction fees to the integration front-end or order routing service. The statement notes that the contract logic “incorrectly allows setting negative builder code fees.” This design flaw let the attacker configure a fee value below zero and continuously extract funds from the protocol.
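The failure mode described above, as an added sketch in Rust (not Aftermath Finance's Move code, and not taken from the GoPlus analysis): it shows how an unchecked signed fee flips a charge into a credit, next to a range-checked version. The fee model, function names, the 50 bps cap and all amounts are assumptions made for illustration.

```rust
// Added illustration only: the fee model, names, cap and amounts are assumptions,
// not Aftermath Finance's Move contract code.
const BPS_DENOM: i128 = 10_000;
const MAX_BUILDER_FEE_BPS: i64 = 50; // assumed upper bound for a builder fee

#[derive(Debug, PartialEq)]
enum FeeError {
    NegativeFee,
    FeeAboveCap,
}

/// Flawed pattern: the builder fee is a signed value used without a range check.
/// Returns the change to the taker's balance (negative = taker pays a fee).
fn taker_delta_unchecked(notional: u64, protocol_bps: u64, builder_bps: i64) -> i128 {
    let total_bps = protocol_bps as i128 + builder_bps as i128;
    -(notional as i128 * total_bps / BPS_DENOM)
}

/// Hardened config setter: a builder fee must lie in [0, MAX_BUILDER_FEE_BPS].
fn validate_builder_fee(builder_bps: i64) -> Result<u64, FeeError> {
    if builder_bps < 0 {
        return Err(FeeError::NegativeFee);
    }
    if builder_bps > MAX_BUILDER_FEE_BPS {
        return Err(FeeError::FeeAboveCap);
    }
    Ok(builder_bps as u64)
}

/// Hardened fee path: validate first, then compute in unsigned arithmetic so the
/// result can only ever be an amount the taker owes.
fn taker_fee_checked(notional: u64, protocol_bps: u64, builder_bps: i64) -> Result<u128, FeeError> {
    let builder = validate_builder_fee(builder_bps)?;
    let total_bps = protocol_bps as u128 + builder as u128;
    Ok(notional as u128 * total_bps / BPS_DENOM as u128)
}

fn main() {
    let notional = 1_000_000; // constructed trade size in quote units
    // A normal 10 bps builder fee: the taker pays 15 bps in total.
    println!("honest delta:   {}", taker_delta_unchecked(notional, 5, 10));
    // A negative builder fee flips the sign: the taker is credited instead.
    println!("negative delta: {}", taker_delta_unchecked(notional, 5, -100));
    println!("checked:        {:?}", taker_fee_checked(notional, 5, -100));
}
```

The range check belongs at configuration time as well as in the fee path, so that a compromised or mistaken admin call cannot store a value the fee calculation was never designed to handle.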

Aftermath Finance stated that the scope of impact is limited to the perpetual contract protocol; spot trading, cross-protocol smart routers, afSUI liquid staking derivative products, and AMM pools were not affected and remain in normal operation. Aftermath Finance also emphasized that this attack is not a security issue with the Move contract language itself.

The Sui wallet address associated with the attacker, 0x1a65086c85114c1a3f8dc74140115c6e18438d48d33a21fd112311561112d41e, has been publicly tracked via the Sui block explorer Suivision.

Aftermath Finance’s Response and Compensation Plan

According to a public statement by Aftermath Finance co-founder airtx on the X platform, after the attack occurred, the Aftermath Finance team temporarily halted malicious transactions and worked with on-chain security company Blockaid in a “war room” to carry out recovery efforts. Blockaid is an on-chain security platform trusted by MetaMask, Coinbase, and other major wallets, responsible for assisting with attack vector analysis and tracking the attacker’s wallet.

According to Aftermath Finance’s latest announcement, with support from Mysten Labs and the Sui Foundation, all affected users will receive full compensation; Aftermath Finance said it is currently continuing efforts to recover funds.

Background: Attacks on the Sui DeFi Ecosystem

According to industry reports, in April 2026, the Sui ecosystem experienced multiple security incidents in succession: the Volo vault was attacked, losing approximately $3.5 million (about 60% has been recovered); Scallop disclosed a flash loan vulnerability targeting previously deprecated sSUI reward contracts two days before the attack, with losses of $142k.

According to industry statistics, total DeFi vulnerability losses in April 2026 exceeded $606 million, one of the most severe months since February 2025. Major incidents include the Kelp DAO rsETH vulnerability ($292 million), the Drift Protocol social engineering attack ($285 million), and exploitation of vulnerabilities in projects such as Mantra Chain and Lista DAO.

FAQ

When did the Aftermath Finance attack incident occur, and what were the technical reasons?

According to GoPlus’s technical analysis and Aftermath Finance’s official statement, the attack occurred on April 29, 2026. The attacker exploited the ADMIN privilege of the add_integrator_config function and the sign mismatch vulnerability in the calculate_taker_fees function, repeatedly extracting tokens by setting negative builder code fees, with confirmed losses of $1.14 million.

How does Aftermath Finance ensure users receive full compensation?

According to Aftermath Finance’s official statement, with support from Mysten Labs and the Sui Foundation, all affected users will receive full compensation; Aftermath Finance said it is currently continuing efforts to recover funds.

Does this attack involve security vulnerabilities in the Sui Move language?

According to Aftermath Finance’s official statement, this attack is not a security issue with the Move contract language itself. Instead, it was caused by a fee configuration error in the logic of a specific protocol contract. Other products such as spot trading, afSUI liquid staking, and AMM pools were not affected.
