WrappedADS Privileged `wrapTo()` Mint Through the Authorized Minter Allowance Path
Author: www.darknavy.org · 2026-5-14 23:59:6

2026-05-15 · Loss: 999,999.94319920782 wADS minted via authorized minter allowance path; USD not directly measurable from this transaction · Access Control

WrappedADS on Ethereum processed a direct wrapTo() mint on May 15, 2026 that created 999,999.94319920782 wADS for 0x63e22ce9bde9bb8892a447258abfcaa4142f001b. The evidence in this analysis directory supports an access_control conclusion, not a proven bridge-message forgery: the verified source requires onlyMinter, the trace shows a single direct call from 0xf54af6d4d18c8d61f504e530c127eaa05e011414, and the state diff shows that caller’s minter allowance falling by exactly the minted amount. funds_flow.json shows the supply expansion but no same-transaction disposal into ETH or stablecoins, so a USD realization cannot be measured from this artifact set alone. Based on the available on-chain data, this transaction is best described as a privileged mint executed through the intended minter allowance path, with any claim of fake or replayed bridge metadata remaining unproven here.

Root Cause

Vulnerable Contract

WrappedADS at 0xcfcecfe2bd2fed07a9145222e8a7ad9cf1ccd22a, non-proxy, verified source. trace_callTracer.json shows no proxy hop, helper contract, or DELEGATECALL; the transaction entered WrappedADS directly from the EOA sender.

The local artifacts do not prove an implementation bug that bypassed contract checks. They prove that WrappedADS delegated mint authority to privileged minter or owner accounts and that this transaction successfully used that trust boundary.

Vulnerable Function

wrapTo(address,uint256,uint64,uint64) with selector 0xdfe11cf1, defined in 0xcfcecfe2bd2fed07a9145222e8a7ad9cf1ccd22a.sol.

Vulnerable Code

function wrapTo(address account, uint256 amount, uint64 from, uint64 txid) public onlyMinter whenNotPaused returns (bool) {
    _checksumCheck(from);
    emit Wrap(account, from, txid, amount);
    _mint(account, amount); // <-- TRUST BOUNDARY: mint executes once the caller is recognized as a minter
    _minterApprove(_msgSender(), _minterAllowances[_msgSender()].sub(amount, "WrappedADS: minted amount exceeds minterAllowance")); // <-- TRUST BOUNDARY: allowance accounting is the only quantitative backstop
    return true;
}

function isMinter(address account) public view returns (bool) {
    return MinterRole.isMinter(account) || isOwner(account); // <-- TRUST BOUNDARY: owner is also treated as a valid minter
}

Why It’s Vulnerable

Expected behavior: if a wrapped-asset bridge is meant to be trust-minimized, the mint path should independently bind account, amount, from, and txid to an authenticated deposit or a previously authorized message. A compromised or malicious operator should not be able to create supply by simply calling the mint function.

Actual behavior: wrapTo() accepts any caller that satisfies onlyMinter, emits the supplied bridge metadata, mints immediately, and only then decrements that caller’s _minterAllowances balance. In the analyzed transaction, the caller passed the access-control check, the mint executed, and the allowance dropped by the same 99999994319920782 units shown in the Transfer event and storage diff.

Why this matters: the security of the mint path is concentrated in the privileged minter or owner role. The current artifact set proves that the privileged path was used successfully; it does not prove that the txid was fabricated, replayed, or previously consumed. The evidence-backed conclusion is therefore a privileged-authority failure or compromise scenario, not a demonstrated message-validation bug inside this transaction alone.

Attack Execution

High-Level Flow

  1. A privileged account sends a direct mint transaction to the WrappedADS token contract.
  2. The caller chooses a recipient address, a mint amount, and bridge metadata values.
  3. WrappedADS accepts the caller as an authorized minter and executes the mint path without any intermediate helper contracts.
  4. The contract emits the bridge-style Wrap event and mints nearly one million wADS to the recipient.
  5. The contract deducts the same amount from the caller’s remaining minter allowance, confirming that the authorized allowance path executed as designed.

Detailed Call Trace

  1. Depth 0: 0xf54af6d4d18c8d61f504e530c127eaa05e011414 -> 0xcfcecfe2bd2fed07a9145222e8a7ad9cf1ccd22a, CALL, wrapTo(address,uint256,uint64,uint64) (0xdfe11cf1), value = 0. Arguments from decoded_calls.json: account = 0x63e22ce9bde9bb8892a447258abfcaa4142f001b, amount = 99999994319920782, from = 0x300000025ab2b, txid = 0x30000b8490001. Return value: 0x1.
  2. No nested calls occur. trace_callTracer.json shows calls: null, so the entire transaction was a single direct execution inside WrappedADS.

Financial Impact

funds_flow.json records one asset movement: 999,999.94319920782 wADS minted from the zero address to 0x63e22ce9bde9bb8892a447258abfcaa4142f001b. No ETH transfers, no stablecoin proceeds, and no realized attacker_gains appear in this transaction artifact set.

The measurable loss in this transaction is therefore supply inflation of 999,999.94319920782 wADS. Existing holders or the bridge system bear the solvency impact because total supply increased without any on-chain evidence in this directory of a corresponding redemption, repayment, or balancing asset inflow.

Attacker profit after costs cannot be computed from this transaction alone. The incident brief references later disposal trades, but those proceeds are outside the local evidence package for this report and are not asserted here.

Evidence

  • Transaction: 0xa3476575183204b4a662dd6ee56f6499d806e4f41ce83d98366752d31e9e9ca3
  • Block: 25103043
  • Timestamp: 2026-05-15T20:48:11Z
  • Status: 0x1
  • Direct caller: 0xf54af6d4d18c8d61f504e530c127eaa05e011414
  • Mint recipient: 0x63e22ce9bde9bb8892a447258abfcaa4142f001b
  • Vulnerable contract: 0xcfcecfe2bd2fed07a9145222e8a7ad9cf1ccd22a
  • Selector verification: cast sig "wrapTo(address,uint256,uint64,uint64)" -> 0xdfe11cf1
  • Verified source: 0xcfcecfe2bd2fed07a9145222e8a7ad9cf1ccd22a.sol:987-991 contains the exercised wrapTo() implementation; :900-902 enforces onlyMinter; :1066-1067 treats both minters and owners as valid minters.
  • receipt.json log 0x3fc: Wrap(address,uint64,uint64,uint256) emitted with to = 0x63e22ce9bde9bb8892a447258abfcaa4142f001b, from = 0x300000025ab2b, txid = 0x30000b8490001, amount = 99999994319920782
  • receipt.json log 0x3fd: Transfer(address,address,uint256) from 0x0000000000000000000000000000000000000000 to 0x63e22ce9bde9bb8892a447258abfcaa4142f001b for 99999994319920782
  • receipt.json log 0x3fe: MinterApproval(address,uint256) for 0xf54af6d4d18c8d61f504e530c127eaa05e011414 with post-call allowance 0x011fd360b43135ff
  • trace_prestateTracer.json slot 0xfeacedcc5c154b64fabcf59e5a9f3e81c91b625c20d9603f868c63ed32efb006: minter allowance changed from 0x028318d7bf2c148d to 0x011fd360b43135ff, a delta of 99999994319920782
  • trace_prestateTracer.json slot 0x0000000000000000000000000000000000000000000000000000000000000002: total supply changed from 0x276628b7c4c8cfb6 to 0x28c96e2ecfc3ae44, a delta of 99999994319920782
  • trace_prestateTracer.json slot 0x5ecfe4ae75b3235fc648ccd26032e0c1fc85225b4fdfe5b0d66174ea2250df51: recipient balance changed from 0x0027146df82cc1d6 to 0x018a59e50327a064, a delta of 99999994319920782
  • No artifact in this directory proves that txid = 0x30000b8490001 was invalid, replayed, or previously consumed on the source chain.
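The reasoning in "Why It's Vulnerable" and the Evidence list above comes down to a handful of arithmetic checks: the Transfer must originate from the zero address, the Wrap and Transfer amounts must agree with the decoded argument, total supply and the recipient balance must grow by exactly that amount, the caller's minter allowance must fall by exactly that amount, and the MinterApproval log must match the post-state slot. The following script is an added example, not part of the original analysis or the project's code, that performs those checks over the hex values quoted on this page; it also re-encodes and decodes the wrapTo() calldata from the decoded arguments. The 11-decimal scaling is an assumption inferred from the page's own figures (99999994319920782 raw units rendered as 999,999.94319920782 wADS), and the dict layouts for the logs and storage slots are constructed here rather than read from receipt.json or trace_prestateTracer.json.

```python
"""Reconcile the WrappedADS wrapTo() mint against the receipt logs and the
storage diff, the way the analysis does by hand.

Hex values are the ones quoted in the Evidence section. DECIMALS = 11 is an
assumption inferred from the page's figures, not read from the contract."""
from decimal import Decimal

SELECTOR = bytes.fromhex("dfe11cf1")  # cast sig "wrapTo(address,uint256,uint64,uint64)"
DECIMALS = 11  # assumption, see module docstring
ZERO = "0x0000000000000000000000000000000000000000"

# Decoded call arguments as listed from decoded_calls.json (constructed dict).
CALL = {
    "caller": "0xf54af6d4d18c8d61f504e530c127eaa05e011414",
    "account": "0x63e22ce9bde9bb8892a447258abfcaa4142f001b",
    "amount": 99999994319920782,
    "from": 0x300000025ab2b,
    "txid": 0x30000b8490001,
}

# Event fields as the page lists them from receipt.json (constructed dict).
LOGS = {
    "Wrap": {"to": CALL["account"], "from": 0x300000025ab2b,
             "txid": 0x30000b8490001, "amount": 99999994319920782},
    "Transfer": {"from": ZERO, "to": CALL["account"], "value": 99999994319920782},
    "MinterApproval": {"minter": CALL["caller"], "allowance": 0x011fd360b43135ff},
}

# (pre, post) storage values from trace_prestateTracer.json (constructed dict).
STORAGE = {
    "minter_allowance": ("0x028318d7bf2c148d", "0x011fd360b43135ff"),
    "total_supply": ("0x276628b7c4c8cfb6", "0x28c96e2ecfc3ae44"),
    "recipient_balance": ("0x0027146df82cc1d6", "0x018a59e50327a064"),
}


def encode_wrap_to(account, amount, from_, txid):
    """Re-create the calldata for wrapTo(): the 4-byte selector followed by four
    32-byte ABI words (address left-padded, integers big-endian)."""
    words = [int(account, 16), amount, from_, txid]
    return SELECTOR + b"".join(w.to_bytes(32, "big") for w in words)


def decode_wrap_to(calldata):
    """Inverse of encode_wrap_to(); rejects anything that is not a wrapTo() call."""
    if calldata[:4] != SELECTOR or len(calldata) != 4 + 4 * 32:
        raise ValueError("not a wrapTo(address,uint256,uint64,uint64) call")
    words = [int.from_bytes(calldata[4 + 32 * i: 36 + 32 * i], "big") for i in range(4)]
    account = "0x" + words[0].to_bytes(20, "big").hex()
    return {"account": account, "amount": words[1], "from": words[2], "txid": words[3]}


def storage_deltas(storage):
    """Signed post-minus-pre change for every tracked slot."""
    return {k: int(post, 16) - int(pre, 16) for k, (pre, post) in storage.items()}


def format_amount(raw, decimals=DECIMALS):
    """Render a raw token amount with the assumed decimal scaling."""
    return str(Decimal(raw).scaleb(-decimals))


def reconcile(call, logs, storage):
    """Invariants that hold if the mint went through the allowance path exactly
    as the verified wrapTo() source says it should. Any False here would point
    at a bug or at artifacts that do not describe the same transaction."""
    d = storage_deltas(storage)
    amt = call["amount"]
    return {
        "transfer_is_mint": logs["Transfer"]["from"] == ZERO
                            and logs["Transfer"]["to"] == call["account"],
        "log_amounts_agree": logs["Wrap"]["amount"] == logs["Transfer"]["value"] == amt,
        "metadata_echoed": logs["Wrap"]["from"] == call["from"]
                           and logs["Wrap"]["txid"] == call["txid"],
        "supply_grew_by_amount": d["total_supply"] == amt,
        "recipient_grew_by_amount": d["recipient_balance"] == amt,
        "allowance_fell_by_amount": d["minter_allowance"] == -amt,
        "log_matches_post_state": logs["MinterApproval"]["allowance"]
                                  == int(storage["minter_allowance"][1], 16),
    }


if __name__ == "__main__":
    calldata = encode_wrap_to(CALL["account"], CALL["amount"], CALL["from"], CALL["txid"])
    print("calldata:", calldata.hex())
    print("decoded:", decode_wrap_to(calldata))
    print("minted:", format_amount(CALL["amount"]), "wADS")
    for name, ok in reconcile(CALL, LOGS, STORAGE).items():
        print(f"{name:28s} {'OK' if ok else 'MISMATCH'}")
```

Every invariant holds for the quoted values, which is exactly why the page stops at "privileged mint through the intended allowance path": the artifacts are internally consistent with the verified source, and nothing in them speaks to whether from and txid were legitimate on the source chain. The same script applied to a receipt where the Transfer amount and the allowance delta disagree would be the first sign of an accounting bug rather than an authority problem.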

Source: https://www.darknavy.org/web3/exploits/wrappedads-privileged-wrapto-mint/