
Security Firm Blockaid Raises Alarm Over ShapeShift’s Smart Contract Theft


Security Breach Reported by Blockaid

Blockchain security firm Blockaid has reported an ongoing exploit targeting ShapeShift’s FOX Colony on the Arbitrum network, resulting in the theft of $132,700. Blockaid disclosed the incident on May 13 in a post on X, which gave the wallet address associated with the attacker as 0xeed236Afb6967f74099a0a6bf078BC6b865fbf28.

About FOX Colony

FOX Colony serves as ShapeShift’s platform for community governance, allowing individuals who hold FOX tokens to participate in staking, voting, and various ecosystem activities facilitated via Colony Network contracts on Arbitrum.

Details of the Exploit

Blockaid’s technical analysis pinpointed a vulnerability within the executeMetaTransaction function, which was exploited by the attacker. By meta-signing a targeted transaction, the perpetrator redirected the colony’s resolver to a malicious contract and subsequently executed a delegate call that enabled the siphoning of funds.

The flaw is that any external address can invoke the compromised registration function without the necessary permission checks, which gives an unauthorized caller access akin to holding a copy of the protocol’s critical keys.
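The pattern described above, a signed meta-transaction reaching a resolver-setting function that has no permission check, can be modelled in a few lines. The following Python model is an added example, not Colony Network or ShapeShift code: the Router class, its method names, the constructed keys, and the HMAC stand-in for on-chain signature recovery are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed keys; HMAC stands in for ECDSA signing/recovery (assumption).
KEYS = {"owner": b"owner-key", "outsider": b"outsider-key"}

def sign(user, nonce, func, arg):
    msg = f"{nonce}|{func}|{arg}".encode()
    return hmac.new(KEYS[user], msg, hashlib.sha256).hexdigest()

class Router:
    """Hypothetical router: all calls are delegated to whatever `resolver` names."""

    def __init__(self, check_permissions):
        self.resolver = "trusted-resolver"
        self.owner = "owner"
        self.nonces = {}
        self.check_permissions = check_permissions

    def set_resolver(self, caller, new_resolver):
        # Hardened form: only the owner may repoint the resolver.
        if self.check_permissions and caller != self.owner:
            raise PermissionError(f"{caller} may not set the resolver")
        self.resolver = new_resolver

    def execute_meta_transaction(self, user, func, arg, signature):
        nonce = self.nonces.get(user, 0)
        if not hmac.compare_digest(signature, sign(user, nonce, func, arg)):
            raise ValueError("bad signature or replayed nonce")
        self.nonces[user] = nonce + 1
        if func != "set_resolver":
            raise ValueError("unknown function")
        # A valid signature proves who signed, not that they are authorised:
        # the signer's identity must still pass the target's permission check.
        self.set_resolver(user, arg)

def try_repoint(router, user):
    """Submit a correctly signed set_resolver request; return the resolver afterwards."""
    nonce = router.nonces.get(user, 0)
    sig = sign(user, nonce, "set_resolver", "untrusted-resolver")
    try:
        router.execute_meta_transaction(user, "set_resolver", "untrusted-resolver", sig)
    except PermissionError:
        pass
    return router.resolver
```

With the check disabled, a validly signed request from any key holder repoints the resolver; with it enabled, only the owner's request does.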

Warnings to the DeFi Community

Blockaid has issued a broader warning to the decentralized finance (DeFi) community, indicating that any Colony Network colony that exposes the executeMetaTransaction function on the EtherRouter, regardless of the blockchain, could be vulnerable to a similar attack.

Context of the Incident

As of now, ShapeShift has yet to release an official statement addressing this breach. The incident adds to a troubling trend in DeFi security throughout 2026, with Blockaid previously reporting a $5 million exploit involving Wasabi Protocol in April, attributed to the misuse of a compromised administrative key. The same month also saw a record number of DeFi exploits, totaling around $625 million across 28 separate events.

In another alarming discovery, Blockaid uncovered a $6.7 million exploit involving TrustedVolumes, a liquidity provider for 1inch and other platforms. Additionally, the firm alerted users of CoW Swap in April about a frontend hijacking, where attackers manipulated the project’s site to deliver malicious transaction alerts.

Blockaid oversees more than 500 million blockchain transactions each month and provides security services to industry leaders such as Coinbase, MetaMask, Uniswap, and OKX.
