Polygon Uninitialized Clone Wallet Takeover and TEL Drain

Dec 25, 2023 17:22 UTC
Label: Attack
Estimated Impact (Loss): 3,235,173,154.21 TEL
Status: Pending manual check
Exploit Tx: 7
Addresses: 3
Attack Window: 1h 46m (Dec 25, 2023 17:22 UTC → Dec 25, 2023 19:08 UTC)

Exploit Transactions

TX 1 (Polygon): 0xa1136fbc83534e9c0c8d262761dc5242c21038c4159bb31e149a465d60f2cb0b (Dec 25, 2023 17:22 UTC)
TX 2 (Polygon): 0x35f50851c3b754b4565dc3e69af8f9bdb6555edecc84cf0badf8c1e8141d902d (Dec 25, 2023 17:23 UTC)
TX 3 (Polygon): 0xf479febaffb9be360b1568220e6f1b0332c7f5e8a61f058c4bbec99cd570f90c (Dec 25, 2023 17:47 UTC)
TX 4 (Polygon): 0xd568764f5d4329a5864f6bf904d15b555c0475cb2b5ab539fbe7ca45f42f21cf (Dec 25, 2023 17:52 UTC)
TX 5 (Ethereum): 0xfec244364bc0d320ca0a2298d480b32f14b66162c4cf73cb6f562b0d9262b01e (Dec 25, 2023 19:05 UTC)
TX 6 (Ethereum): 0x55ab6f933ff99d9c451afb39eac815f717e111dba212e241bb2a80d48db19c63 (Dec 25, 2023 19:07 UTC)
TX 7 (Ethereum): 0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45 (Dec 25, 2023 19:08 UTC)

Victim Addresses

0xfa1bb0c606120427cea97792b2fe3f4a386af102 (Polygon)
0x0c8d4fa9b965179c7933eb843943a6b4647294d6 (Polygon)
0x10d0e9755c67ab37089acb4f51e8b4ee407fe853 (Polygon)

Loss Breakdown

3,235,173,154.21 TEL

Root Cause Analysis

Polygon Uninitialized Clone Wallet Takeover and TEL Drain

1. Incident Overview TL;DR

An unprivileged Polygon EOA (0xdb4b84f0e601e40a02b54497f26e03ef33f3a5b7) deployed the attacker helper contract 0x10e5c8d3537856f141272e1c39befdab4dd8bde0 in tx 0xa1136fbc83534e9c0c8d262761dc5242c21038c4159bb31e149a465d60f2cb0b, then executed a nonce-ordered exploit run (14 txs) that called initialize(address,bytes) on pre-existing clone wallets. Each successful initialization set attacker-controlled beacon state and immediately delegatecalled the attacker payload (selector 0xa8b89898), draining TEL from the clone's balance to the attacker EOA.

Root cause: uninitialized clone wallets exposed externally callable initialize(address,bytes) (0xd1f57894) with no trusted-initializer gating. This let any caller become first initializer, set beacon/delegatecall targets, and execute arbitrary transfer logic in clone storage context.

The ACT predicate is satisfied between Polygon pre-state block 51546460 and exploit sequence completion at block 51547146: clone TEL balances decrease while the attacker's TEL balance increases within the same exploit transactions. The deterministic TEL balance quantification for attacker 0xdb4b... is given below in raw on-chain TEL units (the 3,235,173,154.21 TEL figure in the header is the same quantity with the token's two decimals applied):

  • Value before (reference asset): 0 TEL (block 51546460)
  • Value after (reference asset): 323517315421 TEL (block 51547146)
  • Value delta (reference asset): 323517315421 TEL

2. Key Background

  • Environment: Polygon clone-wallet ecosystem with EIP-1167 minimal proxies and shared implementation logic.
  • Protocol context: the sampled victim clones share identical runtime bytecode, and the implementation address extracted from that bytecode is 0x10d0e9755c67ab37089acb4f51e8b4ee407fe853.
  • Security-critical path: implementation initialize(address,bytes) both upgrades beacon state and executes payload logic via delegatecall.
  • Asset: Polygon TEL token 0xdf7837de1f2fa4631d716cf2502f8b230f1dcc32.
  • ACT pre-state sigma_B: publicly reconstructible state immediately before attacker contract deployment tx (0xa1136f...) at block 51546460, with adversary and clone states inferable from on-chain txlists/traces.

3. Vulnerability Analysis & Root Cause Summary

Root cause category is ATTACK. The broken invariant is: clone wallets must not allow arbitrary external parties to perform first initialization and control beacon/delegatecall execution paths. In this incident, uninitialized clones accepted external initialize(address,bytes) calls and processed attacker-chosen beacon/payload data. The code-level breakpoint is selector 0xd1f57894 (initialize(address,bytes)) in the clone implementation path, where attacker-provided inputs were accepted on uninitialized instances. Trace evidence shows each exploit call pattern as clone::initialize(0x10e5..., 0xa8b89898) followed by delegatecall execution that transfers TEL to 0xdb4b.... This was deterministic and repeatable across a nonce-ordered 14-tx sequence. The exploit required no privileged keys and no protocol-admin access, only permissionless transaction submission.

4. Detailed Root Cause Analysis

4.1 Invariant and breakpoint

  • Invariant: first initialization authority for live wallet clones must be restricted to trusted deployment flow.
  • Breakpoint operation: initialize(address,bytes) on uninitialized clone accepts adversary-controlled beacon and payload, then runs delegatecall side effects.

Snippet (victim implementation decompile):

/// selector 0xd1f57894 = initialize(address,bytes); the decompiler renders the bytes
/// parameter as a uint256 calldata offset (arg1).
function Unresolved_d1f57894(address arg0, uint256 arg1) public payable {
    ...
    // reads implementation() (selector 0x5c60da1b) from the caller-supplied beacon arg0
    (bool success, bytes memory ret0) = address(arg0).Unresolved_5c60da1b(var_g); // staticcall
    ...
    // writes the caller-supplied beacon address into the beacon storage slot
    store_b = (address(arg0) * 0x01) | (uint96(store_b));
    // Event_1cf3b03a is BeaconUpgraded(address)
    emit Event_1cf3b03a(address(arg0));
    ...
    // Initializable guard: only the first caller ever passes; nothing restricts who that caller is
    require(!(bytes1(store_a / 0x01)), "Initializable: contract is already initialized");
}

4.2 Attacker payload mechanics

Snippet (attacker helper decompile):

/// selector 0xa8b89898: payload run via delegatecall inside the clone's storage context
function Unresolved_a8b89898() public {
    // tx.origin gate: the payload only executes in transactions originated by the attacker EOA
    require(address(tx.origin) == 0xdb4b84f0e601e40a02b54497f26e03ef33f3a5b7);
    ...
    // 0xa9059cbb = transfer(address,uint256) on the TEL token; because this runs under
    // delegatecall, msg.sender seen by the token is the clone, so the clone's balance moves
    (bool success, bytes memory ret0) = address(0xdf7837de1f2fa4631d716cf2502f8b230f1dcc32)
        .Unresolved_a9059cbb(var_f); // transfer TEL to attacker
}

4.3 On-chain execution evidence

Snippet (Polygon exploit-batch trace, tx 0xf479...):

0xFa1BB0...::initialize(0x10E5C8..., 0xa8b89898)
  -> 0x10d0E9...::initialize(... ) [delegatecall]
     -> emit BeaconUpgraded(param0: 0x10E5C8...)
     -> 0x10E5C8...::a8b89898() [delegatecall]
        -> UChildERC20::transfer(0xDB4B84..., 86400339) [delegatecall]
        -> emit Transfer(from: 0xFa1BB0..., to: 0xDB4B84..., value: 86400339)

State delta evidence in the same tx (0xf479...) confirms victim depletion and attacker gain:

  • 0xfa1bb0... TEL: 86400339 -> 0
  • 0xdb4b... TEL: 321401808682 -> 323517315421 (+2115506739)

4.4 Deterministic ACT conditions

Exploit conditions from the validated analysis:

  • Target clone uninitialized at call time.
  • Target clone holds transferable TEL.
  • Attacker can submit initialize(address,bytes) with attacker-controlled beacon and payload.

Security principles violated:

  • Initialization authority was not restricted to trusted deployer/factory context.
  • Critical upgrade/delegatecall path was exposed to arbitrary first caller.
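As an added illustration (not part of the report or its artifacts), the following Python checks a cast-style trace for the takeover pattern shown in 4.3 under the conditions in 4.4: a top-level initialize() on a clone whose subtree emits BeaconUpgraded to a beacon outside an allowlist and then transfers tokens out of the clone in the same call tree. The two sample traces, the TRUSTED_BEACONS allowlist and the 0xBEAC0N... address are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the cast trace in section 4.3 (addresses shortened
# as on the page, amounts in raw TEL units). Not an artifact from the report itself.
SAMPLE_TRACE = """\
0xFa1BB0...::initialize(0x10E5C8..., 0xa8b89898)
  -> 0x10d0E9...::initialize(... ) [delegatecall]
     -> emit BeaconUpgraded(param0: 0x10E5C8...)
     -> 0x10E5C8...::a8b89898() [delegatecall]
        -> UChildERC20::transfer(0xDB4B84..., 86400339) [delegatecall]
        -> emit Transfer(from: 0xFa1BB0..., to: 0xDB4B84..., value: 86400339)
"""
# Constructed benign trace: the protocol's own (hypothetical) beacon, no outflow.
BENIGN_TRACE = """\
0xFa1BB0...::initialize(0xBEAC0N..., 0x)
  -> 0x10d0E9...::initialize(... ) [delegatecall]
     -> emit BeaconUpgraded(param0: 0xBEAC0N...)
"""
TRUSTED_BEACONS = {"0xbeac0n..."}  # hypothetical allowlist of the protocol's beacons

CALL_RE = re.compile(r"^\s*(?:->\s*)?(?P<target>\S+?)::(?P<fn>\w+)\(")
BEACON_RE = re.compile(r"emit BeaconUpgraded\(param0:\s*(?P<beacon>[^)\s]+)\)")
TRANSFER_RE = re.compile(
    r"emit Transfer\(from:\s*(?P<src>[^,]+),\s*to:\s*(?P<dst>[^,]+),\s*value:\s*(?P<val>\d+)\)")

@dataclass
class Finding:
    clone: str
    beacon: str
    recipient: str
    value: int

def analyze_trace(trace: str, trusted_beacons: set[str]) -> list[Finding]:
    """Flag a top-level initialize() on a clone whose subtree upgrades to a beacon
    outside the allowlist and moves tokens out of the clone in the same call."""
    findings, lines = [], trace.splitlines()
    for i, line in enumerate(lines):
        m = CALL_RE.match(line)
        if not m or m.group("fn") != "initialize" or line[:1].isspace():
            continue  # only a top-level initialize() opens a takeover candidate
        clone = m.group("target").lower()
        beacon, outflow = None, None
        for sub in lines[i + 1:]:
            if not sub[:1].isspace():
                break  # next top-level call: the subtree has ended
            if (b := BEACON_RE.search(sub)):
                beacon = b.group("beacon").lower()
            t = TRANSFER_RE.search(sub)
            if t and t.group("src").strip().lower() == clone != t.group("dst").strip().lower():
                outflow = (t.group("dst").strip().lower(), int(t.group("val")))
        if beacon and beacon not in trusted_beacons and outflow:
            findings.append(Finding(clone, beacon, *outflow))
    return findings
```

Run against a full trace export, one top-level call tree per block of lines, the same rule also catches takeovers where the payload selector differs, since it keys on the beacon change plus outflow rather than on 0xa8b89898.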

5. Adversary Flow Analysis

5.1 Adversary and victim set

  • Adversary EOA: 0xdb4b84f0e601e40a02b54497f26e03ef33f3a5b7 (sender of deploy and exploit batches).
  • Adversary helper: 0x10e5c8d3537856f141272e1c39befdab4dd8bde0 (deployed by 0xdb4b...).
  • Sample victim clones: 0xfa1bb0..., 0x0c8d4f....
  • Shared implementation sample: 0x10d0e9755c67ab37089acb4f51e8b4ee407fe853.

5.2 Lifecycle stages and transactions

  1. Adversary contract deployment:
  • Polygon tx 0xa1136fbc83534e9c0c8d262761dc5242c21038c4159bb31e149a465d60f2cb0b (block 51546461) creates 0x10e5....
  2. Batch clone takeover and drain:
  • Polygon exploit sequence includes txs from nonce 6..19.
  • Sequence status: 14/14 successful traces in label 0x3bb145b1_nonce_order_n6_to_n19.
  • First/last representative exploit txs: 0x35f508... and 0xf479fe....
  • Cumulative TEL to attacker before burn: 323517315421.
  3. Bridge exit and monetization:
  • Polygon burn tx: 0xd568764f5d4329a5864f6bf904d15b555c0475cb2b5ab539fbe7ca45f42f21cf (31932362500 TEL burn).
  • Ethereum exit tx: 0xfec244364bc0d320ca0a2298d480b32f14b66162c4cf73cb6f562b0d9262b01e (matched to Polygon burn proof).
  • Ethereum approve tx: 0x55ab6f933ff99d9c451afb39eac815f717e111dba212e241bb2a80d48db19c63.
  • Ethereum swap tx: 0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45.

5.3 Transaction sequence b (from ACT definition; entries are chain_id:tx_hash, where 137 is Polygon and 1 is Ethereum)

  1. 137:0xa1136fbc83534e9c0c8d262761dc5242c21038c4159bb31e149a465d60f2cb0b
  2. 137:0x35f50851c3b754b4565dc3e69af8f9bdb6555edecc84cf0badf8c1e8141d902d
  3. 137:0xf479febaffb9be360b1568220e6f1b0332c7f5e8a61f058c4bbec99cd570f90c
  4. 137:0xd568764f5d4329a5864f6bf904d15b555c0475cb2b5ab539fbe7ca45f42f21cf
  5. 1:0xfec244364bc0d320ca0a2298d480b32f14b66162c4cf73cb6f562b0d9262b01e
  6. 1:0x55ab6f933ff99d9c451afb39eac815f717e111dba212e241bb2a80d48db19c63
  7. 1:0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45

6. Impact & Losses

Validated impact metrics:

  • Gross TEL inflow to attacker on Polygon exploit batches: 323517315421 TEL.
  • Burned on Polygon for bridge exit: 31932362500 TEL.
  • Received from Ethereum swap path: 37494468852942501684 wei ETH.

The direct security impact is unauthorized control/takeover of uninitialized clone wallets and extraction of wallet-held TEL balances. Scope spans multiple clone instances sharing the vulnerable initialization surface.

7. References

Primary evidence artifacts:

  • Upstream trace status summary: artifacts/collector/iter_4/analysis/upstream_3bb145b1_trace_status.json
  • Exploit trace sample (0xf479...): artifacts/collector/iter_4/tx/137/0xf479febaffb9be360b1568220e6f1b0332c7f5e8a61f058c4bbec99cd570f90c/trace.cast.log
  • Implementation decompile (0x10d0...): artifacts/collector/iter_4/contract/137/0x10d0e9755c67ab37089acb4f51e8b4ee407fe853/decompiled.sol
  • Attacker helper decompile (0x10e5...): artifacts/collector/iter_4/contract/137/0x10e5c8d3537856f141272e1c39befdab4dd8bde0/decompiled.sol
  • Clone bytecode homogeneity: artifacts/collector/iter_4/analysis/f479_array_bytecode_summary.json
  • Creator/factory linkage: artifacts/auditor/iter_4/evidence/polygon_contract_creation_sample.json
  • TEL flow accounting: artifacts/collector/iter_4/analysis/upstream_3bb145b1_balance_diff_flow_summary.json
  • Exit payload decoding and child tx mapping: artifacts/collector/iter_3/analysis/exit_payload_decoding_summary.json
  • Ethereum swap balance diff: artifacts/collector/iter_2/tx/1/0x4ad18ca40f0dfb8bb2e5442366543d22a603bf36be7946bfb6562098110a7b45/balance_diff.json
  • Deterministic attacker TEL snapshots: artifacts/auditor/iter_5/evidence/polygon_tel_balance_snapshots_db4b.json

Complete relevant tx set (role-tagged in root_cause.json):
