CAROL Reward Inflation Drain

The relevant public components are:

• Impermax V3 WETH borrowable: 0x5d93f216f17c225a8b5ffa34e74b7133436281ee
• Impermax V3 collateral: 0xc1d49fa32d150b31c4a5bf1cbf23cf7ac99eaf7d
• TokenizedUniswapV3Position: 0xa68f6075ae62ebd514d1600cb5035fa0e2210ef8
• WETH/USDC Uniswap V3 pool: 0x1c450d7d1fd98a0b04e30decfc83497b33a4f608

3. Vulnerability Analysis & Root Cause Summary

This is an ATTACK-class protocol flaw rather than a benign MEV unwind. Impermax V3's restructure path forgives debt but does not transfer collateral control to lenders or to the protocol. That violates the core invariant that any debt write-down caused by an underwater position must be matched by lender-controlled collateral recovery.

The code-level mechanism is straightforward. In ImpermaxV3Collateral.restructureBadDebt(), the protocol computes postLiquidationCollateralRatio, requires it to be below 1e18, and then calls restructureDebt() on both borrowables. In ImpermaxV3Borrowable.restructureDebt(), the borrowable computes a repayAmount that represents the debt haircut and applies it through _updateBorrow(tokenId, 0, repayAmount), immediately reducing borrower principal and totalBorrows.

The collateral contract does not seize or lock the NFT in that path. It only stores blockOfLastRestructureOrLiquidation[tokenId] and emits RestructureBadDebt. Later, ImpermaxV3Collateral.redeem() allows the borrower to burn the collateral wrapper and withdraw the underlying NFT so long as both borrow balances are zero at redemption time. The exploit is therefore to make the position underwater, trigger a write-down, clear only the reduced residual debt, and then redeem the same collateral that should have been consumed by the loss event.

4. Detailed Root Cause Analysis

The critical victim-side code is the restructure path in the collateral contract:

function restructureBadDebt(uint tokenId) external nonReentrant {
    CollateralMath.PositionObject memory positionObject = _getPositionObject(tokenId);
    uint postLiquidationCollateralRatio = positionObject.getPostLiquidationCollateralRatio();
    require(postLiquidationCollateralRatio < 1e18, "ImpermaxV3Collateral: NOT_UNDERWATER");
    IBorrowable(borrowable0).restructureDebt(tokenId, postLiquidationCollateralRatio);
    IBorrowable(borrowable1).restructureDebt(tokenId, postLiquidationCollateralRatio);

    blockOfLastRestructureOrLiquidation[tokenId] = block.number;

    emit RestructureBadDebt(tokenId, postLiquidationCollateralRatio);
}

This function proves the first half of the flaw: once a position is underwater, Impermax calls into the borrowables to write down debt, but this branch itself does not confiscate collateral. The corresponding borrowable code shows the write-down is immediate accounting state, not a lender recovery mechanism:

function restructureDebt(uint tokenId, uint reduceToRatio) public nonReentrant update accrue {
    require(msg.sender == collateral, "ImpermaxV3Borrowable: UNAUTHORIZED");
    require(reduceToRatio < 1e18, "ImpermaxV3Borrowable: NOT_UNDERWATER");

    uint _borrowBalance = borrowBalance(tokenId);
    if (_borrowBalance == 0) return;
    uint repayAmount = _borrowBalance.sub(_borrowBalance.mul(reduceToRatio).div(1e18));
    (uint accountBorrowsPrior, uint accountBorrows, uint _totalBorrows) = _updateBorrow(tokenId, 0, repayAmount);

    emit RestructureDebt(tokenId, reduceToRatio, repayAmount, accountBorrowsPrior, accountBorrows, _totalBorrows);
}

The second half of the flaw appears in redemption:

if (percentage == 1e18) {
    redeemTokenId = tokenId;
    _burn(tokenId);
    INFTLP(underlying).safeTransferFrom(address(this), to, redeemTokenId);
    if (data.length > 0) IImpermaxCallee(to).impermaxV3Redeem(msg.sender, tokenId, redeemTokenId, data);

    require(IBorrowable(borrowable0).borrowBalance(tokenId) == 0, "ImpermaxV3Collateral: INSUFFICIENT_LIQUIDITY");
    require(IBorrowable(borrowable1).borrowBalance(tokenId) == 0, "ImpermaxV3Collateral: INSUFFICIENT_LIQUIDITY");
}

The borrower's path is therefore:

1. Mint or obtain a collateralizable LP NFT and move it into the collateral contract.
2. Borrow against that tokenId.
3. Move the LP-backed position into the underwater branch using public market operations.
4. Call public restructureBadDebt(tokenId) so the protocol writes off part of the debt.
5. Repay only the reduced remainder.
6. Call redeem(..., 1e18, ...) and recover the same NFT because the code checks only for zero remaining debt, not whether collateral was already consumed by a prior debt-forgiveness event.

The incident evidence matches this exactly. The decoded receipt for transaction 0xde903046b5cdf27a5391b771f41e645e9cc670b649f7b87b1524fc4076f45983 shows:

Borrow token_id=255 borrow_amount_wei=201595425653150513986
RestructureDebt token_id=255 repaid_by_writeoff_wei=141505102074743477723 account_borrows_after_wei=60090323578407036263
RestructureBadDebt token_id=255 post_liquidation_collateral_ratio=298073844600987108
Borrow token_id=255 repay_amount_wei=60090323578407036263 account_borrows_after_wei=0
Redeem token_id=255 percentage=1000000000000000000 redeem_token_id=255

Those values are the on-chain confirmation that the protocol accepted a write-off of 141.505102074743477723 WETH, then accepted repayment of only the post-haircut residual 60.090323578407036263 WETH, and finally released the full collateral tokenId 255.

5. Adversary Flow Analysis

The attacker cluster contains:

• EOA 0xe3223f7e3343c2c8079f261d59ee1e513086c7c3, which deployed the helper and sent the exploit transaction
• Helper contract 0x98e938899902217465f17cf0b76d12b3dca8ce1b, which executed the exploit
• Payout EOA 0xe9f853d2616ac6b04e5fc2b4be6eb654b9f224cd, embedded in helper construction and funded at the end of the exploit

The helper deployment transaction was 0x2b71b54f9f9543b9e55bd18a4d91b520c5b7e7d53f8ace256adf20df7e1e506a at block 29437393. The actual exploit realization was a single public Base transaction, 0xde903046b5cdf27a5391b771f41e645e9cc670b649f7b87b1524fc4076f45983, included at block 29437439.

The on-chain execution flow is:

1. The helper sourced flash liquidity and built tokenId 255 in TokenizedUniswapV3Position.
2. The helper transferred that NFT into Impermax collateral and minted the collateral wrapper.
3. The helper borrowed 201.595425653150513986 WETH from the WETH borrowable.
4. Using only public swaps and reinvest operations, the helper pushed the LP position into the underwater branch.
5. The helper called public restructureBadDebt(255), which triggered the write-down.
6. The helper repaid only the residual 60.090323578407036263 WETH.
7. The helper redeemed the collateral NFT, unwound it, redeemed borrowable shares, and extracted ETH profit.

The decoded event summary and balance diff pin down the final extraction:

{
  "weth_borrowable_balance_delta_wei": "-34596457958884485813",
  "attacker_eoa_native_fee_delta_wei": "-1498054501742780",
  "attacker_profit_recipient_native_gain_wei": "34596457958884485813"
}

That is the ACT predicate in concrete terms: the victim borrowable loses WETH cash, and the attacker cluster realizes the same value minus transaction fees.

6. Impact & Losses

The directly measured protocol loss is on the Impermax V3 WETH borrowable. The collected balance diff shows that the borrowable's WETH balance decreased by 34596457958884485813 wei during the exploit transaction. The attacker recipient gained the same amount as native ETH, while the funding EOA paid 1498054501742780 wei in gas, producing 34594959904382743033 wei of net cluster profit.

The exploit also forced a debt haircut of 141505102074743477723 wei through the restructure path. That haircut is the lender-socialized loss event that made the later collateral recovery possible. In economic terms, Impermax absorbed the debt reduction while the borrower retained the collateral upside and then monetized it.

7. References

• Exploit transaction: 0xde903046b5cdf27a5391b771f41e645e9cc670b649f7b87b1524fc4076f45983
• Helper deployment transaction: 0x2b71b54f9f9543b9e55bd18a4d91b520c5b7e7d53f8ace256adf20df7e1e506a
• Impermax V3 collateral source at 0xc1d49fa32d150b31c4a5bf1cbf23cf7ac99eaf7d
• Impermax V3 WETH borrowable source at 0x5d93f216f17c225a8b5ffa34e74b7133436281ee
• TokenizedUniswapV3Position source at 0xa68f6075ae62ebd514d1600cb5035fa0e2210ef8
• Seed trace and decoded receipt for the exploit transaction
• Seed balance diff for the exploit transaction