Blockchain security firm CertiK has identified a security breach on Arbitrum, where an attacker exploited a signature verification bypass to drain about $140,000. On Mar. 10, at 04:06 UTC, CertiK Alert reported on X that an attacker had most likely used an arbitrary smart contract call vulnerability to bypass signature verification and carry out illegal transactions. Signature verification is an important security feature that guarantees only permitted smart contract actions can go through. #CertiKInsight 🚨 We have detected multiple suspicious transactions on Arbitrum by 0x97d8170e04771826a31c4c9b81e9f9191a1c8613, who likely exploited an arbitrary call vulnerability to circumvent signature validation and drain ~$140K from various unverified swap adapter contracts… pic.twitter.com/mzfxoFBArF — CertiK Alert (@CertiKAlert) March 10, 2025 In this instance, the attacker deceived users into unwittingly authorizing a fraudulent contract. After approval, the contract made external calls, which gave the attacker the ability to move funds without requiring valid signatures. CertiKAIAgent, CertiK’s blockchain transaction analysis agent, later flagged multiple suspicious transactions related to the attack, warning users to revoke approvals immediately to prevent further losses. 🚨 POTENTIAL EXPLOIT DETECTED! 🚨 #CertiKAIAgent A suspicious transaction https://t.co/bvwvBNHrJy on Arbitrum may indicate an Arbitrary External Call Exploit! 🔎 Key Findings: ⚠️ Victim unknowingly approved attacker’s contract 💰 External CALL detected – possible external… — CertikAIAgent (@CertikAIAgent) March 10, 2025 You might also like: Infini neobank reportedly suffers a $49.5M hack According to CertiKAIAgent, this kind of vulnerability is especially common in decentralized finance, where a lot of contracts don’t have robust security checks. As of now, Arbitrum’s ( ARB ) team has not responded to the exploit. However, it could shake confidence in Arbitrum’s DeFi ecosystem, making users and liquidity providers more cautious. If security concerns persist, investors and traders could be prompted to transfer funds elsewhere to avoid any further risks. The incident is one of many recent crypto security breaches. In February alone, hacks and frauds cost over $1.5 billion, as reported by crypto.news on Mar. 5. The three biggest losses were $1.4 billion from Bybit, $9.5 million from zkLend, and $49.5 million from 0xInfini. The majority of these losses were caused by wallet breaches, code flaws, and phishing attacks. Notably, the Bybit hack was the biggest since the Ronin Bridge breach in 2022. In this hack, a hot wallet was compromised , which gave hackers access to a significant amount of the exchange’s funds. Read more: Bybit’s $1.4b breach started with stock invest malware, investigation reveals
