I just saw a security breach on the ARB network, and it’s pretty alarming. According to Cyvers’s data, the attacker exploited a vulnerability in the proxy contract to steal $1.5 million in a single attack, involving the USDGambit and TLP projects.

The attack method was essentially targeting the ProxyAdmin permissions. The attacker deployed their own contract, updated the admin rights, and directly bypassed the original permission restrictions. The $1.5 million USDT on the victim’s address was transferred directly to the attacker’s wallet. I checked the transaction records, and the flow of funds is very clear—just a straightforward transfer.

What’s even more outrageous is that the stolen funds were immediately bridged to Ethereum and then sent to Tornado Cash to obfuscate the source of the funds. As a result, the $1.5 million is basically unrecoverable. This incident really exposed a major vulnerability in proxy contract governance, especially highlighting how risky centralized permission management can be. It seems DeFi projects need to pay even more attention to smart contract security audits.