Silo Finance (V2, soUSDC managed vault on Arbitrum): Immutable hardcoded wstUSR oracle (pricing depegged asset ~10x reality) + supply-cap bypass via `receiver` parameter + `totalAssets()` summing externally-donated shares
Summary
Silo Finance (V2, soUSDC managed vault on Arbitrum), an isolated lending protocol (curator-managed meta-vault over isolated markets), suffered an exploit on 2026-04-03, resulting in a loss of approximately $392K.
What happened
Silo Finance's soUSDC managed vault on Arbitrum lost ~$392K on April 3, 2026 when an attacker exploited a hardcoded immutable wstUSR oracle pricing the depegged token at $1.13 while it traded at $0.12, combined with a supply-cap bypass via the `receiver` parameter and a `totalAssets()` accounting flaw that counted externally-donated shares as vault assets.
Linked factors
- RD-F-006 — causal : Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — V2 managed-vault architecture ~12 months old; wstUSR market configuration newer]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — ~9.4x mispricing (oracle $1.13 vs market $0.12) for ~12 days]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: N — original protocol; V2 meta-vault pattern is conceptually similar to MetaMorpho but not a fork]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — V2 managed-vault architecture ~12 months old; wstUSR market configuration newer]
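
The RD-F-099 signal listed above (oracle price deviating from a secondary source) can be sketched as a small off-chain monitor. This is an added example, not Silo Finance's code or the dashboard's own logic; the function name, the 10% threshold, the two-observation streak and the sample series are assumptions, and only the $1.13 and $0.12 prices come from the incident summary.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Sample = Tuple[int, float, Optional[float]]  # (day, oracle_usd, secondary_usd)

# Constructed observations. Only $1.13 (oracle) and $0.12 (market) come from
# the incident summary; day indexes and the other quotes are invented.
SAMPLES: List[Sample] = [
    (0, 1.13, 1.12),
    (1, 1.13, 1.10),
    (2, 1.13, 0.60),   # depeg begins on the secondary source
    (3, 1.13, None),   # secondary feed unavailable
    (4, 1.13, 0.12),
    (5, 1.13, 0.12),
]

@dataclass
class Alert:
    day: int
    ratio: float   # oracle price / secondary price
    streak: int    # consecutive breaching observations so far

def deviation_alerts(samples: List[Sample],
                     max_deviation: float = 0.10,   # assumed threshold ("X%")
                     min_streak: int = 2) -> List[Alert]:
    """Alert when the oracle differs from the secondary source by more than
    max_deviation (relative) for min_streak consecutive usable observations."""
    alerts: List[Alert] = []
    streak = 0
    for day, oracle, secondary in samples:
        if secondary is None or secondary <= 0:
            # No usable reference price: keep the current streak rather than
            # resetting it, so a feed outage cannot hide an ongoing breach.
            continue
        deviation = abs(oracle - secondary) / secondary
        if deviation <= max_deviation:
            streak = 0
            continue
        streak += 1
        if streak >= min_streak:
            alerts.append(Alert(day, oracle / secondary, streak))
    return alerts

if __name__ == "__main__":
    for a in deviation_alerts(SAMPLES):
        print(f"day {a.day}: oracle is {a.ratio:.1f}x secondary "
              f"({a.streak} consecutive breaches)")
```

A hardcoded, immutable oracle never moves, so the streak only grows once the secondary source drops; the alert is a cue for curators to pause or cap the affected market.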