Superfluid: Composability Exploit (ctx Manipulation)
An attacker forged Superfluid's internal transaction state (ctx) to impersonate privileged calls, draining $8.7M from protocols that used Superfluid for contributor payments — crashing Mai Finance's QI token 80% as the loot was dumped.
Summary #
Superfluid suffered a Streaming Payment Protocol / Infrastructure on 2022-02-08, resulting in a loss of approximately $9M.
What happened #
An attacker forged Superfluid's internal transaction state (ctx) to impersonate privileged calls, draining $8.7M from protocols that used Superfluid for contributor payments — crashing Mai Finance's QI token 80% as the loot was dumped.
Linked factors #
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]