Adshares Wrapper On-Chain Whitehat Message Is Settlement Traffic, Not The Exploit

On Ethereum at 2026-05-16 18:15:23 UTC, transaction `0x99a1114c2e8dc1807e00da0e963a6fbd5d91a04d1e1fd0a75b78e9c6b41a7464` was an on-chain plaintext settlement message related to Adshares Wrapper, not the drain transaction itself. The trace shows a single zero-value `CALL` from `0xb6fe3854a85dc6c2a873f2b6bbd43a36c74cae1f` to EOA `0x63e22ce9bde9bb8892a447258abfcaa4142f001b`, with ASCII calldata offering whitehat terms and requesting return of 90% of previously drained assets. No contract code executes, no logs are emitted, and `funds_flow.json` records no token, approval, or ETH transfers, so the financial impact of this transaction itself is `0`.

## Root Cause

This transaction does not expose a root-cause vulnerability because it never reaches the suspected Adshares Wrapper contract `0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A`. The only trace entry is a top-level message call to an externally owned account, so there is no callable contract function, no state transition inside the wrapper, and no on-chain evidence here for how the earlier drain was performed.

### Vulnerable Contract

No vulnerable contract is exercised in this transaction. The incident brief names Adshares Wrapper at `0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A`, but `trace_callTracer.json` shows that address is never called. The only callee is EOA `0x63e22ce9bde9bb8892a447258abfcaa4142f001b`.

### Vulnerable Function

Not applicable. The input payload begins with ASCII bytes `0x546f2074` ( `”To t”`), not a Solidity function selector, and `decoded_calls.json` leaves the call unresolved.

### Vulnerable Code

Not applicable for this transaction. No contract bytecode is entered, so there is no vulnerable function body to quote from the verified Adshares Wrapper source.

### Why It’s Vulnerable

Expected behavior for an exploit transaction would be a call path that enters the affected protocol contract, executes one or more functions, and produces asset movement or other state changes that can be tied to a concrete code flaw. Actual behavior here is just off-chain-readable text embedded in calldata and delivered to an EOA, with no nested calls and no balance-changing events.

That distinction matters because any attempt to assign an exploit root cause from this transaction alone would be unsupported. This queue item can only support the narrow conclusion that a party controlling `0xb6fe3854…` posted settlement terms to `0x63e22c…` after an earlier incident.

## Attack Execution

### High-Level Flow

1. A sender EOA submits a zero-value Ethereum transaction.
2. The transaction targets EOA `0x63e22c…`, not the Adshares Wrapper contract.
3. The calldata carries a plaintext message describing whitehat settlement terms.
4. The EVM records the call successfully and exits without any nested calls.
5. No tokens, ETH, or protocol state move in this transaction.

### Detailed Call Trace

– Depth 0: `0xb6fe3854a85dc6c2a873f2b6bbd43a36c74cae1f` → `0x63e22ce9bde9bb8892a447258abfcaa4142f001b`, `CALL`, value `0`
– input starts with `0x546f2074`
– `selectors.json` and `decoded_calls.json` do not resolve this as a Solidity function
– no child calls

The calldata decodes to plain ASCII text beginning with “To the address that interacted with Adshares Wrapper contract…”. The message offers to treat the prior drain as a whitehat disclosure if 90% of the assets are returned within 72 hours.

## Financial Impact

The direct financial impact of transaction `0x99a1114c2e8dc1807e00da0e963a6fbd5d91a04d1e1fd0a75b78e9c6b41a7464` is `0`.

`funds_flow.json` shows:

– no ERC-20 transfers
– no approvals
– no ETH transfers
– no attacker gains

The only economic effect is gas expenditure by the sender: `53,576` gas at `0x9e74e680` wei, or `0.00013154066571776 ETH`. Any actual exploit losses belong to a separate earlier transaction that is not evidenced by this call trace.

## Evidence

– Transaction hash: `0x99a1114c2e8dc1807e00da0e963a6fbd5d91a04d1e1fd0a75b78e9c6b41a7464`
– Chain: Ethereum
– Block number: `25109461`
– Block timestamp: `2026-05-16 18:15:23 UTC`
– Receipt status: `1`
– Sender: `0xb6fe3854a85dc6c2a873f2b6bbd43a36c74cae1f`
– Recipient: `0x63e22ce9bde9bb8892a447258abfcaa4142f001b`
– Suspected affected contract from the brief: `0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A`
– Trace shape: one top-level `CALL`, no nested calls
– Receipt logs: `0`
– Funds flow summary: `No attacker gains detected`
– Unresolved selector bytes: `0x546f2074`, which correspond to ASCII text rather than ABI-encoded function dispatch

Recent posts