Matt
@mattlee
Current $QR hack situation. DO NOT INTERACT WITH THE NOTIFICATION PICTURED HERE.

(Disclaimer: I'm just a guy reading the chain and this is a developing situation, so take with some grains of salt; it could all be wrong.)

It appears someone was able to send a false notification from the QR miniapp prompting an airdrop claim. This is a typical kind of notif from QR app, but in this case it is a "big" airdrop. When the user clicks this notif, it triggers the claimAirdrop function on this contract https://basescan.org/address/0xf7f60e8a370a239bd86f59d2414f7ce6596d2f3a which takes 0.0006 ETH from the user's wallet, and then it sends them fake QR coins.

The strangest thing about this to me is how small the amount being taken is. It looks like the hacker has not even made 0.2 ETH from this so far: https://basescan.org/address/0x92564bC5B93c951e6821d6bf2C331318cDc82EB8. Not sure why they would design it this way. It could be an ethical justification or there could be more planned. Or maybe they thought it would allow this to go unnoticed, but that doesn't really make sense because of the fake notification, which would obviously be recognized fairly quickly.

*It's probably a good idea to not click on any notifications until we get an update from the Merkle team.*
Izzy💫🎩
@izzykid
So I wasn’t the only one that got the pop. Thanks for the clarity, Matt 👍