phil
@phil
2178 Following
280363 Followers
1 reply
1 recast
14 reactions
9 replies
8 recasts
66 reactions
13 replies
7 recasts
71 reactions
6 replies
0 recast
26 reactions
3 replies
1 recast
8 reactions
4 replies
0 recast
28 reactions
6 replies
4 recasts
29 reactions
18 replies
9 recasts
54 reactions
9 replies
7 recasts
110 reactions
4 replies
5 recasts
34 reactions
17 replies
20 recasts
121 reactions
2 replies
1 recast
11 reactions
8 replies
13 recasts
137 reactions
2 replies
35 recasts
67 reactions
4 replies
11 recasts
71 reactions
1 reply
0 recast
25 reactions
2 replies
4 recasts
32 reactions
POSTMORTEM
On Sunday, July 13th, the Amps smart contract was exploited. This document outlines the timeline, root cause analysis, mitigation plan, and next steps taken.
## Timeline
- Jul-13-2025 09:25:33 AM +UTC: A malicious contract is deployed by attacker.
- Jul-13-2025 09:43:21 AM +UTC: The reinitialize() function is called on the Amps proxy contract by the attacker, allowing them to change the implementation address and change ownership.
- Jul-13-2025 09:45:21 AM +UTC: First draining transaction submitted.
- Jul-13-2025 09:50:39 AM +UTC: Final draining transaction submitted.
- Jul-13-2025 09:53:31 AM +UTC: Attacker bridges stolen funds.
- Jul-13-2025 03:20:00 PM +UTC: Amps team is notified of exploit.
- Jul-13-2025 03:40:48 PM +UTC: Amps miniapp is taken offline while assessment underway.
- Jul-13-2025 03:43:26 PM +UTC: Phil posts update notifying users that the mini app is offline.
- Jul-13-2025 05:04:55 PM +UTC: Exploited is patched.
- Jul-13-2025 06:37:17 PM +UTC: Refunds sent to all affected users.
- Jul-13-2025 07:48:00 PM +UTC: All affected users notified via DM.
- Jul-13-2025 07:49:00 PM +UTC: Phil posts announcement with update regarding exploit.
- Jul-13-2025 10:13:00 PM +UTC: Phil posts postmortem.
## Root Cause Analysis
The Amps v2 contract uses a proxy / implementation pattern. The proxy contract contained a function, reinitialize(), that allowed administrator wallets to update the owner and change the version number of the proxy contract, up to a maximum version. This function did not contain adequate protections to prevent the attacker from changing the ownership of the proxy contract. The attacker was able to use this function to update the owner and fee recipient, as well as upgrade the implementation address of the proxy contract.
After changing the contract owner, the attacker upgraded the implementation contract tied to the proxy contract and submitted a series of transactions targeted at wallets with an open USDC token approval to the Amps contract and a Base USDC balance. 112 users were affected for a total of $6,711.
## Mitigation
After discussing with the Farcaster team, the Amps team took advantage of the same exploit used by the attacker to retake control of the contract and set a maximum version number, preventing future attempts at changing the implementation contract logic. The Amps miniapp was taken offline to prevent users from interacting with the contract and all affected users were sent a direct message containing a custom mini app to revoke USDC approvals to the contract.
All users were refunded their total USDC balance lost due to the exploit.
## Next Steps
The Amps miniapp remains offline while we complete our postmortem. We will continue to field questions and intend to revert the product to the simpler v1 contract to mitigate downtime for our users who rely on the service. The v2 contract will undergo an extensive review process before being reintroduced and we will revisit the product functionality that allowed users to carry large approval balances to our contract.
I apologize to anyone who was affected by this exploit, and we are committed to transparency so others in the ecosystem can learn from this situation. 13 replies
14 recasts
95 reactions
14 replies
25 recasts
153 reactions
0 reply
6 recasts
25 reactions