Aftermath Finance Loses $1.14M in Sui Perpetuals Exploit

Aftermath Finance reported that a flaw in its Sui-based perpetual futures market allowed an attacker to extract roughly $1.14 million in USDC. The protocol paused trading and opened an investigation with external security teams while it works on a compensation plan for affected users.

The incident targeted only the perpetual futures product. The protocol traced the issue to a builder-code feature that lets third-party integrators set custom fees for routed trades. That feature permitted negative fees, which the attacker exploited to receive USDC payouts during trade execution instead of paying fees. Aftermath said its core smart contracts were not compromised and that other products and packages remain unaffected.

On-chain trackers and security firms estimated the attack unfolded over about 36 minutes. The attacker executed a series of roughly $50,000 transfers and completed about 11 transactions in that window, according to early technical analysis. Aftermath paused activity to limit further exposure and to support forensic work.

Aftermath holds about $6.7 million in total value locked. The protocol normally handles roughly $2.33 million in daily trading volume; volume rose about 36% on the day of the exploit as the attacker swapped staked SUI and SUI for USDC to extract proceeds. The initial loss estimate stands at about $1.14 million in USDC.

On-chain data show the exploiter immediately began rotating funds across Sui-based decentralized venues, fragmenting transfers to complicate tracking. The wallet used in the attack appears to have been created beforehand and was funded from a large Sui holder’s multi-token wallet. After the initial withdrawals, the wallet produced roughly $400,000 in additional turnover through swaps. Some funds may have been routed to an exchange, potentially to convert to other stablecoins or fiat.

USDC is technically freezable by its issuer, but the issuer typically requires a court order before freezing funds and has not intervened in this incident. Protocols and automated market makers that received swapped tokens did not block the transactions, according to the team.

The exploit follows several recent attacks on smaller Web3 applications, including other Sui-based projects. Aftermath said it is coordinating with external security experts to trace funds and will provide updates to the community on investigation findings and on compensation arrangements. Trading remains paused while forensic work continues.