Prism, a token that pays a share of buying and selling charges to everybody who holds it, is relaunching on a brand new Ethereum contract after disclosing that an attacker spent most of July siphoning off practically 40% of these charges.
The unique PRISM token, which the challenge is now abandoning, plunged about 91% within the 24 hours by means of 2:13 p.m. ET on Tuesday, in contrast with a 4% achieve for Bitcoin, in keeping with CoinGecko information. It modified palms close to $16, down from a excessive of about $1,145 on June 3, for a market worth of roughly $82,000 on about $288,000 of 24-hour quantity.
The attacker used purpose-built helper contracts to create 2,500 fee-earning positions past the 5,000 the token’s design permits, Prism stated in a submit on X on Tuesday. When the workforce discovered them, these further positions had been diverting just below 40% of each buying and selling payment away from bizarre holders, in keeping with the submit.
A Check for a New DeFi Primitive
The episode is an early stress take a look at for certainly one of DeFi’s newer constructing blocks. Prism is constructed as a Uniswap v4 “hook,” code that lets a token double as a liquidity pool, in order that merely holding it earns a minimize of buying and selling charges with no handbook staking. The design is supposed to make token holders and liquidity suppliers the identical individuals. The exploit exhibits how a single hole in that code can redirect the rewards the entire mannequin will depend on.
“This was by no means a theft of principal,” Prism wrote within the submit. “It was a corruption of the payment layer — the very factor that made Prism value holding.”
The flaw got here down to 1 lacking examine, in keeping with the disclosure. Within the authentic contract, a fee-earning place may very well be moved to addresses that had been by no means meant to carry one, together with the pool supervisor and the token contract itself. These addresses sit outdoors the token’s inside accounting, so a place parked there saved incomes charges whereas counting as nobody’s. That created a “phantom” share whose minimize may very well be pulled from the pool’s steadiness, the workforce stated.
The workforce stated a patch on the previous deployment wouldn’t work as a result of the phantom positions already sit contained in the pool and can’t be eliminated, so it constructed a brand new contract as a substitute.
What Modified
The brand new contract blocks that path, Prism stated. A place can now belong solely to a pockets whose token steadiness backs it, and any try to route one to the pool supervisor or to the contract itself now fails outright. The workforce stated the variety of fee-earning positions can not exceed the 5,000 the design ensures, and that charges can solely ever attain real holders.
The workforce relaunching Prism stated they didn’t create it. They wrote that they “discovered this challenge the way in which everybody else did” and purchased the token on the open market with their very own cash. The disclosure was signed by a pseudonymous account, @0xsolazy. The workforce didn’t say how holders of the previous token would transfer to the brand new contract.
Regardless of its small dimension, Prism has drawn a handful of tasks constructing on its payment mechanism. Spectrum, a device for launching baskets of tokens, makes use of Prism and has deployed baskets throughout Ethereum, Base and Robinhood’s chain, in keeping with Spectrum’s web site. Prism has promoted a number of of these baskets, together with one holding Sky, Aave, Maple, Curve, Spark, Ondo and Ethena tokens.
Restricted Injury
The harm was restricted, largely as a result of Prism by no means took off. The workforce stated absolutely the losses had been small solely as a result of buying and selling quantity had been low, and warned the drain would have grown alongside the token had it gained traction.
Prism has not revealed an unbiased overview of both the exploit or the repair.





