Jul 16, 2025

The PROXY HACK: Uninitialized Contracts Costing DeFi $10M in Losses

Uninitialized proxy hack costs DeFi protocols $10M+. Learn how attackers exploited ERC1967 Proxy vulnerabilities in smart contracts and how to prevent it.

A comprehensive analysis of the sophisticated ERC1967Proxy vulnerability that compromised thousands of smart contracts across multiple blockchain networks.

An unknown actor spent months silently compromising thousands of smart contracts across multiple EVM chains.

The patience and technical skill involved are disturbing, to say the least.


How Attackers Targeted Uninitialized Proxy Contracts

An unknown threat actor deployed sophisticated scanning infrastructure across multiple EVM chains, systematically hunting for a single vulnerability: freshly deployed ERC1967 Proxy contracts left uninitialized by their developers.

The attack methodology was deceptively simple yet brutally effective. The moment a new proxy contract hit the blockchain without proper initialization, automated scanners would detect it within minutes.

Before legitimate developers could react, the attacker would initialize the contract with their own malicious implementation, embedding a backdoor that could lay dormant for months.


$1.55M DeFi Hack: The Kinto Protocol Case Study

On July 10, 2025, the consequences of this campaign became very clear.

Kinto Protocol fell victim to a $1.55 million exploit when the attacker finally activated their dormant backdoor, upgraded the proxy to a malicious implementation, and minted K tokens directly from the compromised contract.

The backdoor had been strategically placed months earlier, designed to survive reinitialization attempts and multiple contract upgrades. It waited patiently, invisible to security audits and monitoring systems, until the attacker decided the time was right to strike.

What made this particular hack so insidious was its stealth. The attacker didn't trigger obvious functions like mint() that would generate clear audit trails.

Instead, they wrote tokens directly into storage slots tied to fake addresses, making the attack nearly invisible to standard monitoring systems.


How Smart Contract Backdoors Stayed Hidden

The technical sophistication of this attack campaign sets it apart from typical DeFi exploits. The attackers employed multiple layers of obfuscation to keep their backdoors undetected:

Storage Manipulation: Rather than leaving obvious traces, the attackers carefully reset all initialized parameters and storage in victim contracts while preserving pointers to original implementation contracts.

Zero-Day Exploitation: According to security researcher @pcaversaccio, the attacker exploited a previously unknown vulnerability in the Etherscan family of blockchain explorers.

By layering an OpenZeppelin proxy on top of an EIP-1967 proxy and the backdoor itself, they created a three-proxy stack that effectively spoofed the implementation details shown on block explorers.

Gradual Extraction: When it came time to drain funds, the attacker showed remarkable discipline. Instead of executing large, noticeable transactions, they drained vaults in small increments over time, flying under the radar of most security monitoring systems.


Uninitialized Proxy Vulnerabilities in DeFi: Scale

The full scope of this attack campaign is staggering. According to blockchain security researcher deebeez, thousands of smart contracts were compromised, with over $10 million in total funds at risk across multiple protocols and chains.

This represents one of the largest coordinated smart contract attacks in DeFi history, not just in terms of financial impact, but in the sheer number of affected protocols. The attackers had built comprehensive extraction infrastructure months in advance, suggesting they were either waiting for the most lucrative targets or preparing to drain all victims simultaneously.

The attack's success highlights a critical gap in smart contract deployment practices. Many development teams deploy proxy contracts and initialize them in separate transactions, creating a window of vulnerability that sophisticated attackers are actively monitoring and exploiting.


Preventing Proxy Initialization Attacks: Smart Contract Security Best Practices

The phantom proxy attack serves as a stark reminder that smart contract security extends far beyond code audits and formal verification. Deployment practices and operational security are equally critical.

Immediate Initialization: The most effective prevention is to initialize proxy contracts in the same transaction as deployment.

Monitoring and Alerting: Implement comprehensive monitoring for your deployed contracts, including alerts for unexpected initialization events, storage changes, and proxy upgrades.

Multi-Signature Controls: Use multi-signature wallets or governance mechanisms for critical contract operations, including proxy upgrades and initialization.

Regular Security Audits: Engage professional smart contract auditing companies that review not only your code but also your deployment processes.

Many vulnerabilities exist in the gaps between development and production.
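The difference between the two-transaction deployment this article warns about and the atomic deployment it recommends, shown as an added example that is not code from the post or from Kinto. It assumes OpenZeppelin v5 contracts and a hypothetical VaultV1 implementation; the initializer calldata is passed to the ERC1967Proxy constructor so deployment and initialization happen in one transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical implementation (not Kinto's code): a UUPS contract whose
// initialize() sets the owner, i.e. the only account allowed to upgrade it.
contract VaultV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation itself so it can never be initialized directly.
        _disableInitializers();
    }

    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// VULNERABLE PATTERN: the proxy is deployed with empty init data, so between
// this transaction and the later initialize() call anyone who calls
// initialize() first becomes owner and controls future upgrades.
contract UnsafeDeployer {
    function deploy(address impl) external returns (address proxy) {
        proxy = address(new ERC1967Proxy(impl, ""));
        // initialize() is expected in a second transaction, which an
        // automated scanner can front-run.
    }
}

// HARDENED PATTERN: initializer calldata is handed to the proxy constructor,
// so the proxy is initialized atomically in the same transaction and there
// is no window in which it sits uninitialized on-chain.
contract SafeDeployer {
    function deploy(address impl, address owner_) external returns (address proxy) {
        bytes memory initData = abi.encodeCall(VaultV1.initialize, (owner_));
        proxy = address(new ERC1967Proxy(impl, initData));
    }
}
```

The same atomic pattern applies to deployment scripts (Foundry, Hardhat): always pass the encoded initializer to the proxy constructor rather than calling initialize() afterwards.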


The Future of Smart Contract Security: Lessons from Advanced Threat Actors

The phantom proxy attack represents an evolution in blockchain security threats. We're no longer dealing with opportunistic hackers looking for quick profits. Instead, we face sophisticated threat actors with deep technical knowledge, extensive resources, and the patience to execute months-long campaigns.

This shift demands a corresponding evolution in how we approach smart contract security. Traditional point-in-time audits and code reviews are necessary but insufficient. We need comprehensive security practices that cover the entire lifecycle of smart contracts, from development through deployment and ongoing operations.

As DeFi continues to grow and mature, we can expect threat actors to become increasingly sophisticated. The phantom proxy attack won't be the last of its kind—it's a preview of the advanced persistent threats that will define the next phase of blockchain security challenges.

For comprehensive smart contract security auditing and consultation, contact our team of blockchain security experts who stay ahead of emerging threats like the phantom proxy attack.

Request an audit at 🔗 audita.io/request

STAY SAFU

Audita's Team
