May 15, 2026 ChainGPT

Blockaid: executeMetaTransaction Flaw Drains $132.7K From ShapeShift FOX Colony on Arbitrum

Blockchain security firm Blockaid has flagged an active smart-contract exploit that has siphoned roughly $132,700 from ShapeShift’s FOX Colony on Arbitrum. Blockaid announced the incident on X on May 13 and identified the attacker wallet as 0xeed236Afb6967f74099a0a6bf078BC6b865fbf28. FOX Colony is ShapeShift’s community governance and participation program: FOX token holders stake, vote and engage through Colony Network contracts deployed on Arbitrum.

According to Blockaid’s analysis, the flaw lies in the executeMetaTransaction function. The attacker meta-signed a targeted transaction, repointed the colony’s resolver to a malicious contract, then used a delegatecall to drain funds. Because the affected registration function can be invoked by any external address (it lacks permission modifiers), Blockaid says the vulnerability is effectively equivalent to making a protocol key available to any attacker who discovers it. Blockaid also warned that the issue is not isolated: any Colony Network colony exposing executeMetaTransaction on top of EtherRouter—on any chain—shares the same attack surface. At the time of Blockaid’s post, ShapeShift had not issued a public statement.

The incident is the latest in a rough stretch for DeFi security in 2026. In April, Blockaid flagged a $5 million exploit on Wasabi Protocol across Ethereum and Base that used a compromised admin key to drain vault contracts. Earlier in May, the firm identified a $6.7 million exploit on TrustedVolumes. April 2026 was the worst month on record for DeFi thefts, with about $625 million drained across 28 incidents. Blockaid also warned users in April about a CoW Swap frontend hijack that served malicious transaction prompts.

Blockaid says it screens over 500 million blockchain transactions per month and provides security infrastructure to major industry players including Coinbase, MetaMask, Uniswap and OKX.