Security report / 29th May 2025

Due to a bug in three Vault contracts discovered on the 21st May 2025, some user deposits were lost, with a total value of $18,612.93. The CYBRO team will fully refund the affected users using funds from the project treasury. The contracts had previously been audited by QuillAudits.

Affected Vaults

• BlasterSwap V2 (USDB/WETH): $12,765.49

• BladeSwap (USDB/WETH): $5,456.74

• Camelot V3 + GAMMA (ETH/USDC): $390.70

Refunds will be issued directly to users' wallets by the end of May, in USDC on the same chain where the Vault was deployed.

What happened

On May 23rd, a user reported an incorrect balance in the CYBRO dApp. Unusual on-chain activity was detected in several CYBRO’s Vaults, and the CYBRO team quickly identified a bug. The auditors at QuillAudits supported the investigation and promptly assigned an additional investigator from Merkle to assist.

It appears that some users may have exploited the vulnerability to steal funds from the affected Vaults. The investigation is ongoing, and we will report our findings to the appropriate authorities once complete.

The vulnerable contracts were promptly shut down, new deposits were halted, and the team conducted a thorough multi-day investigation.

Other contracts are safe, the CYBRO token contract is also safe.

CryptoCrouton CYBRO Project Lead