QI Quadriga Initiative

Sep 2025 - LyraDepositWrapper Incorrect Deposit Funds Lost To MEV Bot - $1m (Global)

The victim depositor appears to be a user of the FalconX Exchange. Their wallet was funded by the

Unfortunately, the LyraDepositWrapper has no protection against funds in the smart contract being removed by any third party.

The exploit appears to have been possible shortly after a user incorrectly deposited their one million USDC into the LyraDepositWrapper smart contract by sending the funds directly to the contract instead of calling the appropriate deposit mechanism. As a result of this error, a MEV (maximum extractable value) bot was able to remove the funds from the smart contract immediately.

According to a post by TenArmor, "[i]t appears that the depositToLyra() function of the LyraDepositWrapper contract lacks proper validation for the socketVault parameter, resulting in approvals for the contract to any address."

The losses are exactly $1m USDC, which is generally worth exactly $1m USD.

The incident was immediately noticed and reported by Twitter/X user deeberiroz, and reported shortly thereafter by TenArmor.

No significant analysis of the incident appears to have been compiled. There is no evidence of funds having been returned to the victim Ethereum address.

There is no evidence that any recovery was attempted by the victim.

It is unclear who the victim is, and whether they undertook any efforts to contact and request that their funds be returned by the MEV bot operator.

Further Analysis

An Ethereum address with recent withdrawals from the FalconX exchange platform inadvertently deposited $1,000,000 USDC into the LyraDepositWrapper smart contract by sending tokens directly to the contract, rather than using the appropriate deposit method (e.g., depositToLyra()). This direct transfer bypassed the intended logic and protections of the contract and left the funds vulnerable to extraction. A MEV bot detected the funds and exploited the contract to immediately remove the full amount. It is unclear if any efforts have been made to contact the MEV bot owner to request a return of the funds.

How Could This Have Been Prevented?
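
One user-side safeguard against the direct-transfer error described above, as an added example that is not part of the original page: a wallet or custody pre-send check that decodes a pending transaction and warns when it is a bare ERC-20 transfer() to an address holding contract code. The addresses and bytecode are constructed placeholders, and get_code is a hypothetical stand-in for an eth_getCode lookup.

```python
# Added example (not from the original page): pre-send guard for ERC-20 transfers.
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

def decode_erc20_transfer(calldata_hex):
    """Return (recipient, amount) if calldata is transfer(address,uint256), else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    # selector (4 bytes) + two 32-byte ABI words, hex-encoded
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        return None
    to_word, amount_word = data[8:72], data[72:136]
    if to_word[:24] != "0" * 24:  # an address is left-padded with 12 zero bytes
        return None
    return "0x" + to_word[24:], int(amount_word, 16)

def check_outgoing_tx(tx, get_code, decimals=6):
    """Warn when a pending tx is a bare token transfer() to a contract address.

    get_code is a hypothetical callable standing in for an eth_getCode lookup;
    it returns "0x" for an externally owned account.
    """
    decoded = decode_erc20_transfer(tx["data"])
    if decoded is None:
        return []
    recipient, amount = decoded
    if get_code(recipient) in ("", "0x"):
        return []
    return [f"recipient {recipient} holds contract code: a bare transfer() of "
            f"{amount / 10**decimals:,.2f} tokens bypasses its deposit function"]

# Constructed sample data: placeholder addresses, not the real ones from the incident.
TOKEN = "0x" + "aa" * 20
WRAPPER = "0x" + "11" * 20        # stands in for a deposit wrapper contract
EOA = "0x" + "22" * 20            # stands in for an ordinary wallet
CODE = {WRAPPER: "0x6080604052"}  # constructed bytecode prefix

def get_code(addr):
    return CODE.get(addr, "0x")

def transfer_tx(recipient, amount):
    data = "0x" + TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + format(amount, "064x")
    return {"to": TOKEN, "data": data}

if __name__ == "__main__":
    for dest in (WRAPPER, EOA):
        print(dest, check_outgoing_tx(transfer_tx(dest, 1_000_000 * 10**6), get_code))
```

This check covers only the sender's side; it does not change the contract behaviour described in the TenArmor post.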


Sources/Further Reading

TenArmor - "Our system has detected a suspicious attack involving #LyraDepositWrapper on #ETH, resulting in an approximately loss of $1M." - Twitter/X (Dec 31)
LyraDepositWrapper Attack Transaction - Etherscan (Dec 31)
deeberiroz - "Looks like some unlucky soul just sent $1m USDC to a bridge contract directly instead of calling the proper methods, getting it all immediately sweeped by a MEV bot" - Twitter/X (Dec 31)
The Deposit Transaction - Etherscan (Dec 31)
Diabetes Uzi - "This one million USDC was transferred into the contract by someone else, not by the project itself. Why would he do that? Does this mean that this person lost one million dollars?" - Twitter/X (Dec 31)
Victim Depositor Address - Etherscan (Dec 31)
Victim Wallet Funding Transaction - Etherscan (Dec 31)
LyraDepositWrapper Smart Contract - Etherscan (Dec 31)
LyraDepositWrapper Smart Contract Creation - Etherscan (Dec 31)

