On September 12, 2025, a critical vulnerability was exploited in the Kame Aggregator contracts, resulting in an estimated loss of approximately $1 million. The attacker leveraged this vulnerability to steal funds from users who had approved tokens for the contract.
Overview
Primary attacker: https://seiscan.io/address/0x3A42B17f0D25de388BF0b08ffd860cdBDDdfB110
Vulnerable Contract: https://seiscan.io/address/0x14bb98581ac1f1a43fd148db7d7d793308dc4d80
One of the exploit TXs: https://seiscan.io/tx/0x1bf7a70c0f55344d3466fbce42317fbc842c29a25d1ed86253a2cc64163dfdc2
Exploit Analysis
The Kame Aggregator is a short contract of about 40 lines of code with one primary function, swap, which swaps tokens on behalf of users. The problem is that the swap function forwards an arbitrary call to any address with any calldata, without validating the target or the parameters and without restricting what the call may do.
If users treated this contract as a one-off helper and approved only the exact amount of the token they intended to swap, there would be no problem. But in practice, users are often asked to approve unlimited token allowances when swapping. The attacker targeted users who had given the contract an unlimited approval and supplied parameters that made the contract call transferFrom on the token, moving the approved tokens from the user's wallet to the attacker.
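The following is an added illustration, not the Kame Aggregator's own code: a minimal contract with the same arbitrary-call pattern next to a hardened version that pulls only the caller's own tokens in the stated amount and only talks to an owner-allowlisted router. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Vulnerable pattern (hypothetical): the caller picks both the target and the calldata.
// Any allowance a user granted to this contract can therefore be spent by anyone who
// asks the contract to call the token's transferFrom with that user as `from`.
contract UnsafeAggregator {
    function swap(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data); // no check on target, selector or arguments
        require(ok, "call failed");
    }
}

// Hardened pattern (hypothetical): tokens are pulled only from msg.sender, only in the
// amount the caller states, and the external call goes only to an allowlisted router.
contract SafeAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;

    constructor() { owner = msg.sender; }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouter[router] = allowed;
    }

    function swap(address router, address tokenIn, uint256 amountIn, bytes calldata routerData) external {
        require(allowedRouter[router], "router not allowed");
        // The `from` address is fixed to msg.sender; callers cannot spend other users' allowances.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // Scope the router's allowance to this swap only, then reset it so nothing lingers.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(routerData);
        require(ok, "swap failed");
        require(IERC20(tokenIn).approve(router, 0), "reset failed");
    }
}
```

The allowlist only helps if every router on it is itself trusted code; the routerData is still caller-controlled, so the allowance granted to the router is deliberately limited to amountIn for the duration of the call.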
Conclusion
As a developer building your own project, do not trust any user input. Every parameter must be carefully validated by the code. Calls to untrusted contracts can introduce unexpected risks and errors: an external call can trigger malicious code, either within the target contract or elsewhere in its ecosystem. Every external call should be treated as a potential security risk and handled with extreme caution.
Furthermore, a security audit is strongly recommended for all projects, whether they are smart contracts, backends, wallets, or dapps.
As a blockchain user, remember that approving tokens grants strangers the ability to spend them as they please. Avoid infinite approvals; approve only the exact amount needed for each transaction, even if it incurs additional fees. Proactively review and revoke unnecessary approvals to safeguard your funds.