REKT AUTOPSY
CASE FILE #06

Fusion by IPOR

January 6, 2026

CAUSE OF DEATH

EIP-7702 delegation exploit allowed unauthorized account abstraction manipulation.

TOTAL LOST: $336K
CHAIN: Arbitrum
TYPE: Exploit

FORENSIC REPORT

TIME OF DEATH

Time of death: January 6, 2026, approximately 0300 UTC. The specimen—Fusion by IPOR, deployed on Arbitrum—was found in full cardiac arrest with $336,000 in user assets missing from the scene. No signs of struggle. Death was swift. The attending pathologist noted the body was still warm when discovered, suggesting the attack window was brief but surgical.

CAUSE OF DEATH ANALYSIS

Cause of death analysis: The victim succumbed to an EIP-7702 delegation exploit, a relatively novel vector that demonstrates a fundamental misunderstanding of what happens when you hand over cryptographic keys to a smart contract. EIP-7702 introduces account abstraction by allowing delegated transaction execution—essentially temporary custody of signing authority. The victim's implementation failed to properly validate delegation parameters or implement sufficient guardrails on what delegated accounts could actually *do*. Attackers leveraged this gap to execute unauthorized transactions, draining liquidity pools with the elegance of someone using someone else's credit card while the PIN code was still written on the back.

CONTRIBUTING FACTORS

Contributing factors: The autopsy reveals warning signs that were either missed or ignored. EIP-7702 is newer than a fresh corpse in this line of work—launched mere months before the attack. The protocol rushed to integrate it without the defensive paranoia that should accompany untested cryptographic primitives. There's evidence the codebase lacked proper delegation scope limitations, transaction validation checkpoints, and rate limiting on delegated operations. The victim was, in technical terms, wide open.
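
The three controls named above (delegation scope limits, a validation checkpoint, and rate limiting on delegated operations), as an added example; it is not code from Fusion by IPOR or from this report, and the `DelegationPolicy` class, addresses and limits are assumptions made for illustration. It also recognises an EIP-7702 delegation designator (`0xef0100` followed by the 20-byte delegate address) in an account's code, as returned by `eth_getCode`.

```python
from dataclasses import dataclass, field

# EIP-7702 delegation designator: account code is 0xef0100 || 20-byte address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")


def delegate_of(code: bytes):
    """Return the delegate address if `code` is a designator, else None."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


@dataclass
class DelegationPolicy:  # hypothetical guard, not the protocol's code
    approved_delegates: set  # vetted delegate implementations
    allowed_calls: set       # scope: (target, 4-byte selector hex) pairs
    max_calls: int           # rate limit: calls allowed per window
    window_s: float
    _seen: list = field(default_factory=list)

    def check_account(self, code: bytes) -> str:
        """Validation checkpoint: is this account delegated, and to whom?"""
        delegate = delegate_of(code)
        if delegate is None:
            return "ok: no delegation"
        if delegate not in self.approved_delegates:
            return "block: unapproved delegate " + delegate
        return "ok: approved delegate"

    def check_call(self, target: str, calldata: bytes, now: float) -> str:
        """Scope check first, then a sliding-window rate limit."""
        if (target, calldata[:4].hex()) not in self.allowed_calls:
            return "block: out of scope"
        self._seen = [t for t in self._seen if now - t < self.window_s]
        if len(self._seen) >= self.max_calls:
            return "block: rate limit"
        self._seen.append(now)
        return "ok"


# Constructed sample values, not addresses from the incident.
VETTED, UNKNOWN, VAULT = ("0x" + b * 20 for b in ("11", "22", "33"))
TRANSFER = "a9059cbb"  # ERC-20 transfer(address,uint256) selector

if __name__ == "__main__":
    policy = DelegationPolicy({VETTED}, {(VAULT, TRANSFER)}, 2, 60)
    print(policy.check_account(bytes.fromhex("ef0100" + UNKNOWN[2:])))
```

Addresses are compared as lowercase hex strings, so checksummed input has to be lowercased before it reaches the policy.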

VICTIM IMPACT

Victim impact: Fusion's users—liquidity providers and traders—absorbed the full $336,000 hemorrhage. This isn't abstract: real positions liquidated, real yield evaporated, real trust vaporized. The protocol's total value locked plummeted with the speed of gravity. We estimate moderate to severe reputational damage; the market has already moved on to newer victims.

PATHOLOGIST'S NOTE

Pathologist's note: EIP-7702 is a scalpel in the wrong hands—specifically, the hands of developers who treat new Ethereum features like they're beta testing sandbox toys rather than live financial infrastructure. The victim didn't just fail to defend against this; it invited the attacker in, handed him a drink, and asked him to make himself comfortable. The specimen's tissues show all the signs of what we in the field call 'premature adoption syndrome'—a chronic condition where projects race to integrate cutting-edge features before understanding what 'cutting' really means. Another one for the files.

"Fusion by IPOR hemorrhaged $336K when attackers exploited EIP-7702's delegation mechanism on Arbitrum. Another account abstraction protocol learns the hard way: delegation without proper guardrails is just permission slips to the morgue."


Data from DefiLlama