Typus Finance TLP Oracle Exploit: Post-Mortem Report & Response Plan
2025-10-16 13:02
Typus Finance

Last Edit Time: October 16, 2025 05:01 UTC

1. Executive Summary (TL;DR)

On October 15, 2025, an attacker exploited a critical vulnerability in the Typus Finance oracle module to manipulate prices and subsequently drain funds from the TLP contract. The total loss is estimated at approximately $3.44 million USD.

Upon detection, all protocol smart contracts were immediately paused. It has been confirmed that user funds in personal wallets, as well as funds within the SAFU and DeFi Options Vaults, were unaffected due to a built-in price verification mechanism.

This report details the incident timeline, root cause, and our immediate response plan, which includes the deployment of new, fully audited contracts. An asset recovery plan is currently under internal discussion and will be announced at a later date.

2. Timeline of Events (All times in UTC)

  • 13:05: The first malicious transaction was executed against the TLP contract.
  • 13:24: The Typus team was alerted to anomalous on-chain activity by a community member.
  • 13:39: Within 15 minutes of being alerted, all Typus smart contracts were paused.
  • 13:42: The root cause of the exploit was identified.
  • 13:48: The incident was formally reported to the Sui Foundation.
  • 14:00: An automated alert from our monitoring service, Sentio, confirmed the activity.
  • 14:54: A formal report regarding the incident was filed with the relevant law enforcement authorities.

3. Root Cause Analysis (RCA)

The exploit resulted from a combination of a code-level vulnerability and process-related oversights.

The technical cause was a missing assert check in the update_v2 function of the oracle module, found within this contract package. Because the assertion was absent, the function performed no authorization check on the caller, so any address could update oracle prices.

Two process causes compounded this issue. First, the vulnerable oracle module, deployed in March 2025, was not included in the scope of our May 2025 audit conducted by MoveBit. Second, the alert frequency for our on-chain monitoring service was not configured for immediate detection of this specific event type.

4. Impact Assessment

  • Financial Impact: The total assets drained from the TLP contract are valued at approximately $3.44 million USD at the time of the incident, consisting of 588,357.9 SUI, 1,604,034.7 USDC, 0.6 xBTC, and 32.227 suiETH.
  • Scope of Impact: The exploit was isolated to the TLP contract.
  • Unaffected Products: Funds deposited in the SAFU and DeFi Options Vaults remain secure. These products are settled by automated cranker wallets, which perform a mandatory price verification against a correct, independent oracle before execution. This security feature successfully rejected the manipulated price, neutralizing the threat to these vaults.
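The two controls this report describes, the caller authorization that update_v2 lacked and the cranker-side verification against an independent oracle that protected the vaults, modelled as an added example in Python. This is not Typus Finance's Move code; the address strings, the 1% deviation tolerance and the sample prices are constructed assumptions.

```python
# Added example (not Typus Finance's code): a model of the two controls in the report.
# AUTHORIZED_UPDATER, MAX_DEVIATION_BPS and all prices below are constructed assumptions.

AUTHORIZED_UPDATER = "0xadmin"   # constructed: the only address allowed to push prices
MAX_DEVIATION_BPS = 100          # assumed cranker tolerance: 1% vs the independent oracle


class Oracle:
    """Minimal price feed keyed by asset symbol."""

    def __init__(self, prices):
        self.prices = dict(prices)

    def update_v2_vulnerable(self, sender, asset, price):
        # The flaw the report describes: no authorization check, so any sender
        # can overwrite the stored price.
        self.prices[asset] = price

    def update_v2_fixed(self, sender, asset, price):
        # The missing check: refuse updates from anyone but the authorized updater
        # (the equivalent of an assert! on the caller in Move).
        if sender != AUTHORIZED_UPDATER:
            raise PermissionError("unauthorized oracle update")
        self.prices[asset] = price


def price_is_verified(feed_price, reference_price, max_bps=MAX_DEVIATION_BPS):
    """Cranker-style check: accept the feed only if it agrees with an independent oracle."""
    if reference_price <= 0:
        return False
    deviation_bps = abs(feed_price - reference_price) * 10_000 / reference_price
    return deviation_bps <= max_bps


def settle(feed, reference, asset):
    """Return the price to settle at, or None when verification rejects the feed."""
    feed_price = feed.prices[asset]
    if not price_is_verified(feed_price, reference.prices[asset]):
        return None
    return feed_price


def demo():
    reference = Oracle({"SUI": 1.00})   # constructed independent feed
    feed = Oracle({"SUI": 1.00})
    feed.update_v2_vulnerable("0xattacker", "SUI", 0.01)   # accepted: no auth check
    rejected = settle(feed, reference, "SUI")               # cranker refuses it -> None
    fixed = Oracle({"SUI": 1.00})
    try:
        fixed.update_v2_fixed("0xattacker", "SUI", 0.01)
        blocked = False
    except PermissionError:
        blocked = True
    return rejected, blocked, feed.prices["SUI"]
```

The deviation check is the second, independent layer: even when the feed has been corrupted, settlement does not proceed on a price the reference oracle disagrees with.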

5. Response and Collaboration

Upon identifying the incident, our team took the following actions:

  1. Protocol Suspension: All smart contracts were immediately paused to protect all remaining assets.
  2. Security Collaboration: We have actively engaged and are in close collaboration with multiple security partners and key ecosystem teams, including the Sui Foundation, Mysten Labs, MoveBit, SlowMist, and Hypernative, to assist in the investigation and fund tracing efforts.
  3. Fund Tracing: Efforts to trace the exploited funds are underway.
  4. Redeployment Plan: A new, more secure set of smart contracts will be developed to replace the current version.

6. Asset Recovery Plan

The team is internally discussing and formulating a plan to address the losses incurred by TLP liquidity providers. A formal announcement regarding this plan will be made once a clear path forward has been determined.

7. Next Steps

Typus Finance is committed to resolving this issue and strengthening our security posture. We will continue to provide transparent updates to the community as the situation develops.

Sincerely, The Typus Finance Team

