Adshares Bridge (wADS) — Fake Mint via Bridge-Minter EOA — May 15, 2026

Attacker: 0x63e22ce9bde9bb8892a447258abfcaa4142f001b (Etherscan label: 'Adshares Exploiter 1') — recipient of 3 fraudulent fake wADS mints from the zero address via the compromised bridge-minter EOA

Funds moved to: 3 Wrap To mints (15 May 2026): tx 0x8844b4ec... at 20:32:11 UTC (99,999.93 wADS / $45,777) + tx 0xfba82bb3... at 20:32:23 UTC (99,999.93 wADS / $45,777) + tx 0xa3476575... at 20:48:11 UTC (999,999.94 wADS / $457,778). Dump via Uniswap V4 + 2 swaps to 0x83928768...88644f23B ($91,555.80 each) + MetaMask Swaps ($41,200). On 18 May 2026: 256 ETH (~$540,700, 86%) returned to Adshares deployer (10% bounty).

Mono-attacker cluster centred on 0x63e22ce9bde9bb8892a447258abfcaa4142f001b. wADS contract: 0xcfcecfe2bd2fed07a9145222e8a7ad9cf1ccd22a. 27 all-time transactions, all in the 20:32-21:27 UTC window on 15 May 2026. Recurring dump path address: 0x83928768...88644f23B (likely MEV builder or OTC).

Timeline: On 15 May 2026, the compromised Adshares bridge-minter EOA signed 3 wrapTo() calls referencing non-existent transaction IDs on the canonical Adshares chain. At 20:32:11 UTC: mint #1 of 99,999.93 fake wADS ($45,777.87) to 0x63e22ce9bde9bb8892a447258abfcaa4142f001b. At 20:32:23 UTC: identical mint #2 ($45,777.87). At 20:38:35 UTC: first test swap via MetaMask Swaps Spender ($41,200.11). At 20:48:11 UTC: mint #3 of 999,999.94 fake wADS ($457,778.97), the largest. Between 20:48:59 and 20:55:47 UTC: massive dump via Uniswap V4 Pool Manager in 6 batches + 2 transfers to 0x83928768...88644f23B ($91,555.80 each). At 21:27:35 UTC: final residual swap ($457.32). Total extracted: ~$549K on Ethereum directly. On 16 May 2026 at 16:50 UTC, chrisdior777 (CD Security co-founder) publicly flagged the exploit on X. Adshares posted an on-chain whitehat message offering 10% bounty for the return of 90% of funds. On 18 May 2026, PeckShield confirmed via X (@PeckShieldAlert) the return of 256 ETH (~$540,700, 86.1% of the $628K total loss confirmed by SlowMist Hacked) to the Adshares deployer. Pattern identical to 2022-2024 wrapped-asset bridges: no source-side validation of the lock/burn txid existence.