A Web3 project contract may have been implanted with malicious code by employees, causing hundreds of thousands of dollars in losses

2025-04-28 04:55:19
On April 28, according to crypto community member Cat (@0xCat_Crypto), a Web3 startup had hundreds of thousands of USDT transferred out because a hardcoded, privileged wallet address had been included in its smart contract code. An employee had submitted the suspicious contract code, but denied writing it, saying the malicious code was generated automatically by an AI programming assistant and had not been fully reviewed. At present the ownership of the wallet involved cannot be confirmed, and it is difficult to establish who actually wrote the code.
Cos of SlowMist said in a post that, after a preliminary investigation in an environment using Cursor with the Claude 3.7 model, the address auto-completed by the AI did not match the malicious address involved, ruling out the possibility that the AI had generated the malicious code. The malicious address had been granted owner authority over the smart contract, allowing the project's funds to be transferred out in full.
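The pattern at the heart of this incident, a hardcoded address carrying owner-level privilege, is something a reviewer can flag mechanically before deployment. The following is an added example (not code from the project or from SlowMist) that scans Solidity source for hardcoded addresses and marks those appearing in a privileged context; the `Vault` contract and its addresses are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# 20-byte address literal; the trailing \b keeps bytes32 literals from matching.
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}\b")
# Heuristic for "privileged" context: role-like identifiers or a sender check.
PRIV_RE = re.compile(
    r"\b(owner|admin|authorized|allowed|operator|governance)\b|msg\.sender\s*==",
    re.IGNORECASE,
)

@dataclass
class Finding:
    line: int
    address: str
    privileged: bool
    context: str

def scan_solidity(source: str) -> list[Finding]:
    """Return every hardcoded address in the source, with a privilege flag."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # addresses in trailing comments are not code
        for m in ADDR_RE.finditer(code):
            findings.append(Finding(n, m.group(0), bool(PRIV_RE.search(code)), code.strip()))
    return findings

def privileged_hardcoded(source: str) -> list[str]:
    """Addresses that should block a merge until someone explains them."""
    return [f.address for f in scan_solidity(source) if f.privileged]

# Constructed sample contract: a token constant (benign), a hardcoded owner,
# a hardcoded allow-list entry and an extra sender bypass in the modifier.
SAMPLE = """\
pragma solidity ^0.8.0;
contract Vault {
    address public owner;
    address constant TOKEN = 0x1111111111111111111111111111111111111111; // token
    mapping(address => bool) public allowed;
    constructor() {
        owner = 0x2222222222222222222222222222222222222222; // hardcoded owner
        allowed[0x3333333333333333333333333333333333333333] = true;
    }
    modifier onlyOwner() {
        require(msg.sender == owner || msg.sender == 0x4444444444444444444444444444444444444444);
        _;
    }
    // 0x5555555555555555555555555555555555555555 appears only in this comment
}
"""

if __name__ == "__main__":
    for f in scan_solidity(SAMPLE):
        print(f"L{f.line} {'PRIV ' if f.privileged else '     '}{f.address}  {f.context}")
```

The heuristic is deliberately noisy: every hit needs a human explanation in review, which is exactly the step the incident report says was skipped.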