GLOVE Exploit Drains $200K From WUSD.fi via Sybil Attack

Web3 security firm ExVul flagged the incident on X, describing it as an “incentive abuse” attack. According to ExVul, the attacker exploited the lack of Sybil resistance in the WUSD/GLOVE reward distribution path. The exploit is also listed in SlowMist’s hacked database for May 25, 2026.

What Is WUSD.fi and the GLOVE Token?

WUSD.fi is a DeFi protocol on Ethereum built around a governance-free stablecoin wrapper. Users deposit any of six supported USD-pegged tokens, including USDT, USDC, BUSD, USDP, TUSD, and GUSD. In return, they receive WUSD, a unified stablecoin backed by the deposited assets.

The protocol charges a 1% fee on each wrapping transaction. That fee revenue is used to purchase GLOVE tokens from the open market. GLOVE is then distributed as rewards to protocol participants, creating an incentive loop designed to attract liquidity.

GLOVE also features a “utility credit” system. Users must accumulate internal credits before they can sell their GLOVE holdings. This mechanism was designed to prevent mercenary farmers from immediately dumping reward tokens. Both tokens are tracked on CoinGecko, with WUSD trading on MEXC at roughly $83,000 in daily volume before the exploit.

How the GLOVE Exploit Worked

The attack targeted WUSD.fi’s reward mechanism rather than a traditional smart contract vulnerability. According to ExVul, the attacker used EIP-7702 helper contracts to generate fresh Ethereum addresses at scale. EIP-7702, introduced in Ethereum’s Pectra upgrade, allows externally owned accounts to temporarily delegate execution to a smart contract.

The attacker combined this capability with flash loans to wrap and unwrap tokens repeatedly through new addresses. Each fresh address collected GLOVE rewards as if it were a legitimate new user.

After accumulating rewards across multiple cycles, the attacker dumped the harvested GLOVE tokens into Uniswap liquidity pools. That concentrated selling pressure drained USDC and USDT from the GLO pools, resulting in at least $200,000 in losses.

Why Sybil Resistance Matters in DeFi Incentives

A Sybil attack occurs when one entity creates many fake identities to game a system. In this case, the reward path did not verify whether addresses belonged to unique participants or a single actor operating through disposable wallets.

This type of exploit differs from flash loan price manipulation or reentrancy bugs. The smart contracts may have functioned exactly as designed. Instead, the flaw was in the incentive design itself, which assumed each address represented a separate user.

Protocols that distribute token rewards without Sybil checks face similar risks. Airdrop farming, where users create thousands of wallets to claim tokens, operates on the same principle. The GLOVE exploit automated and monetized that process in real time using flash loans and EIP-7702.

EIP-7702 Enabled the Attack at Scale

EIP-7702 played a central role in making this Sybil attack efficient. Before this Ethereum upgrade, creating and operating fresh addresses for each reward cycle required significantly more overhead. Now, EIP-7702 allows an EOA to temporarily act as a smart contract, enabling batch operations through helper contracts.

This is not the first time EIP-7702 has been linked to exploits. Since the Pectra upgrade in May 2025, security analysts have warned about various attack surfaces. One phishing scheme cost a single user $1.54 million. The GLOVE exploit adds incentive abuse to the growing list of EIP-7702-enabled attack vectors.

No Official Response From WUSD.fi Yet

As of this writing, the WUSD.fi team has not issued a public statement or post-mortem about the exploit. There is no indication of a fund recovery plan or communication to affected liquidity providers.

ExVul’s initial report described the loss as “~$200K so far.” That phrasing suggests the total damage may still be growing. The attacker’s address and specific transaction hashes have not been independently confirmed outside of ExVul’s thread.

Major outlets including CoinDesk, The Block, and Rekt News have not yet published dedicated coverage of this incident. SlowMist’s hacked database remains the primary independent confirmation of the exploit details.

A Growing Pattern of Incentive Abuse in DeFi

The GLOVE exploit fits a broader pattern emerging in 2026. Over $2.1 billion has been stolen in crypto exploits this year, according to Stingrai’s 2026 crypto hacking report. While headline-grabbing attacks like the $285 million Drift Protocol hack dominate coverage, smaller incentive abuse exploits are growing in frequency.

Protocols that offer token rewards, liquidity mining incentives, or airdrop-style distributions are especially at risk if they lack Sybil detection. On-chain identity solutions exist, but many DeFi protocols still assume one address equals one user.

For liquidity providers on protocols with reward mechanisms, the GLOVE exploit is a clear warning. Incentive design needs Sybil resistance built in from the start. Without it, rewards become a target for anyone who can automate address generation at scale.

This is not financial advice. Always conduct your own research before providing liquidity or participating in DeFi reward programs.