The Aftermath Finance exploit on Sui was fast, clean, and costly. Then the attacker made a move that crypto investigators rarely see. On April 29, 2026, the protocol confirmed $1.14 million in USDC had been drained from its perpetuals vault. Eleven transactions. Thirty-six minutes.
AftermathFi posted on X with two words first: “We have been exploited.” Security researcher 0xairtx followed on X, writing that the team was already in a war room with Blockaid, working to contain the damage.
The Fee Logic Nobody Caught
The vulnerability did not live in the core smart contracts. It sat inside the builder code fee system. Aftermath confirmed on X the protocol had wrongly allowed negative builder code fees to be set. That single configuration gap was enough.
Builder code fees exist so third-party developers and integrators earn rewards on trading volume they route through the protocol. Aftermath built the system to be flexible. The attacker reversed the fee direction into negative territory, turning the payout mechanism into an extraction channel. USDC flowed out. Fast.
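The missing check described above, as an added sketch that is not Aftermath's code: a signed fee rate applied without a range check, next to a version that validates the rate and the direction of the resulting transfer. The accounting model, the names (`Accounts`, `settle_unchecked`, `settle_checked`, `validate_fee_bps`) and the 50 bps cap are assumptions made for illustration; the page does not describe the protocol's internals.

```python
from dataclasses import dataclass

BPS_DENOMINATOR = 10_000
MAX_BUILDER_FEE_BPS = 50  # assumed cap for this sketch; the page gives no figure


class InvalidBuilderFee(ValueError):
    """Builder fee rate or resulting transfer is outside the allowed range."""


@dataclass
class Accounts:
    trader: int   # trader's withdrawable margin, in USDC base units
    builder: int  # builder's accrued fees, in USDC base units


def validate_fee_bps(fee_bps: int) -> int:
    """Reject non-integer, negative, or above-cap rates when the fee is set."""
    if isinstance(fee_bps, bool) or not isinstance(fee_bps, int):
        raise InvalidBuilderFee(f"fee must be an integer, got {fee_bps!r}")
    if not 0 <= fee_bps <= MAX_BUILDER_FEE_BPS:
        raise InvalidBuilderFee(f"fee {fee_bps} bps outside 0..{MAX_BUILDER_FEE_BPS}")
    return fee_bps


def settle_unchecked(acct: Accounts, notional: int, fee_bps: int) -> Accounts:
    """Flawed pattern (hypothetical): a signed rate is applied as supplied."""
    fee = notional * fee_bps // BPS_DENOMINATOR
    # With fee < 0 the "debit" below becomes a credit to the trader.
    return Accounts(trader=acct.trader - fee, builder=acct.builder + fee)


def settle_checked(acct: Accounts, notional: int, fee_bps: int) -> Accounts:
    """Hardened pattern: validate the rate, then verify the flow direction."""
    fee = notional * validate_fee_bps(fee_bps) // BPS_DENOMINATOR
    if fee > acct.trader:
        raise InvalidBuilderFee("fee exceeds trader margin")
    after = Accounts(trader=acct.trader - fee, builder=acct.builder + fee)
    # Post-condition: a fee may only move value from trader to builder.
    if after.trader > acct.trader or after.builder < acct.builder:
        raise InvalidBuilderFee("fee settlement moved value in the wrong direction")
    return after


if __name__ == "__main__":
    start = Accounts(trader=1_000_000, builder=0)  # constructed sample values
    print(settle_unchecked(start, 10_000_000, -25))  # trader balance grows
    print(settle_checked(start, 10_000_000, 25))     # normal fee debit
```

The post-condition in `settle_checked` is deliberate redundancy: even if a later change loosens the rate validation, a settlement that credits the payer still fails.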
The team stated on X that total damage came to $1.14 million. Only the perps protocol was affected. Swaps, staking, and every other product stayed untouched. The attacker’s wallet was published and put under active monitoring.
Funds Routed Directly to KuCoin
Then came the part that drew immediate attention across crypto security circles. Crypto commentator FabianoSolana wrote on X that after pulling $1.14M from the protocol, the attacker sent the funds straight to KuCoin. He tagged KuCoin executives and on-chain investigator ZachXBT in the same post, describing it as one of the more self-defeating exit moves he had seen.
KuCoin is a centralized exchange. It runs mandatory identity verification. It can freeze deposits and cooperate with law enforcement on request. Sending stolen funds there does not work the way sending them to a non-custodial wallet or a mixer would. The trail does not go cold. It goes to a KYC file.
Aftermath said in an update on X that it is actively coordinating with zeroShadow, Seal, Blockaid, and OtterSec on response and fund tracing. Every available law-enforcement channel is being pursued. A patch for the affected contracts is in development.
Mysten Labs Covers the Losses
The recovery outcome separated this from most DeFi exploits. Aftermath announced on X that Mysten Labs and the Sui Foundation committed to covering all user losses. Every affected user will be made whole. Zero losses.
The team also clarified this was not a Move contract-language security issue, cutting off any suggestion the flaw ran deeper into the Sui network itself. Blockaid’s rapid response was credited directly in the same statement.
Ecosystem-level backing of this scale is not common. Most exploited DeFi protocols negotiate their own recovery or absorb the hit. Mysten Labs and the Sui Foundation moving within hours to backstop $1.14M in user funds is a different kind of signal. Not just about Aftermath. About how Sui handles crisis response when one of its protocols takes a hit.
For traders and developers building or holding on Sui, the full-recovery commitment carries real weight. The flaw was real. The damage was real. The response was faster than most.












