The Aftermath Finance postmortem is out. Two days after losing 1,139,927 USDC in 36 minutes, the team published a full incident breakdown and named what went wrong, when it went wrong, and where the money ended up.

As AftermathFi posted on X, the root cause was a signed integer issue in the integrator accounting logic for AFperps. A malicious user could register as their own integrator, assign a negative taker fee of 100,000, and have that negative value credited to a freshly created account. That account could then withdraw freely from the vault.

The flaw was not new. It was introduced on August 29, 2025.

The Audit That Cleared It

OtterSec reviewed the exact diff in November 2025 as part of a formal audit. The postmortem from AftermathFi on X confirmed the result plainly:

“The changes were audited by @osec_io in Nov 2025, but the issue was unfortunately missed.”

Five months passed between that audit and April 29. The code stayed in production. No internal flag, no community report. The attacker found it first.

The protocol’s other products never came close to the blast radius. afSui, pools, farms, the aggregator, and SOR ran without interruption throughout the incident. Only AFperps was affected.

How the Drain Actually Ran

The attacker’s wallet received 405.24 SUI on April 28 at 22:02:07 UTC. Seed funding. The next morning, 300 SUI was swapped for roughly 278 USDC through Aftermath’s own SOR to get collateral for opening positions.

Then it started.

From 08:55:50 UTC to 09:31:49 UTC on April 29, seventeen transactions fired. Six failed. Eleven went through. Each of the eleven used the exact same structure inside a single Programmable Transaction Block: open two accounts, register as the attacker’s own integrator with a negative 100,000 taker fee, execute a market order crossing against a real counterparty’s maker order, then withdraw the resulting synthetic collateral as real USDC.

Same block. Eleven times. The exploit never adapted because it never had to.

That detail is worth sitting with. If the protocol had any circuit breaker triggered by repeated integrator registrations or repeated vault withdrawals in a short window, the structure would have changed after the first successful attempt. It did not change. Not once across 36 minutes.
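A sketch of the kind of circuit breaker described above, as an added example that is not Aftermath's code or part of the postmortem: it tracks integrator registrations and vault outflow market-wide over a sliding window, because per-account limits would not see runs that open fresh accounts each time. The thresholds, the class and event names, and the sample events are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds, class and event names are illustrative assumptions, not Aftermath parameters.
WINDOW = timedelta(minutes=10)
MAX_REGISTRATIONS = 2          # integrator registrations per window, market-wide
MAX_WITHDRAWN_USDC = 150_000   # vault outflow per window, market-wide

class MarketBreaker:
    """Sliding-window breaker keyed on the market rather than on any one account."""
    def __init__(self):
        self.registrations = deque()   # (timestamp, 0)
        self.withdrawals = deque()     # (timestamp, amount)
        self.tripped_by = None         # reason string once the market is paused

    def _expire(self, now):
        for q in (self.registrations, self.withdrawals):
            while q and now - q[0][0] > WINDOW:
                q.popleft()

    def allow(self, ts, kind, amount=0):
        """Return True if the event may proceed, False once the market is paused."""
        if self.tripped_by:
            return False
        self._expire(ts)
        if kind == "register_integrator":
            self.registrations.append((ts, 0))
            if len(self.registrations) > MAX_REGISTRATIONS:
                self.tripped_by = "integrator registrations"
        elif kind == "withdraw":
            outflow = sum(a for _, a in self.withdrawals) + amount
            if outflow > MAX_WITHDRAWN_USDC:
                self.tripped_by = "vault outflow"
            else:
                self.withdrawals.append((ts, amount))
        return self.tripped_by is None

def replay(events):
    """Replay (iso_time, kind, amount) tuples; return (breaker, USDC paid out)."""
    breaker, paid_out = MarketBreaker(), 0
    for iso, kind, amount in events:
        ok = breaker.allow(datetime.fromisoformat(iso), kind, amount)
        if ok and kind == "withdraw":
            paid_out += amount
    return breaker, paid_out

# Constructed sample (not chain data): three identical rounds, three minutes apart.
ROUNDS = ["2026-04-29T08:56:00", "2026-04-29T08:59:00", "2026-04-29T09:02:00"]
SAMPLE = [(t, k, a) for t in ROUNDS
          for k, a in (("register_integrator", 0), ("withdraw", 100_000))]
```

Replaying the constructed sample pauses the market on the second withdrawal, so only the first round pays out.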


Where the $1.14M Went

Between 09:22:23 UTC and 10:45:22 UTC, the attacker pushed funds through fresh single-use wallets and DEX swaps before splitting across four centralised exchanges.

Per the AftermathFi postmortem on X, the breakdown went like this: roughly $250K USDC to Binance, around $400K USDC to KuCoin, approximately 150,000 SUI to Huobi/HTX, and about $150K USDC to HitBTC.

KuCoin took the largest single USDC chunk. HTX was the only leg that received SUI directly rather than stablecoins. The primary attacker address remains traceable at 0x1a65086c… on SuiVision.

Aftermath was not the only Sui protocol hit that week. The Scallop exploit drained 150K SUI from a deprecated contract days earlier, a separate incident on the same network.

A New Auditor, Not OtterSec

Aftermath confirmed every affected user will be made whole. AFperps stays paused until a full re-audit is done. The team was specific: the relaunch audit will go to a separate company. Not back to OtterSec.

The postmortem from AftermathFi on X stated:

“We also recognize that manual review alone is insufficient in 2026. We are investing heavily to improve our AI-security workflows.”

Blockaid, ZeroShadow, OtterSec, Sui Foundation, and Mysten Labs all gave rapid response support after the incident was confirmed. Going forward, AI-driven tooling will sit alongside manual review in the security process.

The April 2026 DeFi hack total reached $629M across the month. Aftermath’s $1.14 million sits at the smaller end of that figure. The audit failure makes it one of the harder ones to explain away.