TechFlow news, April 28 — According to Cat (@0xCat_Crypto), a member of the crypto community, a Web3 startup lost hundreds of thousands of USDT due to hardcoded authorized wallet addresses in its smart contract code. In the incident, suspicious code was submitted by an employee who denied writing it, claiming the malicious code originated from an AI programming assistant's auto-generated output that had not been sufficiently reviewed. Currently, the owner of the involved wallet cannot be confirmed, and the actual author of the code remains unclear.
SlowMist YuXian stated in a post that preliminary investigations show that under environments using Cursor and Claude 3.7 models, the address auto-completed by AI does not match the malicious address involved, essentially ruling out the possibility of AI-generated code being intentionally harmful. The malicious address was granted ownership privileges of the smart contract, resulting in the complete withdrawal of project funds.





