Base network exploit drains $219,000 in WETH

An unknown attacker exploited a smart-contract bug on Base on October 30, draining around 55 WETH (roughly $219,000 at the time) within hours.
On‑chain monitoring by BlockSec Phalcon spotted unusual fund movements and traced them to misconfigured access control in a smart contract on Base. The bug in the permission checks allowed the attacker to move tokens using approvals that users had previously granted, without any new confirmation on their side.
To a regular Base user, it looks as if funds are leaving their balance even though they gave no new approval. BlockSec Phalcon therefore urges users to promptly review active permissions and, if needed, revoke them for the affected contract address 0xE143b486ab0413Df0D6DAd2caf6d2f61CAC54730.

This is a standard safety measure that helps prevent further unauthorized withdrawals and gives developers time to fix the vulnerability.

The main takeaway: this wasn’t a traditional wallet hack. The breach stemmed from a flaw in the logic of a specific smart contract that users had already authorized. When permission checks are too loose, that authorization becomes an open door for attackers. As a result, funds can be moved long before most users even realize it.

While experts investigate, users should practice basic hygiene: review existing approvals, remove anything unnecessary, and avoid granting unlimited or open‑ended permissions in the future.
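The approval review described above can be scripted. The following is an added example, not code from BlockSec Phalcon or the affected project: it replays ERC-20 `Approval` logs to find allowances still granted to the flagged address and builds the `approve(spender, 0)` calldata that revokes them. It assumes the logs are already fetched and decoded into dicts with integer `blockNumber` and `logIndex`; the function names and the `TOKEN`, `ALICE`, `BOB` and `OTHER` addresses are constructed placeholders.

```python
# Added example (constructed data): list live ERC-20 approvals to a flagged spender.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
FLAGGED = "0xE143b486ab0413Df0D6DAd2caf6d2f61CAC54730"  # address named in the article

def pad32(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x)."""
    return addr[2:].lower().rjust(64, "0")

def topic_addr(topic):
    """Indexed addresses occupy the low 20 bytes of a 32-byte topic."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, spender):
    """Map (token, owner) -> last approved amount for `spender`, dropping zeros.
    This is an upper bound: transferFrom may have consumed part of it without
    emitting Approval, so confirm with allowance(owner, spender) before acting."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics (indexed tokenId); skip it.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_addr(t[2]) != spender.lower():
            continue
        state[(log["address"].lower(), topic_addr(t[1]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), sent by the owner to the token contract."""
    return "0x" + APPROVE_SELECTOR + pad32(spender) + "0" * 64

# Constructed sample logs; TOKEN, ALICE, BOB and OTHER are placeholder addresses.
TOKEN, ALICE, BOB, OTHER = ("0x" + c * 40 for c in "1abc")

def _log(block, idx, owner, spender, amount, extra=()):
    topics = [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender), *extra]
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": topics, "data": hex(amount)}

SAMPLE_LOGS = [
    _log(150, 0, BOB, FLAGGED, 0),               # Bob later revoked
    _log(100, 0, ALICE, FLAGGED, 2**256 - 1),    # unlimited approval, still live
    _log(101, 3, BOB, FLAGGED, 5 * 10**18),
    _log(102, 1, ALICE, OTHER, 10**18),          # different spender, ignored
    _log(103, 0, ALICE, FLAGGED, 0, extra=["0x" + "0" * 63 + "7"]),  # ERC-721 shape
]

if __name__ == "__main__":
    for (token, owner), amount in live_allowances(SAMPLE_LOGS, FLAGGED).items():
        print(owner, "->", token, hex(amount), revoke_calldata(FLAGGED))
```

On the sample data only the unlimited approval survives the replay, which is the kind of open-ended permission the article advises against granting.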

The incident on Base is a reminder that even large, reputable ecosystems can suffer real losses from a single weak link. The more carefully users manage their permissions, the lower the risk of seeing their tokens appear in someone else’s wallet.


Base is an Ethereum Layer‑2 built by Coinbase on the OP Stack. It inherits mainnet security while offering lower fees and faster execution, making it a convenient platform for mass‑market apps and onboarding newcomers. A similar exploit on Base occurred in September 2025, with losses estimated at roughly $90,000, and the root cause (overly permissive access in contract logic) was the same as today’s case.