Aftermath Finance Perpetuals Exploit — April 29, 2026 Post-Mortem (Aggregated)
The Incident
On April 29, 2026, Aftermath Finance — a Sui-based DeFi protocol — was exploited for approximately $1.14 million in USDC drained from its perpetuals markets across 11 transactions. The entire drain took approximately 36 minutes to complete before the protocol was paused. Only the perps protocol was affected; all other Aftermath Finance products (DEX, vaults, etc.) remained safe.
How the Attack Worked
The vulnerability was in Aftermath's builder code fee accounting logic — the system that pays back a portion of trading fees to "builders" (developers integrating Aftermath's perps markets into their own front-ends, similar to Hyperliquid's builder code program). The flaw allowed builder code fees to be set to negative values, turning what was meant to be a rebate-from-protocol-to-builder mechanism into an extraction primitive: the attacker effectively configured the protocol to "pay out negative fees" — i.e., pay out positive amounts on every trade — and then executed trades to drain the perp market collateral.
The Core Technical Issue
The fee-accounting code lacked a basic non-negativity check on the builder code fee parameter. Once the attacker registered a builder code with a negative fee, every subsequent trade routed through that builder code drained synthetic collateral instead of accruing it. The Merkle described it as an integer-overflow / signed-integer bug pattern, where unsigned-vs-signed assumptions in the fee calculation let negative values silently flip into very-large-positive payouts.
Scope and Response
• Loss: $1.14M in USDC, drained across 11 transactions over ~36 minutes.
• Containment: Aftermath paused the perps market once the drain pattern was detected.
• User impact: Mysten Labs and the Sui Foundation publicly pledged to cover all losses tied to the exploit. Every affected user is to be made whole with zero net losses.
• Forensics: Aftermath engaged zeroShadow, Seal, Blockaid, and OtterSec on the response.
Why This Matters
This is the second material Sui-DeFi exploit in the same week (Scallop on April 26 for ~$142K, Aftermath on April 29 for $1.14M). Both were configuration / accounting bugs (uninitialized field, missing sign-check) rather than novel cryptographic or oracle attacks — suggesting the Sui DeFi stack still has substantial low-hanging-fruit vulnerabilities in its newer protocols' admin/fee plumbing. The fact that Mysten Labs/Sui Foundation made the protocol whole suggests an "ecosystem warranty" pattern that may not scale if loss frequency or magnitude continues climbing.