According to ChainCatcher, crypto community member Cat (@0xCat_Crypto) revealed that a Web3 startup project lost hundreds of thousands of USDT because an authorization wallet address was hardcoded in its smart contract code.
In the incident, the suspicious contract code was submitted by an employee who denied writing it, claiming that the malicious code was automatically generated by an AI programming assistant and was not thoroughly reviewed. Currently, the ownership of the wallet involved cannot be confirmed, and it is difficult to determine who wrote the code.
SlowMist's Cosine stated that, after a preliminary investigation in environments using Cursor and Claude 3.7 models, the addresses auto-completed by the AI did not match the malicious address, ruling out the possibility that AI code generation caused the harm. The malicious address held owner permissions on the smart contract, which resulted in the complete transfer of the project's funds.





