⚠️ Very few people know that Monad's airdrop claim website once had a session hijacking vulnerability. The flaw is not in the smart contract but in the web/app layer, specifically in how the site manages sessions and assigns the wallet address that receives the reward. According to @morsyxbt, an attacker could silently hijack a user's open login session and then switch the airdrop receiving wallet to one under the attacker's control, with no signature verification required. The user still believes they are claiming to the correct wallet.

📌 Two main types of damage have been recorded:

First: theft of 1.5 million MON. A single address collected the airdrop from over 56 people, totaling approximately $1.5 million MON, and then dumped it onto a DEX. This is direct, large-scale misappropriation.

Second: scams using a "vanity" wallet address (one that resembles the real address). The attacker generated a wallet address whose prefix and suffix matched the victim's (for example, both ending in …00cD). Because Monad's claim page only displays a shortened wallet address (like 0x1234…abcd), many people did not notice that their reward wallet had been changed.

🫡 Security professionals, including SlowMist founder Yu Xian, warned of this vulnerability more than a month before the mainnet launch, but it was not thoroughly addressed or publicly disclosed by @monad. When users reported the issue, some responses from the team attributed it to "user wallets being hacked," even though many cases followed the same pattern of lost airdrops, which is almost certainly not a coincidence.

👉 Ultimately, the community is the one that suffers: some people contributed to the project for years but lost everything during the airdrop, not through any fault of their own, but because of a system flaw that should never have existed.

Upside GM
@gm_upside
🤠 If you survived 2025 without getting hacked, without blowing up your account, and without getting rugged, you have already outperformed 99% of the market.
Because this year the crypto industry was hacked/robbed of about $3.4 billion, and was also hit by a historic black swan:
➤ February, Bybit x.com/gm_upside/stat…


From Twitter