platform: Newsletter format: snippet (weekly digest inclusion) hook: $150K drained because two functions disagreed about who sent the transaction.
---
Exploit of the Week: DBXen ERC2771 Sender Identity Bug ($150K)
DBXen lost $150K on March 12 because of a single inconsistency in how its contract resolves the transaction sender.
The contract uses ERC2771 meta-transactions with a permissionless forwarder. One function (burnBatch) resolves the caller correctly with _msgSender(). The callback (onTokenBurned) instead uses the raw msg.sender, which under a meta-transaction is the forwarder address, not the user. Because the two entry points disagreed about who acted, the attacker could have a fresh wallet treated as a three-year staker, draining 65.28 ETH and minting 2,305 DXN tokens.
This is not the kind of bug a static analyzer flags: each function is individually well-formed. It is a business logic flaw that only becomes visible once you trace how the reward math depends on sender identity across function boundaries.
If your protocol uses ERC2771: audit every entry point, callbacks from other contracts included, for consistent sender resolution. Never mix _msgSender() with raw msg.sender in the same accounting path.
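To make the inconsistency concrete, here is an added example (not DBXen's code; written for this digest) that relays the same two calls for one signer through a forwarder and shows one entry point crediting the signer while the other credits the forwarder. The function names burnBatch and onTokenBurned are borrowed from the write-up, but their bodies, the vault accounting, the hand-rolled ERC2771 context and the ToyForwarder are all illustrative assumptions; the toy forwarder skips the EIP-712 signature check a real one performs, because the bug does not depend on it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hand-rolled ERC-2771 recipient context so the example stands alone.
/// (OpenZeppelin's ERC2771Context resolves the sender the same way.)
abstract contract MinimalERC2771Context {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder_) {
        _trustedForwarder = trustedForwarder_;
    }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    /// Trusted forwarder calling: the signer is the 20 bytes appended to
    /// calldata. Anyone else calling: the signer is simply msg.sender.
    function _msgSender() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }
}

/// Toy open relayer (assumption): anyone may submit a call "from" any address.
/// A real forwarder verifies an EIP-712 signature first; omitted here because
/// the sender-resolution bug does not depend on it.
contract ToyForwarder {
    function forward(address target, bytes calldata data, address from)
        external returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(abi.encodePacked(data, from));
        require(ok, "forward failed");
        return ret;
    }
}

/// Hypothetical vault (not DBXen's code) with the inconsistency described:
/// one entry point resolves the signer, the other trusts the raw caller.
contract InconsistentVault is MinimalERC2771Context {
    mapping(address => uint256) public firstBurnAt; // basis for stake age
    mapping(address => uint256) public credited;

    constructor(address forwarder) MinimalERC2771Context(forwarder) {}

    /// Correct: credits the meta-transaction signer.
    function burnBatch(uint256 batches) external returns (address user) {
        user = _msgSender();
        if (firstBurnAt[user] == 0) firstBurnAt[user] = block.timestamp;
        credited[user] += batches;
    }

    /// BUG: raw msg.sender. Relayed through the forwarder, `user` is the
    /// forwarder itself, not the signer that burnBatch() just credited.
    function onTokenBurned(uint256 amount) external virtual returns (address user) {
        user = msg.sender;
        credited[user] += amount;
    }
}

/// Fix: every entry point resolves identity the same way.
contract ConsistentVault is InconsistentVault {
    constructor(address forwarder) InconsistentVault(forwarder) {}

    function onTokenBurned(uint256 amount) external override returns (address user) {
        user = _msgSender();
        credited[user] += amount;
    }
}

/// Relays the same two calls for one signer and reports which identity each
/// entry point credited. identitySplit(buggy(), s) is true; on fixedVault() false.
contract SenderConsistencyDemo {
    ToyForwarder public fwd;
    InconsistentVault public buggy;
    ConsistentVault public fixedVault;

    constructor() {
        fwd = new ToyForwarder();
        buggy = new InconsistentVault(address(fwd));
        fixedVault = new ConsistentVault(address(fwd));
    }

    function trace(address vault, address signer)
        public returns (address viaBurnBatch, address viaCallback)
    {
        bytes memory r1 = fwd.forward(
            vault, abi.encodeWithSelector(InconsistentVault.burnBatch.selector, 1), signer);
        bytes memory r2 = fwd.forward(
            vault, abi.encodeWithSelector(InconsistentVault.onTokenBurned.selector, 1), signer);
        viaBurnBatch = abi.decode(r1, (address));
        viaCallback = abi.decode(r2, (address));
    }

    /// True when the two entry points disagree about who acted.
    function identitySplit(address vault, address signer) external returns (bool) {
        (address a, address b) = trace(vault, signer);
        return a != b; // buggy vault: b == address(fwd); fixed vault: a == b == signer
    }
}
```

The audit check this encodes is mechanical: for every external or public function and every callback the contract exposes, note whether it attributes the action via _msgSender() or msg.sender, then confirm every function that reads or writes the same per-user state uses the same one. A permissionless forwarder turns any such disagreement into a reachable identity confusion, since anyone can route a call through it.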
---
CTA: Check your ERC2771 integration for sender identity consistency.