MEDIUM RISK

WUSD GLOVE Reward Exploit Drains $200K From Uniswap V3 Pools

Attackers abused WUSD.fi's flawed reward function using flash loans and Sybil wallets to farm GLOVE tokens, then dumped them into Uniswap V3 pools for ~$200K.

Our Analysis

On May 25, 2026, security firm ExVul reported an active exploit targeting the reward mechanism of WUSD.fi, a stablecoin wrapping protocol on Ethereum. The attackers abused a faulty reward function called WUSD._englove, which distributed GLOVE tokens (0x3545ddeef5b90ad5c3fd59c3f43bfcd7bd7a4207 on Ethereum) to any wallet that wrapped at least 100 WUSD. The function contained no rate-limiting, cooldown periods, or anti-Sybil protections, allowing the same operator to collect rewards across unlimited wallets. Approximately $200,000 in liquidity was drained from associated Uniswap V3 pools.

The attacker deployed EIP-7702 helper contracts to automate the process at scale, using Ethereum's account abstraction capabilities to coordinate operations across multiple wallets in a single transaction flow. A Morpho USDT flash loan provided the initial capital to wrap WUSD without requiring any upfront investment. The attacker repeatedly wrapped at least 100 WUSD from each Sybil wallet to collect GLOVE token rewards, then immediately dumped the accumulated GLOVE tokens into Uniswap V3 liquidity pools, draining approximately 11,702 USDC and 8,079 USDT from liquidity providers.

Arisk Security confirmed the exploit on X, classifying it as a "reward mechanism Sybil attack." The losses fell entirely on Uniswap V3 liquidity providers who had placed assets into GLOVE trading pools, while the core WUSD protocol reserves remained untouched. The GLOVE token, which had a total supply of 1 billion tokens and only 46 holders, saw its value collapse to effectively zero as the attacker flooded the market with farmed rewards. The WUSD.fi team had not issued a public post-mortem at the time of reporting.

The faulty _englove function represented a fundamental design oversight: reward distribution mechanisms in DeFi protocols require robust Sybil resistance measures such as minimum holding periods, wallet age requirements, progressive reward curves, or on-chain identity verification to prevent exactly this type of farming attack.

DeFi users providing liquidity to pools for newly launched or low-holder-count tokens should exercise particular caution. Before committing capital, verify that the token's reward mechanisms have been audited and include anti-gaming protections. The small holder count (46 addresses for GLOVE) and the absence of a security audit were warning signs that preceded this exploit. Liquidity providers bear the greatest risk in these scenarios, as their assets become the effective payout for reward farming attacks.

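
One way to apply the minimum-holding-period measure named above, as an added sketch that is not WUSD.fi's code: the reward is never paid in the wrapping transaction, only after the wrapped balance has stayed at or above the threshold for a set period, so capital that must be repaid within the same transaction cannot earn it. The contract name, `MIN_HOLD`, `REWARD`, the 18-decimal assumption and the internal-balance accounting are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names and values; not WUSD.fi's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract HoldGatedWrapRewards {
    IERC20 public immutable underlying;        // token being wrapped (assumed ERC-20)
    IERC20 public immutable rewardToken;       // reward token pre-funded into this contract
    uint256 public constant MIN_WRAP = 100e18; // threshold from the article, 18 decimals assumed
    uint256 public constant MIN_HOLD = 7 days; // assumed holding period
    uint256 public constant REWARD = 10e18;    // assumed fixed reward per wallet

    mapping(address => uint256) public wrapped;    // wrapped balance, tracked internally
    mapping(address => uint256) public eligibleAt; // earliest claim time; 0 = clock not running
    mapping(address => bool) public claimed;       // at most one reward per wallet

    constructor(IERC20 underlying_, IERC20 rewardToken_) {
        underlying = underlying_;
        rewardToken = rewardToken_;
    }

    function wrap(uint256 amount) external {
        require(underlying.transferFrom(msg.sender, address(this), amount), "transfer failed");
        wrapped[msg.sender] += amount;
        // Only start the clock here; nothing is paid out in the wrapping transaction.
        if (eligibleAt[msg.sender] == 0 && wrapped[msg.sender] >= MIN_WRAP) {
            eligibleAt[msg.sender] = block.timestamp + MIN_HOLD;
        }
    }

    function unwrap(uint256 amount) external {
        wrapped[msg.sender] -= amount; // reverts on underflow under Solidity 0.8
        // Falling below the threshold forfeits the time accrued so far.
        if (wrapped[msg.sender] < MIN_WRAP) eligibleAt[msg.sender] = 0;
        require(underlying.transfer(msg.sender, amount), "transfer failed");
    }

    function claimReward() external {
        uint256 t = eligibleAt[msg.sender];
        require(t != 0 && block.timestamp >= t, "holding period not met");
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true; // effects before the external call
        require(rewardToken.transfer(msg.sender, REWARD), "reward transfer failed");
    }
}
```

The per-wallet flag alone does not stop multi-wallet farming; the holding period is what forces every additional wallet to lock real capital for the full window. If the wrapped balance were a transferable token, the same eligibility reset would be needed in its transfer path.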
RugPull News, May 25, 2026

Rug Pull Score

5.8/10
Based on our analysis

🚩 Red Flags Identified

  1. WUSD._englove reward function had no rate-limiting, cooldown, or anti-Sybil protections
  2. GLOVE token (0x3545...4207 on Ethereum) distributed freely to any wallet wrapping 100+ WUSD with no verification
  3. Attacker used EIP-7702 helper contracts and Morpho USDT flash loans for zero-capital exploitation
  4. Approximately 11,702 USDC and 8,079 USDT drained from Uniswap V3 liquidity pools
  5. Core WUSD reserves were unaffected — losses fell entirely on liquidity providers
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.