AFI Protocol afiUSD Vault Exploit
An attacker drained roughly $480K from AFI Protocol's afiUSD vault on Ethereum, swapping DAI to ETH and routing about 150 ETH through Tornado Cash; the root cause was not immediately disclosed.
- Date
- Victim: AFI Protocol
- Chain(s)
- Status
- Funds Stolen
On May 30, 2026, AFI Protocol lost approximately $480,000 when an attacker exploited its afiUSD vault on Ethereum. afiUSD is the protocol's yield-bearing stablecoin product, marketed alongside AFI's proof-of-reserve infrastructure for real-world assets.
What happened
The attacker drained the afiUSD vault and began laundering the proceeds: roughly $252,000 in DAI was swapped into ETH through on-chain trades, and about 150 ETH was subsequently routed to Tornado Cash after the attacker tested a secondary wallet with a small transfer. AFI paused the affected vault, opened an investigation, and said it was working with Quantstamp, Cantina and SEAL 911 to trace and recover the stolen funds. As of the protocol's update, the full exploit path had not been published, so the incident should not be framed as a confirmed oracle, key-compromise or vault-design failure until the post-mortem lands. AFI stated its remaining systems were secure, with more than $225 million in total value locked unaffected.
Aftermath
AFI flagged the attacker's addresses with centralized exchanges and ecosystem partners through SEAL 911 in an effort to freeze movement of the funds while tracing continued. No recovery had been confirmed at the time of reporting, and the attacker's use of Tornado Cash leaves the laundered ETH difficult to follow.
Why it matters
The afiUSD incident is a small but characteristic example of how yield-bearing stablecoin vaults concentrate risk: a single contract holding pooled deposits becomes a high-value target, and a clean drain followed by an immediate Tornado Cash hop is now the default playbook. It sits alongside other 2024-2026 stablecoin and vault exploits such as Resupply and Abracadabra, and underscores why an undisclosed root cause is a reason for caution, not reassurance — the relevant question is not whether $480K was lost but whether the same flaw touches the rest of the protocol's TVL.
Sources & on-chain evidence
- [01] cryptotimes.io: https://www.cryptotimes.io/2026/06/09/afi-protocol-shares-incident-update-after-480k-exploit-begins-recovery/
- [02] cryptoadventure.com: https://cryptoadventure.com/afiusd-vault-exploit-drains-480k-as-june-hack-run-continues/