In May 2026, the ShapeShift FOX Colony project's EtherRouterCreate3 contract on Arbitrum was exploited due to a semantic conflict between the meta-transaction mechanism and DSAuth's self-call authorization. The attacker abused the `executeMetaTransaction` function, which allowed arbitrary self-calls without filtering sensitive selectors like `setResolver`. Combined with DSAuth's automatic authorization for `address(this)`, the attacker replaced the contract's resolver with a malicious version. The new resolver mapped any function selector to an attacker-controlled implementation, enabling a `delegatecall` from the contract's fallback function to drain all ERC20 tokens. The entire exploit occurred in a single transaction via a temporary attack contract deployed by the attacker's EOA. The root cause is the lack of selector filtering in meta-transaction implementations and the unconditional trust in self-calls within DSAuth. This incident highlights the dangers of combining upgradeable proxy patterns with meta-transaction features without proper access control. The drained assets included all ERC20 tokens held by the contract. No private keys were compromised; the attack was purely logic-based.

Key facts

• EtherRouter contract allowed arbitrary self-calls via executeMetaTransaction without filtering sensitive selectors.
• DSAuth automatically authorized self-calls from address(this), enabling privilege escalation.
• Attacker replaced the resolver with a malicious version via a meta-transaction self-call.
• New resolver mapped any function selector to an attacker-controlled drain implementation.
• All ERC20 tokens in the contract were drained in a single transaction via delegatecall.

KeyAudit data perspective