Key Takeaways:

Jill Gunter had over $30,000 in USDC drained from her wallet due to a dormant “unlimited approval” on a legacy Thirdweb bridge contract she interacted with years ago.

Thirdweb admitted the contract should have been decommissioned during a previous vulnerability response, linking the exploit to a known 2023 open-source library flaw.

The funds were quickly laundered via Railgun, highlighting the persistent danger of “zombie” approvals even for seasoned industry veterans.

The “ghosts” of DeFi activity in the past have returned to haunt one of the industry’s most prominent figures. Jill Gunter, co-founder of Espresso Systems and a long-time infrastructure builder, revealed that her wallet was drained of over $30,000 in USDC on December 9. The culprit was not a sophisticated phishing link or a new zero-day exploit, but a “zombie” smart contract from Thirdweb that had been lying in wait for years.

A Trivial $5 Test Transaction Spirals Into a Devastating $30,000 Loss

The mechanics of the exploit serve as a brutal lesson in on-chain hygiene. Blockchain traces reveal that the draining transaction originated from a contract address (0x81d5) that Gunter vaguely recognized. Upon cross-referencing her history, the reality set in: she had interacted with this specific Thirdweb bridge contract only once before, likely for a trivial test transfer of around $5.

However, that single, forgotten interaction had left behind an “unlimited token approval”: an ERC-20 allowance set to the maximum possible value, a common but dangerous DeFi UX convenience that lets a contract spend a user’s tokens on her behalf indefinitely, with no expiry and no per-transaction confirmation. Because the approval was never revoked, the vulnerable contract retained the ability to pull USDC from her wallet at any time, and whoever could trigger it only had to wait until a significant balance appeared.
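To make the mechanic concrete, here is an added toy model of ERC-20 allowance handling (constructed for this article; it is not Thirdweb’s code and not the bridge contract). It replays the pattern above: an unlimited approval granted for a small test transfer, a large balance arriving years later, and a single transferFrom emptying the wallet, with the revoke (approve(spender, 0)) as the only thing that stops it. It also encodes and decodes approve() calldata so a reader can recognise an unlimited approval in their own transaction history. The function selector is the real one for approve(address,uint256); the addresses are placeholders, and the “infinite allowance is never decremented” behaviour follows OpenZeppelin’s ERC20 implementation.

```python
"""Toy model of the ERC-20 allowance mechanics behind a "zombie approval".

Constructed example for this article, not code from Thirdweb or the bridge.
Balances are in USDC base units (6 decimals); addresses are placeholders.
"""

MAX_UINT256 = 2**256 - 1          # the "unlimited" amount most dapps request
USDC_DECIMALS = 6

# Real ERC-20 selector: first 4 bytes of keccak256("approve(address,uint256)").
SEL_APPROVE = "095ea7b3"

# Illustrative placeholder addresses (assumptions, not the real ones).
USER = "0x" + "11" * 20
BRIDGE = "0x" + "22" * 20         # the legacy bridge contract
ATTACKER = "0x" + "33" * 20


def usdc(amount):
    """Convert a human USDC amount to base units."""
    return int(round(amount * 10**USDC_DECIMALS))


class ERC20:
    """Minimal ERC-20 state machine with OpenZeppelin-style allowances:
    a MAX_UINT256 allowance is treated as infinite and never decremented."""

    def __init__(self):
        self.balances = {}
        self.allowances = {}      # (owner, spender) -> amount

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance; approve(spender, 0) is the revoke.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        """Move `owner`'s tokens on behalf of `caller`, the approved spender."""
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balance_of(owner) < amount:
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] = self.balance_of(owner) - amount
        self.mint(to, amount)


def zombie_drain_scenario(revoke_after_test=False):
    """Replay the pattern described in the article.
    Returns (user_balance, attacker_balance, remaining_allowance) in base units."""
    token = ERC20()
    token.mint(USER, usdc(5))
    # Years ago: the dapp asks for an unlimited approval for a $5 test transfer.
    token.approve(USER, BRIDGE, MAX_UINT256)
    token.transfer_from(BRIDGE, USER, BRIDGE, usdc(5))
    if revoke_after_test:
        token.approve(USER, BRIDGE, 0)        # approval hygiene
    # Years later: a large balance lands in the same wallet.
    token.mint(USER, usdc(30_000))
    # The bridge is later found exploitable: whoever can make it call
    # transferFrom pulls everything the dormant allowance still covers.
    try:
        token.transfer_from(BRIDGE, USER, ATTACKER, token.balance_of(USER))
    except PermissionError:
        pass                                  # revoked: nothing to spend
    return (token.balance_of(USER), token.balance_of(ATTACKER),
            token.allowance(USER, BRIDGE))


def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount) calldata; amount 0 is the revoke."""
    return "0x" + SEL_APPROVE + spender[2:].lower().rjust(64, "0") + f"{amount:064x}"


def decode_approve(calldata):
    """Parse approve() calldata and flag an unlimited approval."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if data[:8].lower() != SEL_APPROVE or len(data) != 8 + 64 + 64:
        raise ValueError("not an approve(address,uint256) call")
    spender = "0x" + data[8 + 24:8 + 64]      # address is right-aligned in 32 bytes
    amount = int(data[72:], 16)
    return spender, amount, amount == MAX_UINT256


if __name__ == "__main__":
    print("no revoke:", zombie_drain_scenario())
    print("revoked:  ", zombie_drain_scenario(revoke_after_test=True))
    print("revoke calldata:", encode_approve(BRIDGE, 0))
    print(decode_approve(encode_approve(BRIDGE, MAX_UINT256)))
```

The point the model makes is that the allowance lives in the token contract’s storage, keyed by (owner, spender), independent of the owner’s balance at the time it was granted; the drain needs no new signature from the victim, only a balance to exist. Scanning a wallet’s past approve() calls for an amount of 2^256 - 1 (64 hex f’s in the calldata) is the quickest way to find dormant unlimited approvals to revoke.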

Jill Gunter has wallet drained via vulnerable ThirdWeb contract

Thirdweb Admits Failure to Decommission Compromised Legacy Contracts

The focus has now shifted sharply to Thirdweb’s security practices. This was not an unknown threat; according to Thirdweb’s own admission, the root cause was a known vulnerability in an open-source library discovered back in 2023. This flaw affected over 500 token contracts, allowing unauthorized transfers if approvals were left open.

Thirdweb stated that it had rolled out a mitigation plan in April 2025 intended to retire these vulnerable endpoints. The company believed the relevant contracts had been neutralized. Clearly, they were wrong. The specific bridge Gunter interacted with remained callable, acting as a live trap for any former user who hadn’t manually revoked permissions.

Security researchers from the SEAL Security Alliance and ScamSniffer have criticized the remediation process. They argue that disclosing a list of vulnerable contracts without ensuring a 100% successful “kill switch” essentially provides attackers with a hit list. In this case, the gap between the patch and the reality cost a user $30,000.

Stolen Funds Immediately Laundered Through the Railgun Privacy Protocol

Following the theft, the attacker wasted no time. The stolen USDC was immediately funneled into Railgun, a privacy protocol that obscures transaction history. This pattern has become the standard operating procedure for wallet drainers, making the tracking and freezing of assets nearly impossible for law enforcement.

Gunter’s reaction has been notably pragmatic. Describing the loss as an “occupational hazard,” she acknowledged the humbling nature of the event. Despite her expertise in privacy infrastructure, she fell victim to the same UX pitfalls that plague retail users. She has pledged that if any funds are recovered – likely through an insurance claim or a white-hat negotiation – she will donate them to the SEAL Security Alliance.

The Persistent Threat of “Zombie Approvals” Continues to Haunt DeFi Users

The most unsettling takeaway for the broader market is the persistence of risk. Gunter’s loss reinforces that one-time audits are insufficient; DeFi requires ongoing “approval hygiene.”

If a ten-year crypto veteran can be exploited due to a $5 interaction from years ago, the average user is navigating a minefield. Until wallet interfaces make revoking dormant permissions automatic or significantly more intuitive, these “zombie” contracts will continue to bleed users dry long after the initial transaction is forgotten.
