Audit log

Every state-changing event for Fusion by IPOR: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-29 16:07:52Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 422,971,583

   sig

   2mnjSNJeEgEN…Y9Vn46Jrcopyexplorer ↗

   hash

   4HDCJ3P6c4yd…Qayjr7tUcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (6502 B) ▸

   {"actor":"system:backfill","investigation_id":"610e5c95-082e-484a-843b-84925eef4194","kind":"publish","page_slug":"fusion-by-ipor","published_at":"2026-05-29T16:07:52.845Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fusion by IPOR","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://ipor.io/","type":"other","url":""},{"credibility":3,"name":"https://blog.impossible.finance/ipor-fusion-research-report/","type":"other","url":""},{"credibility":3,"name":"https://docs.ipor.io/ipor-faq/fusn-snapshot-22446433","type":"other","url":""},{"credibility":3,"name":"https://www.moneyhouse.ch/en/company/ipor-labs-ag-4046606191","type":"other","url":""},{"credibility":3,"name":"https://www.ipor.io/ipor-labs-team","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://x.com/ipor_io/status/2008728627190321480","type":"other","url":""},{"credibility":3,"name":"https://www.cryptotimes.io/2026/01/07/ipors-fusion-plasmavault-hit-by-336k-exploit-via-eip-7702-flaw/","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.com/news/ipor-labs-loses-336k-in-arbitrum-vault-exploit-vows-full-refund/","type":"other","url":""},{"credibility":3,"name":"https://finance.yahoo.com/news/ipor-labs-loses-336k-arbitrum-130853308.html","type":"other","url":""},{"credibility":3,"name":"https://www.coingabbar.com/en/crypto-currency-news/ipor-fusion-vault-hack-arbitrum-full-depositor-refund-confirmed","type":"other","url":""},{"credibility":3,"name":"https://phemex.com/news/article/security-flaw-in-ipors-fusion-allows-exploit-of-plasma-vault-51824","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://x.com/ipor_io/status/2008728627190321480","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.com/news/ipor-labs-loses-336k-in-arbitrum-vault-exploit-vows-full-refund/","type":"other","url":""},{"credibility":3,"name":"https://www.hokanews.com/2026/01/ipor-fusion-vault-attacked-in-arbitrum.html","type":"other","url":""},{"credibility":3,"name":"https://www.coingabbar.com/en/crypto-currency-news/ipor-fusion-vault-hack-arbitrum-full-depositor-refund-confirmed","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://ackee.xyz/blog/ipor-protocol-core-audit-summary/","type":"other","url":""},{"credibility":3,"name":"https://blog.impossible.finance/ipor-fusion-research-report/","type":"other","url":""},{"credibility":3,"name":"https://github.com/IPOR-Labs/ipor-audit-reports","type":"other","url":""},{"credibility":3,"name":"https://www.cryptotimes.io/2026/01/07/ipors-fusion-plasmavault-hit-by-336k-exploit-via-eip-7702-flaw/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.ipor.io/tokenomics/ipor-token","type":"other","url":""},{"credibility":3,"name":"https://docs.ipor.io/ipor-faq/fusn-snapshot-22446433","type":"other","url":""},{"credibility":3,"name":"https://x.com/ipor_io/status/1912460801815765372","type":"other","url":""},{"credibility":3,"name":"https://coinmarketcap.com/currencies/ipor/","type":"other","url":""},{"credibility":3,"name":"https://blog.impossible.finance/ipor-fusion-research-report/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.cryptotimes.io/2026/01/07/ipors-fusion-plasmavault-hit-by-336k-exploit-via-eip-7702-flaw/","type":"other","url":""},{"credibility":3,"name":"https://blog.impossible.finance/ipor-fusion-research-report/","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.com/news/ipor-labs-loses-336k-in-arbitrum-vault-exploit-vows-full-refund/","type":"other","url":""},{"credibility":3,"name":"https://x.com/ipor_io/status/1912460801815765372","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://blog.impossible.finance/ipor-fusion-research-report/","type":"other","url":""},{"credibility":3,"name":"https://sosv.com/company/ipor-labs/","type":"other","url":""},{"credibility":3,"name":"https://www.cbinsights.com/company/ipor","type":"other","url":""},{"credibility":3,"name":"https://github.com/IPOR-Labs/ipor-fusion","type":"other","url":""},{"credibility":3,"name":"https://pypi.org/project/ipor-fusion/","type":"other","url":""}]}],"sources_used":[],"summary":"Fusion by IPOR is a modular on-chain vault infrastructure product developed by IPOR Labs AG (Zug, Switzerland), designed to automate DeFi yield strategies across multiple chains without requiring Solidity expertise. On January 6, 2026, a legacy Fusion Optimizer Vault on Arbitrum was exploited for $336,000 USDC via a combination of missing fuse validation in the instantWithdraw method and an EIP-7702 delegation vulnerability on an administrator account. The IPOR DAO committed to fully compensating all affected depositors from treasury reserves, and the incident was flagged by blockchain investigator ZachXBT.","timeline":[{"date":"2021-06-14","event":"IPOR Labs AG incorporated in Zug, Switzerland by co-founders Darren Camas and Dimitar Dinev.","source":""},{"date":"2023-07-28","event":"Ackee Blockchain completes 59 engineering-day security review of IPOR Protocol core, identifying 39 findings. Review concludes with high code quality rating.","source":""},{"date":"2024-01-01","event":"Legacy Fusion Optimizer Vault deployed on Arbitrum (approximately 490 days before the January 2026 exploit), predating stricter fuse validation requirements.","source":""},{"date":"2025-05-09","event":"Governance proposal IIP-35 snapshot taken at Ethereum block 22446433 for IPOR-to-FUSN token migration at 1:1 ratio, marking a strategic rebranding of the protocol.","source":""},{"date":"2026-01-06","event":"Legacy Fusion USDC Optimizer Vault on Arbitrum exploited for $336,000 USDC via missing instantWithdraw validation and EIP-7702 admin delegation flaw. Hexagate and Blockaid alert the IPOR team. Stolen funds (approx. $267K) bridged to Ethereum and deposited into Tornado Cash.","source":""},{"date":"2026-01-07","event":"IPOR DAO publicly confirms full compensation of all affected depositors from DAO treasury. Protocol engages SEAL for forensic recovery. Post-mortem publication committed. Incident widely covered by crypto media.","source":""}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 5fd9c9c1-5bd7-4bd9-83fc-fe75be08c88bcopy
2. #2reviewby reviewerreviewer

   2026-06-10 00:33:10Z
   Score: 52 → 52 (no score change)
   The page's core factual claims — exploit date, amount, technical mechanism, Tornado Cash routing, SEAL engagement, and DAO compensation commitment — are well-supported by multiple independent sources. The most significant factual error is the vault deployment date (listed as 2024-01-01 but arithmetically inconsistent with the '490 days' figure, which points to approximately August 2024). The ZachXBT attribution is not corroborated by any consulted source and should be considered unverifiable. Several docs.ipor.io citation URLs are dead (link rot), and the Ackee audit timeline entry overstates the finality of the July 28, 2023 date.
   anchoranchored

   chain

   ●mainnet-betaslot 425,437,316

   sig

   4CHh5RWBReCN…Zto3qJ3Hcopyexplorer ↗

   hash

   9EdtsYzoz74E…8DFT24Ekcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (989 B) ▸

   {"actor":"reviewer","decided_at":"2026-06-10T00:33:10.788Z","decision":"review","investigation_id":"610e5c95-082e-484a-843b-84925eef4194","new_score":52,"page_slug":"fusion-by-ipor","prev_score":52,"reason":"The page's core factual claims — exploit date, amount, technical mechanism, Tornado Cash routing, SEAL engagement, and DAO compensation commitment — are well-supported by multiple independent sources. The most significant factual error is the vault deployment date (listed as 2024-01-01 but arithmetically inconsistent with the '490 days' figure, which points to approximately August 2024). The ZachXBT attribution is not corroborated by any consulted source and should be considered unverifiable. Several docs.ipor.io citation URLs are dead (link rot), and the Ackee audit timeline entry overstates the finality of the July 28, 2023 date.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision f772fdb4-6f8e-46a7-aa34-d0c83f22ea70copy
3. #3review reviseby judgejudge

   2026-06-10 00:33:11Z
   Score: 52 → 42 (-10)
   The page's core claims about the January 6, 2026 exploit — amount, technical mechanism, Tornado Cash routing, SEAL engagement, and DAO compensation commitment — are all confirmed by multiple independent sources. However, two issues require correction before the page can be approved. First, claim_findings[7] (the vault deployment date of 2024-01-01) is disputed as internally inconsistent: the page's own '490 days prior' language points to approximately August 2024, not January 2024, and no source confirms a January 2024 date. Second, claim_findings[4] (ZachXBT attribution in the public summary) is unverifiable — all consulted sources credit Hexagate and Blockaid as the alerters, not ZachXBT — and should be removed or sourced. Three high-priority coverage gaps also require attention: missing on-chain transaction links, dead docs.ipor.io citation URLs, and the unresolved ZachXBT attribution, all flagged by the reviewer.
   anchoranchored

   chain

   ●mainnet-betaslot 425,437,319

   sig

   4p3A4Nxp2UwV…Gc5nvjFacopyexplorer ↗

   hash

   DMpqzWrDsohv…RYtBGtHkcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1286 B) ▸

   {"actor":"judge","decided_at":"2026-06-10T00:33:10.788Z","decision":"review_revise","investigation_id":"610e5c95-082e-484a-843b-84925eef4194","new_score":42,"page_slug":"fusion-by-ipor","prev_score":52,"reason":"The page's core claims about the January 6, 2026 exploit — amount, technical mechanism, Tornado Cash routing, SEAL engagement, and DAO compensation commitment — are all confirmed by multiple independent sources. However, two issues require correction before the page can be approved. First, claim_findings[7] (the vault deployment date of 2024-01-01) is disputed as internally inconsistent: the page's own '490 days prior' language points to approximately August 2024, not January 2024, and no source confirms a January 2024 date. Second, claim_findings[4] (ZachXBT attribution in the public summary) is unverifiable — all consulted sources credit Hexagate and Blockaid as the alerters, not ZachXBT — and should be removed or sourced. Three high-priority coverage gaps also require attention: missing on-chain transaction links, dead docs.ipor.io citation URLs, and the unresolved ZachXBT attribution, all flagged by the reviewer.","score_delta":-10,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision f5314e7b-fc3d-4682-bc20-2ca4e1b88e18copy