Prism Relaunches on New Contract After Exploit Diverted Nearly 40% of Fees
Prism, a token that pays a share of trading fees to everyone who holds it, is relaunching on a new Ethereum contract after disclosing that an attacker spent most of July siphoning off nearly 40% of those fees.
The original PRISM token, which the project is now abandoning, plunged about 91% in the 24 hours through 2:13 p.m. ET on Tuesday, compared with a 4% gain for Bitcoin, according to CoinGecko data. It changed hands near $16, down from a high of about $1,145 on June 3, for a market value of roughly $82,000 on about $288,000 of 24-hour volume.
The attacker used purpose-built helper contracts to create 2,500 fee-earning positions beyond the 5,000 the token's design allows, Prism said in a post on X on Tuesday. When the team found them, those extra positions were diverting just under 40% of every trading fee away from ordinary holders, according to the post.
A Test for a New DeFi Primitive
The episode is an early stress test for one of DeFi's newer building blocks. Prism is built as a Uniswap v4 "hook," code that lets a token double as a liquidity pool, so that simply holding it earns a cut of trading fees with no manual staking. The design is meant to make token holders and liquidity providers the same people. The exploit shows how a single gap in that code can redirect the rewards the whole model depends on.
"This was never a theft of principal," Prism wrote in the post. "It was a corruption of the fee layer — the very thing that made Prism worth holding."
The flaw came down to one missing check, according to the disclosure. In the original contract, a fee-earning position could be moved to addresses that were never meant to hold one, including the pool manager and the token contract itself. Those addresses sit outside the token's internal accounting, so a position parked there kept earning fees while counting as no one's. That created a "phantom" share whose cut could be pulled from the pool's balance, the team said.
The team said a patch on the old deployment would not work because the phantom positions already sit inside the pool and cannot be removed, so it built a new contract instead.
What Changed
The new contract blocks that path, Prism said. A position can now belong only to a wallet whose token balance backs it, and any attempt to route one to the pool manager or to the contract itself now fails outright. The team said the number of fee-earning positions can no longer exceed the 5,000 the design guarantees, and that fees can only ever reach genuine holders.
The team relaunching Prism said they did not create it. They wrote that they "found this project the way everyone else did" and bought the token on the open market with their own money. The disclosure was signed by a pseudonymous account, @0xsolazy. The team did not say how holders of the old token would move to the new contract.
Despite its small size, Prism has drawn a handful of projects building on its fee mechanism. Spectrum, a tool for launching baskets of tokens, uses Prism and has deployed baskets across Ethereum, Base and Robinhood's chain, according to Spectrum's site. Prism has promoted several of those baskets, including one holding Sky, Aave, Maple, Curve, Spark, Ondo and Ethena tokens.
Limited Damage
The damage was limited, largely because Prism never took off. The team said the absolute losses were small only because trading volume had been low, and warned the drain would have grown alongside the token had it gained traction.
Prism has not published an independent review of either the exploit or the fix.
Advertisement
Get an edge in Crypto with our free daily newsletter
Know what matters in Crypto and Web3 with The Defiant Daily newsletter, Mon to Fri
90k+ Defiers informed every day. Unsubscribe anytime.



