A critical smart contract vulnerability in VeChainThor's VTHO (gas token) accrual mechanism allows attackers to artificially mint unbounded VTHO by exploiting incomplete energy settlement in the self-destruct logic when combined with flash loans. The flaw occurs because the OnSuicideContract function fails to update accrued VTHO when the transfer amount is zero, enabling repeated exploitation.
A critical vulnerability was discovered in the Oasis Earn service that allows attackers to selfdestruct the OperationExecutor contract through a delegatecall code-reuse attack, exploiting the assumption that executeOp() runs only in a user's DSProxy context. The researcher earned a $20K bounty by chaining arbitrary calldata execution with hardcoded service registry mappings to achieve contract destruction.