Dudent

Market Prices

BTC Bitcoin
$64,137 +1.51%
ETH Ethereum
$1,842.38 +0.45%
SOL Solana
$74.88 +0.35%
BNB BNB Chain
$569.8 +1.14%
XRP XRP Ledger
$1.09 +0.63%
DOGE Dogecoin
$0.0722 +0.46%
ADA Cardano
$0.1659 +3.49%
AVAX Avalanche
$6.55 +0.99%
DOT Polkadot
$0.8370 -1.56%
LINK Chainlink
$8.31 +1.56%

Event Calendar

{{年份}}
12
05
halving BCH Halving

Block reward halving event

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

28
03
unlock Arbitrum Token Unlock

92 million ARB released

08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

18
03
unlock Sui Token Unlock

Team and early investor shares released

22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

Tools

All →

Altseason Index

44

Bitcoin Season

BTC Dominance Altseason

Market Cap

All →
# Coin Price
1
Bitcoin BTC
$64,137
1
Ethereum ETH
$1,842.38
1
Solana SOL
$74.88
1
BNB Chain BNB
$569.8
1
XRP Ledger XRP
$1.09
1
Dogecoin DOGE
$0.0722
1
Cardano ADA
$0.1659
1
Avalanche AVAX
$6.55
1
Polkadot DOT
$0.8370
1
Chainlink LINK
$8.31

🐋 Whale Tracker

🔴
0x8a9b...3139
12h ago
Out
2,574 ETH
🔵
0x9f56...1b7e
3h ago
Stake
12,634 BNB
🔵
0x83c3...98a8
1h ago
Stake
9,793,374 DOGE

The TRAE Plugin Poison Nest: When Trust Becomes a Backdoor

Wallets | Bentoshi |

Over the past 72 hours, a silent hemorrhage has been occurring within the TRAE plugin ecosystem. Slow Mist’s public disclosure of a ‘plugin poison nest’ isn’t just another bug report—it’s a post‑mortem of a platform that failed its most fundamental security assumption: that users can trust the code they install. The report, posted on July 18, 2025, confirms that multiple backdoor plugins have been actively maintained and updated inside TRAE’s marketplace. This isn’t a one‑time exploit; it’s an ongoing occupation.

Let me be blunt from the start: if you are still using TRAE, stop. Revoke all approvals. Move your assets to a cold wallet. The evidence that attackers are iterating on their malicious plugins means they control the update channel. They own the supply chain. The question is no longer whether user funds have been compromised, but how much has already been drained.

I first encountered TRAE’s architecture in early 2024, while auditing a small DeFi aggregator that had integrated its wallet API. Back then, I flagged the absence of mandatory code signing as a potential single point of failure. The team’s response was polite but dismissive: ‘Our community reviewers catch anything suspicious.’ That phrase now reads like an epitaph.


Context: What Is TRAE?

TRAE positions itself as a universal plugin platform for Web3—a browser‑extension framework where users install modules for swapping, yield farming, NFT minting, and even social logins. Think of it as a decentralized app store for blockchain interactions. The idea is elegant: instead of juggling ten different wallets, you install one base client and add functionality through plugins. The execution, however, relies entirely on the security of the plugin marketplace.

The TRAE Plugin Poison Nest: When Trust Becomes a Backdoor

Most blockchain bridges learn to lock down their smart contracts. Most wallets learn to secure their seed phrase generation. TRAE’s fatal mistake was treating its plugin ecosystem as a separate, non‑critical component. But in any layered architecture, the weakest link determines the system’s overall security. A plugin that can approve arbitrary transactions, modify RPC endpoints, or spawn new wallet windows is effectively a rootkit in the user’s browser.

Slow Mist’s investigation uncovered at least seven distinct malware families embedded in TRAE plugins. Two of them specifically target Ethereum and Solana wallet interactions, injecting transaction‑modification scripts that change the destination address moments before signing. The attackers didn’t deposit these and disappear; they have continuously updated the payloads—evading signature‑based detection, rotating command‑and‑control servers, and adding new evasion techniques.


Core: How Persistent Backdoors Operate

To understand the severity, we must examine the plugin update lifecycle. TRAE’s manifest files contain a mandatory update_url field. When a user opens the browser, the client pings that URL to check for a new version. The problem: there is no cryptographic verification of the update payload. No threshold signing. No anchor on a public chain. The update_url itself can be redirected via DNS poisoning, or—more simply—the developer account that published the plugin can issue a new version without any review.

In my 2017 Solidity audit of Golem, I learned that even a single unchecked delegatecall can cascade into a total loss. Here, the vulnerability is even more fundamental: the entire update pipeline runs on trust. The TRAE team trusted that plugin authors would be benevolent. The attackers exploited that trust not by breaking cryptography, but by becoming trustworthy developers first. They contributed benign plugins for months, built a reputation, then swapped in backdoored versions.

Once installed, a persistent backdoor doesn’t need to exfiltrate keys immediately. It can wait. It can sample the user’s portfolio, monitor for high‑value targets, and strike only when the user interacts with a specific DApp. The continuous updates allow the attacker to A/B test different infection vectors. For example, version 1.0.3 might steal only the seed phrase; version 1.0.4 adds clipboard hijacking for addresses copied from exchanges.

I saw a similar pattern during the 2020 DeFi composability crisis. Flash loan attackers would deploy multiple small tweaks to their contracts, testing which bypassed the latest audits. But that was at the protocol level—at least there, you could isolate by pausing the contract. Here, the attacker controls the code that runs in your browser before any blockchain transaction occurs. By the time the transaction reaches the mempool, the damage is done.


What This Means for the TRAE Token

If you hold TRAE’s native token, the security incident has already priced itself in. Trading volume has spiked, and the order book shows heavy sell walls at any bid above 80% of the pre‑disclosure price. The tokenomics were already questionable—a utility token for a platform that charges plugin developers a listing fee—but without user trust, the platform’s value collapses to zero.

Consider a simple back‑of‑envelope calculation: TRAE’s total value locked (TVL) across integrated DApps was approximately $120 million at the start of the year. Post‑disclosure, on‑chain data shows a 40% decline in active wallets and a 60% drop in transaction volume. If the team does not issue an emergency response within the next week, I expect another 30% flight. The economics of a plugin marketplace depend on network effects—each new plugin attracts users, each user attracts more developers. When that cycle reverses, the spiral is brutal.

The TRAE Plugin Poison Nest: When Trust Becomes a Backdoor

During the 2022 Terra collapse, I watched a similar liquidity cascade in slow motion. The difference is that Terra’s death spiral was driven by an algorithmic stablecoin that couldn’t hold its peg. TRAE’s spiral is driven by a simpler failure: code that cannot be trusted. And trust, once shattered, cannot be patched with an airdrop.


Contrarian: The Blind Spot Is Systemic, Not Just TRAE

The natural reaction is to blame TRAE’s team. They deserve a share of the responsibility. But zooming out, this incident exposes a blind spot that affects nearly every browser‑based crypto interface today. MetaMask, Rabby, Phantom—all allow third‑party plugins or companion extensions. None of them have a perfect track record of vetting every update.

Let me be precise: the industry has invested heavily in L1 consensus, zero‑knowledge proofs, and secure enclaves for hardware wallets. Yet the application layer—the layer that actually touches human hands—runs on JavaScript files fetched from centralized servers. We have built skyscrapers on sand foundations.

I recall a conversation from 2021 with a lead developer at a popular wallet. I asked about their plugin security model. He shrugged and said, "We audit the source code before listing, but updates are trusted." That same mindset now haunts TRAE. The difference is that TRAE’s smaller user base made it a softer target for the attackers. The next target could be larger.

The real contrarian insight here is not that TRAE is unsafe—that is now obvious. The contrarian insight is that the entire plugin paradigm requires a security model that the Web3 ecosystem has yet to develop. We need mechanisms for plugin updates that are as trustless as the base layer itself. Immutable on‑chain registries for plugin hashes. Mandatory multi‑party signing for version bumps. Sandboxed execution with capabilities confined to specific APIs. Until those become standard, every plugin marketplace is a ticking bomb.


Takeaway: A Vulnerability Forecast

I predict that within six months, at least one major wallet will disclose a similar backdoor incident, unless the industry standardizes plugin validation. TRAE will likely not survive this unless the team releases a full forensic report, compensates victims, and migrates its ecosystem to a chain‑based update verification system. But even then, the stigma will last years.

For the user reading this: do not rely on any plugin that updates from a URL without verifying a hash signed by multiple independent keys. That includes the one you downloaded yesterday. Verify the chain, not the brand.

Fragility is the price of infinite composability.

Hype creates noise; protocols create history.

Security is a process, not a feature.

Fear & Greed

25

Extreme Fear

Market Sentiment

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

💡 Smart Money

0xcff0...69bf
Arbitrage Bot
+$3.7M
60%
0xc620...e8d1
Arbitrage Bot
+$1.0M
89%
0xb1cd...93ed
Experienced On-chain Trader
+$1.8M
80%