Hacks Feed
Forensic analysis of DeFi exploits, assessed against the BRI scoring framework.
An attacker stole about $105,000 from Thetanuts Finance, an options vault protocol, on Ethereum. They abused how the protocol's index vault tracked shares: by taking a flash loan and calling the vault's mint function 37 times, they inflated their balance in the underlying put-option vaults without ever depositing the matching USDC. They then redeemed the fake Bitcoin and Ether vault shares for about $105,000 of real USDC and repaid the flash loan. There is no tradeable NUTS governance token, so token holders were not affected; the loss came out of vault deposits.
An attacker drained roughly $2.18 million from Aztec Connect, the shut-down zk.money privacy rollup, on Ethereum. They submitted forged validity proofs that the rollup's own verifier accepted, which let them withdraw all of the remaining funds, about 909 ETH plus DAI, wstETH, LUSD and some Yearn vault tokens, straight into their own wallet in a single transaction. Aztec Connect was retired in 2024 and its contracts are frozen and unmaintained, so the flaw could not be patched. This is the older zk.money product, not the live Aztec Network, which was not affected. As of now the stolen funds are sitting untouched in the attacker's wallet.
An attacker bought a bare majority of the Token of Power governance token directly from its own Balancer liquidity pool, then used that majority to mint 10 billion new TOP through a single governance vote and dumped it back into the pool. About 91 percent of the 16,384 total TOP supply sat in the pool as liquidity, so a governance majority cost only about 663 WETH to acquire. The attacker pulled 944.24 WETH out of the pool in the exploit, but had just seeded 662.86 WETH of that to buy the majority, so the real loss to liquidity providers, and the attacker's actual profit, was about 281 WETH, roughly 472 thousand dollars. Other trackers report the 944 WETH gross figure. The Balancer protocol was not at fault. The pool was only the venue, and the proceeds went to a wallet funded through Tornado Cash.
An attacker took control of the multisig that governs Humanity Protocol's H token on BNB Chain, rewrote the token's code, and minted 100 million new H for themselves, worth around 13 million dollars at the pre-attack price. Three of the project's operational signing keys had been compromised, which let the attacker seize the token's upgrade controls and mint without any limit. The same key access was used to drain roughly 10 million dollars of existing H from more than a hundred wallets, for a combined impact near 23 million dollars. The token contract was not broken by a coding bug. The keys that governed it were taken, and the minted and stolen H was then dispersed across wallets, swapped, and bridged out.
An attacker took over Gravity Bridge's validator set on Ethereum and drained about $5.4 million. Gravity is a bridge between Ethereum and the Cosmos-based Gravity chain, and its Ethereum contract releases funds only when validators holding two thirds of the voting power sign off. The attacker got enough of the real validators to sign a change that shrank the set from 58 validators to 34, concentrating control, then used that concentrated set to sign withdrawals that emptied the bridge's USDC, ETH, USDT and gold-backed PAXG. The funds were swapped to ETH and moved through ChangeNOW and Binance. The attacker still holds about 2,059 ETH.
An attacker drained about $815K from Alephium's TokenBridge on Ethereum. The bridge mints its wrapped ALPH token and releases funds only when a quorum of its guardians sign off, and the attacker got hold of 3 of the 4 guardian keys. With those, they signed fake approval messages that told the bridge to mint 13.76 million wrapped ALPH out of nothing, more than the entire amount that existed before, and to hand over its USDT, USDC, WBTC and WETH. The funds were swapped to ETH and spread across dozens of wallets. The bridge's code worked correctly. The keys behind its signatures were compromised.
An attacker who controls the owner key of DxSale's old liquidity locker on BNB Chain has been draining LP tokens that more than 1,400 projects locked up as far back as 2021, including SafeMoon-linked liquidity. Around $1.74 million has been pulled out so far and roughly $2.91 million more is still exposed, out of about $7.3 million of affected positions. The locker keeps working exactly as coded. The problem is that whoever holds its owner key can move the locked funds, and that key is now in hostile hands. Proceeds were swapped into BNB and moved through more than 80 wallets, so they are effectively gone.
An attacker stole the private key to StakeDAO's deployer wallet on Arbitrum and used it to redirect the vsdCRV token's trusted cross-chain link to a contract they controlled on Ethereum. They then forged a cross-chain message that minted roughly 5.4 trillion vsdCRV out of thin air, dumped what little liquidity existed for about 43.78 ETH (around $91,000), and bridged the proceeds to Ethereum where the funds still sit untouched. Locked sdCRV collateral on Ethereum, other StakeDAO products, and user deposits were not affected. The team has already locked out the compromised key and reset the cross-chain trust setting.
An attacker compromised the operational keys that propose and approve Fluid's reward payout lists, then used them to approve self-serving reward lists and claim with empty proofs across three chains. In total about 125,109 FLUID and 51,946 GHO, plus a little cbBTC (about $225,000), were taken from Fluid's reward distributors on Ethereum, Base, and Arbitrum. Fluid's lending markets, vaults, DEX, and user deposits were not affected. The Layer 2 proceeds were bridged back to Ethereum, swapped for ether, and about 142.6 ETH was routed into Tornado Cash. Fluid later removed the compromised keys and moved the remaining reward funds to safety. A separate, much larger movement of roughly 70 to 110 million dollars out of Fluid in the days after was depositors withdrawing their own funds, a confidence-driven bank run, not a second hack.
An attacker drained 86 Gnosis Safes across Ethereum and Base by tricking the Safe owners into enabling a malicious Safe module that impersonated the SquidRouter brand. Once a Safe enables a module, that module can execute transactions on the Safe's behalf without further owner approval. The attacker waited until enough victims had installed the module, then deployed a drainer contract and walked through every Safe in 14 minutes, pulling out tokens and swapping them to DAI through attacker-controlled Uniswap V3 pools. All proceeds, about 3 million DAI, consolidated into a single wallet. This is not a vulnerability in the legitimate Axelar SquidRouter, which has no involvement.
An attacker minted approximately $11M of unauthorized stablecoins after compromising a single operations key that controlled the mint authority on both EURR and USDR. The mint-authority contracts are the original ConsenSys MultiSigWallet (not Gnosis Safe), and both were configured with required=1, meaning one signer could submit and execute any transaction immediately. The attacker then added three decoy owners and removed both legitimate owners during the attack, making the public picture look like a multi-party compromise when it was a single key. About 7,010,000 EURR and 3,310,000 USDR were minted to nine attacker-controlled wallets over three hours. Both stablecoins depegged: USDR to about $0.78 and EURR to about $0.88.
An attacker stole roughly $700,000 worth of POL tokens from two of Polymarket's operational wallets on Polygon. The wallets paid out user rewards and managed Polymarket's prediction-market resolution contract; both had their private keys exposed. Customer deposits, open trades, and market settlements were not touched. The stolen funds were routed through ChangeNOW, HTX, and KuCoin within hours.
A new validator joined THORChain's network, then quietly participated in routine signing ceremonies for one of the protocol's six vaults. A flaw in the way those ceremonies worked leaked tiny fragments of the vault's private key each time. After 48 hours of collecting fragments, the attacker reconstructed the full key offline and drained roughly $10.8 million across nine different blockchains. The protocol caught it within an hour and halted trading. No user deposits or liquidity-provider positions were affected, only protocol-owned vault assets.
Lazarus Group, the North Korean state-sponsored hacking unit, drained $292 million from KelpDAO's cross-chain bridge in a single transaction. The bridge used LayerZero for cross-chain messaging, but Kelp had configured it to trust just one verifier, LayerZero Labs' own. The attackers compromised the developer credentials for that verifier, then made the bridge believe a fake withdrawal was legitimate. About 18% of all rsETH in circulation moved to the attackers in a single block.
A team posing as a quant trading firm spent six months getting close to Drift's developers, then tricked two of the protocol's signers into blindly approving transactions that handed over admin control. With control of the protocol, the attacker invented a fake collateral token, deposited it, and withdrew $285 million from three vaults in twelve minutes. Funds were swapped to USDC, bridged to Ethereum, and laundered through addresses pre-funded via Tornado Cash. The attack has been attributed to UNC4736, a North Korean state-sponsored group.