Hacks Feed

An attacker took over Gravity Bridge's validator set on Ethereum and drained about $5.4 million. Gravity is a bridge between Ethereum and the Cosmos-based Gravity chain, and its Ethereum contract releases funds only when validators holding two thirds of the voting power sign off. The attacker got enough of the real validators to sign a change that shrank the set from 58 validators to 34, concentrating control, then used that concentrated set to sign withdrawals that emptied the bridge's USDC, ETH, USDT and gold-backed PAXG. The funds were swapped to ETH and moved through ChangeNow and Binance. The attacker still holds about 2,059 ETH.

An attacker drained about $815K from Alephium's TokenBridge on Ethereum. The bridge mints its wrapped ALPH token and releases funds only when a quorum of its guardians sign off, and the attacker got hold of 3 of the 4 guardian keys. With those, they signed fake approval messages that told the bridge to mint 13.76 million wrapped ALPH out of nothing, more than the entire amount that existed before, and to hand over its USDT, USDC, WBTC and WETH. The funds were swapped to ETH and spread across dozens of wallets. The bridge's code worked correctly. The keys behind its signatures were compromised.

An attacker who controls the owner key of DxSale's old liquidity locker on BNB Chain has been draining LP tokens that more than 1,400 projects locked up as far back as 2021, including SafeMoon-linked liquidity. Around $1.74 million has been pulled out so far and roughly $2.91 million more is still exposed, out of about $7.3 million of affected positions. The locker keeps working exactly as coded. The problem is that whoever holds its owner key can move the locked funds, and that key is now in hostile hands. Proceeds were swapped into BNB and moved through more than 80 wallets, so they are effectively gone.

An attacker stole the private key to StakeDAO's deployer wallet on Arbitrum and used it to redirect the vsdCRV token's trusted cross-chain link to a contract they controlled on Ethereum. They then forged a cross-chain message that minted roughly 5.4 trillion vsdCRV out of thin air, dumped what little liquidity existed for about 43.78 ETH (around $91,000), and bridged the proceeds to Ethereum where the funds still sit untouched. Locked sdCRV collateral on Ethereum, other StakeDAO products, and user deposits were not affected. The team has already locked out the compromised key and reset the cross-chain trust setting.

An attacker compromised the operational keys that propose and approve Fluid's reward payout lists, then used them to approve self-serving reward lists and claim with empty proofs across three chains. In total about 125,109 FLUID and 51,946 GHO, plus a little cbBTC (about $225,000), were taken from Fluid's reward distributors on Ethereum, Base, and Arbitrum. Fluid's lending markets, vaults, DEX, and user deposits were not affected. The Layer 2 proceeds were bridged back to Ethereum, swapped for ether, and about 142.6 ETH was routed into Tornado Cash. Fluid later removed the compromised keys and moved the remaining reward funds to safety. A separate, much larger movement of roughly 70 to 110 million dollars out of Fluid in the days after was depositors withdrawing their own funds, a confidence driven bank run, not a second hack.

An attacker drained 86 Gnosis Safes across Ethereum and Base by tricking the Safe owners into enabling a malicious Safe module that impersonated the SquidRouter brand. Once a Safe enables a module, that module can execute transactions on the Safe's behalf without further owner approval. The attacker waited until enough victims had installed the module, then deployed a drainer contract and walked through every Safe in 14 minutes, pulling out tokens and swapping them to DAI through attacker-controlled Uniswap V3 pools. All proceeds, about 3 million DAI, consolidated into a single wallet. This is not a vulnerability in the legitimate Axelar SquidRouter, which has no involvement.

An attacker minted approximately $11M of unauthorized stablecoins after compromising a single operations key that controlled the mint authority on both EURR and USDR. The mint-authority contracts are the original ConsenSys MultiSigWallet (not Gnosis Safe), and both were configured with required=1, meaning one signer could submit and execute any transaction immediately. The attacker then added three decoy owners and removed both legitimate owners during the attack, making the public picture look like a multi-party compromise when it was a single key. About 7,010,000 EURR and 3,310,000 USDR were minted to nine attacker-controlled wallets over three hours. Both stablecoins depegged; USDR to about $0.78 and EURR to about $0.88.

An attacker stole roughly $700,000 worth of POL tokens from two of Polymarket's operational wallets on Polygon. The wallets paid out user rewards and managed Polymarket's prediction-market resolution contract; both had their private keys exposed. Customer deposits, open trades, and market settlements were not touched. The stolen funds were routed through Changenow, HTX, and KuCoin within hours.

A new validator joined THORChain's network, then quietly participated in routine signing ceremonies for one of the protocol's six vaults. A flaw in the way those ceremonies worked leaked tiny fragments of the vault's private key each time. After 48 hours of collecting fragments, the attacker reconstructed the full key offline and drained roughly $10.8 million across nine different blockchains. The protocol caught it within an hour and halted trading. No user deposits or liquidity-provider positions were affected, only protocol-owned vault assets.

Lazarus Group, the North Korean state-sponsored hacking unit, drained $292 million from KelpDAO's cross-chain bridge in a single transaction. The bridge used LayerZero for cross-chain messaging, but Kelp had configured it to trust just one verifier, LayerZero Labs' own. The attackers compromised the developer credentials for that verifier, then made the bridge believe a fake withdrawal was legitimate. About 18% of all rsETH in circulation moved to the attackers in a single block.

A team posing as a quant trading firm spent six months getting close to Drift's developers, then tricked two of the protocol's signers into blindly approving transactions that handed over admin control. With control of the protocol, the attacker invented a fake collateral token, deposited it, and withdrew $285 million from three vaults in twelve minutes. Funds were swapped to USDC, bridged to Ethereum, and laundered through addresses pre-funded via Tornado Cash. The attack has been attributed to UNC4736, a North Korean state-sponsored group.