Fluid Loses $215K in DeFi Exploit Due to Key Control

Key facts Fluid lost $215,000 in an exploit involving its Merkle rewards system. An attacker controlled both operational signing keys for Fluid's reward distributors. The exploit occurred on Ethereum, Base, and Arbitrum chains. The attacker used a fake reward list and an empty Merkle proof to claim tokens. Stolen FLUID and GHO tokens were swapped for approximately 103 ETH. About 142.6 ETH was laundered through Tornado Cash. Numbers $215K — value stolen from Fluid 125,109 FLUID — stolen FLUID tokens 51,946 GHO — stolen GHO tokens 103 ETH — swapped for stolen tokens 142.6 ETH — ETH laundered via Tornado Cash 24 seconds — time from proposal to claim Who Fluid — Ethereum-based DeFi protocol that experienced an exploit BlackHartInc — X user who reported on the operational key failure 0xfluid — Fluid co-founder confirming core protocol unaffected Tornado Cash — Privacy service used to launder stolen funds Merkl — Protocol whose design choices were discussed in relation to the exploit Pablo Veyrat — Co-founder of Merkl, commented on protocol design Context Fluid, an Ethereum-based DeFi protocol, suffered a $215,000 loss due to an exploit where a single attacker controlled both operational signing keys for its Merkle reward distributors on Ethereum, Base, and Arbitrum. The attacker proposed a fake reward list and approved it using the second key, then claimed tokens with an empty Merkle proof. This allowed the attacker to steal approximately 125,109 FLUID and 51,946 GHO tokens. These were swapped for about 103 ETH, with roughly 142.6 ETH ultimately laundered through Tornado Cash. Fluid confirmed that its core lending markets and vaults were unaffected, and user funds were not at risk from this specific incident. The exploit occurred rapidly, within 24 seconds, due to the lack of a delay between key approval and payout. Following the incident, a significant withdrawal of funds by depositors occurred, which Fluid stated was unrelated to the theft itself but possibly influenced by the disclosure timing. The Fluid team later moved remaining reward balances to a safe address, initially communicating only a pause on reward claiming for updates. What's next Further investigation into the attacker's wallet and fund movements. Fluid may provide additional details on the operational security failure. Other DeFi protocols may review their key management and reward distribution mechanisms. Caveats The exploit was operational, not a smart contract bug. The attacker controlled both the 'proposer' and 'approver' keys. The speed of the exploit was enabled by the lack of a time delay between approval and payout. Depositor withdrawals following the exploit were described as a confidence-driven bank run, not a second exploit. FAQ Q: What caused the exploit at Fluid? A: An attacker gained control of both operational signing keys for Fluid's reward distributors, enabling them to mint and claim tokens without resistance. Q: How much was stolen from Fluid? A: Approximately $215,000 worth of FLUID and GHO tokens were stolen, which were then swapped for around 103 ETH. Q: Which blockchains were affected? A: The exploit impacted reward distributors on Ethereum, Base, and Arbitrum. Q: Were user funds in Fluid's core protocol at risk? A: No, Fluid confirmed that its core lending markets, vaults, and DEX liquidity were unaffected by the exploit. Q: How were the stolen funds laundered? A: The stolen ETH proceeds were routed through Tornado Cash after being bridged back to Ethereum from Base and Arbitrum.

Fluid Loses $215K in DeFi Exploit Due to Key Control

PiQ Daily

Fluid Loses $215K in DeFi Exploit Due to Key Control

PiQ Daily

Key facts

Get the newsletter.