Key facts
- Fluid lost $215,000 due to an attacker gaining control of its operational signing keys.
- The attacker used a single-entry reward list with an empty Merkle proof to claim tokens from Fluid.
- The attacker routed the stolen proceeds through Tornado Cash.
- Aave restored full liquidity to its lending pools after a $300 million cross-chain exploit.
- The stabilization effort for Aave's liquidity took several weeks.
- An attacker stole $7.3 million from over 1,400 legacy DxSale locker positions on BNB Chain.
- The DxSale exploit leveraged a silent ownership transfer, not a smart-contract bug.
- A white hat hacker recovered $2 million worth of ETH from a faulty 2016 HongCoin ICO contract.
- The HongCoin ICO contract bug prevented 48 investors from reclaiming funds for nine years.
- Gnosis Pay experienced an exploit via its Zodiac delay module, enabling unauthorized transactions from Safe wallets.
The decentralized finance (DeFi) ecosystem has been impacted by several security breaches and exploits, leading to substantial financial losses and the recovery of funds. Fluid reported a loss of $215,000 after an attacker successfully gained control of both operational signing keys for its Merkle distributors across Ethereum, Base, and Arbitrum networks. The attacker utilized a single-entry reward list combined with an empty Merkle proof to claim tokens, subsequently routing the stolen proceeds through the privacy mixer Tornado Cash.
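The claim path described above hinges on a property of Merkle distributors: a reward list with a single entry has a root equal to that entry's leaf hash, so a claim verifies with an empty proof once whoever holds the signing keys publishes that root. The following is an added illustration, not Fluid's code; it models a simplified distributor (sha256 standing in for keccak256, sorted-pair hashing in the style of OpenZeppelin's MerkleProof, constructed accounts and amounts) and shows the defender-side check that flags empty-proof claims for review.

```python
import hashlib
from typing import List

def h(data: bytes) -> bytes:
    # EVM distributors use keccak256; hashlib lacks it, so sha256 stands in here.
    return hashlib.sha256(data).digest()

def leaf(account: str, amount: int) -> bytes:
    """Leaf = H(account || amount). Accounts below are constructed hex strings."""
    return h(bytes.fromhex(account[2:]) + amount.to_bytes(32, "big"))

def hash_pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing: proof verification needs no left/right position bits.
    return h(a + b) if a < b else h(b + a)

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return all layers, leaves first and root last; odd nodes are duplicated."""
    layers = [list(leaves)]
    while len(layers[-1]) > 1:
        cur = layers[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        layers.append([hash_pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return layers

def proof_for(layers: List[List[bytes]], index: int) -> List[bytes]:
    """Sibling hashes from leaf to root; empty for a one-entry tree."""
    proof = []
    for layer in layers[:-1]:
        if len(layer) % 2:
            layer = layer + [layer[-1]]
        proof.append(layer[index ^ 1])
        index //= 2
    return proof

def verify(proof: List[bytes], root: bytes, leaf_hash: bytes) -> bool:
    """What an on-chain claim() does: fold the proof into the leaf, compare to root."""
    node = leaf_hash
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

def claim_needs_review(proof: List[bytes]) -> bool:
    # An empty proof only verifies when root == leaf, i.e. a single-entry list.
    # Legitimate one-recipient campaigns exist, so this is a review flag, not a rejection.
    return len(proof) == 0

def root_of(leaves: List[bytes]) -> bytes:
    return build_tree(leaves)[-1][0]
```

A monitoring job that watches the distributor's root updates can pair `claim_needs_review` with a minimum-entry policy on the published reward list, since a compromised key makes the contract itself behave correctly.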
In a separate incident, the DeFi protocol Aave successfully restored full liquidity to its lending pools following a significant cross-chain exploit that initially put $300 million at risk. The complex stabilization effort required several weeks to complete. On the BNB Chain, an attacker drained approximately $7.3 million from over 1,400 legacy liquidity-provider positions. This exploit targeted older DxSale locker contracts and was achieved by leveraging a silent ownership transfer mechanism rather than a direct smart-contract vulnerability, according to reports from security firms PeckShield and Coinsult.
Further complicating the DeFi security landscape, Gnosis Pay experienced an exploit that utilized its Zodiac delay module. This vulnerability allowed attackers to initiate unauthorized transactions from Safe wallets, though the precise details of the exploit are still under investigation. In a positive development, a white hat hacker successfully recovered approximately $2 million worth of Ether (ETH) that had been locked in a faulty 2016 HongCoin Initial Coin Offering (ICO) smart contract. The bug in the contract had prevented 48 original investors from accessing their funds for nine years. The white hat hacker exploited an integer overflow vulnerability to unlock the Ether, which is now claimable by the rightful investors.
