Key facts
- Fluid lost $215,000 due to an attacker gaining control of its operational signing keys.
- The attacker used a single-entry reward list with an empty Merkle proof to claim tokens from Fluid.
- Stolen funds from Fluid were routed through Tornado Cash.
- A white hat hacker recovered approximately $2 million worth of ETH from a faulty 2016 HongCoin ICO smart contract.
- The HongCoin ICO contract bug prevented 48 original investors from reclaiming their funds for nine years.
- An attacker stole approximately $7.3 million from over 1,400 legacy DxSale locker positions on BNB Chain.
- The DxSale exploit leveraged a silent ownership transfer rather than a smart-contract bug.
- Aave restored full liquidity to its lending pools after a $300 million cross-chain exploit.
- The Aave stabilization effort took several weeks to complete.
- Gnosis Pay experienced an exploit via its Zodiac delay module, enabling unauthorized transactions from Safe wallets.
The decentralized finance (DeFi) sector has been impacted by several recent security incidents, leading to significant financial losses and the recovery of funds. Fluid reported a loss of $215,000 when an attacker gained control of both operational signing keys for its Merkle distributors across Ethereum, Base, and Arbitrum. The attacker exploited this access by using a single-entry reward list with an empty Merkle proof to claim tokens, subsequently routing the stolen proceeds through Tornado Cash.
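The reason a single-entry reward list lets an empty Merkle proof pass is a property of Merkle trees, not of Fluid's code: a one-leaf tree has no siblings, so its root is the leaf hash itself and verification succeeds with zero proof elements. The added Python example below (not Fluid's distributor; sha256 stands in for keccak256, and the account/amount encoding is constructed) shows a standard sorted-pair verifier accepting such a claim and a stricter variant that refuses a degenerate root. The guard is only a cheap sanity check; it does not replace protecting the keys that are allowed to publish roots.

```python
import hashlib
from typing import List, Tuple
# sha256 stands in for keccak256 so this runs on the stdlib (assumption).

def _pair(a: bytes, b: bytes) -> bytes:
    """Order-insensitive pair hash, as OpenZeppelin's MerkleProof does it."""
    lo, hi = (a, b) if a <= b else (b, a)
    return hashlib.sha256(lo + hi).digest()

def leaf_hash(account: str, amount: int) -> bytes:
    """Hash of one reward entry (constructed encoding, not Fluid's)."""
    return hashlib.sha256(f"{account}:{amount}".encode()).digest()

def _next_level(level: List[bytes]) -> List[bytes]:
    """Pair neighbours; an odd trailing node is promoted unchanged."""
    nxt = [_pair(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    return nxt + level[-1:] if len(level) % 2 else nxt

def merkle_root(leaves: List[bytes]) -> bytes:
    """Root of the tree; for a single leaf this is the leaf itself."""
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes from leaf `index` to the root; empty for a 1-leaf tree."""
    proof, level, idx = [], list(leaves), index
    while len(level) > 1:
        if idx ^ 1 < len(level):
            proof.append(level[idx ^ 1])
        level, idx = _next_level(level), idx // 2
    return proof

def verify(root: bytes, leaf: bytes, proof: List[bytes]) -> bool:
    """Plain check: with an empty proof it passes whenever root == leaf."""
    node = leaf
    for sib in proof:
        node = _pair(node, sib)
    return node == root

def verify_strict(root: bytes, leaf: bytes, proof: List[bytes], min_depth: int = 1) -> bool:
    """Sanity check that refuses a root which is nothing but a bare leaf."""
    return len(proof) >= min_depth and verify(root, leaf, proof)

def single_entry_demo() -> Tuple[bool, bool]:
    """Constructed one-entry list: plain verify accepts, strict verify refuses."""
    leaf = leaf_hash("0xconstructed-claimant", 10**6)
    root = merkle_root([leaf])  # a one-leaf tree's root is the leaf itself
    return verify(root, leaf, []), verify_strict(root, leaf, [])
```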
In a separate major event, the decentralized finance protocol Aave has successfully restored full liquidity to its lending pools following a substantial $300 million cross-chain exploit. This recovery and stabilization effort required several weeks to complete. Another incident saw an attacker drain approximately $7.3 million from over 1,400 legacy liquidity-provider positions on the BNB Chain. This exploit targeted old DxSale locker contracts and was achieved by leveraging a silent ownership transfer mechanism rather than a smart-contract bug, according to reports from security firms PeckShield and Coinsult.
On a more positive note, a white hat hacker has recovered approximately $2 million worth of Ether (ETH) that was locked in a faulty 2016 HongCoin Initial Coin Offering (ICO) smart contract. A vulnerability in the contract had prevented 48 original investors from accessing their funds for nine years. The white hat hacker used an integer overflow vulnerability to unlock the Ether, which is now claimable by the rightful investors. Additionally, Gnosis Pay has experienced an exploit that affected its Zodiac delay module. This vulnerability allowed attackers to initiate unauthorized transactions from Safe wallets, though the exact details of the exploit are still under investigation.
The ongoing exploits highlight persistent security challenges within the DeFi ecosystem, ranging from key management vulnerabilities and contract bugs to sophisticated exploitation of legacy systems and transfer mechanisms. While some incidents result in direct financial loss, others, like the HongCoin recovery, demonstrate the potential for white hat intervention to rectify past issues and return funds to investors.
