Hacks Feed

An attacker stole the private key to StakeDAO's deployer wallet on Arbitrum and used it to redirect the vsdCRV token's trusted cross-chain link to a contract they controlled on Ethereum. They then forged a cross-chain message that minted roughly 5.4 trillion vsdCRV out of thin air, dumped what little liquidity existed for about 43.78 ETH (around $91,000), and bridged the proceeds to Ethereum where the funds still sit untouched. Locked sdCRV collateral on Ethereum, other StakeDAO products, and user deposits were not affected. The team has already locked out the compromised key and reset the cross-chain trust setting.

An attacker drained 86 Gnosis Safes across Ethereum and Base by tricking the Safe owners into enabling a malicious Safe module that impersonated the SquidRouter brand. Once a Safe enables a module, that module can execute transactions on the Safe's behalf without further owner approval. The attacker waited until enough victims had installed the module, then deployed a drainer contract and walked through every Safe in 14 minutes, pulling out tokens and swapping them to DAI through attacker-controlled Uniswap V3 pools. All proceeds, about 3 million DAI, consolidated into a single wallet. This is not a vulnerability in the legitimate Axelar SquidRouter, which has no involvement.

An attacker minted approximately $11M of unauthorized stablecoins after compromising a single operations key that controlled the mint authority on both EURR and USDR. The mint-authority contracts are the original ConsenSys MultiSigWallet (not Gnosis Safe), and both were configured with required=1, meaning one signer could submit and execute any transaction immediately. The attacker then added three decoy owners and removed both legitimate owners during the attack, making the public picture look like a multi-party compromise when it was a single key. About 7,010,000 EURR and 3,310,000 USDR were minted to nine attacker-controlled wallets over three hours. Both stablecoins depegged; USDR to about $0.78 and EURR to about $0.88.

An attacker stole roughly $700,000 worth of POL tokens from two of Polymarket's operational wallets on Polygon. The wallets paid out user rewards and managed Polymarket's prediction-market resolution contract; both had their private keys exposed. Customer deposits, open trades, and market settlements were not touched. The stolen funds were routed through Changenow, HTX, and KuCoin within hours.

A new validator joined THORChain's network, then quietly participated in routine signing ceremonies for one of the protocol's six vaults. A flaw in the way those ceremonies worked leaked tiny fragments of the vault's private key each time. After 48 hours of collecting fragments, the attacker reconstructed the full key offline and drained roughly $10.8 million across nine different blockchains. The protocol caught it within an hour and halted trading. No user deposits or liquidity-provider positions were affected, only protocol-owned vault assets.

Lazarus Group, the North Korean state-sponsored hacking unit, drained $292 million from KelpDAO's cross-chain bridge in a single transaction. The bridge used LayerZero for cross-chain messaging, but Kelp had configured it to trust just one verifier, LayerZero Labs' own. The attackers compromised the developer credentials for that verifier, then made the bridge believe a fake withdrawal was legitimate. About 18% of all rsETH in circulation moved to the attackers in a single block.

A team posing as a quant trading firm spent six months getting close to Drift's developers, then tricked two of the protocol's signers into blindly approving transactions that handed over admin control. With control of the protocol, the attacker invented a fake collateral token, deposited it, and withdrew $285 million from three vaults in twelve minutes. Funds were swapped to USDC, bridged to Ethereum, and laundered through addresses pre-funded via Tornado Cash. The attack has been attributed to UNC4736, a North Korean state-sponsored group.