DeFi Protocols Suffer Fresh Exploits

Security breaches continue to plague DeFi, with Foom.Cash, an “upgraded Tornado Cash,” losing nearly $2.3 million in a fresh exploit. Separately, the IoTeX cross-chain bridge was hacked for $4.4 million due to a compromised private key.

The Foom.Cash exploit was a copycat attack, leveraging a vulnerability nearly identical to one that struck the Veil Cash protocol just days prior. The attacker exploited a misconfigured zkSNARK verification key, allowing them to forge proofs and repeatedly withdraw funds from contracts on both the Ethereum and Base networks. Out of the approximately $2.26 million in drained FOOM tokens, a significant portion, around $1.83 million, was reportedly secured by white-hat hackers in a rescue operation on Ethereum. The malicious actor is believed to have gotten away with about $427,000 from a single transaction on the Base network.

The IoTeX hack stemmed not from a smart contract bug, but from an operational security failure: a compromised private key. This single key gave the attacker administrative control over the ioTube bridge's Ethereum-side contracts, including the TokenSafe vault holding bridged assets. This private key compromise allowed the perpetrator to directly drain assets like USDC, USDT, and WBTC, and also mint 410 million new, unbacked CIOTX tokens. The stolen funds were quickly swapped for ETH and then bridged to Bitcoin via THORChain in an attempt to launder the proceeds. In response, the IoTeX team sent an on-chain message to the hacker offering a 10% white-hat bounty—approximately $440,000—for the return of the remaining funds, a common crisis response tactic in DeFi. The team has also proposed terminating all support for the compromised CIOTX token across six networks.

These incidents underscore a persistent and growing trend in DeFi exploits. Off-chain vulnerabilities, particularly private key compromises, now account for a majority of funds lost in 2024. Cross-chain bridges remain a prime target for attackers, having accounted for billions in losses over the past few years.
