A white hat hacker helped Foom Money recover most of the funds stolen in a $2.26 million exploit, underscoring the growing role of ethical hackers in Web3 incident response.
Foom Money, a decentralized, anonymous lottery protocol based on zero-knowledge proofs, was exploited for $2.26 million in funds.
The intervention of an ethical hacker helped the protocol recover $1.84 million, or 81% of the stolen funds, Foom Money announced on Monday.
Pseudonymous white hat hacker Duha identified the vulnerability and secured funds on Base before malicious actors could exploit them, while Decurity handled recovery efforts on Ethereum, the protocol said in a Monday post on X.
Foom Money awarded the white hat hacker a $320,000 bounty, while crypto security platform Decurity was awarded a $100,000 security fee.
"By honoring their bug bounty policy, @foomclub_ has proven that they take protocol security seriously and value the researchers helping them," wrote white hat hacker Duha, in response to the incident.
"Fatal deployment oversight" led to $2.2 million exploit
The $2.26 million exploit stemmed from a "fatal" deployment error: a missing command-line interface (CLI) step during the Phase 2 (circuit-specific) trusted setup.
"In Groth16, if you skip the circuit-specific contribution setup in snarkjs, the parameters γ (gamma) and δ (delta) remain set to the same default value (the G2 generator)," wrote Foom in a Monday X post.
Because that placeholder value was never randomized, the verifier could be tricked into "accepting forged proofs because a placeholder was never randomized," as the protocol put it: with γ and δ equal, a proof can be assembled from the public verification key alone, without any valid witness.
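As an added example (not code from Foom Money, snarkjs or the Decurity write-up), the following Python does two things a practitioner would want after reading the passage above: it checks a snarkjs `verification_key.json` for a `vk_delta_2` still sitting at the G2 generator, and it works the Groth16 verification equation in the exponent to show why γ == δ lets the tuple (α, β, −X) verify with no witness at all. The curve constants are the public alt_bn128 (BN254) values from EIP-197; the JSON field names follow snarkjs's `verification_key.json` layout; the sample keys, the toy scalars and the public inputs are constructed for illustration and are not Foom Money's parameters.

```python
import json

# alt_bn128 / BN254 constants from EIP-197: scalar field order r and the G2 generator.
# snarkjs serialises G2 points as [[x.c0, x.c1], [y.c0, y.c1], [1, 0]] decimal strings.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
G2_GENERATOR = (
    (10857046999023057135944570762232829481370756359578518086990519993285655852781,
     11559732032986387107991004021392285783925812861821192530917403151452391805634),
    (8495653923123431417604973247489272438418190587263600148770280649306958101930,
     4082367875863433681332203403145435568316851327593401208105741076214120093531),
)


def _g2_affine(point):
    """Parse a snarkjs G2 point into ((x.c0, x.c1), (y.c0, y.c1)) integers."""
    x, y = point[0], point[1]
    return ((int(x[0]), int(x[1])), (int(y[0]), int(y[1])))


def _g2_json(point):
    """Serialise an affine G2 point back into snarkjs's list-of-strings form."""
    (x0, x1), (y0, y1) = point
    return [[str(x0), str(x1)], [str(y0), str(y1)], ["1", "0"]]


def check_verification_key(vk_json):
    """Return findings for a snarkjs Groth16 verification_key.json (empty list = fine).

    snarkjs keeps gamma at the G2 generator by design; delta is what the Phase 2
    contributions (`snarkjs zkey contribute`) move off the generator.  A delta that
    is still the generator means gamma == delta, and the forgery below verifies.
    """
    vk = json.loads(vk_json)
    findings = []
    if vk.get("protocol") != "groth16":
        return ["not a groth16 key: %r" % vk.get("protocol")]
    gamma = _g2_affine(vk["vk_gamma_2"])
    delta = _g2_affine(vk["vk_delta_2"])
    if delta == G2_GENERATOR:
        findings.append("vk_delta_2 is the G2 generator: no Phase 2 contribution applied")
    if delta == gamma:
        findings.append("vk_delta_2 == vk_gamma_2: (alpha, beta, -X) forges a valid proof")
    return findings


# Constructed sample keys (only the fields the check reads).  The "contributed" delta
# uses placeholder coordinates, not a real curve point; the check only compares values.
_FAKE_DELTA = ((1, 2), (3, 4))
SAMPLE_VK_NO_CONTRIBUTION = json.dumps({
    "protocol": "groth16", "curve": "bn128", "nPublic": 2,
    "vk_gamma_2": _g2_json(G2_GENERATOR), "vk_delta_2": _g2_json(G2_GENERATOR)})
SAMPLE_VK_CONTRIBUTED = json.dumps({
    "protocol": "groth16", "curve": "bn128", "nPublic": 2,
    "vk_gamma_2": _g2_json(G2_GENERATOR), "vk_delta_2": _g2_json(_FAKE_DELTA)})


# ---- Why gamma == delta is fatal: the verification equation in the exponent ----
# Write each group element by its discrete log mod r, so a pairing e([a]_1, [b]_2)
# becomes the product a*b and a product of pairings becomes a sum.  Groth16 checks
#     A*B == alpha*beta + X*gamma + C*delta,   X = IC_0 + sum(pub_i * IC_i).
# Toy model for the algebra only: real keys hide these scalars behind the DLP, which is
# exactly why a random delta the prover does not know blocks the forgery.

def toy_vk(alpha, beta, ic, delta, gamma=1):
    return {"alpha": alpha % R, "beta": beta % R, "ic": [i % R for i in ic],
            "gamma": gamma % R, "delta": delta % R}


def _public_input_point(vk, pub):
    x = vk["ic"][0]
    for p, ic_i in zip(pub, vk["ic"][1:]):
        x += p * ic_i
    return x % R


def toy_verify(vk, proof, pub):
    a, b, c = proof
    x = _public_input_point(vk, pub)
    rhs = vk["alpha"] * vk["beta"] + x * vk["gamma"] + c * vk["delta"]
    return (a * b) % R == rhs % R


def forge_proof(vk, pub):
    """Proof built only from on-chain verifier data (alpha_1, beta_2, IC), no witness.
    With A = alpha and B = beta the equation reduces to X*gamma + C*delta == 0,
    which C = -X satisfies exactly when gamma == delta."""
    return (vk["alpha"], vk["beta"], (-_public_input_point(vk, pub)) % R)


if __name__ == "__main__":
    print(check_verification_key(SAMPLE_VK_NO_CONTRIBUTION))
    print(check_verification_key(SAMPLE_VK_CONTRIBUTED))
    pub = [2, 4]
    unrandomised = toy_vk(alpha=5, beta=7, ic=[3, 11, 13], delta=1)  # delta left at the generator
    contributed = toy_vk(alpha=5, beta=7, ic=[3, 11, 13], delta=9)   # delta moved by a contribution
    forged = forge_proof(unrandomised, pub)
    print("forgery vs unrandomised key:", toy_verify(unrandomised, forged, pub))
    print("forgery vs contributed key: ", toy_verify(contributed, forged, pub))
```

The JSON check is the cheap pre-deployment gate: run it against the exported verification key (and against the constants baked into the generated Verifier.sol) before the contract goes live. The toy model makes the dependency explicit: the forged tuple uses nothing but values every verifier publishes, and it fails only because a contributed δ differs from γ.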

White hat hackers to the rescue
White hat interventions have become an increasingly common feature of DeFi incident response, particularly as exploiters move quickly to bridge funds across chains or into privacy tools.
In August 2023, white hat hacker and Paradigm researcher Samczsun established a team of ethical hackers known as SEAL (Security Alliance), which surpassed 900 hack-related investigations within its first year, Cointelegraph reported.
That milestone came nearly a month after a hacker stole over $230 million from WazirX, an Indian cryptocurrency exchange, in the second-largest cryptocurrency hack of 2024.

On Feb. 10, 2026, the Ethereum Foundation partnered with SEAL to create a "Trillion Dollar Security" initiative to combat crypto wallet drainers.

