June 25, 2026
|

Gravity Bridge, TOP, ATM, and ONTR: $6.2M Across Four Exploits

One stolen key and three code-level flaws. Gravity Bridge ($5.4M) traces to a compromised validator signing key, not a contract bug. TOP ($472K) inflated supply through an uncapped mint, ATM ($243.5K) drained liquidity through a swap buried in its transfer logic, and ONTR ($98.3K) let an attacker seize a renounced contract through a broken owner check.

In Brief

  • Gravity Bridge lost $5.4M due to a compromised validator signing key.
  • Token of Power (TOP) lost $472K due to an uncapped mint that let an attacker inflate supply without bound.
  • ATM Token lost $243.5K due to an unbounded auto-swap embedded in its transfer logic.
  • ONTR Token lost $98.3K due to an access control flaw that treated a renounced owner as a pass-all.

Hacks Analysis

Gravity Bridge | Amount Lost: $5.4M

On May 30th, the Gravity Bridge exploit on Ethereum mainnet resulted in a ~$5.4M loss. The root cause was not a smart contract flaw but a compromised validator signing key. Gravity Bridge locks assets on Ethereum and authorizes withdrawals based on validator signatures, so the contract treats any sufficiently signed withdrawal as legitimate. The attacker obtained the signing key and submitted forged withdrawal requests that the contract verified as valid, draining roughly $4.3M USDC, 274 WETH (~$553K), $434K USDT, and 14.16 PAXG (~$64K). The attacker laundered a portion through ChangeNow and Binance and still holds around 2,100 ETH.

Press enter or click to view image in full size

Exploited Contract: 0xa4108aA1Ec4967F8b52220a4f7e94A8201F2D906

Transaction: 0xfce883a8f9a4f3479cce1368b99287973ab40451ac092f5a41e1e09eecab5044

Token of Power | Amount Lost: $472K

On June 9th, the Token of Power (TOP) exploit on Ethereum drained roughly 944 ETH gross (about $1.58M), with a net loss near 281 WETH (about $472K) after backing out the attacker’s own acquisition cost. The attacker acquired a governance majority through TOP’s own Balancer V1 pool, then pushed a single governance action through to the TokenManager — which minted 10 billion TOP to the attacker, dumped for WETH and laundered through Tornado Cash.

At the center of the loss is an uncapped self-mint: the mint path in TokenManager.issue() calls generateTokens() with no max-supply check, so any holder of the minting privilege can inflate supply without bound. Olympix’s BugPocer scan flags this directly as missing_mint_cap — the code-level flaw that made the supply inflation possible, caught by static analysis before it ever reaches mainnet.

Press enter or click to view image in full size

TOP Token: 0x0EBD5eC91680d3B0CEDbb1d5BB61851154D3eDb6

Exploit Contract: 0x25c68C44A96518294f5B47D758f98309c6729A21

Attacker Wallet: 0xff8eF7bC455a57e5893232203052Ce0232b39Fa2

Exploit Tx: 0x967aa34c69b7775c718545c7f94d92e965eb5fc553c0f27f6f1a9c65c93ac156

Read the full postmortem →

ATM Token | Amount Lost: $243.5K

On June 4th, the ATM token exploit on BNB Chain resulted in a ~$243.5K loss. The root cause was a flaw in the token’s custom `transferFrom()`, which embedded a DEX swap directly in the transfer path: on every transfer the function automatically converted 20% of the transferred ATM into BSC-USD through a router. The implementation did not properly bound this behavior, so the attacker repeatedly triggered transfers to invoke the swap over and over, extracting far more BSC-USD than the transfers warranted and draining roughly $243,500 from the contract.

Press enter or click to view image in full size

Vulnerable Contract: 0x4fd0878ee1bbf7b1019138e8eec746e5a5d5a205

Transaction: 0x37b90a337075cd2feea93b12780abe9f953dad476e1c1418a02447aaa6dcfd86

Read the full postmortem →

ONTR Token | Amount Lost: $98.3K

On May 28th, the ONTR token exploit on Ethereum mainnet resulted in a ~$98.3K loss (49.4801 WETH). The root cause was an access control flaw in the `onlyOwner` modifier, which treated a renounced owner (`owner == address(0)`) as a pass-all condition rather than a lock. After the creator renounced ownership at deployment, the attacker called `transferOwnership()` to seize the supposedly locked contract, used `desertJasper()` to stage hidden balances and `glenFlash()` to execute `ashBud()`, inflating an address balance by 1e30 base units with no change to `totalSupply` and no mint logs. The attacker then sold the fabricated tokens into the ONTR/WETH PancakeSwap pair and drained real WETH from the pool.

Press enter or click to view image in full size

Vulnerable Token: 0xf074865358b0dd039beee075831f8a2ae6b1f3f3

Transaction: 0x98f80eff0ce609606bb73cef3edfbb4c1d415ffc7676fec16f4d980c54903621

Attacker EOA: 0xE806B37A9F965bd9D54AaDf9560C78957550b760

Attacker contract: 0xd7a33e89abc1ac5b2497d9589c81784a2bc52491

Victim Pair: 0xd46d89f4675bc96328fbdeb443842cdb5fcd83fd

Read the full postmortem →

What’s a Rich Text element?

The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.

A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!

Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.

  1. Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
  2. Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.

In Brief

  • Remitano suffered a $2.7M loss due to a private key compromise.
  • GAMBL’s recommendation system was exploited.
  • DAppSocial lost $530K due to a logic vulnerability.
  • Rocketswap’s private keys were inadvertently deployed on the server.

Hacks

Hacks Analysis

Huobi  |  Amount Lost: $8M

On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in a $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that they have identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.

Exploit Contract: 0x2abc22eb9a09ebbe7b41737ccde147f586efeb6a

Ready to Shift Security Assurance In-House? Talk to Our Security Experts Today.