Gravity Bridge, TOP, ATM, and ONTR: $6.2M Across Four Exploits
One stolen key and three code-level flaws. Gravity Bridge ($5.4M) traces to a compromised validator signing key, not a contract bug. TOP ($472K) inflated supply through an uncapped mint, ATM ($243.5K) drained liquidity through a swap buried in its transfer logic, and ONTR ($98.3K) let an attacker seize a renounced contract through a broken owner check.
In Brief
Gravity Bridge lost $5.4M due to a compromised validator signing key.
Token of Power (TOP) lost $472K due to an uncapped mint that let an attacker inflate supply without bound.
ATM Token lost $243.5K due to an unbounded auto-swap embedded in its transfer logic.
ONTR Token lost $98.3K due to an access control flaw that treated a renounced owner as a pass-all.
Hacks Analysis
Gravity Bridge | Amount Lost: $5.4M
On May 30th, the Gravity Bridge exploit on Ethereum mainnet resulted in a ~$5.4M loss. The root cause was not a smart contract flaw but a compromised validator signing key. Gravity Bridge locks assets on Ethereum and authorizes withdrawals based on validator signatures, so the contract treats any sufficiently signed withdrawal as legitimate. The attacker obtained the signing key and submitted forged withdrawal requests that the contract verified as valid, draining roughly $4.3M USDC, 274 WETH (~$553K), $434K USDT, and 14.16 PAXG (~$64K). The attacker laundered a portion through ChangeNow and Binance and still holds around 2,100 ETH.
On June 9th, the Token of Power (TOP) exploit on Ethereum drained roughly 944 ETH gross (about $1.58M), with a net loss near 281 WETH (about $472K) after backing out the attacker’s own acquisition cost. The attacker acquired a governance majority through TOP’s own Balancer V1 pool, then pushed a single governance action through to the TokenManager — which minted 10 billion TOP to the attacker, dumped for WETH and laundered through Tornado Cash.
At the center of the loss is an uncapped self-mint: the mint path in TokenManager.issue() calls generateTokens() with no max-supply check, so any holder of the minting privilege can inflate supply without bound. Olympix’s BugPocer scan flags this directly as missing_mint_cap — the code-level flaw that made the supply inflation possible, caught by static analysis before it ever reaches mainnet.
Press enter or click to view image in full size
TOP Token: 0x0EBD5eC91680d3B0CEDbb1d5BB61851154D3eDb6
On June 4th, the ATM token exploit on BNB Chain resulted in a ~$243.5K loss. The root cause was a flaw in the token’s custom `transferFrom()`, which embedded a DEX swap directly in the transfer path: on every transfer the function automatically converted 20% of the transferred ATM into BSC-USD through a router. The implementation did not properly bound this behavior, so the attacker repeatedly triggered transfers to invoke the swap over and over, extracting far more BSC-USD than the transfers warranted and draining roughly $243,500 from the contract.
On May 28th, the ONTR token exploit on Ethereum mainnet resulted in a ~$98.3K loss (49.4801 WETH). The root cause was an access control flaw in the `onlyOwner` modifier, which treated a renounced owner (`owner == address(0)`) as a pass-all condition rather than a lock. After the creator renounced ownership at deployment, the attacker called `transferOwnership()` to seize the supposedly locked contract, used `desertJasper()` to stage hidden balances and `glenFlash()` to execute `ashBud()`, inflating an address balance by 1e30 base units with no change to `totalSupply` and no mint logs. The attacker then sold the fabricated tokens into the ONTR/WETH PancakeSwap pair and drained real WETH from the pool.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in a $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that they have identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.