The Fantom Foundation Hack: How $7.5M Were Stolen

The Fantom Foundation, a leading entity in the decentralized finance (DeFi) landscape, offers a blockchain platform optimized for DeFi and crypto dApps. However, it recently faced a major security breach, resulting in a $7.5M loss.

Behind the Breach

Over $7M was drained from multiple wallets associated with the Foundation. While initial reports suggested that the Foundation itself was the primary victim, further investigations revealed a different story. The breach predominantly affected an employee of the Fantom Foundation. However, the Foundation did not remain unscathed, acknowledging a direct loss of $550k.

The attackers targeted at least 12 addresses across five different chains: ETH, FTM, OP, BSC, and AVAX.

The attacker's addresses:

  1. 0x2f4f1d2c5944dba74e107d1e8e90e7c1475f4001

  2. 0x1d93c73d575b81a59ff55958afc38a2344e4f878

  3. 0xdadc0421ee1b5426fca3db22f0a94a3bad5a329d

Consolidation address: 0x0b1F29DF74A19C44745862ab018D925501FE9596

Root Cause Analysis

While the exact attack vector remains unclear, certain details have come to light. The attack seems to have been a result of a compromised password manager, possibly LastPass. The rapid draining of multiple associated addresses in quick succession lends credence to this theory.

An initial statement from a Fantom Foundation Telegram admin hinted at a "zero-day exploit on Chrome." However, as more details emerged, this explanation appeared less plausible.
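The quick-succession pattern described in this section can be turned into a monitoring rule. The following is an added example, not code from the original article or from the Fantom Foundation: it groups outgoing transfers to unfamiliar destinations into time-based sessions and flags any session that touches several monitored wallets, whatever the chain. The wallet labels, destinations, timestamps, amounts and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: wallet labels, times, amounts and destinations are invented.
# Fields: (UTC timestamp, chain, monitored source wallet, destination, USD value)
TRANSFERS = [
    ("2024-01-02T09:00:00", "ETH", "wallet-01", "exchange-deposit", 1200.0),
    ("2024-01-05T14:05:00", "FTM", "wallet-02", "0xUNKNOWN_X", 300.0),
    ("2024-01-09T02:11:00", "ETH", "wallet-01", "0xUNKNOWN_A", 50000.0),
    ("2024-01-09T02:13:00", "FTM", "wallet-02", "0xUNKNOWN_A", 20000.0),
    ("2024-01-09T02:14:30", "OP", "wallet-03", "0xUNKNOWN_B", 7000.0),
    ("2024-01-09T02:19:00", "BSC", "wallet-04", "0xUNKNOWN_B", 3000.0),
]
ALLOWLIST = {"exchange-deposit"}  # destinations the organisation already trusts


def find_drain_bursts(transfers, allowlist, max_gap=timedelta(minutes=10), min_wallets=3):
    """Group transfers to non-allowlisted destinations into sessions (events
    separated by at most max_gap) and return sessions that involve at least
    min_wallets distinct monitored wallets, regardless of chain."""
    events = sorted(
        (datetime.fromisoformat(ts), chain, src, dst, usd)
        for ts, chain, src, dst, usd in transfers
        if dst not in allowlist
    )
    sessions, current = [], []
    for event in events:
        if current and event[0] - current[-1][0] > max_gap:
            sessions.append(current)
            current = []
        current.append(event)
    if current:
        sessions.append(current)

    bursts = []
    for session in sessions:
        wallets = {src for _, _, src, _, _ in session}
        if len(wallets) >= min_wallets:
            bursts.append({
                "start": session[0][0],
                "end": session[-1][0],
                "wallets": sorted(wallets),
                "chains": sorted({chain for _, chain, _, _, _ in session}),
                "destinations": sorted({dst for _, _, _, dst, _ in session}),
                "usd": sum(usd for _, _, _, _, usd in session),
            })
    return bursts


if __name__ == "__main__":
    for burst in find_drain_bursts(TRANSFERS, ALLOWLIST):
        print(burst)
```

A single compromised key normally produces outflows from one wallet; a burst spanning many wallets and chains points to a shared secret store, which is why this rule counts distinct wallets rather than transfer volume.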

Track Record of Breaches

This isn't the first time the Fantom Foundation has been under the hacker's lens. Earlier, in February 2023, during the launch of a new stablecoin, USP, the protocol suffered a massive blow, with hackers stealing over $8.5M through a flash loan attack. Another incident in July 2023 saw the protocol temporarily pause its pools due to "suspicious activities," which later turned out to involve multiple flash loan attacks.

Lessons from the Incident

Projects are becoming increasingly aware of the risks of not appropriately securing and auditing contracts, but this hack shows once again that smart contracts are only part of a project's attack surface. It seems that well-known Web2 security practices, such as secure password management, have been forgotten. A more holistic security shift needs to happen within the industry, in which not only smart contracts are secured but also wider IT assets, including employee passwords.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit to find out more.

You build the future. We help you secure it.