Thala recovers $25.5M in crypto lost  through v1 farming vulnerability

Decentralized finance firm Thala Labs recovered $25.5 million of liquidity pool tokens stolen from one of its farming contracts after the hacker was tracked down by law enforcement and crypto sleuths.

In a post on Nov. 16, Thala revealed it had suffered a “security breach” on Nov. 15 due to an “isolated vulnerability” related to its v1 farming contracts, which allowed the hacker to withdraw liquidity tokens.

Thala said it immediately paused all relevant contracts and froze $11.5 million worth of Thala-related assets and was able to identify the hacker. “With the help of law enforcement, Seal 911, Ogle, and others, we were able to quickly identify the exploiter,” Thala said.

The hacker handed the funds back six hours after the incident, crypto sleuth Ogle said. Thala said it negotiated a $300,000 bounty with the hacker in exchange for the full return of user assets. Details of the attacker’s identity weren’t disclosed.

Thala stressed that “affected users require no further action, and positions will be made 100% whole.”

Hackers, Police, Cybersecurity
Source: Thala Labs

Access to Thala’s front end is live again. However, farming is still paused and users are unable to stake and unstake positions until Thala conducts an “extensive review” and re-audit of the protocol’s codebase.

The attack involved Thala’s integration with Move, a network of modular blockchains built by Movement Labs, Thala’s CEO Adam Cader noted in a Nov. 16 X post.

“It’s inevitable some security issues may happen in the future on Move, but why we’re all building here is for these to occur at a far far less frequency and severity and trend to 0 over time as adjacent tooling gets stronger.”

Thala is one of the most prominent DeFi platforms on the Aptos layer-1 blockchain.

The THL token has tanked about 35% to $0.51 since the incident occurred, according to CoinGecko.

About $2.5 million worth of THL tokens were stolen in the exploit, while another $9 million came from Thala’s Move Dollar (MOD) stablecoin.

Meanwhile, the total value locked on Thala fell from $240 million on Nov. 15 to $195.6 million at the time of writing, DefiLlama data shows.

Hackers, Police, Cybersecurity
Thala protocol’s change in TVL since April 2023. Source: DefiLlama

Almost $130 million was snatched from victims in October, with the bulk coming from exploits, blockchain security firm CertiK reported.

The biggest incident in October involved lending protocol Radiant Capital, which lost about $54 million.

About $460 million was stolen by hackers across 28 incidents in the preceding three months in Q3 2024, according to cybersecurity company Hacken.

Main, News

Leave a Reply

Your email address will not be published. Required fields are marked *