Gushiken Yona
A blog post published September 21 by Shiba Inu core developer Kaal Dhairya details the technical specifics of a security exploit on the Shibarium bridge, confirming an attacker used unauthorized validator power on September 12 to maliciously withdraw assets and outlining an ongoing investigation with external security specialists. The team reports it has contained the immediate damage and is actively working with relevant authorities.
Key Points:
- An attacker used compromised validator signing power to push a malicious exit through the Proof-of-Stake bridge on September 12.
- Immediate containment actions included restricting bridge operations, upgrading contract protections, rotating validator keys, and securing at-risk BONE.
- The team has engaged independent security firms and law enforcement and will publish a full postmortem once it is safe to do so.
Incident Details Revealed
According to the latest blog, the Shibarium bridge exploit occurred at 18:44 UTC on September 12. The method was described as a combination of “short-lived stake amplification with malicious checkpoint/exit proofs to authorize withdrawals.” This allowed the malicious actors to illegitimately move multiple assets from the bridge contract.
Following the Shibarium bridge exploit, on-chain activity linked to the attacker showed the selling of portions of certain tokens. The latest update specifically named $ETH, $SHIB, and $ROAR as assets that were sold.
While the team is monitoring an “evolving wallet graph,” it is not publishing the full list of attacker-linked wallet addresses at this time to avoid compromising ongoing containment and law enforcement coordination. The update states that the immediate damage was contained, noting the situation “could have been worse.”
Related: How to Create a Safe, Low-Cost Home Crypto Mining Setup That Works
Immediate Defensive Actions
Dhairya’s latest update, moreover provides a detailed list of containment measures the Shiba Inu core development team executed immediately following the incident. These actions were broken down into several categories.
- Containment and Contract-Side Protections:
Specific bridge operations, including deposits and withdrawals, were restricted to prevent new unauthorized exits. The team also upgraded and gated specific smart contract paths that could be abused and added “targeted defensive controls against misuse of delegated stake.” - Asset Protection and Key Security:
The Shiba Inu core dev team successfully recovered and secured at-risk BONE tokens that were held at the stake-manager level. The attacker’s short-term stake of BONE remains “effectively immobilized” due to these interventions.
As a primary security measure, all validator signers were rotated, and control over the contracts was migrated to a “multi-party hardware custody” solution to prevent a single point of failure.
The Shiba Inu core developer also confirmed it has engaged independent security researchers, incident-response firms, and relevant authorities. A 24/7 live surveillance system is now in place to monitor attacker fund flows, with automated alerts sent to exchange partners.
Related: Zama to Launch First-Ever Private Token Auction on Live Blockchain
A full technical postmortem will be released, with Dhairya stating in the latest update that it will be published only “when it no longer increases risk” to the investigation.
Follow on X
Follow on Instagram
Read More
- Florida Court Lets $80M Binance Bitcoin Lawsuit Move Forward
- US CFTC Approves Spot Crypto Trading on Regulated Exchanges
- OpenAI Must Hand Over Millions of ChatGPT Logs in Copyright Case
- Sam Altman Eyes Rocket Company, Taking on Elon Musk’s SpaceX Ambitions
- 7 Reasons Gas Fees Rise and How It Affects Everyday Web3 Users
YONA GUSHIKEN
Yona brings a decade of experience covering gaming, tech, and blockchain news. As one of the few women in crypto journalism, her mission is to demystify complex technical subjects for a wider audience. Her work blends professional insight with engaging narratives, aiming to educate and entertain.
