A security breach targeting the bridging infrastructure in the IoTeX (IOTX) ecosystem reportedly resulted in the theft of over $8 million worth of cryptocurrency. Initial findings suggest the attack stemmed not from a smart contract error, but from the compromise of a single private key.
According to on-chain data, the attacker quickly converted the compromised assets to ETH and then began bridging the funds to the Bitcoin network via THORChain. This is seen as a move to make tracing more difficult.
At the heart of the incident is the breach of the security of the EOA (Externally Owned Account) address that owns the “TransferValidatorWithPayload” contract. The acquisition of this private key allowed the attacker to change ownership of the TokenSafe and MinterPool contracts. This enabled the attacker to gain privileged access to the system and steal funds.
According to experts, there is no smart contract vulnerability or complex exploit mechanism here. A simple mint() function in the contract was making a transfer() call in token contracts. However, once ownership was gained, this function was misused and all assets were withdrawn.
According to on-chain analysis, the assets stolen in the attack include the following:
- 2,835 UNI
- 45.825 BUSD
- 13.85 million IOTX
- 8.71 PAXG
- 20.158 DAI
- 6.11 WBTC
- 635 WETH
- 1.36 million USDC
- 1.14 million USDT
In addition, the attacker minted approximately $4 million worth of CIOTX tokens via MinterPool. Analysts note that the incident was not a “contractual breach” but a direct breach of trust at the ownership layer, and that the compromise of a single key created a chain reaction.
After the incident spread on social media, the IoTeX team released an official statement. The statement indicated that the security breach was quickly addressed and the situation was brought under control. Initial assessments suggest that the potential loss is lower than the figures circulating online.
The team also announced that they are coordinating with several major cryptocurrency exchanges and working to track and freeze the attacker’s assets. They stated that updates will be shared through official channels and that users should only trust verified sources.
*This is not investment advice.