CoinVoice has recently learned that the 0G Foundation posted on the X platform stating that a targeted attack compromised its reward contract. The attacker exploited the emergency withdrawal function of the 0G reward contract used for distributing alliance rewards, stealing 520,010 $0G tokens, which were then bridged and dispersed through Tornado Cash.
The attacker obtained the leaked private key from the Alibaba Cloud instance, which is responsible for managing NFT status and reward updates, and stored the private key locally. A serious vulnerability in Next.js (CVE-2025-66478) was exploited on December 5, leading to the compromise of multiple Alibaba Cloud instances. The attacker moved laterally through internal IP addresses, affecting services including calibration services, validator nodes, Gravity NFT services, node sales services, computation, Aiverse, Perpdex, Ascend, and more. Total confirmed losses: 520,010 $0G, 9.93 ETH, and 4200 USDT. Core chain infrastructure and user funds were not affected, except for the reward distribution contract. [Original link]
