What a busy autumn it is.
0G Foundation: Contract attacked, resulting in 520,000 0G stolen.
0G Foundation announced on platform X that on December 11, a targeted attack compromised its reward contract.
The attacker exploited the emergency withdrawal function of the 0G reward contract used for distributing alliance rewards, stealing 520,010 0G tokens, which were then bridged and dispersed through Tornado Cash.
The attacker obtained a leaked private key from an Alibaba Cloud instance responsible for managing NFT status and reward updates, which stored the private key locally.
Due to a serious vulnerability in Next.js (CVE-2025-66478) exploited on December 5, multiple Alibaba Cloud instances were compromised. The attacker moved laterally via internal IP addresses, affecting services including calibration services, validator nodes, Gravity NFT services, node sales services, computation, Aiverse, Perpdex, Ascend, and more.
Confirmed total losses: 520,010 0G, 9.93 ETH, and 4,200 USDT. Apart from the reward distribution contract, core chain infrastructure and user funds were not affected.




