0G Foundation: Contract Attacked, Resulting in 520,000 $0G Stolen

On December 13, 0G Foundation announced on the X platform that a targeted attack compromised its reward contract. The attacker exploited the emergency withdrawal function of the 0G reward contract used for distributing alliance rewards, stealing 520,010 $0G tokens, which were subsequently bridged and dispersed through Tornado Cash.

The attacker obtained leaked private keys from an Alibaba Cloud instance responsible for managing NFT status and reward updates, storing the keys locally. Multiple Alibaba Cloud instances were breached due to a serious vulnerability in Next.js (CVE-2025-66478) that was exploited on December 5. The attacker moved laterally using internal IP addresses, affecting services including calibration, validator nodes, Gravity NFT services, node sales services, computing, Aiverse, Perpdex, Ascend, and others. Confirmed total losses: 520,010 $0G, 9.93 ETH, and 4,200 USDT. Aside from the reward distribution contract, the core chain infrastructure and user funds were not affected.