Fluid Reward Contract Hacked, Resulting in Approximately $215,000 in Losses

On June 1st, according to BlackHart, the reward distribution mechanism of DeFi project Fluid on Ethereum was exploited, resulting in the transfer of approximately $215,000 worth of assets. Fluid uses a Merkle reward list mechanism initiated by one key and approved by another. The attacker simultaneously controlled both operational private keys, submitted a list that only issued rewards to themselves and approved it, and then completed the claim with an empty proof. The stolen assets came from three reward distributors, including 112,883 FLUID, 47,903 GHO, and a small amount of cbBTC, which were later exchanged for ETH and transferred through Tornado Cash. Fluid's lending market, treasury, DEX, and user deposits were unaffected. The team replaced the compromised keys and transferred the remaining reward funds within approximately 10 hours. However, the public statement only mentioned a pause in reward claim updates, without detailing the private key leak or the losses.