
Foom Cash recovered $1.84 million of the $2.26 million stolen in a smart contract exploit after a white hat hacker intervened to secure funds before further losses occurred.
The decentralised lottery protocol, which uses zero-knowledge proofs, said the breach stemmed from a misconfiguration in its Groth16 verifier during deployment.
“By honoring their bug bounty policy, @foomclub_ has proven that they take protocol security seriously and value the researchers helping them,” said white hat hacker Duha.
Foom said the exploit was caused by a “fatal” oversight during the Phase 2 trusted setup process, where a missing command-line interface step left key parameters unrandomised and allowed forged proofs to be accepted.
Duha secured vulnerable funds on Base before malicious actors could access them, while crypto security firm Decurity led recovery efforts on Ethereum.
Foom awarded Duha a $320,000 bounty and paid Decurity a $100,000 security fee for assisting in the response and fund retrieval.
The incident highlights the growing role of ethical hackers in decentralised finance, as coordinated white hat groups such as SEAL increasingly step in to mitigate damage from protocol vulnerabilities and cross-chain exploits.