May 30, 06:51 PM UTC — A third party attacker executed an exploit targeting the Mendi-to-Malda migrator contract: https://lineascan.build/tx/0xd62a3d483b89e38b681777804b286dec682919891924c2b13c566dfaad666ed3
The attacker leveraged a vulnerability in the migrator contract, which was intended solely to allow Mendi protocol users to migrate directly to Malda. Instead, the attacker deployed a fake Mendi Comptroller contract, enabling the attacker to mint a fraudulent Malda position and withdraw funds against it.
May 30, 06:52 PM UTC — Hypernative’s monitoring system detected the exploit and attempted to pause the markets. The Hypernative team notified the company that two operations failed. A manual pause of the network was initiated.
May 30, 07:30 PM UTC — The third party attacker carried out another malicious transaction targeting the Mendi-to-Malda migrator contract:
https://lineascan.build/tx/0x9f12f7b982ffbd90ac5944b3ab8520f7fb5a9882a0a9acf20d63f6922950e59a
May 30, 07:36 PM UTC — The full protocol was paused:
https://lineascan.build/tx/0xa9d5c00aee3be937ceada32181f0f02b9ac3d9be9b2b8c008213ca53114257fd
An investigation was initiated immediately after the pause, and the Malda community was informed via official social channels:
https://x.com/malda_xyz/status/1928545070052970928
The third party attacker directed the exploited funds to the following wallet address, which is under their control: 0x370a8Db1F020CE70E8eAB2502c739844Ca2C2910
The exploiter address was funded by ChangeNow 13 minutes prior to the initial exploit: https://lineascan.build/tx/0xaccb4b73fed508958ec8b913e8c4dabd125c15d7800d5b8c63466910df8a5c77
According to ChangeNow, the funds allegedly originated from Monero.
The attacker swapped the stolen assets to ETH on Linea utilizing SyncSwap.
Assets were bridged to Ethereum Mainnet via Stargate, using multiple transactions: https://lineascan.build/txs?a=0x370a8db1f020ce70e8eab2502c739844ca2c2910
Once on Ethereum Mainnet, the funds were sent through Tornado Cash: https://etherscan.io/address/0x370a8db1f020ce70e8eab2502c739844ca2c2910
The vulnerability originated in the Migrator.sol contract. The contract allowed the Mendi Comptroller address to be passed dynamically, rather than being hardcoded. This enabled the attacker to supply their own malicious Comptroller, mint a synthetic position on Malda, and withdraw approximately $285,000.
The Migrator contract passed Malda’s security review processes in advance of deployment. The logic gap described above had not been identified. We are committed to the long-term resilience of Malda. This incident has deepened our resolve to enhance and implement additional cyber security procedures and review processes to ensure the ongoing safety of the protocol and its users. We also continue to deepen our coordination with our monitoring and audit partners to proactively strengthen the protocol’s security and reinforce its resilience through continuous evaluation and improvement.
Importantly, the exploit was isolated to the migrator contract. There was no compromise of core lending logic and no vulnerabilities identified in the zk-proof infrastructure.
We are collaborating with leading blockchain forensics firms to monitor attacker wallets and track asset flows across chains.
All relevant addresses and transaction data have been shared with appropriate law enforcement agencies, and we continue to cooperate with those investigations.
We remain committed to pursuing all lawful avenues for fund recovery.
Following the exploit, a public on-chain message was posted offering a 10% white hat bounty in exchange for the voluntary return of 90% of the stolen funds:
https://lineascan.build/tx/0xd62a3d483b89e38b681777804b286dec682919891924c2b13c566dfaad666ed3
As of the June 4, 19:00 UTC deadline, no funds were returned and no contact was made. The white hat window is closed.
The immediate fix involved updating the migrator parameter to an empty contract. Transaction hash:
https://lineascan.build/tx/0xd62a3d483b89e38b681777804b286dec682919891924c2b13c566dfaad666ed3
A more robust long-term fix will involve hardcoding both the Mendi Comptroller and Malda operator addresses.
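To make the root cause and the long-term fix concrete, the following is an added illustration and not Malda's Migrator.sol or Mendi's code. The interfaces (IComptroller, IMaldaOperator), the function names (collateralOf, creditMigrated, migrate) and the position-booking flow are assumptions chosen only to show the pattern the report describes: a migrator that reads balances from a Comptroller address chosen by the caller, beside one whose Comptroller and operator addresses are fixed at deployment and cannot be substituted per call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Interfaces and function
// names below are hypothetical stand-ins for the Mendi Comptroller and
// the Malda operator.

// Hypothetical view of a user's collateral on the source protocol.
interface IComptroller {
    function collateralOf(address user, address market) external view returns (uint256);
}

// Hypothetical sink that books the migrated position on the target protocol.
interface IMaldaOperator {
    function creditMigrated(address user, address market, uint256 amount) external;
}

/// Weak pattern: the Comptroller is a call argument. Whatever contract is
/// passed becomes the source of truth for the amount that gets credited,
/// so nothing binds it to the genuine Mendi Comptroller.
contract MigratorWeak {
    IMaldaOperator public immutable malda;

    constructor(IMaldaOperator _malda) {
        malda = _malda;
    }

    function migrate(IComptroller comptroller, address market) external {
        // Balance is read from a caller-chosen address (the root cause).
        uint256 amount = comptroller.collateralOf(msg.sender, market);
        malda.creditMigrated(msg.sender, market, amount);
    }
}

/// Hardened pattern: both trusted addresses are set once at deployment and
/// stored as immutables, matching the report's long-term fix of hardcoding
/// the Mendi Comptroller and Malda operator addresses.
contract MigratorHardened {
    IComptroller public immutable mendiComptroller;
    IMaldaOperator public immutable malda;

    constructor(IComptroller _mendi, IMaldaOperator _malda) {
        // Deployment-time sanity checks: both must be deployed contracts.
        require(address(_mendi).code.length > 0, "comptroller is not a contract");
        require(address(_malda).code.length > 0, "operator is not a contract");
        mendiComptroller = _mendi;
        malda = _malda;
    }

    // No address parameter: the caller can only choose the market.
    function migrate(address market) external {
        uint256 amount = mendiComptroller.collateralOf(msg.sender, market);
        require(amount > 0, "nothing to migrate");
        malda.creditMigrated(msg.sender, market, amount);
    }
}
```

In the hardened version the only caller-controlled input is the market, and the balance is always read from the Comptroller fixed at deployment. A review check that would have caught the weak pattern is to list every external call a privileged function makes and confirm the target address comes from storage set by the deployer or governance, never from calldata. The emergency measure the report describes, repointing the migrator's Comptroller parameter at an address with no code, works because a Solidity 0.8 high-level call to an address without code reverts, so no position can be credited until the parameter is replaced.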
Due to the attacker’s remaining position in the protocol, unpausing is currently not feasible. As a result, the protocol will remain paused until the Malda team proposes a secure withdrawal plan to the community. A Snapshot vote will be initiated, allowing depositors to vote on the preferred method for safely accessing the remaining funds in the protocol.
Over the past days, we’ve been actively collaborating with ecosystem participants, partners, and advisors to assess the situation and determine the best path forward.
As part of these efforts, we’re preparing to introduce a recovery plan.
We’ll be hosting a livestream next week to walk through the findings, outline the next steps, and answer questions.
We are committed to transparency and the long-term integrity of the Malda protocol. We appreciate the community's patience and resilience.