According to DeFi risk intelligence platform BlackHart, the Ethereum reward distribution system of the DeFi project Fluid was exploited, resulting in the theft of approximately $215,000 worth of assets. The attacker reportedly obtained both operational keys used for creating and approving reward lists, then registered and approved a list where only they would receive rewards, and subsequently claimed the rewards. The incident was analyzed as an operational key leak rather than a smart contract vulnerability. The stolen assets included 112,883 FLUID, 47,903 GHO, and a small amount of cbBTC, which were later exchanged for ETH and transferred via Tornado Cash. Fluid stated that the lending market, vaults, DEX, and user deposits were not affected, and they have replaced the leaked keys and moved the remaining reward funds to a secure address.
