$285 000 USD

MAY 2025

GLOBAL

MALDA PROTOCOL

DESCRIPTION OF EVENTS

Malda (formerly Mendi Finance) is a next-generation DeFi lending protocol that offers unified, cross-chain lending and borrowing experiences across Ethereum and its Layer 2 ecosystems. Designed for seamless interoperability, Malda allows users to lend, borrow, repay, and withdraw assets across chains through a single platform—eliminating the friction of managing fragmented assets or switching networks. At the core of its offering is a unified global liquidity pool with a single, consistent interest rate, simplifying user interaction and maximizing capital efficiency.


The platform’s security and interoperability are powered by advanced zero-knowledge (zk) technology. Malda employs off-chain zkProofs to ensure Ethereum-grade protection while enabling asynchronous, secure interactions across chains. Further enhancing its safety and transparency, Malda is pioneering the first zkMachine Learning-based risk management system in DeFi. This system will progressively become part of the protocol, delivering fully open-source, on-chain verified computations for risk assessment.


Malda has undergone thorough security audits by firms like Veridise and is actively monitored in real-time by platforms such as Hypernative to prevent attacks and ensure robust protocol integrity. The protocol also features a points-based reward system where users earn incentives for depositing and borrowing, with boosted multipliers for borrowers. High APYs on supported assets like ezETH, wrsETH, and weETH make Malda an attractive platform for users seeking both yield and innovative, cross-chain DeFi functionality.


The attacker created a fake Mendi Comptroller contract to mint a fraudulent Malda position, ultimately withdrawing approximately $285,000. The exploit was first detected by Hypernative’s monitoring system, and although initial automatic pause attempts failed, a manual pause of the network was successfully executed shortly after. The protocol remains paused as a result.


The root cause of the exploit was traced to the Migrator.sol contract, which permitted the Comptroller address to be passed dynamically instead of being hardcoded. This oversight passed through prior security reviews undetected. Malda confirmed that the exploit was isolated to this contract—core lending logic and zk-proof infrastructure were not compromised.


Following the attack, the exploiter transferred funds through various obfuscation methods, including bridging assets to Ethereum and laundering them through Tornado Cash. The attacker’s funding source was traced back to ChangeNow and allegedly originated from Monero. Law enforcement agencies have been notified and are working alongside blockchain forensic firms to track the attacker’s activity.


The total loss was estimated at $281k by SlowMist; however, the Malda protocol has published a figure of $285k.


Malda posted a series of simple updates to Twitter/X.


As part of immediate remediation, the migrator contract was disabled, and a long-term fix is planned that will include hardcoding critical addresses.
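The root cause described above (a Comptroller address accepted as a call argument) and the planned fix (hardcoding critical addresses) are easiest to see side by side. The following is an added illustration written for this page, not Malda's Migrator.sol or Mendi's code: the Comptroller interface is assumed to be Compound-style (`getAccountLiquidity`), the `IMalda.creditMigratedPosition` hook is a hypothetical stand-in for whatever the real migrator calls, and the contract names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts only (added example): not Malda's Migrator.sol. The
// interfaces are assumed Compound-style shapes, not the real Mendi/Malda ABI.

interface IComptroller {
    // Assumed view: returns (errorCode, excess liquidity, shortfall) for an account.
    function getAccountLiquidity(address account)
        external view returns (uint256, uint256, uint256);
}

interface IMalda {
    // Hypothetical hook that credits a migrated position on the new protocol.
    function creditMigratedPosition(address account, uint256 amount) external;
}

/// Vulnerable pattern: the contract that attests to the legacy position is chosen
/// by the caller. Any address implementing IComptroller can report an arbitrary
/// balance, so the check below does not actually prove a Mendi position exists.
contract MigratorUnsafe {
    IMalda public immutable malda;

    constructor(IMalda _malda) { malda = _malda; }

    function migrate(address comptroller, uint256 amount) external {
        (, uint256 liquidity, ) =
            IComptroller(comptroller).getAccountLiquidity(msg.sender);
        require(liquidity >= amount, "insufficient legacy position");
        malda.creditMigratedPosition(msg.sender, amount);
    }
}

/// Hardened pattern: the trusted Comptroller is fixed at deployment (immutable),
/// verified to be a deployed contract, and never taken as a call argument. A kill
/// switch lets operators stop migrations, matching the "migrator contract was
/// disabled" step in the incident response.
contract MigratorSafe {
    IComptroller public immutable MENDI_COMPTROLLER;
    IMalda public immutable malda;
    address public immutable owner;
    bool public enabled = true;

    event MigratorDisabled(address indexed by);

    constructor(IComptroller _comptroller, IMalda _malda) {
        require(address(_comptroller).code.length > 0, "comptroller is not a contract");
        require(address(_malda).code.length > 0, "malda is not a contract");
        MENDI_COMPTROLLER = _comptroller;
        malda = _malda;
        owner = msg.sender;
    }

    function disable() external {
        require(msg.sender == owner, "not owner");
        enabled = false;
        emit MigratorDisabled(msg.sender);
    }

    // No address parameter: the data source cannot be substituted per call.
    function migrate(uint256 amount) external {
        require(enabled, "migrator disabled");
        (uint256 err, uint256 liquidity, uint256 shortfall) =
            MENDI_COMPTROLLER.getAccountLiquidity(msg.sender);
        require(err == 0 && shortfall == 0, "legacy account unhealthy");
        require(liquidity >= amount, "insufficient legacy position");
        malda.creditMigratedPosition(msg.sender, amount);
    }
}
```

The design point is that a trust anchor (the contract whose answer decides whether value is minted) must be bound at deployment, not chosen by the party being checked. In review, any externally supplied address that is subsequently called for a balance, price, or permission check is worth flagging as a finding regardless of how the parameter is named.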


An investigation by Malda in collaboration with other security experts is underway to thoroughly assess the recent contract compromise. Relevant government authorities have been informed, and Malda remains paused as a precautionary measure. Mendi contracts have been confirmed secure and were not impacted.


A 10% white hat bounty was publicly offered to the exploiter in exchange for the return of 90% of the funds, but no response was received by the June 4th deadline.


"To those responsible for the recent exploit: We are offering a 10% bounty, which you may keep if you voluntarily return the remaining 90% of the stolen funds. If you voluntarily return the funds, this will be treated as a white-hat recovery. The deadline for completing the return is 4 June, 19:00 UTC."


There was no response received from "those responsible".


Malda is reportedly still working on a recovery plan for affected users, which will be announced through Discord.


The team appreciates the community’s patience. Looking ahead, Malda is collaborating with partners and advisors on a recovery plan, which will be shared with the community via a livestream next week. Unpausing the protocol is not currently viable due to remaining exposure; instead, a Snapshot vote will be held for depositors to decide how to safely access remaining funds.


Explore This Case Further On Our Wiki

Malda, formerly known as Mendi Finance, is a cross-chain DeFi lending platform that unifies Ethereum and Layer 2 assets into a single, seamless lending experience powered by zero-knowledge proofs and zkMachine Learning risk models. Despite rigorous audits and real-time monitoring, the protocol suffered an exploit when an attacker used a fake Comptroller contract and a vulnerability in the Migrator.sol contract to fraudulently mint a position and steal approximately $285,000. While the core lending and zk infrastructure remained secure, the exploit prompted a manual network pause and a temporary halt of the protocol. Funds were laundered through various means, and although Malda offered a 10% white-hat bounty, the attacker did not respond by the June 4 deadline. The team has since disabled the vulnerable contract, notified authorities, and is actively working on a recovery and user compensation plan, which will be presented via a community livestream and voted on through a Snapshot proposal.

Sources And Further Reading

Malda Finance - "A Malda contract has been compromised. All contracts have been paused. Please do not interact with any contracts until further notice. We’re actively investigating and will provide updates as they become available." - Twitter/X (Jun 12)
Malda Finance - "Current investigation status update: Mendi contracts are secure; they were not affected. Malda is currently paused pending the on-going investigation and to ensure that there is currently no further risk to users. A postmortem will also be provided when the investigation is completed. Additional updates will be provided in a timely manner." - Twitter/X (Jun 12)
Malda Finance - "To those responsible for the recent exploit: We are offering a 10% bounty, which you may keep if you voluntarily return the remaining 90% of the stolen funds. If you voluntarily return the funds, this will be treated as a white-hat recovery. The deadline for completing the return is 4 June, 19:00 UTC." - Etherscan (Jun 12)
Malda Finance - "We are offering a 10% white-hat bounty for the voluntary return of funds. This offer is valid until 4 June, 19:00 UTC." - Twitter/X (Jun 12)
Malda Finance - "The 10% white-hat bounty window has been closed as no contact has been made by the exploiter. Our team, in coordination with cybersecurity experts, continues to work diligently to conclude the investigation." - Twitter/X (Jun 12)
Malda Finance - "As mentioned in our previous announcement, we are continuing to work closely with cybersecurity experts and ecosystem partners to move the investigation forward." - Twitter/X (Jun 12)
Malda Finance - "On May 30th, a malicious actor exploited Malda’s Mendi-to-Malda migrator contract. The core lending logic and zk-proof infra were unaffected." - Twitter/X (Jun 12)
May 30th Incident: Post Mortem - Malda Finance (Jun 12)
Deployment Of Immediate Fix - LineaScan (Jun 12)
One Of The Exploit Transactions - LineaScan (Jun 12)
Malda Homepage (Jun 12)
Docs - Malda Homepage (Jun 12)

© 2019 - 2026 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.