<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?action=history&amp;feed=atom&amp;title=Malda_Protocol_Migrator_Contract_Fake_Comptroller_Drain</id>
	<title>Malda Protocol Migrator Contract Fake Comptroller Drain - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?action=history&amp;feed=atom&amp;title=Malda_Protocol_Migrator_Contract_Fake_Comptroller_Drain"/>
	<link rel="alternate" type="text/html" href="https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Malda_Protocol_Migrator_Contract_Fake_Comptroller_Drain&amp;action=history"/>
	<updated>2026-06-10T13:47:15Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.39.1</generator>
	<entry>
		<id>https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Malda_Protocol_Migrator_Contract_Fake_Comptroller_Drain&amp;diff=6781&amp;oldid=prev</id>
		<title>Azoundria: Created page with &quot;{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/maldaprotocolmigratorcontractfakecomptrollerdrain.php}} {{Unattributed Sources}}  Malda Protocol Logo/HomepageMalda, formerly known as Mendi Finance, is a cross-chain DeFi lending platform that unifies Ethereum and Layer 2 assets into a single, seamless lending experience powered by zero-knowledge proofs and zkMachine Learning risk models. Despite rigorou...&quot;</title>
		<link rel="alternate" type="text/html" href="https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Malda_Protocol_Migrator_Contract_Fake_Comptroller_Drain&amp;diff=6781&amp;oldid=prev"/>
		<updated>2025-06-16T22:42:18Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/maldaprotocolmigratorcontractfakecomptrollerdrain.php}} {{Unattributed Sources}}  &lt;a href=&quot;/cryptocurrencyhackscamfraudwiki/index.php?title=File:Maldaprotocol.jpg&quot; title=&quot;File:Maldaprotocol.jpg&quot;&gt;thumb|Malda Protocol Logo/Homepage&lt;/a&gt;Malda, formerly known as Mendi Finance, is a cross-chain DeFi lending platform that unifies Ethereum and Layer 2 assets into a single, seamless lending experience powered by zero-knowledge proofs and zkMachine Learning risk models. Despite rigorou...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/maldaprotocolmigratorcontractfakecomptrollerdrain.php}}&lt;br /&gt;
{{Unattributed Sources}}&lt;br /&gt;
&lt;br /&gt;
[[File:Maldaprotocol.jpg|thumb|Malda Protocol Logo/Homepage]]Malda, formerly known as Mendi Finance, is a cross-chain DeFi lending platform that unifies Ethereum and Layer 2 assets into a single, seamless lending experience powered by zero-knowledge proofs and zkMachine Learning risk models. Despite rigorous audits and real-time monitoring, the protocol suffered an exploit when an attacker used a fake Comptroller contract and a vulnerability in the Migrator.sol contract to fraudulently mint a position and steal approximately $285,000. While the core lending and zk infrastructure remained secure, the exploit prompted a manual network pause and a temporary halt of the protocol. Funds were laundered through various means, and although Malda offered a 10% white-hat bounty, the attacker did not respond by the June 4 deadline. The team has since disabled the vulnerable contract, notified authorities, and is actively working on a recovery and user compensation plan, which will be presented via a community livestream and voted on through a Snapshot proposal.&amp;lt;ref name=&amp;quot;maldaxyztweet1-20198&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldaxyztweet2-20199&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;etherscanbountyidm-20200&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldaxyztweet3-20201&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldaxyztweet4-20202&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldaxyztweet5-20203&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldaxyztweet6-20204&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldapostmortem-20205&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;lineascantransaction-20206&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;lineascanexploit-20207&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldahomepage-20208&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;maldadocs-20209&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== About Malda Protocol ==&lt;br /&gt;
Malda (formerly Mendi Finance) is a next-generation DeFi lending protocol that offers unified, cross-chain lending and borrowing experiences across Ethereum and its Layer 2 ecosystems. Designed for seamless interoperability, Malda allows users to lend, borrow, repay, and withdraw assets across chains through a single platform—eliminating the friction of managing fragmented assets or switching networks. At the core of its offering is a unified global liquidity pool with a single, consistent interest rate, simplifying user interaction and maximizing capital efficiency.&lt;br /&gt;
&lt;br /&gt;
The platform’s security and interoperability are powered by advanced zero-knowledge (zk) technology. Malda employs off-chain zkProofs to ensure Ethereum-grade protection while enabling asynchronous, secure interactions across chains. Further enhancing its safety and transparency, Malda is pioneering the first zkMachine Learning-based risk management system in DeFi. This system will progressively become part of the protocol, delivering fully open-source, on-chain verified computations for risk assessment.&lt;br /&gt;
&lt;br /&gt;
Malda has undergone thorough security audits by firms like Veridise and is actively monitored in real-time by platforms such as Hypernative to prevent attacks and ensure robust protocol integrity. The protocol also features a points-based reward system where users earn incentives for depositing and borrowing, with boosted multipliers for borrowers. High APYs on supported assets like ezETH, wrsETH, and weETH make Malda an attractive platform for users seeking both yield and innovative, cross-chain DeFi functionality.&lt;br /&gt;
&lt;br /&gt;
== The Reality ==&lt;br /&gt;
This section is included if a case involved deception or information that was unknown at the time. Examples include:&lt;br /&gt;
&lt;br /&gt;
* When the service was actually started (if different from the &amp;quot;official story&amp;quot;).&lt;br /&gt;
* Who actually ran a service and their own personal history.&lt;br /&gt;
* How the service was structured behind the scenes. (For example, there was no &amp;quot;trading bot&amp;quot;.)&lt;br /&gt;
* Details of what audits reported and how vulnerabilities were missed during auditing.&lt;br /&gt;
&lt;br /&gt;
== What Happened ==&lt;br /&gt;
An attacker exploited a vulnerability in Malda’s Migrator.sol contract by using a fake Comptroller to mint a fraudulent position and withdraw ~$285,000.&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|+Key Event Timeline - Malda Protocol Migrator Contract Fake Comptroller Drain&lt;br /&gt;
!Date&lt;br /&gt;
!Event&lt;br /&gt;
!Description&lt;br /&gt;
|-&lt;br /&gt;
|May 30th, 2025 12:51:00 PM MDT&lt;br /&gt;
|Attack Transaction&lt;br /&gt;
|The attack transaction on the Linea blockchain.&lt;br /&gt;
|-&lt;br /&gt;
|May 30th, 2025 2:12:00 PM MDT&lt;br /&gt;
|Malda Posts Notice Of Attack&lt;br /&gt;
|Malda posts a report that a contract has been compromised, prompting the immediate pause of all contracts. Users are strongly advised not to interact with any contracts until further notice. The team is actively investigating the issue and will share updates as more information becomes available.&lt;br /&gt;
|-&lt;br /&gt;
|May 31st, 2025 7:54:00 AM MDT&lt;br /&gt;
|Further Update From Malda&lt;br /&gt;
|Malda provides a further update that the ongoing investigation has confirmed that Mendi contracts remain secure and were not affected by the incident. Malda operations continue to be paused as a precaution while the investigation proceeds to ensure there is no further risk to users. A full postmortem will be shared upon completion of the investigation, and additional updates will be provided as they become available.&lt;br /&gt;
|-&lt;br /&gt;
|June 1st, 2025 1:14:11 PM MDT&lt;br /&gt;
|Immediate Fix Implemented&lt;br /&gt;
|Malda implements an immediate fix on the blockchain, which updates the migrator parameter to point at an empty contract.&lt;br /&gt;
|-&lt;br /&gt;
|June 1st, 2025 3:39:00 PM MDT&lt;br /&gt;
|Another Malda Update Posted&lt;br /&gt;
|Malda further reports that a comprehensive investigation is actively underway in collaboration with leading cybersecurity experts, and relevant government authorities have been notified. The team reiterates that Mendi contracts remain secure and unaffected, while Malda remains paused out of an abundance of caution. The community's patience is deeply appreciated, and a full post-mortem will be released upon completion of the investigation. Additional updates will be provided as they become available.&lt;br /&gt;
|-&lt;br /&gt;
|June 3rd, 2025 1:05:35 PM MDT&lt;br /&gt;
|Bounty Offered To Attacker&lt;br /&gt;
|Malda offers a bounty to &amp;quot;those responsible for the recent exploit&amp;quot;. &amp;quot;If you voluntarily return the funds, this will be treated as a white-hat recovery. The deadline for completing the return is 4 June, 19:00 UTC.&amp;quot; The bounty is also posted on Twitter/X.&lt;br /&gt;
|-&lt;br /&gt;
|June 5th, 2025 3:02:00 PM MDT&lt;br /&gt;
|Another Community Update Provided&lt;br /&gt;
|Malda provides yet another update that the 10% white-hat bounty window has officially closed without any contact from the exploiter. The Malda team, in coordination with cybersecurity experts, continues to work diligently to conclude the investigation. A full post-mortem will be shared with the community once the investigation is complete.&lt;br /&gt;
|-&lt;br /&gt;
|June 6th, 2025 2:29:00 PM MDT&lt;br /&gt;
|Still Nothing About Reimbursement&lt;br /&gt;
|Malda tweets again, still without any mention of any possible reimbursement. The team states that they are continuing to work closely with cybersecurity experts and ecosystem partners to advance the investigation. While the process is still ongoing, efforts are focused on concluding the investigation and preparing a comprehensive post-mortem. Mendi contracts remain unaffected and fully operational, while Malda will stay paused during the investigation.&lt;br /&gt;
|-&lt;br /&gt;
|June 10th, 2025 11:57:00 AM MDT&lt;br /&gt;
|Malda Shares Post-Mortem&lt;br /&gt;
|Malda shares another update which includes a post-mortem. On May 30th, a malicious actor exploited Malda’s Mendi-to-Malda migrator contract, though the core lending logic and zk-proof infrastructure remained unaffected. A detailed post-mortem has been released, and the team is actively collaborating with ecosystem partners on a recovery plan, which will be presented in a livestream next week.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== Technical Details ==&lt;br /&gt;
The attacker created a fake Mendi Comptroller contract to mint a fraudulent Malda position, ultimately withdrawing approximately $285,000. The exploit was first detected by Hypernative’s monitoring system, and although initial automatic pause attempts failed, a manual pause of the network was successfully executed shortly after. The protocol remains paused as a result.&lt;br /&gt;
&lt;br /&gt;
The root cause of the exploit was traced to the Migrator.sol contract, which permitted the Comptroller address to be passed dynamically instead of being hardcoded. This oversight passed through prior security reviews undetected. Malda confirmed that the exploit was isolated to this contract—core lending logic and zk-proof infrastructure were not compromised.&lt;br /&gt;
&lt;br /&gt;
Following the attack, the exploiter transferred funds through various obfuscation methods, including bridging assets to Ethereum and laundering them through Tornado Cash. The attacker’s funding source was traced back to ChangeNow and allegedly originated from Monero. Law enforcement agencies have been notified and are working alongside blockchain forensic firms to track the attacker’s activity.&lt;br /&gt;
&lt;br /&gt;
== Total Amount Lost ==&lt;br /&gt;
The total lost was estimated at $281k by SlowMist; however, the Malda protocol has published a figure of $285k.&lt;br /&gt;
&lt;br /&gt;
The total amount lost has been estimated at $285,000 USD.&lt;br /&gt;
&lt;br /&gt;
== Immediate Reactions ==&lt;br /&gt;
Malda posted a series of simple updates to Twitter/X.&lt;br /&gt;
&lt;br /&gt;
As part of immediate remediation, the migrator contract was disabled, and a long-term fix is planned that will include hardcoding critical addresses.&lt;br /&gt;
&lt;br /&gt;
== Ultimate Outcome ==&lt;br /&gt;
An investigation by Malda in collaboration with other security experts is underway to thoroughly assess the recent contract compromise. Relevant government authorities have been informed, and Malda remains paused as a precautionary measure. Mendi contracts have been confirmed secure and were not impacted.&lt;br /&gt;
&lt;br /&gt;
A 10% white-hat bounty was publicly offered to the exploiter in exchange for the return of 90% of the funds, but no response was received by the June 4th deadline.&lt;br /&gt;
&lt;br /&gt;
&amp;quot;To those responsible for the recent exploit: We are offering a 10% bounty, which you may keep if you voluntarily return the remaining 90% of the stolen funds. If you voluntarily return the funds, this will be treated as a white-hat recovery. The deadline for completing the return is 4 June, 19:00 UTC.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
There was no response received from &amp;quot;those responsible&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
== Total Amount Recovered ==&lt;br /&gt;
Malda is reportedly still working on a recovery plan for affected users, which will be announced through Discord.&lt;br /&gt;
&lt;br /&gt;
There do not appear to have been any funds recovered in this case.&lt;br /&gt;
&lt;br /&gt;
== Ongoing Developments ==&lt;br /&gt;
The team appreciates the community’s patience. Looking ahead, Malda is collaborating with partners and advisors on a recovery plan, which will be shared with the community via a livestream next week. Unpausing the protocol is not currently viable due to remaining exposure; instead, a Snapshot vote will be held for depositors to decide how to safely access remaining funds.&lt;br /&gt;
&lt;br /&gt;
== Individual Prevention Policies ==&lt;br /&gt;
{{Prevention:Individuals:Placeholder}}&lt;br /&gt;
&lt;br /&gt;
{{Prevention:Individuals:End}}&lt;br /&gt;
&lt;br /&gt;
== Platform Prevention Policies ==&lt;br /&gt;
{{Prevention:Platforms:Placeholder}}&lt;br /&gt;
&lt;br /&gt;
{{Prevention:Platforms:End}}&lt;br /&gt;
&lt;br /&gt;
== Regulatory Prevention Policies ==&lt;br /&gt;
{{Prevention:Regulators:Placeholder}}&lt;br /&gt;
&lt;br /&gt;
{{Prevention:Regulators:End}}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;ref name=&amp;quot;maldaxyztweet1-20198&amp;quot;&amp;gt;[https://twitter.com/malda_xyz/status/1928545070052970928 Malda Finance - &amp;quot;A Malda contract has been compromised. All contracts have been paused. Please do not interact with any contracts until further notice. We’re actively investigating and will provide updates as they become available.&amp;quot; - Twitter/X] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldaxyztweet2-20199&amp;quot;&amp;gt;[https://twitter.com/malda_xyz/status/1928812207770579039 Malda Finance - &amp;quot;Current investigation status update: Mendi contracts are secure; they were not affected. Malda is currently paused pending the on-going investigation and to ensure that there is currently no further risk to users. A postmortem will also be provided when the investigation is completed.  Additional updates will be provided in a timely manner.&amp;quot; - Twitter/X] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;etherscanbountyidm-20200&amp;quot;&amp;gt;[https://etherscan.io/tx/0x4726b4b0965e51868cb40db405ccf6b1e193650769ad14c005d89b1810fadb1a Malda Finance - &amp;quot;To those responsible for the recent exploit: We are offering a 10% bounty, which you may keep if you voluntarily return the remaining 90% of the stolen funds. If you voluntarily return the funds, this will be treated as a white-hat recovery. The deadline for completing the return is 4 June, 19:00 UTC.&amp;quot; - Etherscan] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldaxyztweet3-20201&amp;quot;&amp;gt;[https://twitter.com/malda_xyz/status/1929981145065676942 Malda Finance - &amp;quot;We are offering a 10% white-hat bounty for the voluntary return of funds. This offer is valid until 4 June, 19:00 UTC.&amp;quot; - Twitter/X] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldaxyztweet4-20202&amp;quot;&amp;gt;[https://twitter.com/malda_xyz/status/1930732050832572752 Malda Finance - &amp;quot;The 10% white-hat bounty window has been closed as no contact has been made by the exploiter. Our team, in coordination with cybersecurity experts continues to work diligently to conclude the investigation.&amp;quot; - Twitter/X] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldaxyztweet5-20203&amp;quot;&amp;gt;[https://twitter.com/malda_xyz/status/1931086175051071986 Malda Finance - &amp;quot;As mentioned in our previous announcement, we are continuing to work closely with cybersecurity experts and ecosystem partners to move the investigation forward.&amp;quot; - Twitter/X] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldaxyztweet6-20204&amp;quot;&amp;gt;[https://twitter.com/malda_xyz/status/1932497463426101474 Malda Finance - &amp;quot;On May 30th, a malicious actor exploited Malda’s Mendi-to-Malda migrator contract. The core lending logic and zk-proof infra were unaffected.&amp;quot; - Twitter/X] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldapostmortem-20205&amp;quot;&amp;gt;[https://mirror.xyz/0x4Da818DD3aAfb9D042a76B5037cdBa61533C7692/yhFSyxCImJ23OD00vb2GQ0JmbcBkX2CO4V2t_29ykIA May 30th Incident: Post Mortem - Malda Finance] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;lineascantransaction-20206&amp;quot;&amp;gt;[https://lineascan.build/tx/0xd62a3d483b89e38b681777804b286dec682919891924c2b13c566dfaad666ed3 Deployment Of Immediate Fix - LineaScan] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;lineascanexploit-20207&amp;quot;&amp;gt;[https://lineascan.build/tx/0x9f12f7b982ffbd90ac5944b3ab8520f7fb5a9882a0a9acf20d63f6922950e59a One Of The Exploit Transactions - LineaScan] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldahomepage-20208&amp;quot;&amp;gt;[https://malda.xyz/ Malda Homepage] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;ref name=&amp;quot;maldadocs-20209&amp;quot;&amp;gt;[https://docs.malda.xyz/ Docs - Malda Homepage] (Accessed Jun 12, 2025)&amp;lt;/ref&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Azoundria</name></author>
	</entry>
</feed>