Numa Money Major Collateral Loss Flash Loan Price Manipulation

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:50, 26 May 2025 by Azoundria


Numa Money is a decentralized finance protocol that creates synthetic stablecoins backed by liquid staking tokens like rETH, allowing users to mint stablecoins by burning its native $NUMA token and earn sustainable real yield through staking. On April 18, 2025, a sophisticated exploit targeted Numa’s lending system by manipulating the $NUMA token price via large long and short positions, enabling the attacker to withdraw excessive collateral and drain about 292.96 rETH before the manipulation was detected. In response, the Numa team quickly paused vulnerable functions, engaged security auditors, and launched a recovery plan involving vault injections of external funds and protocol rewards, disabling risky features like shorting $NUMA, and preparing for a secure relaunch on new chains. Numa is actively working on remediation efforts to restore the token price, compensate users, and rebuild community trust.[1][2][3][4][5][6]

About Numa Money

Numa Money is a decentralized finance (DeFi) protocol that offers synthetic assets backed by liquid staking tokens (LSTs), designed to deliver real-world asset exposure, sustainable real yield, and zero-slippage trading. Built as a non-custodial system, Numa leverages Ethereum-based staking derivatives like rETH to back its ecosystem, enabling users to mint synthetic stablecoins called nuMoney (e.g., nuUSD) by burning its native token, $NUMA.

At its core, Numa uses a burn-and-mint model to maintain transparent, on-chain collateralization. Users acquire $NUMA and burn it at a 1:1 USD value ratio to mint synthetic stablecoins. These nuMoney assets are then eligible for single-sided staking, where users can earn real yield from the staking rewards generated by underlying LSTs, such as rETH. This setup allows the protocol to offer sustainable yield without relying on inflationary incentives.

In addition to yield farming, the protocol enables zero-slippage trading between synthetic assets, offering a seamless and cost-efficient user experience. Numa’s roadmap outlines a progressive rollout of features including multiple synthetic stablecoins, staking options, and cross-chain compatibility.

Numa aims to create a robust financial layer for DeFi by bridging liquid staking rewards with synthetic asset generation—unlocking a new avenue for decentralized, real-yield financial products.

The Reality

A vulnerability in the Numa Money protocol allowed the $NUMA token price to be manipulated.

What Happened

The $NUMA token price was manipulated using flash loans, excessive borrowing, and self-liquidation to extract over 3.6 million $NUMA in protocol collateral.

Key Event Timeline - Numa Money Major Collateral Loss Flash Loan Price Manipulation

| Date | Event | Description |
| --- | --- | --- |
| April 18th, 2025 3:10:28 PM MDT | Reported Time Of Exploit | The reported time of the exploit occurring. |
| April 20th, 2025 2:34:00 AM MDT | Cyvers Alert Tweet Posted | Cyvers Alert posts a tweet on Twitter/X reporting the full loss amount. |
| April 20th, 2025 9:35:00 AM MDT | Officer CIA Tweet Posted | Officer CIA shares a tweet with basic information about the Numa Money exploit, including the time, amount, and other details. |
| April 21st, 2025 10:39:00 AM MDT | Numa Updates On Incident | Numa reports that, on April 18, 2025, it experienced a sophisticated price manipulation attack that exploited its lending functionality, resulting in the unauthorized extraction of approximately 292.96 rETH. The attacker manipulated the NUMA token price to open leveraged positions, remove collateral, and exit through the vault. In response, the Numa team, alongside auditors and security experts, paused key protocol functions to contain the incident and began a full investigation. The team is now focused on securing the platform, restoring collateral, and implementing protocol changes to prevent future exploits. A detailed recovery and remediation plan will be shared soon. |
| April 25th, 2025 2:55:00 AM MDT | Skippy Brussels Claim | Skippy Brussels claims to have reported the vulnerability before it was exploited, and to have been repeatedly ignored. |
| April 29th, 2025 12:33:00 PM MDT | Numa Money Community Update | In a recent update, Numa detailed the full scope of the April 18th exploit, where an attacker used flash loans and complex interactions between addresses to manipulate the $NUMA token price and extract over 3.6 million $NUMA from the protocol. The attacker exploited the ability to borrow more than the circulating supply and used strategic donations to the vault to influence token pricing and enable self-liquidation. Numa has since paused lending and is working with auditors to implement fixes, including disabling short positions on $NUMA ahead of the upcoming Sonic launch. To restore the token price and make users whole, the team will inject $100,000 and protocol rewards into the vault and absorb losses themselves. Lending on Arbitrum will resume after Sonic’s rollout, targeted for late May. |

Technical Details

"On April 18th at approximately 9:00PM UTC, a user was able to manipulate token prices to create excess personal gain. This resulted in unintended profit of approximately 292.96 rETH in protocol assets."

The exploit that affected the Numa protocol on April 18, 2025, was a targeted and complex manipulation of the lending system, centered around the price dynamics of the NUMA token. The attacker took advantage of a vulnerability that allowed them to artificially influence token prices within the protocol’s internal pricing mechanisms. By simultaneously opening large long and short positions, the exploiter was able to create significant price swings, which they then used to their advantage by strategically removing collateral and exiting the system before price normalization could occur.

The manipulation hinged on inflating the value of $NUMA to misrepresent the health of loan positions. As the manipulated price rose, the attacker’s loan positions appeared overcollateralized, allowing them to withdraw more collateral than should have been permissible under fair market conditions. Once sufficient assets were withdrawn, the attacker closed their positions, effectively draining the protocol of roughly 292.96 rETH in value. This process occurred quickly—within about an hour—before the manipulation was detected.

In response, the Numa team immediately paused key functions such as loan openings and liquidations to prevent further abuse. Security auditors, including Sherlock, were brought in to investigate and analyze the exploit’s mechanics. The team is currently working on patching vulnerabilities, recovering assets, and developing safeguards to prevent similar exploits in the future. Measures under consideration include migrating rewards to a secured vault, injecting personal and protocol capital to replace lost collateral, and potentially raising external funds to stabilize the system.
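
A toy model of the collateral health check described above, added here as an illustration and not taken from Numa's contracts or from the sources of this case study. The position size, prices, collateral factor, deviation threshold and the time-weighted average price (TWAP) guard are all assumptions; the guard is shown as one common safeguard, not as the fix Numa deployed.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.8   # assumed: borrow up to 80% of collateral value
MAX_DEVIATION = 0.10      # assumed: tolerate 10% spot/TWAP divergence


@dataclass
class Position:
    collateral_numa: float  # NUMA posted as collateral
    debt_reth: float        # rETH borrowed against it


def twap(samples):
    """Time-weighted average of (seconds_held, price) samples."""
    total = sum(dt for dt, _ in samples)
    return sum(dt * p for dt, p in samples) / total


def withdrawable_naive(pos, spot):
    """Values collateral at the instantaneous price only."""
    required = pos.debt_reth / (spot * COLLATERAL_FACTOR)
    return max(0.0, pos.collateral_numa - required)


def withdrawable_guarded(pos, spot, samples):
    """Values collateral at min(spot, TWAP) and refuses to act when the
    two diverge, so a short-lived spike cannot free collateral."""
    avg = twap(samples)
    if abs(spot - avg) / avg > MAX_DEVIATION:
        raise ValueError("price deviates from TWAP; withdrawals paused")
    return withdrawable_naive(pos, min(spot, avg))


# Constructed sample data: price in rETH per NUMA, held for N seconds.
HISTORY = [(1800, 0.0010), (1500, 0.0010), (300, 0.0011)]
POSITION = Position(collateral_numa=100_000, debt_reth=75.0)

if __name__ == "__main__":
    print("normal price:", withdrawable_naive(POSITION, 0.0010))
    print("inflated price:", withdrawable_naive(POSITION, 0.0030))
    try:
        withdrawable_guarded(POSITION, 0.0030, HISTORY)
    except ValueError as err:
        print("guarded check:", err)
```

With the constructed numbers, tripling the spot price raises the collateral the naive check releases from 6,250 to 68,750 NUMA while the debt is unchanged, which is the "appeared overcollateralized" effect the paragraph describes.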

Total Amount Lost

Losses reported by Cyvers Alerts: 82,279.85490689 $NUMA and 283 $rETH.

The total amount lost has been estimated at $530,000 USD.

Immediate Reactions

Numa Money reports that they acted quickly and decisively to contain the damage and begin remediation. The team discovered the issue about an hour after it occurred, thanks to unusual price activity spotted during UI work ahead of the Sonic launch. Upon discovery, they immediately paused vulnerable protocol functions, including lending and liquidations, to prevent further exploitation. They also engaged their auditing partner, Sherlock, and other independent security professionals to investigate the attack and identify the underlying vulnerabilities.

Ultimate Outcome

As part of the remediation effort, Numa outlined a detailed recovery plan focused on restoring the $NUMA token price and making affected users whole. This includes injecting approximately $100,000 from external sources and 35 rETH in protocol rewards into the vault, while team members and partners are foregoing compensation to cover the remaining gap. To prevent similar exploits in the future, they are implementing code changes—most notably disabling the ability to short $NUMA—and will have all updates audited before deploying them. The team is moving forward with the Sonic chain launch by late May and plans to reopen lending on Arbitrum after ensuring all positions are safely restored and secured.

Total Amount Recovered

Numa outlined a detailed recovery plan focused on restoring the $NUMA token price and making affected users whole. This includes injecting approximately $100,000 from external sources and 35 rETH in protocol rewards into the vault, while team members and partners are foregoing compensation to cover the remaining gap.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Numa Money is continuing to work on remediation and rebuilding the trust of their community.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References