Poofknuckle Ancient Ethereum Mixing Test Contract Exploited

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Ethereum Foundation

Laundromat, a decentralized Ethereum mixer developed by BitBoost, aimed to provide transaction privacy by allowing users to mix ETH in sessions via smart contracts and ring signatures. Though initially well-received as an experimental privacy tool, concerns were raised about its security and effectiveness, particularly without wide adoption or expert audits, and a second smart contract was deployed by a user named poofknuckle. Years later, the new smart contract was exploited due to a vulnerability, resulting in the loss of 1 ETH stored there. The flaw was described as trivial by TenArmor. Given the contract’s age and its use for potentially illicit activities, no investigation or recovery is expected, and the matter is almost certainly permanently closed.[1][2][3][4][5][6][7][8]

About Decentralized Ethereum Mixer

Laundromat is a decentralized Ethereum mixer developed by BitBoost, allowing users to anonymize their Ether transactions by participating in mixing sessions. In these sessions, a fixed number of users send a set amount of ETH to a smart contract, and after all participants have joined, each can withdraw the same amount to a different address, effectively breaking the link between sender and recipient. The mixer leverages ring signatures, a cryptographic technique inspired by Vitalik Buterin’s early work, to enhance privacy. The project is open-source, available via GitHub, and can be accessed through a downloadable app or a web-based interface using MetaMask.

The FAQ clarifies technical requirements and limitations: users can run the mixer using MetaMask or a local Ethereum node with RPC enabled. Funds may remain locked if the required number of participants isn't reached, though dummy participants can be created (with limited privacy effectiveness). The code is written in JavaScript with Solidity contracts, and no binary installation is needed since it runs directly in the browser. Users are advised to review the source code or seek expert audits for security, as even the developer acknowledges the experimental nature of the cryptographic techniques used.

Community reactions are generally positive but cautious. A quote from Vitalik Buterin emphasizes the importance of using well-audited cryptography, especially for high-value transactions, suggesting Laundromat is best suited for low-value, experimental use cases. Concerns are raised about the quality of privacy depending on participant diversity—if only questionable sources use mixers, it might taint otherwise clean tokens. The BitBoost team responds by noting that Laundromat is part of a broader initiative to improve Ethereum's privacy infrastructure, with hopes that increasing adoption will bring more legitimacy and utility to such tools.

About poofknuckle's Mixer Contract

An ancient legacy fund mixing contract was created by BitcoinTalk user poofknuckle on December 12th, 2016. As part of the creation, they left 1 ETH, which appears to be for testing.

The Reality

Unfortunately, the smart contract launched by poofknuckle had a vulnerability.

What Happened

A decentralized Ethereum mixer storing just 1 ETH was exploited 9 years after launch due to a trivial vulnerability in a user-deployed smart contract.

Key Event Timeline - poofknuckle Ancient Ethereum Mixing Test Contract Exploited

| Date | Event | Description |
| --- | --- | --- |
| December 11th, 2016 12:46:24 PM MST | First Version Of Mixer | The BitcoinTalk user blackyblack creates the first version of their post on BitcoinTalk, which references the smart contract. |
| December 12th, 2016 1:32:16 PM MST | Test Contract Is Created | The test contract is created on Ethereum. It appears to have a purpose related to fund mixing. 1 ETH is deposited into the contract at this time. |
| December 12th, 2016 1:50:50 PM MST | Smart Contract Announced | The smart contract is posted on BitcoinTalk by user poofknuckle. |
| December 13th, 2016 2:29:11 AM MST | Final Version Of Post | BitcoinTalk user blackyblack creates the final version of their BitcoinTalk post with the smart contract. |
| April 8th, 2025 1:28:11 AM MDT | Attack Transaction On Ethereum | The attack transaction happens on the Ethereum blockchain. |
| April 8th, 2025 9:45:00 PM MDT | TenArmor Posts Tweet About | TenArmor posts a tweet about the incident, with details on how it's suspected to have happened and the really old smart contract. |

Technical Details

Technical details of the vulnerability have not been announced. TenArmor described the smart contract as "free money lying on the floor", so it appears that the vulnerability, whatever it was, was fairly trivial.

Total Amount Lost

The losses are 1 ETH, which had a value around $3k at the time of the exploit.

The total amount lost has been estimated at $3,000 USD.

Immediate Reactions

There does not appear to have been any indication of a reaction to the exploit. That's not surprising, given that this smart contract was deployed roughly 8 years ago.

Ultimate Outcome

It is unlikely that any investigation will be performed, given that so much time has passed, and the smart contract's primary use case was for laundering funds.

Total Amount Recovered

There is no indication that any recovery will be possible. This is an old contract, and the creator may even have forgotten about their funds at the time.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

It's extremely unlikely that any aspect of this case remains to be resolved or will develop further.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References