Fluid, a platform for lending and borrowing cryptocurrencies (previously called Instadapp), experienced a security issue. Someone gained unauthorized access to the system used for distributing rewards outside of the main blockchain.
An attacker stole around 125,000 FLUID tokens and 51,900 GHO from several Merkle distributor contracts. They then exchanged these stolen tokens for ETH and sent the ETH to Tornado Cash.
A researcher known as YAM (@yieldsandmore) first publicly revealed the security issue, pointing out that it happened on May 27th, before Fluid officially admitted it. YAM observed that a user began withdrawing $77 million in USDC on May 28th, the same day Fluid announced high deposit rates for USDC. This raised concerns about how long Fluid knew about the problem before telling the public.
YAM questioned why the security flaw, which occurred on May 27th, wasn’t revealed until today, May 31st, despite being discovered earlier. They posted this as a response to Fluid’s official announcement.
How the exploit unfolded
A hacker, using the wallet address 0x4925120CbE5A78Bf08F26f6E8cdF820f4c1D3dfB, exploited several Fluid Merkle distributor contracts by submitting claims with no actual proof. This happened very quickly on the Ethereum network – within about 24 seconds of a new Merkle root being proposed and approved, the attacker successfully claimed FLUID tokens. They then claimed GHO tokens a few minutes later.
The wallet involved in the recent exploit claimed the FLUID and GHO tokens, then quickly exchanged them for other cryptocurrencies. Some of these funds were moved from the Base and Arbitrum networks, and ultimately deposited into Tornado Cash, a service often used to obscure the origin of stolen cryptocurrency.
A few hours after the security breach, someone with administrator access used a special transaction to remove the previous owners of certain permissions within the Fluid rewards contracts. This showed they were replacing the compromised digital keys with new ones.
Fluid’s response: No mention of key compromise
On May 31, 2026, Fluid announced on X that they had detected and resolved a security issue affecting how rewards were distributed. They assured users that the main system was still secure, all smart contracts were working as expected, and no funds were at risk.
The affected contract wasn’t essential to how the system works; it was only used to give out rewards and didn’t hold much money. The team plans to share a full explanation of what happened soon.
Fluid didn’t share details about how the security breach happened or exactly how much money was lost. They informed users that claiming Merkle rewards would be paused for a few days, possibly up to a week, while they implement updates. The protocol assures users that rewards will continue to accrue and will be available to claim once the updates are finished.
Delayed disclosure draws community criticism
People in the community have criticized the four-day delay between the time the security issue happened on May 27th and when it became public on May 31st. Discussions showed the Fluid team didn’t reveal the problem themselves; it was discovered and brought to their attention by independent researchers analyzing the blockchain.
As an analyst, I’ve been looking closely at the recent exploit and noticed a concerning pattern. A large $77 million USDC withdrawal started just one day after the incident on May 28th. Simultaneously, Fluid was advertising unusually high rates for USDC deposits. This combination definitely raises a red flag and suggests someone may have known about the exploit before the general public did, allowing them to act accordingly.
A pattern in DeFi security failures
The recent Fluid exploit continues a difficult year for security in the decentralized finance (DeFi) space. So far in 2026, crypto exploits and hacks have caused over $770 million in losses, with April being particularly bad – totaling over $635 million from 28 different attacks. Major breaches at platforms like Drift Protocol ($285 million), Kelp DAO ($292 million), and THORChain ($10.8 million) have received significant attention.
As a researcher, I’ve been analyzing the recent Fluid breach, and while it wasn’t as large as some other DeFi incidents, it revealed a critical issue. The attack involved compromising a key that allowed attackers to make false claims for rewards, and it really underscored a pattern we’re seeing across decentralized finance: the security of powerful keys is a major weak point. It’s not just about the smart contracts themselves; the systems *around* them – how we manage access and trust – are also vulnerable.
Fluid successfully navigated the difficulties caused by the Resolv Protocol incident in March 2026. They paid back $70 million lost due to the Resolv exploit, which many saw as proof of their strong financial stability.
The Crypto Times will keep a close watch on how things unfold, looking for any new information about the stolen funds or details about what happened. This incident highlights that even if the underlying code of DeFi platforms is secure, weaknesses in related systems like key management and off-chain infrastructure can still be exploited.
Read More
- Off Campus Season 1 Soundtrack Guide
- Chainsaw Man Volume 24’s Cover Art Reveals a Brand-New Denji
- X-Men ’97 Finally Gave Gambit the Hero Moment He Deserved
- 46 Years Later, The Mandalorian & Grogu Answers A Major Empire Strikes Back Question
- 10 Worst End-Game Couples In Sitcom History
- HoI4 fans harsh reactions to the announcement of another DLC pack
- Katanire’s Yae Miko Cosplay: Genshin Impact Masterpiece
- Hatsune Miku cosplayer goes viral selling $15 cups of “foot juice” to thirsty anime fans
- Emily Henry Says to ‘Trust the Vision’ For Beach Read Adaptation
- DoorDash responds after customer uses AI to make food look bad and get a refund
2026-05-31 21:26