‘Upgraded Tornado Cash’ Foom.Cash faces almost $2.3M loss in exploit

by Lester White

Foom.Cash, an Ethereum-based privacy protocol that positioned itself as an evolution of the sanctioned mixer Tornado Cash, has reportedly lost roughly $2.26 million in tokens after an attacker exploited a flaw in its cryptographic verification system, according to alerts issued by multiple blockchain security firms.

The attack, which hit contracts on both the Ethereum and Blast networks, drained 24,283,773,519,600 FOOM tokens, the platform’s native asset, in what security researchers have described as a copycat exploit replicating a near-identical vulnerability targeted in a separate protocol just days earlier.

A single transaction on the Blast network accounted for roughly $427,000 in losses attributed directly to the malicious actor. Transactions on Ethereum totaling around $1.83 million appear to have been part of a white-hat rescue operation.

How did the exploit occur?

Binance Labs-backed Web3 security network GoPlus Security flagged the attack, reporting that an incorrect verification key configuration allowed the attacker to forge zkSNARK proofs. This let them produce cryptographic credentials that the protocol accepted as valid and then extract large volumes of tokens from the compromised contracts.

Blockchain security platform Certik wrote on X, “The root cause may be the delta2==gamma2 setting of the Groth16 verifier at 0xc043865fb4D542E2bc5ed5Ed9A2F0939965671A6. This allows the exploiter to compute ‘pC’ needed for different ‘nullifierHash’ while all other inputs are the same, and repeatedly get ZOOM tokens.”


In short, a protocol whose marketing emphasised the near-impossibility of reversing its cryptographic protections was undone by a misconfiguration. In a Groth16 verifier, the public inputs (here including the nullifierHash) are multiplied against the key’s gamma point and the proof’s C element against the key’s delta point; when gamma and delta are the same point, those two contributions land in the same pairing term, so a proof is no longer tied to one specific set of public inputs.
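The following is an added audit check, not code from the article or from Foom.Cash, that a deployer or reviewer can run over a Groth16 verifying key before it is compiled into a verifier contract. It assumes a snarkjs-style verification_key.json layout (field names vk_gamma_2, vk_delta_2, IC and nPublic, G2 points as nested decimal strings in projective form); the sample keys are constructed and the "good" delta coordinates are placeholders rather than a real curve point, because the check compares encoded coordinates and does not validate curve membership. The same comparison applies to the gamma/delta constants embedded in a generated Solidity verifier.

```python
"""Sanity checks for a Groth16 verifying key, flagging the delta_2 == gamma_2
misconfiguration described in the article.  Added example; assumes the
snarkjs verification_key.json layout (an assumption, not Foom.Cash's code)."""
import json

# BN254 G2 generator, which snarkjs conventionally uses as vk_gamma_2
# (gamma is fixed to 1 by the universal setup; delta comes from phase 2).
_G2_GENERATOR = [
    ["10857046999023057135944570762232829481370756359578518086990519993285655852781",
     "11559732032986387107991004021392285783925812861821192530917403151452391805634"],
    ["8495653923123431417604973247489272438418190587263600148770280649306958101930",
     "4082367875863433681332203403145435568316851327593401208105741076214120093531"],
    ["1", "0"],
]


def _norm(point):
    """Canonical, hashable form of a point encoded as nested decimal strings/ints."""
    return tuple(tuple(str(c) for c in coord) for coord in point)


def check_vk(vk: dict) -> list:
    """Return a list of findings (empty list means no issue detected)."""
    findings = []
    gamma, delta = vk.get("vk_gamma_2"), vk.get("vk_delta_2")
    if gamma is None or delta is None:
        findings.append("missing vk_gamma_2 or vk_delta_2")
    else:
        if _norm(gamma) == _norm(delta):
            findings.append(
                "vk_gamma_2 == vk_delta_2: public-input term and proof C term "
                "share one pairing slot, so proofs are not bound to their public inputs"
            )
        if _norm(delta) == _norm(_G2_GENERATOR):
            findings.append(
                "vk_delta_2 is the G2 generator: phase-2 (circuit-specific) setup "
                "appears not to have contributed a fresh delta"
            )
    # IC must hold one point per public input plus the constant term.
    ic = vk.get("IC", [])
    n_pub = vk.get("nPublic")
    if n_pub is not None and len(ic) != n_pub + 1:
        findings.append(f"IC has {len(ic)} entries, expected nPublic + 1 = {n_pub + 1}")
    # Duplicate IC points would make two public inputs interchangeable.
    seen = {}
    for i, pt in enumerate(ic):
        key = _norm(pt)
        if key in seen:
            findings.append(f"IC[{i}] duplicates IC[{seen[key]}]")
        seen.setdefault(key, i)
    return findings


def check_vk_json(text: str) -> list:
    """Convenience wrapper for a verification_key.json file's contents."""
    return check_vk(json.loads(text))


# Constructed sample keys (not Foom.Cash's real key).  nPublic=2 so IC has 3 points.
_IC = [["1", "2", "1"], ["3", "4", "1"], ["5", "6", "1"]]
BAD_VK = {"nPublic": 2, "vk_gamma_2": _G2_GENERATOR, "vk_delta_2": _G2_GENERATOR, "IC": _IC}
GOOD_VK = {
    "nPublic": 2,
    "vk_gamma_2": _G2_GENERATOR,
    # Placeholder coordinates standing in for a properly generated delta (constructed).
    "vk_delta_2": [["1111", "2222"], ["3333", "4444"], ["1", "0"]],
    "IC": _IC,
}

if __name__ == "__main__":
    for name, vk in (("BAD_VK", BAD_VK), ("GOOD_VK", GOOD_VK)):
        print(name, check_vk(vk) or "OK")
```

The check is deliberately structural: it does not verify any proof, it only refuses keys whose shape makes the pairing equation degenerate. A key that passes still needs the normal ceremony evidence (phase-2 contributions, matching circuit hash) before the verifier is trusted.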

BlockSec’s Phalcon monitoring system, which detected suspicious transactions across both networks in real time, stated that the incident appeared to be an imitation attack. The firm noted that the attack exploited the same root cause previously identified in the Veil Cash breach, which took place just a few days prior.

It is worth pointing out, though, that the Veil Cash breach was far more limited in scale, with losses contained to a small amount of $ETH, reportedly 2.9 $ETH.

What is Foom.Cash?

Foom.Cash positions itself as a “ZKProof-powered Private Lottery Protocol” that combines the anonymity of Zcash, which operates as a standalone privacy chain, the accessibility of Ethereum’s DeFi ecosystem, and a built-in randomized reward mechanism.

It is touted as an upgrade to Tornado Cash and an alternative to Zcash on Ethereum. Tornado Cash was sanctioned by the US Treasury in 2022, but the department lifted its sanctions on the platform in March 2025.

According to the platform, it processes more daily transactions than Tornado Cash, boasts over eight million dollars in liquidity, and generates annual returns of 50 to 80% for liquidity providers.

Privacy in DeFi has been seeing renewed interest, with Zcash registering a significant price increase in recent months, and Foom.Cash sought to capitalize on that trend by offering privacy natively within Ethereum’s existing infrastructure.


The platform uses a specific proof variant called zkSNARKs, one of the key components behind the privacy guarantees of well-established protocols such as Zcash.

What is Foom.Cash doing to recover funds and resolve the exploit?

To date, the only mention of a recovery is tied to the second transaction of about $1.83 million, which security firms report to have been part of a white-hat rescue operation.

However, the Foom.Cash team has yet to confirm or acknowledge the hack. So, as of the time of writing, there is no information from the protocol on the extent of the impact or on what it is doing to mitigate future attacks.

The white-hat recovery hints that the team may be working behind the scenes to recover the funds and resolve the underlying issues.
