Aethir, a decentralized GPU cloud computing platform focused on providing affordable AI and gaming compute resources, faced a security incident on April 9, 2026. The attack targeted the AethirOFTAdapter contract on BNB Chain. This contract acts as an omnichain bridge adapter for ATH tokens. The attacker successfully drained a substantial amount of ATH tokens. However, the Aethir team acted quickly to contain the damage. As a result, the main token supply on Ethereum stayed completely safe. User losses remained limited, and the project promised full compensation soon.
Technical Details:
Exploit Method: transferOwnership(address newOwner)
New Owner Address: 0xd5fa8ac45d6a0984d14f3b301b18910948deb11a
Total Drained: Approximately 423,000 ATH (PeckShield estimate ~$400K+)
Victim Contract: AethirOFTAdapter (Omnichain Fungible Token Adapter on BNB Chain)
Vulnerability Type: Access Control Failure (missing or bypassed onlyOwner modifier and weak ownership validation)
Bridge Used: Symbiosis Finance (cross-chain bridge)
Chains Involved: BNB Chain (exploit origin) to TRON (final destination)
Attack Complexity: Low – no flash loan, no price oracle manipulation, pure ownership takeover
The attack was simple yet effective. The attacker directly called the transferOwnership function on the AethirOFTAdapter smart contract. This function allowed them to become the new owner without proper authorization checks. Once they gained ownership, they could freely call sensitive functions like token transfers. They drained the available ATH tokens held in or controlled by the adapter contract. This highlights a common risk in bridge and adapter contracts that rely on ownership patterns for admin control, especially in omnichain setups using standards similar to LayerZero OFT.
After draining the tokens, the attacker did not hold them long on BNB Chain. They quickly routed the funds through multiple intermediate wallets to obscure the trail. Finally, they used the Symbiosis Finance bridge to move everything to the TRON network. This cross-chain move makes tracking and freezing harder across different blockchains.
On-Chain Funds Flow (Exact Verified Addresses):
- Initial Receiver (Exploiter): 0xd5fa8ac45d6a0984d14f3b301b18910948deb11a received 423K ATH
- Intermediate Wallet 1: 0x0BB5EC0B8931F3Ae1587F2b4c4f1885343B0BDC7 received 324K ATH
- Intermediate Wallet 2: 0x3A94447A7a5e5a28326ebc6730C48b0c7092F963 received 324K ATH plus additional 202K movement
- Bridge Step: Symbiosis Finance (green bridge in PeckShield diagram)
- Final TRON Wallets:
  - TL38ssgWktRRfhdjGEyfVkPD8CdP2UPq18
  - TNC4wgK518RZdZVa6NPZLnqy6FEswA4G15
The funds are currently split and sitting dormant on these two TRON addresses. No further transfers, mixing services, or cash-out attempts have been observed as of April 10, 2026. This gives the Aethir team and supporting exchanges a window to coordinate freezes if possible.
Timeline of Events:
April 9, 2026: Exploit executed and funds drained on BNB Chain.
April 9 evening: PeckShieldAlert publicly flagged the incident with flow diagram.
April 10 early morning: Full amount bridged to TRON.
April 10: Aethir official statement released.
Aethir Official Response:
The Aethir team confirmed the incident and stated that all compromised bridge contracts were disconnected immediately. The main ATH token supply on Ethereum remains 100% intact and unaffected. The ETH-ARB bridge using Squid is also safe. They estimated user impact below $90,000 USD and announced that a detailed full compensation plan will be released next week. The team is also working with exchanges to help monitor and potentially freeze the attacker wallets.
Impact Assessment:
This exploit affected only the specific bridge adapter on BNB Chain. Core protocol operations, decentralized GPU network, and primary token reserves were not impacted. The quick response from both PeckShield and Aethir prevented wider damage. Compared to other recent bridge hacks, this one was contained relatively well with lower user loss. However, it still shows the persistent risks in cross-chain infrastructure.
Why This Vulnerability Matters:
Omnichain adapters like OFT are designed to make tokens move seamlessly across chains. But they often inherit ownership control patterns from standard ERC-20 or LayerZero implementations. If access control is not hardened with multi-sig, timelock, or renounceOwnership, a single function call can lead to total compromise. This case serves as a reminder for all DeFi projects using bridges.
Recommendations for Projects:
- Implement multi-signature wallets with timelock delays for all admin functions including transferOwnership.
- Consider full ownership renouncement after initial setup where possible.
- Add 2-step verification or DAO governance for sensitive operations.
- Integrate real-time monitoring tools like PeckShield, CertiK, or Forta.
- Conduct regular third-party audits specifically focused on bridge and adapter contracts.
- Test ownership-related functions thoroughly in staging environments.
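The access control failure described under Technical Details and the two-step and timelock recommendations above, as an added Solidity example (not Aethir's or LayerZero's code): a hypothetical unguarded transferOwnership beside a hardened version. The contract names, error names and the 2-day delay are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical contracts for illustration; not Aethir's or LayerZero's code.
// Weak pattern: no caller check, so any account can make itself owner.
contract UnguardedOwnable {
    address public owner;
    constructor() { owner = msg.sender; }
    function transferOwnership(address newOwner) external {
        owner = newOwner; // missing: a check that msg.sender is the current owner
    }
}

// Hardened pattern: owner-only proposal, enforced delay, explicit acceptance.
contract TwoStepTimelockedOwnable {
    uint256 public constant DELAY = 2 days; // assumed value for this example
    address public owner;        // intended to be a multisig
    address public pendingOwner;
    uint256 public notBefore;    // earliest time acceptOwnership() may succeed

    event OwnershipTransferStarted(address indexed from, address indexed to, uint256 eta);
    event OwnershipTransferred(address indexed from, address indexed to);
    error NotAuthorized();
    error ZeroAddress();
    error TooEarly();
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }
    constructor(address initialOwner) {
        if (initialOwner == address(0)) revert ZeroAddress();
        owner = initialOwner;
    }
    // Step 1: only the current owner can nominate a successor; nothing changes yet.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        pendingOwner = newOwner;
        notBefore = block.timestamp + DELAY;
        emit OwnershipTransferStarted(owner, newOwner, notBefore);
    }
    // Step 2: the nominee must claim ownership itself, after the delay has passed.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotAuthorized();
        if (block.timestamp < notBefore) revert TooEarly();
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        delete pendingOwner;
        delete notBefore;
    }
}
```

The delay between the two steps gives monitoring a window to alert on an unexpected OwnershipTransferStarted event, and a new call to transferOwnership by the current owner overwrites a pending nomination before it can be accepted.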
Recommendations for Users:
- Keep large holdings on the main Ethereum chain rather than bridged versions when not needed.
- Be cautious with new or less-audited bridge integrations.
- Monitor official project channels for security updates.