On September 8, 2025, SwissBorg, a leading crypto wealth management platform, suffered a major exploit that drained approximately 192,600 SOL (~$41M) from its SOL Earn staking program. Unlike typical smart contract exploits, this incident was triggered by a compromised API belonging to its staking partner, Kiln — highlighting the critical risks of third-party dependencies in DeFi.
Although less than 1% of users and 2% of platform assets were impacted, the attack underscores how vulnerabilities can extend beyond smart contracts into off-chain systems and integrations.
How the Hack Happened
The attack began on August 31st when the exploiter embedded multiple hidden authorization instructions into an unstaking transaction. This quietly transferred withdrawal authority for several SwissBorg/Kiln stake accounts to the attacker’s wallet without raising alarms.
On September 8th, the attacker executed their “skeleton key” setup. With withdrawal authority secured, they initiated unstaking operations, draining nearly 192,600 SOL in minutes via Kiln’s compromised API.
Root Cause
The breach stemmed from Kiln’s staking infrastructure, not SwissBorg’s core platform. Attackers gained unauthorized API access, enabling them to manipulate stake account authorities without proper anomaly detection or multi-signature checks.
This was an off-chain API vulnerability that impacted on-chain authority controls, proving that even if smart contracts are sound, external integrations can still expose platforms to massive risks.
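The following is an added example, not SwissBorg's or Kiln's code. It shows the kind of check whose absence is described above: scanning a parsed Solana transaction for Stake program authorize instructions whose new authority is not on an allowlist. The field names are assumed to follow the RPC `jsonParsed` encoding; the transaction, keys and allowlist are constructed placeholders.

```python
# Added example: flag stake-authority changes to keys outside an allowlist.
# Field names follow Solana RPC "jsonParsed" output as an assumption.
STAKE_PROGRAM = "Stake11111111111111111111111111111111111111"
AUTHORIZE_TYPES = {"authorize", "authorizeChecked",
                   "authorizeWithSeed", "authorizeCheckedWithSeed"}

def iter_instructions(tx):
    """Yield top-level and inner (CPI) instructions of a parsed transaction."""
    yield from tx["transaction"]["message"]["instructions"]
    for group in (tx.get("meta") or {}).get("innerInstructions") or []:
        yield from group["instructions"]

def find_authority_changes(tx, approved):
    """Return a finding for each stake authorize whose new authority is not approved."""
    findings = []
    for ix in iter_instructions(tx):
        parsed = ix.get("parsed")
        if ix.get("programId") != STAKE_PROGRAM or not isinstance(parsed, dict):
            continue
        if parsed.get("type") not in AUTHORIZE_TYPES:
            continue
        info = parsed.get("info") or {}
        new_auth = info.get("newAuthority") or info.get("newAuthorized")
        if new_auth not in approved:  # a missing field is also flagged (fail closed)
            findings.append({"stakeAccount": info.get("stakeAccount"),
                             "authorityType": info.get("authorityType"),
                             "newAuthority": new_auth})
    return findings

def stake_ix(kind, **info):
    """Build a constructed stake-program instruction for the sample below."""
    return {"programId": STAKE_PROGRAM, "program": "stake",
            "parsed": {"type": kind, "info": info}}

# Constructed sample: an "unstake" that also reassigns withdraw authority.
APPROVED = {"CUSTODY_KEY_PLACEHOLDER"}
SAMPLE_TX = {"transaction": {"message": {"instructions": [
    {"programId": "ComputeBudget111111111111111111111111111111", "data": "constructed"},
    stake_ix("deactivate", stakeAccount="STAKE_A", stakeAuthority="CUSTODY_KEY_PLACEHOLDER"),
    stake_ix("authorize", stakeAccount="STAKE_A", authorityType="Withdrawer",
             authority="CUSTODY_KEY_PLACEHOLDER", newAuthority="UNKNOWN_KEY_PLACEHOLDER"),
    stake_ix("authorize", stakeAccount="STAKE_B", authorityType="Withdrawer",
             authority="CUSTODY_KEY_PLACEHOLDER", newAuthority="UNKNOWN_KEY_PLACEHOLDER"),
]}}, "meta": {"innerInstructions": []}}

if __name__ == "__main__":
    for f in find_authority_changes(SAMPLE_TX, APPROVED):
        print("ALERT unapproved authority change:", f)
```

The same function can run before signing a transaction built by a third-party API or over confirmed transactions touching monitored stake accounts; either way, any finding on a transaction that was only meant to unstake warrants a hold and review.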
Want to dive deeper?
We’ve covered the full breakdown of the SwissBorg exploit, including transaction traces, detailed root cause analysis and lessons for the industry in our complete blog — SwissBorg exploit (Detailed Breakdown)
Funds Flow
$40.7M (~189,524 SOL) was moved in a single transaction to a dormant wallet, where the funds remain.
A smaller portion (~1,000 SOL) was funneled through multiple wallets and eventually deposited into Bitget exchange.
This movement suggests the attacker is holding the bulk of funds while testing liquidity channels with smaller amounts.
SwissBorg’s Response
SwissBorg acted quickly:
- Paused Solana staking operations.
- Confirmed that its core app and other strategies remained secure.
- Committed to fully covering affected users, with treasury funds allocated for recovery.
CEO Cyrus Fazel reassured users that no losses would be passed down, stressing that the breach was limited solely to the SOL Earn program.
Meanwhile, Kiln disabled its APIs, dashboards, and widgets during the investigation and initiated precautionary steps to protect validator operations.
Key Takeaway
The SwissBorg incident is a powerful reminder that DeFi security doesn’t end at smart contracts. APIs, external wallets, and third-party providers can all become weak points in the chain. Attackers exploited a four-day preparation window with clear on-chain signals that went undetected — showing the urgent need for better anomaly detection, simulation testing, and penetration checks across every layer of DeFi.