Shibarium, Shiba Inu’s Layer 2, was targeted in a flash loan attack, Resulting in $3M drain

Shiba Inu’s Layer 2 network, Shibarium, nearly lost $3 million after attackers used smart contract vulnerabilities using flash loans to drain the network’s liquidity pools. According to the recent information, the attack flushed out around $3 million in ETH, SHIB, and KNINE tokens. 

The attack carried out on Thursday manipulated the token prices via rapid transactions, and the stolen funds were distributed to multiple wallets to evade tracking. Despite the flash attack, the SHIB token and the mainnet were unaffected, but the security experts claim that the growing number and risks of flash attacks in decentralised finance show the need for stronger Layer 2 security protocols. 

The recent updates suggest that the developers have paused staking and brought security firms in. Shibarium is currently reviewing the smart contract vulnerabilities and considering implementing transaction limits to prevent future exploits.

Shibarium Flash Loan Attack: What Really Happened?

Shibarium, Shiba Inu’s Layer 2 network, suffered a flash loan attack on Thursday, resulting in around $3 million in digital assets, including ETH, SHIB, and KNINE tokens. As per the latest confirmation from the authorities, the reported incident occurred when attackers exploited Shibarium’s smart contract vulnerabilities.

By exploiting the smart contracts, attackers could execute a series of rapid transactions without any upfront capital. The attackers also manipulated the network’s liquidity pool by using flash, short, and unsecured loans. 

The attack was carried out by targeting Decentralised Exchanges (DEX) related to Shibarium, and during the attack, the attacker used the same flash loans to inflate the value of certain coins before executing trades at a manipulated price.

The attacker quickly moved the stolen funds across various wallets to evade tracking, and the amount that was lost will come close to $3 million, but the actual value might vary due to the token price fluctuations recorded at the time of the attack. 

Expert crypto analysts reported that the hack had resulted in the theft of 224.5 ETH (approximately $1.03M) and 92.6 billion SHIB (approximately $1.27M). It also mentioned that other tokens — Doge Killer (LEASH), Shiba Inu TREAT (TREAT), and Shifu (SHIFU) — had been affected but remained unmoved.

It added that the incident emphasised the growing threat of flash loan exploits and vulnerabilities in decentralised governance models.

They noted that while emergency measures had been taken, uncertainty remained over whether the stolen assets would be recovered or if they would become another high-profile Decentralized Finance (DeFi) loss.

After the incident, the Shiba Inu team has officially paused staking and withdrawals, and is moving the assets to a “secure 6/9 hardware multisig” wallet.

Following the theft, the developmental team urged an investigation and officially released a public statement confirming and acknowledging the security breach. They haven’t provided any information regarding the bug bounty claim or their attempt to recover the funds through their on-chain analysis.

Shiba Inu acknowledged the breach and responded that they were aware of the activity flagged by Peckshield and had engaged their internal team and external security partners to investigate thoroughly. They stated that their priority was the safety of the ShibArmy.

At that time, they were working to confirm the root cause and ensure all possible mitigations were in place. They affirmed their commitment to full transparency and mentioned that a comprehensive report with findings and next steps would be published once the investigation concluded.

“The attack was probably planned for months”, Opines Shiba Inu Developer

Earlier today, Kaal Dhairya stated that a sophisticated attack, probably planned for months, had been carried out using a flash loan to purchase 4.6M BONE. He mentioned that the attacker had gained access to validator signing keys, achieved majority validator power, and signed a malicious state to drain assets from the bridge.

He noted that because the BONE had been delegated to Validator 1, it remained locked due to unstaking delays, giving them the chance to freeze those funds.

Kaal Dhairya also stated that once secure key transfers were completed and validator control integrity was verified, the stake manager’s funds would be restored in full. He mentioned that their top priority was protecting the network and community assets.

He added that they would continue to provide transparent updates as the investigation progressed. He noted that they were currently in damage control mode and did not yet know if the breach had originated from a server or a developer machine.

He has officially confirmed through his X account and claimed that they were actively working with Hexens, Seal 911, and PeckShield to investigate the incident. He mentioned that authorities had been contacted, but they were open to negotiating in good faith with the attacker: if the funds were returned, they would not press any charges and were willing to consider a small bounty.

What are the Next Steps?

Shiba Inu has already announced that the firm has started an investigation and will take necessary steps to recover the funds. Here are the next steps that Shiba Inu is going to implement to safeguard the funds.

• Secure validator key transfers and confirm full chain integrity
• Restore the stakeholder fund when security is assured
• Continue the coordination with the partners to freeze attacker-linked funds
•  Officially publish a full incident report once the internal and external investigations are over.

Shiba Inu urged its users and stated that it was a fast-moving investigation and that they were working around the clock with leading security partners. They requested people to bear with them, stating that verified updates would be shared as soon as possible.

The post Shibarium, Shiba Inu’s Layer 2, was targeted in a flash loan attack, Resulting in $3M drain appeared first on BiteMyCoin.