On Monday, December 8th, poidh was exploited for ~$500 worth of ETH (0.17 Ξ) via a flaw in our open bounty system. The attack happened at roughly 11 am PST and broke our indexer. Because the indexer had failed before, our first assumption was not that an exploit was underway but that a simple backend issue was stopping the website from displaying new information.
However, when the indexer restarted, the updated front end showed the bounties that had been exploited, and we immediately published a warning.
After announcing what had happened, we were lucky that horsefacts took a deeper look at the exploit of his own accord. He reached out to let us know how the vulnerability was executed (see breakdown from Claude here) and that there was a second vulnerability the attacker had not found. He asked whether we wanted to run a white hat hack to withdraw all remaining user funds from the contracts.
We said yes, and horsefacts executed the transaction to rescue user funds on our Arbitrum and Base smart contracts, which held the majority of user funds.
We used these rescued funds to make whole all users who had bounties still in progress on the app on Arbitrum and Base.
At this time, the Degen Chain contract is still live and bounties on it can still be finalized, but we ask that no one add more funds to the contract. Only minimal user funds (<$50) remain in it, and should the contract be exploited, we are fully prepared to refund any users who did not retrieve their funds.
poidh is rebuilding and will launch a revamped, secure poidh v3 contract. If you are a smart contract developer who'd like to help, please reach out to us on X or on Farcaster.
While working on v3, we'll also be celebrating the accomplishments of poidh v2 and taking some time off for the holidays. We appreciate the entire community's response to this incident; everyone has been amazingly understanding and supportive. That support will always be remembered.
Wow, I wish we could develop an AI bot that can detect things like this before it even launches
It's real good
Good 👍
gm put together a quick summary of everything that went down on Monday here if you're interested in learning more, this is the comprehensive resource https://words.poidh.xyz/poidh-december-8th-exploit
gm hoping poidh makes a comeback soon too 🤞
gm, have to check it
good morning kenny
gm Mary!
gm kenny
dang that's really sad. Taking some Rust classes, might affiliate with blockchain tech a bit. Wish I could help
We’ve closed this bounty with the recommendation from @kenny following this https://words.poidh.xyz/poidh-december-8th-exploit We mark the bounty as a successful test following the submissions from both @mutheu.base.eth & @profian Both have been paid out the full share of the bounty in both usdc & degen. Transaction details below. Finally, this marks the end of the last two years of experimenting. In the coming weeks we’ll be soft launching the first versus a tv show, open and playable to anyone on the internet. Here’s to growing a forest of filmatrees 🌲🌴🌳🎋🏝️🏕️
To @profian https://basescan.org/tx/0x2de956212cf1b4084910809881e3fd01fdf3f576633c867be724687767064a4f https://explorer.degen.tips/tx/0x78fc8b41a6089c2a109f1fcdc5a5d029b824da84ce075de438cdf527490992fe
Thanks a lot sir 🙌
To @mutheu.base.eth https://basescan.org/tx/0xcc0ad7bac28834b42544cc5e9739a51aa6ad9494498d2e55267fb2ede439a11d https://explorer.degen.tips/tx/0x760917dc6115d2ec211bb9c709c41af56bf83987a8142b8ad93b36ce2ebf7fa0
Tysm
Please check your inbox 🙏
On December 8, poidh’s bounty system was exploited for roughly 0.17 ETH, causing an indexer outage and a public warning. A white-hat intervention by horsefacts recovered funds on Arbitrum and Base and issued refunds to affected users. Authored by @kenny.