# poidh december 8th exploit

*a full account*

By [poidh](https://words.poidh.xyz) · 2025-12-10

---

On Monday, December 8th, poidh was exploited for [~$500 worth of ETH (.17Ξ)](https://basescan.org/tx/0x0545a4e5800632ba2194fb9349264ff7f3d3bb18d28ee168d57369b14422f11f) via a flaw in our open bounty system. The attack happened at roughly 11 am PST and broke our indexer. The indexer had failed before, so our assumption was not that an exploit was underway, but that we had a simple backend issue that was stopping the website from displaying new information.

However, when the indexer restarted, we saw the updated front end with bounties that had been exploited. Immediately, we published a warning.

> 🚨 URGENT 🚨
>
> poidh experienced an exploit on our Base contract earlier today via this transaction:
>
> [basescan.org/tx/0x0545a4e58…](https://t.co/Hr3QGiqbaG)
>
> for the time being, DO NOT deposit any funds into the app
>
> it appears like this exploit targeted bounties where there was a single bounty contributor,
>
> [BaseScan card: Base Transaction Hash 0x0545a4e580... | Aggregated Transfer of 69 NFTs Across 1 Token | Success | Dec-08-2025 07:46:37 PM (UTC)](https://t.co/Hr3QGiqbaG)
>
> [pics or it didn't happen (@poidhxyz)](https://twitter.com/poidhxyz/status/1998175448644329723), 3:38 PM • Dec 8, 2025, 27 likes

After announcing what had happened, we were lucky to have [horsefacts](https://x.com/eth_call) take a deeper look at the exploit, entirely on his own initiative. He then reached out to explain how the exploit had been carried out ([see breakdown from Claude here](https://claude.ai/share/6f703914-c335-4928-85c8-895f1c52b49b)) and to tell us that there was a second vulnerability the attacker had not found. He asked if we wanted to run a white hat rescue to withdraw all remaining user funds from the contracts.

We said yes, and horsefacts executed the rescue transactions on our Arbitrum and Base smart contracts, which held the majority of user funds.

> I found another vuln in [@poidhxyz](https://twitter.com/poidhxyz) while helping investigate this exploit and we decided to whitehack the contracts and rescue remaining funds.
>
> If you had a balance on Base or Arbitrum, [@kennyistyping](https://twitter.com/kennyistyping) will send you a refund.
>
> [basescan.org/tx/0xdd1cb64cd…](https://t.co/aClnEwgvZz)
>
> [Arbiscan card: Arbitrum One Transaction Hash 0x6b5393a695... | Success | Dec-09-2025 02:27:33 AM (UTC)](https://t.co/rc19dfvS0G)
>
> (quoting the @poidhxyz post above)
>
> [horsefacts (@eth\_call)](https://twitter.com/eth_call/status/1998226762770285030), 7:02 PM • Dec 8, 2025, 27 likes

We used these rescued funds to make all users whole who had bounties still in progress on the app via Arbitrum and Base.

> UPDATE: all users on Arbitrum + Base who had balances >1 cent have been refunded
>
> Degen Chain users with bounties still active have been notified to cancel or finalize their bounties
>
> if you think you did not receive your full funds back, please ping us with your
>
> > UPDATE: while investigating the original incident, [@eth\_call](https://twitter.com/eth_call) discovered another possible exploit
> >
> > we have emptied the contract of remaining user funds, and all users will have their funds returned in full
> >
> > users impacted by the original exploit will also be fully refunded
> >
> > please
> >
> > [pics or it didn't happen (@poidhxyz)](https://twitter.com/poidhxyz/status/1998226972401627448)
>
> [pics or it didn't happen (@poidhxyz)](https://twitter.com/poidhxyz/status/1998637946673451259), 10:16 PM • Dec 9, 2025, 8 likes

At this time, the Degen Chain contract is still live and can have bounties finalized, but we ask that no one add more funds to the contract. There are minimal user funds still available (<$50) and, should the contract be exploited, we are fully prepared to refund users who did not retrieve their funds.

next steps
----------

poidh is rebuilding and will launch a revamped, secure [poidh v3 contract](https://farcaster.xyz/kenny/0x5ccbaa66). If you are a smart contract developer who'd like to help, please reach out to us via [X](https://x.com/poidhxyz) or on [Farcaster](https://farcaster.xyz/kenny).

While working on v3, we'll also be celebrating the accomplishments of poidh v2 and taking some time off for the holidays. We appreciate the entire community's response to this incident; everyone has been amazingly understanding and supportive. That support will always be remembered.

---

*Originally published on [poidh](https://words.poidh.xyz/poidh-december-8th-exploit)*
