# poidh december 8th exploit

> a full account

**Published by:** [poidh](https://words.poidh.xyz/)

**Published on:** 2025-12-10

**URL:** https://words.poidh.xyz/poidh-december-8th-exploit

## Content

On Monday, December 8th, poidh was exploited for ~$500 worth of ETH (.17Ξ) via a flaw in our open bounty system.

The attack happened at roughly 11 am PST and broke our indexer. The indexer had failed before, so our assumption was not that an exploit was underway, but that we had a simple backend issue that was stopping the website from displaying new information. However, when the indexer restarted, we saw the updated front end with bounties that had been exploited.

Immediately, we published a warning.

> **pics or it didn't happen** @poidhxyz
>
> URGENT
>
> poidh experienced an exploit on our Base contract earlier today via this transaction: basescan.org/tx/0x0545a4e58…
>
> for the time being, DO NOT deposit any funds into the app
>
> it appears like this exploit targeted bounties where there was a single bounty contributor,
>
> basescan.org Base Transaction Hash: 0x0545a4e580... | BaseScan Aggregated Transfer of 69 NFTs Across 1 Token | Success | Dec-08-2025 07:46:37 PM (UTC)
>
> 3:38 PM • Dec 8, 2025

After announcing what had happened, we were lucky to have horsefacts take a deeper look at the exploit (of his own accord). He then reached out and let us know how the vulnerability was executed (see breakdown from Claude here), and that there was another vulnerability that the hacker had not found. He asked if we wanted to run a white hat hack to remove all user funds.

We said yes, and horsefacts executed the transaction to rescue user funds on our Arbitrum and Base smart contracts—which held the majority of user funds.

> **horsefacts** @eth_call
>
> I found another vuln in @poidhxyz while helping investigate this exploit and we decided to whitehack the contracts and rescue remaining funds.
>
> If you had a balance on Base or Arbitrum, @kennyistyping will send you a refund.
>
> basescan.org/tx/0xdd1cb64cd…
>
> arbiscan.io Arbitrum One Transaction Hash: 0x6b5393a695... | Arbitrum One Call 0x60806040 Method By 0x110E34A2...E149309d6 | Success | Dec-09-2025 02:27:33 AM (UTC)
>
> > **pics or it didn't happen** @poidhxyz
> >
> > URGENT
> >
> > poidh experienced an exploit on our Base contract earlier today via this transaction: basescan.org/tx/0x0545a4e58…
> >
> > for the time being, DO NOT deposit any funds into the app
> >
> > it appears like this exploit targeted bounties where there was a single bounty contributor,
>
> 7:02 PM • Dec 8, 2025

We used these rescued funds to make all users whole who had bounties still in progress on the app via Arbitrum and Base.

> **pics or it didn't happen** @poidhxyz
>
> UPDATE: all users on Arbitrum + Base who had balances >1 cent have been refunded
>
> Degen Chain users with bounties still active have been notified to cancel or finalize their bounties
>
> if you think you did not receive your full funds back, please ping us with your
>
> > **pics or it didn't happen** @poidhxyz
> >
> > UPDATE: while investigating the original incident, @eth_call discovered another possible exploit
> >
> > we have emptied the contract of remaining user funds, and all users will have their funds returned in full
> >
> > users impacted by the original exploit will also be fully refunded
> >
> > please
>
> 10:16 PM • Dec 9, 2025

At this time, the Degen Chain contract is still live and can have bounties finalized, but we ask that no one add more funds to the contract. There are minimal user funds still available (<$50) and, should the contract be exploited, we are fully prepared to refund users who did not retrieve their funds.

### next steps

poidh is rebuilding and will launch a revamped, secure poidh v3 contract. If you are a smart contract developer who'd like to help, please reach out to us via X or on Farcaster. While working on v3, we'll also be celebrating the accomplishments of poidh v2 and taking some time off for the holidays.

We appreciate the entire community's response to this incident; everyone has been amazingly understanding and supportive. That support will always be remembered.