BlackHart (@BlackHartInc)

Exploit Alert 🚨 Fluid (@0xfluid) was drained of about $215K on Ethereum. Not a contract bug. Fluid pays out rewards from a Merkle list that one key proposes and a second key approves. An attacker held both of those operational keys, pushed a reward list that paid only themselves, approved it, and claimed with an empty proof. The two-person control meant nothing once one person held both keys. Taken from three reward distributors: 112,883 $FLUID, 47,903 $GHO, and a little $cbBTC. The tokens were swapped to ether and routed into Tornado Cash. Fluid's lending markets, vaults, DEX, and user deposits were never touched. The team removed the compromised keys and swept the remaining reward funds to safety within about ten hours. Public comms said only that claiming is paused for updates, with no mention of a key compromise or a loss. Full forensics: