Legacy Polygon Royalties Contract Exploit Drains $261K Through Reward Logic Flaw

TheNewsCrypto. Published 2026-06-24. Last updated 2026-06-24.

Introduction

A hacker exploited a legacy Polygon royalties contract, stealing approximately $261,200 in cryptocurrency. Security firm TenArmorAlert identified the attack on June 23. The exploit was made possible by a flaw in the contract's reward calculation logic within the Royal1155LD.beforeLdaTransfer() function. By executing several zero-value transactions, the attacker manipulated reward accounting and token ownership data, artificially inflating balances to enable excessive withdrawals. The attacker also used a flash loan to scale the attack, keeping the remainder as profit after repaying the loan. The incident highlights the ongoing risk posed by older, inactive smart contracts that still hold funds, and follows similar recent exploits. Developers are urged to audit, update, or decommission such legacy deployments to prevent future attacks. The Polygon blockchain's core infrastructure was not compromised.

A hacker exploited a legacy royalties contract on Polygon and made off with roughly $261,200 worth of cryptocurrency. The security firm TenArmorAlert flagged the unusual activity on June 23 and traced it to the exploit transaction.

On-chain data shows that the exploit transaction was included in Polygon block 89,018,051. According to TenArmorAlert, the attacker withdrew roughly $263,800 despite starting with relatively little capital. The attack targeted the legacy royalties program, not the fundamental structure of the Polygon blockchain.

Miscalculation in Reward Calculation Allowed for Overdraws

According to TenArmorAlert, the attack was possible because of flaws in the reward calculation mechanism and reward accounting. Security company CertiK traced the issue to the Royal1155LD.beforeLdaTransfer() function of the exploited contract.

Researchers state that the attacker submitted several zero-value transactions that manipulated the reward calculation and ownership figures. Under certain conditions, this allowed the attacker to inflate token balances.

Defimon Alerts also circulated analysis by DecurityHQ, whose experts concluded that royalty miscalculations led to the exploit: false ownership figures permitted excessive reward claims. In addition, the attacker used a flash loan to fund the attack. After repaying the borrowed amount, the attacker kept the remainder as profit.
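The article does not reproduce the Royal1155LD code, so the following is an added, constructed Python model (not the contract's actual logic, and not from TheNewsCrypto or any of the firms cited) of the class of flaw the researchers describe: a transfer hook that updates ownership-based reward accounting even when the transfer moves zero tokens. All names (RoyaltyVault, mint, deposit_royalty, distribute, the "alice"/"mallory" accounts, the 1,000-unit pool) are hypothetical. The weak variant records the recipient of any transfer as an owner and splits royalties equally across recorded owners; the hardened variant treats zero-value transfers as a no-op for accounting, derives ownership from post-transfer balances, and pays pro rata by balance. The flash-loan leg of the real attack is not modelled.

```python
"""Constructed model of reward accounting driven by a transfer hook.

Not the Royal1155LD contract's code. It illustrates the described flaw class:
ownership/reward bookkeeping that a zero-value transfer can still mutate.
Every name here is hypothetical.
"""
from collections import defaultdict


class RoyaltyVault:
    """Minimal ERC-1155-style vault that splits deposited royalties among the
    recorded owners of a token id. hardened=False shows the weak pattern;
    hardened=True applies the checks a reviewer would expect."""

    def __init__(self, hardened: bool = False):
        self.hardened = hardened
        self.balances = defaultdict(lambda: defaultdict(int))  # token_id -> account -> units
        self.owners = defaultdict(set)                         # token_id -> recorded owners
        self.pool = defaultdict(int)                           # token_id -> undistributed royalty

    def mint(self, token_id, to, amount):
        self.balances[token_id][to] += amount
        self.owners[token_id].add(to)

    def deposit_royalty(self, token_id, amount):
        self.pool[token_id] += amount

    def _before_transfer(self, token_id, frm, to, amount):
        if not self.hardened:
            # Weak pattern: `to` becomes a recorded owner unconditionally, so a
            # zero-value transfer registers an address that holds nothing.
            self.owners[token_id].add(to)
            return
        # Hardened: a zero-value transfer must not touch reward accounting at
        # all; ownership is recomputed from balances in _after_transfer.
        if amount == 0:
            return

    def _after_transfer(self, token_id, frm, to):
        if self.hardened:
            # Derive ownership from the post-transfer balance, never from the
            # mere fact that a transfer call happened.
            for acct in (frm, to):
                if self.balances[token_id][acct] > 0:
                    self.owners[token_id].add(acct)
                else:
                    self.owners[token_id].discard(acct)

    def transfer(self, token_id, frm, to, amount):
        if amount < 0 or self.balances[token_id][frm] < amount:
            raise ValueError("insufficient balance")
        self._before_transfer(token_id, frm, to, amount)
        self.balances[token_id][frm] -= amount
        self.balances[token_id][to] += amount
        self._after_transfer(token_id, frm, to)

    def distribute(self, token_id):
        """Pay out the pool for token_id and return {account: amount}."""
        pool, payout = self.pool[token_id], {}
        if self.hardened:
            # Pro rata by actual balance: an account holding zero earns zero.
            holders = {a: b for a, b in self.balances[token_id].items() if b > 0}
            supply = sum(holders.values())
            for acct, bal in holders.items():
                payout[acct] = pool * bal // supply
        else:
            # Weak: equal split across the recorded owner set, whatever it holds.
            owners = sorted(self.owners[token_id])
            for acct in owners:
                payout[acct] = pool // len(owners)
        self.pool[token_id] = 0
        return payout


def run_scenario(hardened: bool):
    """Constructed scenario: alice is the only real holder of token 1; mallory
    holds nothing and sends zero-value transfers to three addresses she
    controls. Returns (payout table, total paid to mallory's addresses)."""
    v = RoyaltyVault(hardened=hardened)
    v.mint(token_id=1, to="alice", amount=100)
    v.deposit_royalty(token_id=1, amount=1_000)
    for sybil in ("mallory", "mallory_2", "mallory_3"):
        v.transfer(token_id=1, frm="mallory", to=sybil, amount=0)
    payout = v.distribute(token_id=1)
    stolen = sum(amt for acct, amt in payout.items() if acct.startswith("mallory"))
    return payout, stolen


if __name__ == "__main__":
    print("weak    :", run_scenario(hardened=False))   # mallory's addresses take 750 of 1000
    print("hardened:", run_scenario(hardened=True))    # alice receives all 1000
```

The point of the comparison is that the fix is not a single `require(amount > 0)`: the weak vault fails because ownership is inferred from the act of transferring rather than from what an account holds, and because payout is keyed on a count the attacker can grow for free. The hardened vault closes both gaps independently, so even if zero-value transfers are later allowed to update state, a zero-balance address still earns nothing.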

Still Vulnerable to Security Threats

The attack follows other similar incidents involving older versions of decentralized finance projects and dormant smart contract deployments. Attackers recently exploited old Huma Finance contracts and stole roughly $101,400.

Researchers have cautioned developers about the danger of leaving old smart contract versions deployed with funds still in them. Teams should audit, update, deactivate, or completely remove such old deployments to mitigate the risk of attack. Polygon developers have confirmed that the attackers did not threaten the security of the main blockchain network.


Tags: Blockchain, Cryptocurrency, Hack, Hack Attack, Polygon, Polygon Network, Rewards

Related questions

Q: What was the primary vulnerability that allowed the hacker to drain funds from the legacy Polygon royalties contract?

A: The primary vulnerability was a flaw in the reward calculation mechanism and reward accounting within the contract. Specifically, a miscalculation in the `Royal1155LD.beforeLdaTransfer()` function allowed the attacker to manipulate reward calculations and ownership figures, enabling them to inflate token balances and withdraw excessive funds.

Q: How much cryptocurrency did the hacker manage to steal in the exploit, according to the article?

A: The hacker stole approximately $261,200 worth of cryptocurrency. A specific transaction tracked by TenArmorAlert shows the hacker withdrew roughly $263,800 from the contract.

Q: What technique did the attacker use to exploit the contract, aside from manipulating the reward logic?

A: In addition to manipulating the reward logic, the attacker used a flash loan to fund the attack. They borrowed funds to execute the exploit and, after repaying the loan, kept the remaining amount as profit.

Q: According to the article, what action should developers take to mitigate the risk of similar attacks on older smart contracts?

A: Developers should audit, update, deactivate, or completely remove old smart contract deployments that still hold funds. This is necessary to mitigate the danger of attacks targeting legacy code with known or newly discovered vulnerabilities.

Q: Did the exploit compromise the core security of the Polygon blockchain itself?

A: No, the exploit did not compromise the core security of the Polygon blockchain. The attack targeted a specific legacy royalties contract, not the fundamental structure of the Polygon network. Polygon developers confirmed that the main blockchain network's security was not threatened.
