Shiba Inu’s core team has issued a sweeping post-mortem update on the Shibarium bridge breach, detailing a multi-step attack that combined a flash-loan powered governance capture with compromised validator keys—followed by emergency protocol changes and a split bounty offer aimed at recovering user funds.
Shiba Inu Devs Speak Out On Shibarium Bridge Exploit
In an X post published on September 17, 2025, the official Shiba Inu account said the exploiter “executed a flash loan swap to acquire 4.6M BONE from ShibaSwap” and delegated them to “Ryoshi Validator 1,” which pushed their voting power “> 2/3 majority” across Shibarium validators. Using “compromised internal validators” to co-sign a malicious state, the attacker then drained assets from the L2’s canonical bridge. The team now pegs direct losses at $4.1 million.
The disclosure adds granular color on what left the bridge exposed and how responders moved. The Shiba Inu team says the “leading possibility for the root cause” was a compromise of internal validator keys—“either from the developer machine or the server’s KMS”—not a CCIP predicate path that “was unrelated.”
The team further says it suspended bridge operations, began forensic analysis, and initiated a hardening campaign: revoking root chain manager access on the PoS bridge, lengthening the half-exit time on the Plasma path, and removing a predicate burn-only entry from the Plasma registry to prevent withdrawals. “We have suspended bridge operations… there is a significant loss of user funds on Shibarium,” the update states.
According to the team’s accounting, 17 tokens were taken from the bridge, including roughly $1.0M in ETH, $1.3M in SHIB, $717K in KNINE, $680K in LEASH, and $260K in ROAR, alongside smaller balances of TREAT, USDC, USDT, BAD, SHIFU, FUND, DAI, LTD, xFUND, WBTC and OSCAR. The exploiter has so far sold only USDT and USDC into ETH; they attempted seven times to sell KNINE before the K9 Finance DAO blacklisted the attacker’s wallet. The rest of the assets remain under the attacker’s control and “at risk,” the team warned.
SHIB Team Ups Bounty To 50 ETH
The remediation push now includes two distinct bounty tracks. First, the bounty chronology began with K9 Finance DAO—the Shibarium-aligned liquid-staking project—publishing an on-chain 5 ETH offer to the attacker for the return of KNINE, structured to decay after seven days and expire after 30 days.
K9’s accompanying X posts stressed the “accept()” finality and “code-is-law” terms embedded in the escrow contract. The exploiter then replied publicly: “I can’t accept 5 ETH. The bounty I can accept is 50 ETH and I will not return KNINE for less.”
After that refusal did the Shiba Inu team transmit a separate, on-chain 50 ETH bounty message via its Deployer 2 address covering the non-KNINE assets, conditioned on full restitution and a whitehat disclosure, with a promise of a legal-action waiver upon verified return.
The Shiba Inu team’s on-chain message reads in part: “Offer: 50 ETH bounty via a new bounty smart contract escrow,” adding that the attacker must return WETH, SHIB, LEASH, ROAR, TREAT, USDC, USDT, BAD, SHIFU, FUND, DAI, LTD, xFUND, WBTC, and OSCAR, and submit a full technical disclosure; “upon complete restitution and accepted disclosure, we will issue a waiver of legal action (subject to applicable law).” Transaction records show the message was sent from shiba-swap.eth (Deployer 2) to the address labeled ShibaSwap Exploiter on September 17.
For now, bridge operations remain disabled, and users are cautioned that assets listed as “under attacker control” remain exposed until recovery or further containment.
At press time, SHIB traded at $0.00001346.
Related Posts
