ATM Hack 2026 — $10M Exploit Analysis

Proxy delegatecall vulnerability allowed attacker to upgrade staking contract and drain $10M

Details

Full Description

On June 5, 2026, ATM protocol was exploited for $10 million through a delegatecall proxy vulnerability. The protocol used an upgradeable proxy pattern for its staking contract. The attacker discovered that the implementation contract had an access control flaw that allowed them to gain admin privileges through a carefully crafted delegatecall. With admin access, the attacker upgraded the contract logic to remove withdrawal limits and drain all staked funds. The exploit was executed in a single transaction, leaving no time for intervention.

Laundering Analysis

All stolen ETH and governance tokens were swapped for ETH within minutes. The attacker deposited into Tornado Cash using multiple addresses to avoid detection limits. The use of a single transaction for the exploit and rapid laundering suggested pre-planned infrastructure. No funds have been recovered.

Sources

Related Hacks

Back to Browse