Key Highlights
- FOOMCASH lost ~$2.26M in a copycat zkSNARK exploit, highlighting risks in privacy-focused smart contracts.
- Attackers reused proofs due to a Groth16 verifier mistake, while whitehats recovered part of Ethereum losses.
- Even small cryptography setup errors can cost millions, urging platforms to double-check zkSNARK configurations.
A high-alert incident hit the privacy-focused game project FOOMCASH on the Ethereum and Base networks, resulting in an estimated $2.26 million loss. Blockchain security firm BlockSec identified the attack as a copycat exploit mirroring the earlier Veil Cash breach.
In an X post, BlockSec Phalcon said the exploit targeted misconfigured zkSNARK verification keys, allowing attackers to forge proofs and repeatedly drain funds. Notably, Ethereum saw a partial whitehat intervention, mitigating some losses.
BlockSec stated, “The incident appears to be an imitation attack exploiting the same root cause previously identified in the Veil Cash exploit (@Veildotcash), where attackers forged zkSNARK proofs due to misconfigured verification keys.”
Beyond the financial hit, this exploit highlights ongoing weaknesses in privacy-focused smart contracts.
How the attack worked
The Veil Cash attack took advantage of a setup mistake in the Groth16 verifier, where two points in the verification key, gamma and delta, were accidentally made the same. Normally, the verifier ties each proof to specific inputs, stopping hackers from reusing it. But with gamma equal to delta, attackers could adjust the proof for any input they wanted. This let them repeatedly withdraw FOOM tokens using the same original proof.
CertiK confirmed this in an alert: “The root cause may be the delta2==gamma2 setting of the Groth16 verifier at 0xc0..71A6. This enables the exploiter to compute ‘pC’ needed for different ‘nullifierHash’ while all other inputs are the same.” On-chain traces show the attacker adjusted C on the fly via elliptic curve computations, bypassing zkSNARK constraints entirely.
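A pre-deployment check for the misconfiguration described above, as an added example that is not code from FOOMCASH, Veil Cash, BlockSec or CertiK. It assumes the key is available either as a snarkjs-style verification key JSON (fields `vk_gamma_2`, `vk_delta_2`) or as verifier source with constants named `gammax1` ... `deltay2`, the layout snarkjs generates; the page does not say which tooling the project used, and the sample values are constructed placeholders.

```python
import json
import re

def g2_from_vkey(point):
    """snarkjs-style G2 point [[x],[y],[z]] (decimal strings) -> tuple of ints."""
    (xa, xb), (ya, yb), (za, zb) = ([int(v) for v in pair] for pair in point)
    if (za, zb) != (1, 0):
        raise ValueError("expected an affine point with z = (1, 0)")
    return (xa, xb, ya, yb)

def g2_from_solidity(source, name):
    """Read the four uint256 constants <name>x1, x2, y1, y2 from verifier source."""
    coords = []
    for suffix in ("x1", "x2", "y1", "y2"):
        m = re.search(rf"\b{name}{suffix}\s*=\s*(\d+)\s*;", source)
        if m is None:
            raise ValueError(f"constant {name}{suffix} not found")
        coords.append(int(m.group(1)))
    return tuple(coords)

def findings(gamma, delta):
    """Return a list of problems; empty means this check passed."""
    if gamma == delta:
        return ["gamma2 == delta2: a proof is no longer tied to its public inputs"]
    return []

def audit_vkey_json(text):
    vk = json.loads(text)
    if vk.get("protocol") != "groth16":
        raise ValueError("not a Groth16 verification key")
    return findings(g2_from_vkey(vk["vk_gamma_2"]), g2_from_vkey(vk["vk_delta_2"]))

def audit_solidity(source):
    return findings(g2_from_solidity(source, "gamma"), g2_from_solidity(source, "delta"))

# Constructed samples: small placeholder integers, not real curve points.
BAD_VKEY = json.dumps({"protocol": "groth16",
    "vk_gamma_2": [["11", "12"], ["13", "14"], ["1", "0"]],
    "vk_delta_2": [["11", "12"], ["13", "14"], ["1", "0"]]})
GOOD_VKEY = json.dumps({"protocol": "groth16",
    "vk_gamma_2": [["11", "12"], ["13", "14"], ["1", "0"]],
    "vk_delta_2": [["21", "22"], ["23", "24"], ["1", "0"]]})
BAD_SOL = """
uint256 constant gammax1 = 12; uint256 constant gammax2 = 11;
uint256 constant gammay1 = 14; uint256 constant gammay2 = 13;
uint256 constant deltax1 = 12; uint256 constant deltax2 = 11;
uint256 constant deltay1 = 14; uint256 constant deltay2 = 13;
"""
```

Running a check like this in CI against the exported key and the generated verifier, and failing the build on any finding, catches the error before the contract holds funds.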
Whitehat recovery efforts
Some of the Ethereum losses were recovered by whitehat hackers. Apex777.eth reported, “A whitehat (@DefimonAlerts) has recovered about 2 ETH. The current pools have not been affected by this.”
While losses on the Base network are still significant, these actions show that a growing community of ethical hackers is actively watching DeFi platforms. Even a small mistake in cryptography can cost millions, so FOOMCASH and similar platforms need to carefully double-check their zkSNARK setups.
