Fluid, the DeFi lending and borrowing protocol formerly known as Instadapp, has suffered a security breach involving a key compromise of its off-chain Merkle rewards distribution infrastructure.
The exploit drained approximately 125,000 FLUID tokens and 51,900 GHO from multiple Merkle distributor contracts, with the attacker subsequently swapping the stolen assets and funneling ETH into Tornado Cash.
The breach was first surfaced publicly by on-chain researcher YAM (@yieldsandmore), who noted that the exploit actually occurred on May 27, days before Fluid acknowledged it. According to YAM, a lender withdrew $77 million in USDC starting on May 28, and the Fluid team posted about high USDC deposit rates that same day, raising questions about the timeline between internal awareness and public disclosure.
“The exploit was on May 27th. This exploit was surfaced earlier today (May 31st) and only after that was it disclosed. Why was it only disclosed now?” YAM wrote in a reply to Fluid’s official statement.
How the exploit unfolded
The attacker, operating from wallet 0x4925120CbE5A78Bf08F26f6E8cdF820f4c1D3dfB, claimed rewards from multiple Fluid Merkle distributor contracts using empty-proof Merkle claims. Under standard Merkle verification, a claim submitted with an empty proof array only validates if the active root is itself the hash of the claimant's leaf, so the attacker did not forge a proof against a legitimate tree; the attacker controlled the root. The timeline on Ethereum was remarkably tight: a proposer submitted a Merkle root, an approver approved it, and the exploiter claimed FLUID tokens roughly 24 seconds after the proposal went through. The GHO claim followed minutes later.
After claiming both the FLUID and GHO tokens, the wallet swapped the stolen assets, bridged some proceeds from Base and Arbitrum, and later deposited ETH into the Tornado Cash router contract. Tornado Cash is a well-known privacy mixer frequently used to launder stolen crypto funds.
Several hours after the exploit, an admin-style batched transaction removed the old proposer and approver roles across multiple Fluid rewards contracts, confirming that compromised keys were being rotated out.
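To make the mechanics concrete, here is an added model of a Merkle rewards distributor with separate proposer and approver roles. It is illustrative code written for this article, not Fluid's contract, and the role names, the cumulative-claim accounting and the optional propose-to-approve delay are assumptions. It shows a legitimate multi-leaf round, then shows that an attacker holding both the proposer and approver keys can publish a one-leaf root and drain the balance with an empty proof, and finally shows that a minimum delay between proposal and approval blocks a 24-second approve-and-claim sequence (buying a monitoring window, not fixing the key compromise itself).

```python
import hashlib

# Leaf and node hashing. sha256 stands in for keccak256; sorted-pair hashing
# mirrors the common OpenZeppelin MerkleProof convention.
def leaf(account: str, amount: int) -> bytes:
    return hashlib.sha256(f"{account.lower()}:{amount}".encode()).digest()

def hash_pair(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted((a, b))
    return hashlib.sha256(lo + hi).digest()

def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate last node on odd levels
        level = [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_proof(leaves: list, index: int) -> list:
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        proof.append(level[index ^ 1])       # sibling at this level
        level = [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof

def verify(proof: list, root: bytes, leaf_hash: bytes) -> bool:
    # With an empty proof this reduces to leaf_hash == root: the only way an
    # empty-proof claim passes is if the root IS the claimant's leaf.
    h = leaf_hash
    for sibling in proof:
        h = hash_pair(h, sibling)
    return h == root

class MerkleDistributor:
    """Hypothetical two-key distributor: proposer posts a root, approver activates it."""
    def __init__(self, proposer, approver, balance, min_delay=0):
        self.proposer, self.approver = proposer, approver
        self.balance, self.min_delay = balance, min_delay
        self.pending = None                  # (root, proposed_at)
        self.root = None
        self.claimed = {}                    # account -> cumulative amount paid

    def propose(self, sender, root, now):
        if sender != self.proposer:
            raise PermissionError("not proposer")
        self.pending = (root, now)

    def approve(self, sender, root, now):
        if sender != self.approver:
            raise PermissionError("not approver")
        if self.pending is None or self.pending[0] != root:
            raise ValueError("root not pending")
        if now - self.pending[1] < self.min_delay:
            raise ValueError("propose-to-approve delay not elapsed")
        self.root, self.pending = root, None

    def claim(self, account, cumulative_amount, proof):
        if not verify(proof, self.root, leaf(account, cumulative_amount)):
            raise ValueError("bad proof")
        payout = cumulative_amount - self.claimed.get(account, 0)
        if payout <= 0 or payout > self.balance:
            raise ValueError("nothing to pay")
        self.claimed[account] = cumulative_amount
        self.balance -= payout
        return payout

# Hypothetical key holders and a constructed reward set for the illustration.
PROPOSER, APPROVER, ATTACKER = "0xProposerKey", "0xApproverKey", "0xAttacker"

def legitimate_round() -> int:
    users = [("0xAlice", 1_000), ("0xBob", 2_500), ("0xCarol", 400)]
    leaves = [leaf(a, n) for a, n in users]
    d = MerkleDistributor(PROPOSER, APPROVER, balance=10_000)
    d.propose(PROPOSER, merkle_root(leaves), now=0)
    d.approve(APPROVER, merkle_root(leaves), now=1)
    return d.claim("0xBob", 2_500, merkle_proof(leaves, 1))   # 2500

def key_compromise_attack(min_delay=0, approve_after=24) -> int:
    # Attacker holds BOTH keys: propose a one-leaf tree naming itself for the
    # whole balance, approve it seconds later, claim with proof=[].
    d = MerkleDistributor(PROPOSER, APPROVER, balance=10_000, min_delay=min_delay)
    bogus_root = leaf(ATTACKER, 10_000)
    d.propose(PROPOSER, bogus_root, now=0)
    try:
        d.approve(APPROVER, bogus_root, now=approve_after)
    except ValueError:
        return 0                              # delay blocked the fast approve
    return d.claim(ATTACKER, 10_000, proof=[])

if __name__ == "__main__":
    print("legit payout:", legitimate_round())
    print("attack, no delay:", key_compromise_attack())
    print("attack, 1-day delay:", key_compromise_attack(min_delay=86_400))
```

The delay does not stop an attacker who still holds both keys a day later; what it does is turn a 24-second propose-approve-claim window into one long enough for an off-chain monitor to recompute the expected root, compare it with the pending one, and revoke the roles before approval, which is the control the batched role-removal transaction described above applied only after the fact.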
Fluid’s response: No mention of key compromise
Fluid acknowledged the incident in a post on X on May 31, 2026, stating that the team “identified and contained a compromise affecting our off-chain merkle rewards distribution infrastructure.” The protocol emphasized three points: the core protocol remains fully secure, all smart contracts are safe and unaffected, and user funds are not at risk.
“The impacted contract is not part of the core protocol infrastructure and was used solely for rewards distribution with minimal funds in its balance,” the team wrote, adding that a detailed post-mortem would follow.
Notably absent from Fluid’s statement was any mention of a key compromise or the specific amount of funds lost. The team told users that Merkle reward claiming would be temporarily paused for a few days, potentially up to a week, while updates are made. Rewards will continue accumulating retroactively, and claiming will resume once updates are complete, according to the protocol.
Delayed disclosure draws community criticism
The gap between when the exploit occurred (May 27) and when it was publicly disclosed (May 31) has drawn pointed criticism from community members. YAM’s thread highlighted that the exploit was only acknowledged after independent on-chain analysis brought it to light, not through a proactive disclosure from the Fluid team.
The fact that a $77 million USDC withdrawal began on May 28, one day after the exploit, and that Fluid simultaneously promoted high USDC deposit rates has fueled suspicion that certain parties may have had advance knowledge of the situation before retail users were informed.
A pattern in DeFi security failures
The Fluid exploit adds to what has already been a brutal 2026 for DeFi security. According to industry data, crypto exploits and hacks have exceeded $770 million in total losses this year, with April alone recording over $635 million across 28 separate incidents. High-profile breaches at Drift Protocol ($285 million), Kelp DAO ($292 million), and THORChain ($10.8 million) have dominated headlines.
While the Fluid breach is smaller in scale compared to these incidents, the nature of the exploit, a key compromise enabling fraudulent Merkle claims on off-chain reward infrastructure, highlights a recurring vulnerability across DeFi: the security of privileged keys and the operational trust layers that sit outside of smart contracts themselves.
Fluid had previously weathered the Resolv Protocol fallout in March 2026, when it repaid $70 million in bad debt from the Resolv exploit, a move that was widely praised for demonstrating financial resilience.
The Crypto Times will continue to monitor the situation closely for any further on-chain developments, post-mortem disclosures, or updates regarding the drained funds. This event serves as yet another reminder that off-chain infrastructure and key management remain critical weak points in DeFi, even when core smart contracts are technically sound.
