Thala Labs, a decentralized finance (DeFi) platform on the Aptos blockchain, has successfully recovered $25.5 million worth of liquidity pool tokens stolen during a farming contract exploit. The breach, caused by a vulnerability in Thala’s v1 farming contracts, was swiftly addressed with the help of law enforcement and blockchain investigators.
How the Exploit Happened
On November 15, Thala experienced a security breach that exploited a flaw in its v1 farming contracts, allowing the attacker to withdraw liquidity tokens. In response, Thala paused all related contracts, froze $11.5 million in assets, and immediately worked to identify the hacker.
Through collaboration with law enforcement and crypto sleuths, including Seal 911 and Ogle, the exploiter was identified within hours. The hacker returned the stolen funds six hours later after being offered a $300,000 bounty.
Impact on Users and Recovery Efforts
Thala assured users that their positions would be fully restored without requiring any additional action. While access to Thala’s front end has been restored, farming remains paused pending a comprehensive codebase review and re-audit.
Thala CEO Adam Cader highlighted the attack’s connection to the platform’s integration with Move, a blockchain ecosystem developed by Movement Labs. He noted that while occasional security issues are inevitable, the team aims to minimize such vulnerabilities as the ecosystem matures.
The Fallout
The incident caused a sharp decline in Thala’s native token, THL, whose price fell approximately 35% to $0.51, according to CoinGecko. Around $2.5 million in THL tokens and $9 million in Thala’s stablecoin, Move Dollar (MOD), were affected.
Additionally, the platform’s total value locked (TVL) dropped significantly, falling from $240 million on November 15 to $195.6 million as of November 18, per DefiLlama data.
Broader Context of Crypto Exploits
The Thala incident is one of many hacks that have plagued the crypto space recently. In October alone, nearly $130 million was stolen, primarily from exploits, according to blockchain security firm CertiK.
The largest attack during that period involved Radiant Capital, which lost $54 million. Across Q3 2024, hackers stole approximately $460 million in 28 separate incidents, according to cybersecurity firm Hacken.