LNDFi - Rekt



In DeFi, a single admin key can make you king - or a thief.

$1.18 million vanished into digital mist on May 9th, when LNDFi's Pool Admin role fell into the wrong hands - turning a modified Aave fork into a personal withdrawal service.

A carefully orchestrated contract modification, deployed 41 days before the heist, transformed pool management functions into an express lane for outbound funds.

The exploit didn’t rely on obscure math or oracle manipulation - just one extra condition in a core access check, giving any “Pool Admin” the ability to drain user funds.

Was it nation-state infiltration or plain old negligence?

ZachXBT points to DPRK, but the blockchain tells a simpler story - admin keys leaked, contracts modified, funds drained.

In the end, does it matter who squeezed the trigger if the gun was left loaded and unattended?

Credit: LNDFi, ZachXBT, Tiancheng Mai

When the Sonic blockchain lit up with suspicious activity on May 9th, protocol watchers quickly raised the alarm.

LNDFi's team posted their first security alert: "We have detected a security issue on our platform. Please do NOT deposit into the platform it has been compromised. We are in talks with security teams to look into it further."

The next day, they followed up: "We are temporarily shutting down the website as people are still depositing."

Within hours, security researchers were dissecting the attack.

Tiancheng Mai published an unofficial post mortem detailing the technical exploitation, while the team scrambled to contain the damage.

When the on-chain smoke dissipated, it revealed $1.18 million funneled out through a hidden admin backdoor deployed just 41 days prior.

But was it an oversight, or a meticulously staged heist waiting for its cue?

From Role Grant to Runaway: Anatomy of an Admin Heist

The unofficial post-mortem pulls back the curtain on a vulnerability so precise it feels less like an accident and more like a heist rehearsed in slow motion.

Tiancheng Mai shows that, on March 29th, the deployer didn’t merely spin up an Aave fork - he injected a backdoor straight into the heart of the protocol.

Add Pool Admin: 0xd03b7d80cf7fcd4d14076ca53d42bcfac0115674699adecb99dd3a769d5ea41a

By adding || aclManager.isPoolAdmin(msg.sender) to the onlyPool modifier (view on Sonicscan), the team effectively gave any Pool Admin the power to call transferUnderlyingTo, a function that in genuine Aave deployments is strictly reserved for the protocol's pool logic.

In other words, what should have been an immutable safety check became an admin-run exit hatch.

The official post-mortem from LNDFi barely mentions this insertion, attributing the drain to “compromised keys” stolen by an outside developer, whereas the unofficial forensic account lays bare the exact lines of code and contract addresses where the privilege expansion occurred.

The unofficial post mortem walks us through a nearly month-and-a-half staging period.

In the space of 45 seconds on the evening of March 29, 2025, the deployer picked up the Pool Admin role, deployed two modified token contracts, and walked away - leaving a ticking clock buried in the blockchain.

AToken Modified Token Contract: 0xAA8cc9afE14f3A2B200CA25382e7C87CD883a527

VariableDebtToken Modified Token Contract: 0x0b1A51C5cbFfc636d79A072b8AA5a763CeC42eF2

Where Aave V3's onlyPool modifier guards its protocol with a single line - require(_msgSender() == address(POOL)) - LNDFi quietly rewrote the rulebook.

Their version added one tiny clause: `|| aclManager.isPoolAdmin(msg.sender)`.

A five-word addition. A total permission collapse.

That change turned a security checkpoint into a red carpet for insiders.

Suddenly, anyone with the Pool Admin role could invoke transferUnderlyingTo - a function meant to move assets only within the protocol’s internal plumbing.

On LNDFi, that plumbing was wide open.
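To make the difference concrete, here is an added illustration (not LNDFi's or Aave's code) of a stripped-down aToken with the genuine Aave-style `onlyPool` guard next to the widened variant described above. The contract names, the `ACL` constructor parameter and the `IERC20`/`IACLManager` stand-in interfaces are assumptions for the example; in Aave V3 the ACL manager is resolved through the addresses provider rather than passed directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-ins (assumed for this example) for the two external
// contracts the guard consults.
interface IACLManager {
    function isPoolAdmin(address account) external view returns (bool);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Genuine guard: only the Pool contract may move underlying out of the
// aToken. Any externally owned account, admin or not, is rejected, so
// funds can leave only through the Pool's own withdraw/borrow accounting.
contract AToken {
    address public immutable POOL;
    IERC20 public immutable UNDERLYING;

    constructor(address pool, IERC20 underlying) {
        POOL = pool;
        UNDERLYING = underlying;
    }

    modifier onlyPool() {
        require(msg.sender == POOL, "CALLER_MUST_BE_POOL");
        _;
    }

    function transferUnderlyingTo(address target, uint256 amount) external onlyPool {
        require(UNDERLYING.transfer(target, amount), "TRANSFER_FAILED");
    }
}

// Widened guard: the single extra `||` clause means a Pool Admin key can
// call transferUnderlyingTo directly, with no Pool accounting involved.
// Whoever holds (or steals) that key can empty the reserve in one call.
contract ATokenWidened {
    address public immutable POOL;
    IACLManager public immutable ACL; // assumed: injected for the example
    IERC20 public immutable UNDERLYING;

    constructor(address pool, IACLManager acl, IERC20 underlying) {
        POOL = pool;
        ACL = acl;
        UNDERLYING = underlying;
    }

    modifier onlyPool() {
        require(
            msg.sender == POOL || ACL.isPoolAdmin(msg.sender),
            "CALLER_MUST_BE_POOL"
        );
        _;
    }

    function transferUnderlyingTo(address target, uint256 amount) external onlyPool {
        require(UNDERLYING.transfer(target, amount), "TRANSFER_FAILED");
    }
}
```

When reviewing an Aave fork, diff every `onlyPool`, `onlyPoolAdmin` and `onlyPoolConfigurator` modifier against the upstream source it claims to match; a widened guard like the one above emits no event and changes no storage, so it is only visible by comparing verified source or bytecode, and only matters once an admin key is in the wrong hands.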

The key wallets in this heist: the deployer who created the backdoor and the wallet that received the stolen funds.

Deployer Wallet:
0xc0454e29835479ee80d6f42965a16dcee9bfd868

Funds directed to:
0x5149A7696188F083297281D10293a20476252CDD

Only 41 days later, at 2:29 AM UTC on May 9th, those dormant modifications were awakened: repeated calls to transferUnderlyingTo began emptying every pool through a series of transactions.

First drain ($476k USDC): 0xd52f317b548bd0f67d32d35404d046e4e60f5af23dac8a502495a8714780bffe

Second drain (153.7 ETH - $389k): 0x0e192c6a1d4cad8feac85b2c5bdc5242a4ae336a5dd24ab2378d88f758e62dfa

Third drain (373,594 Wrapped Sonic - $202k): 0xf1b399290f027b46b517036cc65700fa61e123ff23af27dc7d009e3a72bb5034

Fourth drain (189k Beets Staked Sonic - $105k): 0xf9c1afaf46425c922deac9ce677a4352adf305952cde79bda73c3cb1c7c73fb0

Fifth drain (4.51 Rings scETH - $11.5k): 0xbf7e41329a2752a3d74a53762d94c6ab4f51da7a990b0363288af4afc17b098a

Approximate amount stolen: $1,183,500

Within ten minutes, the funds were on the move through bridges to Ethereum and BSC, and not until 9:19 AM were the Admin rights finally revoked - long after the service had been turned into a withdrawal machine.

Admin Rights Revoked:
0x74fadb3d2bdbcc215485537b69c8f25c2562981eee37c7014931941bdb39b913

According to LNDFi, most stolen funds were later bridged to the following wallets…

Wallets on Ethereum:
0x5a94a3a114cf01f6a703dd8b840cf0a97cdf1434
0x2446f9528fbf55ccf5b3e7a22fc058bda7a12131

Wallets on BSC:
0x4b82e3485d33544561cd9a48410a605aa8892fb1
0x8148c4243f8cb49fe80d9e23df0bafc1c6732f3e
0x82be4fe84c2790023906c1648e0836ada67714d9

The official narrative glosses over the pre-drain deployments and never explains why the Admin role was granted or revoked multiple times.

The unofficial post mortem, by contrast, reads like a blueprint for a planned extraction, exposing the gap between what was publicly acknowledged and what appears to have played out on-chain.

Did the exploit begin with code... or with trust in the wrong hands?

The Blame Game

Two days after the drain, LNDFi’s team published their previously mentioned official post-mortem.

Their explanation? North Korean hackers.

The team pinned the exploit on an unwitting hire with state-sponsored ties.

“The incident was traced to a developer unknowingly hired by the team who turned out to be an undercover DPRK IT worker. This individual/team unlawfully accessed the project's administrative keys and executed a series of unauthorized transactions.”

ZachXBT confirmed the DPRK angle: “I helped initially attribute the incident to DPRK IT workers and flagged theft addresses.”

Though he clarified separately: “I am not formally engaged nor creating an investigative report for them.”

Technically, the timeline holds up. The contracts were modified. The access controls were compromised.

But the story still leaves questions in its wake.

Why were backdoored contracts deployed in March - and left untouched until May?

Why wasn’t a multisig used to protect admin permissions?

Why does the post-mortem gloss over the 41-day waiting period?

The blockchain leaves little room for interpretation: someone with admin access deployed compromised contracts, waited over a month, and drained the protocol in one clean sweep.

The DPRK angle may hold up - but LNDFi's own security practices, and its possible lack of transparency, still leave the community with uncomfortable questions.

Blaming a ghost is easy. Explaining how it got inside is harder.

If it was all an accident, why did it play out like a script?

Another day in the DeFi minefield - one false step, and $1.18 million vanishes.

LNDFi lost it because someone handed out admin privileges to the wrong person.

The blockchain's immutable ledger leaves nowhere to hide: backdoor deployed March 29, protocol drained May 9. Forty-one days of silence between crime and punishment.

No multisig. No guardrails. Just trust in all the wrong places.

Strip away the North Korean hacker narrative, and you're left with a tale older than crypto itself - someone with the keys robbed the vault.

Call it a hack. Call it sabotage. Call it negligence. Call it what you want.

The outcome is the same: concentrated power will always attract exploitation - whether by hostile outsiders or those already inside the walls.

In an ecosystem built to eliminate trusted third parties, why are we still trusting protocols that can't keep their admin keys out of the wrong hands?
