
Foom Cash Recovers $1.84M Lost in Recent Exploit




A white hat hacker has helped Foom Cash recover $1.84 million stolen in a recent exploit. The decentralized and anonymous lottery protocol was built with zero-knowledge proofs, and recently, it was attacked by an exploiter who stole $2.26 million from the platform.

The incident raised concerns about the risks associated with smart contract deployment and also the technical complexity behind many privacy-focused Web3 projects.
The platform officially announced on Monday that it was able to recover $1.84 million, which represents about 81% of all the funds stolen from the platform. The recovery was made possible through the quick action of a white hat hacker and a security firm that stepped in before more damage could be done.
According to Foom Cash, an ethical hacker who is known as Duha discovered the vulnerability and quickly secured the funds on the Base network before the malicious actors could take advantage of the flaw.

At the same time, crypto security platform Decurity handled the recovery process on Ethereum and helped the protocol retrieve a large portion of the assets.

Source: Foomclub (X)


The protocol rewarded Duha with a $320,000 bounty for identifying and securing the vulnerability. Decurity was also given a $100,000 security fee for its role in the recovery operation.
In a public response, Duha praised Foom Cash for respecting its bug bounty policy and honoring the agreed reward. The hacker said that by doing so, the team showed that it takes protocol security seriously and values the researchers who help protect decentralized blockchain systems.

Error Behind the $2.26 Million Foom Cash Exploit

According to the details shared, the exploit was traced back to a fatal deployment mistake that was made during the platform’s Phase 2 trusted setup process.

This process is typically part of the cryptographic system that supports zero-knowledge proofs, which in turn allow transactions to be verified without revealing any kind of sensitive information.
According to the team, a critical command-line interface (CLI) step was accidentally skipped during the deployment process. Because of this mistake, certain cryptographic parameters known as gamma (γ) and delta (δ) were not properly randomized and instead remained at their default values.

Source: Foomclub (X)

This technical error created an opening for the attacker to withdraw all the funds that should have been protected by the protocol’s privacy system. The incident shows how even small mistakes during deployment can lead to major financial losses in decentralized finance.
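A pre-deployment check for the mistake described above, as an added example that is not Foom Cash's code: it flags a verification key whose delta was left at a default, meaning equal to gamma or to the curve's G2 generator. It assumes a BN254 Groth16 verification key exported as JSON with `vk_gamma_2` and `vk_delta_2` fields in the nested-string layout snarkjs uses; the page names neither the curve nor the tool, and the sample keys are constructed.

```python
import json

# BN254 (alt_bn128) G2 generator, each coordinate ordered [c0, c1] as in the
# assumed JSON layout. The curve choice is an assumption of this example.
G2_GENERATOR = (
    (10857046999023057135944570762232829481370756359578518086990519993285655852781,
     11559732032986387107991004021392285783925812861821192530917403151452391805634),
    (8495653923123431417604973247489272438418190587263600148770280649306958101930,
     4082367875863433681332203403145435568316851327593401208105741076214120093531),
)

def g2_affine(point):
    """Normalise [[x0,x1],[y0,y1],[z0,z1]] (decimal/hex strings or ints) to int tuples."""
    coords = [tuple(int(str(c), 0) for c in pair) for pair in point]
    if len(coords) == 3 and coords[2] != (1, 0):
        raise ValueError("point is not in affine form (z != 1)")
    return tuple(coords[:2])

def check_verification_key(vk_json):
    """Return a list of findings; an empty list means delta does not sit at a default."""
    vk = json.loads(vk_json)
    missing = [k for k in ("vk_gamma_2", "vk_delta_2") if k not in vk]
    if missing:
        return ["missing field(s): " + ", ".join(missing)]
    gamma, delta = g2_affine(vk["vk_gamma_2"]), g2_affine(vk["vk_delta_2"])
    findings = []
    if delta == gamma:
        findings.append("vk_delta_2 equals vk_gamma_2")
    if delta == G2_GENERATOR:
        findings.append("vk_delta_2 is the G2 generator (default value)")
    return findings

def _pt(p):
    """Render an int-tuple point in the assumed JSON layout."""
    return [[str(c) for c in p[0]], [str(c) for c in p[1]], ["1", "0"]]

# Constructed sample keys containing only the two fields this check reads.
UNRANDOMISED_VK = json.dumps({"vk_gamma_2": _pt(G2_GENERATOR),
                              "vk_delta_2": _pt(G2_GENERATOR)})
# Placeholder coordinates standing in for a contributed delta; not a real curve point.
CONTRIBUTED_VK = json.dumps({"vk_gamma_2": _pt(G2_GENERATOR),
                             "vk_delta_2": _pt(((11, 12), (13, 14)))})

if __name__ == "__main__":
    for name, vk in (("unrandomised", UNRANDOMISED_VK), ("contributed", CONTRIBUTED_VK)):
        print(name, check_verification_key(vk) or "ok")
```

The check only compares values; it does not verify that a point lies on the curve or that contributions to the setup were made honestly.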



