Exploit Report: Sovryn Staking Contract on BOB Network

Overview

On December 11, 2025, the Sovryn Staking Contract on the BOB (Build on Bitcoin) network - an Ethereum-compatible optimistic rollup - was exploited, resulting in the unauthorized withdrawal of exactly 687,057.659502251559527287 SOV tokens (the full staked amount).

Root cause

A legacy shared deployment address, compromised in October 2024, was accidentally left as the proxyOwner of the upgradeable Staking proxy. The attacker used this role to upgrade the implementation to a malicious contract and withdraw the SOV. The regular administrative owner() role had been correctly transferred to the Contracts Guardian multisig and was never at risk.

The attacker sold the stolen SOV in 13 batches for ~11.168 ETH on the Sovryn DEX (BOB), bridged to Base via Meson Finance, swapped to ~35,348 Bridged USDT on Uniswap, and initially bridged to BSC via deBridge. Funds were consolidated on BSC with additional inflows, then split and bridged to Tron via Rango Exchange, where they were moved across multiple addresses on Tron during further consolidation and laundering.

Exploit and Initial Movements on BOB

Selling SOV for ETH on Sovryn DEX (BOB)

The attacker liquidated the stolen SOV in 13 separate swaps on the Sovryn DEX, accumulating approximately 11.168 ETH:

| Transaction Hash | SOV Sold | ETH Received |
|---|---|---|
| 0x09e7b7f6…0cfd | 68,705 | ~1.56 |
| 0x4e3d468a…dbb0 | 61,835 | ~1.29 |
| 0x0225988c…58b9 | 55,657.65950225 | ~1.07 |
| 0x007f1967…d478 | 50,086 | ~0.91 |
| 0x68158c7a…c4e6 | 45,077 | ~0.77 |
| 0x2b5d9c8c…2454 | 60,000 | ~0.97 |
| 0xced72863…325d | 65,697 | ~0.99 |
| 0xd186e1b4…0324 | 50,000 | ~0.71 |
| 0x54904fba…6023 | 60,000 | ~0.80 |
| 0x90592546…7de7 | 60,000 | ~0.75 |
| 0xe4de97c6…7cca | 30,000 | ~0.36 |
| 0x882a5994…6841 | 40,000 | ~0.46 |
| 0xdacb8198…0065 | 40,000 | ~0.44 |

Total SOV Sold: 687,057.65950225

Total ETH Received: ~11.168 ETH (approx. value at time of the exploit $35,670)

Bridging to Base (via Meson Finance)

Swap on Base / Uniswap V4

Laundering Path on BSC

Laundering Path on Tron:

Funds Flow Summary

  1. BOB: Proxy upgrade exploit → Drain ~687,058 SOV → Sell in 13 batches → ~11.168 ETH

  2. BOB → Base: Meson Finance bridge

  3. Base: Swap ETH → ~35,348 Bridged USDT

  4. Base → BSC: deBridge → ~35,220 USDT received on initial address → Transferred to consolidation address + additional ~15,000 USDT inflow → Total ~50,220 USDT consolidated → Outgoing splits including 49,000 + 1,000 USDT batches to intermediate addresses

  5. BSC → Tron: Rango Exchange bridge → 48,875 USDT (main) + 124.9 USDT (additional) → ~48,870 USDT received on Tron → Consolidated/split transfers → Intermediary/split transfers → Current holder TGc16KX4o4cyE6cS2vs1rhFQ9iuivCrDgY

All transactions are publicly verifiable on the respective chain explorers.

Attacker and Associated Addresses

These are all known attacker-controlled or associated addresses involved in the exploit and laundering flow (excluding bridge, DEX, router, or pool contracts). Addresses are grouped by chain for clarity.

BOB Network (Exploit Origin)

  • Setup/ProxyOwner Exploiter and Drainer EOA: 0xeB77354bf9CfB3035571A36096E8696C3c5f0B49

  • Main Consolidation/Laundering EOA (received from drainer, sold SOV, bridged via Meson): 0xBc3c27b12D67bbBF1D36079BDe7e6D3EA3836838

Base Network

  • Primary Laundering EOA (Received from Meson, swapped on Uniswap): 0xBc3c27b12D67bbBF1D36079BDe7e6D3EA3836838

BSC (BNB Smart Chain)

  • Initial Receiver (from deBridge): 0x23734be3b0b0f1d635fbb9cbffef4b87f1ed7890

  • Main Consolidation: 0xf1ac57274c8f02e3b21cb3e49a9d93db71082c3d

  • Associated Inflow Source (sent 15,000 USDT to consolidation): 0x11447856399307b8209f3e76a4be39022d4a25ae

  • Intermediate/Split Holders: 0x7D08D30f182859Fa65B796bEE6C3530cB3665415
    (received large splits including 49,000 + 1,000 USDT)

Tron Network

  • Initial Receiver (from Rango bridge): TXUZd3v1KsEX7Rdx6tsaUVoTeJzvSUtYP1

  • Intermediary Consolidation: TC9Hu3j414rSDZQQDtQWKq9wjK3EfNx4Yu (previously held 47,411.44 native TRC-20 USDT)

  • Partial Outflow Receiver: TGc16KX4o4cyE6cS2vs1rhFQ9iuivCrDgY (received 2,548 USDT)

  • Current Main Consolidation: TGc16KX4o4cyE6cS2vs1rhFQ9iuivCrDgY (holds 58,748.37 native TRC-20 USDT) https://tronscan.org/#/address/TGc16KX4o4cyE6cS2vs1rhFQ9iuivCrDgY
    Received the bulk transfer of 48,870.30225 USDT from intermediary. Performed multiple large USDT transactions subsequently - primary current holder of laundered proceeds.

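The root cause in the report above is a role-handover gap: owner() was moved to the multisig while proxyOwner stayed on a retired key. The following is an added example, not part of the original post or Sovryn's code, of an inventory check that treats the two roles as separate keys. The addresses, the contract names other than Staking, and the inventory format are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder addresses, not real on-chain identities.
GUARDIAN_MULTISIG = "0x" + "a1" * 20  # approved holder of privileged roles
LEGACY_DEPLOYER = "0x" + "de" * 20    # retired deployment key, treated as compromised

# Constructed inventory: role holders as they would be read from each contract.
SAMPLE_INVENTORY = {
    "Staking": {"upgradeable": True, "roles": {
        "owner": "0x" + "A1" * 20,          # handed over to the multisig
        "proxyOwner": "0x" + "DE" * 20}},   # still the legacy key
    "ExampleVault": {"upgradeable": True, "roles": {
        "owner": GUARDIAN_MULTISIG}},       # proxyOwner was never read
    "ExampleToken": {"upgradeable": False, "roles": {
        "owner": GUARDIAN_MULTISIG}},
}


@dataclass(frozen=True)
class Finding:
    contract: str
    role: str
    severity: str  # critical: retired key; high: unapproved holder; unverified: not read


def norm(addr):
    """Lower-case an EVM address so checksum casing does not defeat comparison."""
    a = addr.strip().lower()
    if len(a) != 42 or a[:2] != "0x" or any(c not in "0123456789abcdef" for c in a[2:]):
        raise ValueError(f"not an EVM address: {addr!r}")
    return a


def audit_roles(inventory, approved, retired):
    """Flag every privileged role that is not held by an approved address."""
    approved = {norm(a) for a in approved}
    retired = {norm(a) for a in retired}
    findings = []
    for name, entry in inventory.items():
        # An upgradeable contract has two independent keys to check.
        expected = ["owner", "proxyOwner"] if entry["upgradeable"] else ["owner"]
        for role in expected:
            holder = entry["roles"].get(role)
            if holder is None:
                findings.append(Finding(name, role, "unverified"))
            elif norm(holder) in retired:
                findings.append(Finding(name, role, "critical"))
            elif norm(holder) not in approved:
                findings.append(Finding(name, role, "high"))
    return findings
```

Calling `audit_roles(SAMPLE_INVENTORY, [GUARDIAN_MULTISIG], [LEGACY_DEPLOYER])` reports Staking.proxyOwner as critical even though Staking.owner passes, and reports the unread proxyOwner on ExampleVault as unverified rather than silently clean.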

I always wonder how external people get so much knowledge on small, unpopular and basically unknown protocols to pull these things off.


We’re pleased to confirm that all affected SOV stakers on BOB have now received their full principal (~687,058 SOV total) directly to the wallet addresses they used for staking.

This distribution ensures that no legitimate staker has lost funds from the December 11, 2025 incident. The return of these tokens in liquid form also simplifies the path forward as we prepare for the migration to Sovryn Layer.

A huge thank you again for your patience and trust through this challenging time!
