According to the DeFi risk intelligence platform BlackHart, the Ethereum reward distribution system of the DeFi project Fluid was subjected to a hacking (exploit) attack, resulting in the theft of approximately $215,000 worth of assets.

The incident was analyzed to have been caused by an "operational key leak" rather than a vulnerability in the smart contract itself. It was determined that the attacker secured both operational keys used for creating and approving reward lists, then registered and approved a manipulated list designed to pay rewards solely to themselves to siphon off the rewards.

The stolen assets were confirmed to be 112,883 FLUID, 47,903 GHO, and a small amount of cbBTC. The hacker was tracked exchanging these assets for Ethereum (ETH) and subsequently transferring the funds through the privacy tool Tornado Cash.

Regarding the incident, the Fluid team stated, "Lending markets, vaults, DEX (decentralized exchanges), and user deposits were not affected and are safe." They added, "All compromised operational keys have been replaced, and the remaining reward funds have been moved to a secure address to prevent further damage."