On October 17, a Fantom Foundation wallet with admin access was compromised. Per our statement at the time, the affected wallet was no longer utilized by the organization and had been reassigned to a Fantom employee. A security researcher identified an additional potential risk associated with the compromise and reached out promptly to alert us: the wallet in question held a dormant admin token for Fantom’s ERC20 FTM contract, giving the attacker the ability to mint a portion of FTM for themselves on Ethereum.
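The incident above turns on a privileged minting capability that stayed attached to a wallet nobody was watching. The contract below is an added illustration, not Fantom's FTM contract or any Fantom code: a minimal ERC20-style token whose `mint()` is gated by an explicitly enumerable minter set, so that operators can answer "which addresses can still mint, and when did each last do so?" on-chain and revoke stale grants. The contract name, token name and symbol, the `dormantMinters` helper and the `lastMintAt` bookkeeping are all constructed for this example; transfer and approval logic is omitted because it is not relevant to the point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Example only (not Fantom's contract): an ERC20-style token whose
/// minting privilege is an enumerable, revocable set rather than a
/// single admin key that can quietly outlive its operational purpose.
contract MintGuardedToken {
    string public constant name = "Example Token";   // constructed, not FTM
    string public constant symbol = "EXT";           // constructed
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public owner;                              // may grant/revoke minters
    address[] private minterList;                      // enumerable minter set
    mapping(address => uint256) private minterIndex;   // index + 1; 0 = not a minter
    mapping(address => uint256) public lastMintAt;     // block.timestamp of last mint per minter

    event Transfer(address indexed from, address indexed to, uint256 value);
    event MinterGranted(address indexed account);
    event MinterRevoked(address indexed account);

    error NotOwner();
    error NotMinter();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function isMinter(address account) public view returns (bool) {
        return minterIndex[account] != 0;
    }

    function grantMinter(address account) external onlyOwner {
        if (isMinter(account)) return;          // idempotent
        minterList.push(account);
        minterIndex[account] = minterList.length; // store index + 1
        emit MinterGranted(account);
    }

    /// Revoke a minter with swap-and-pop so the list stays dense.
    function revokeMinter(address account) external onlyOwner {
        uint256 idx = minterIndex[account];
        if (idx == 0) return;                   // nothing to revoke
        address last = minterList[minterList.length - 1];
        minterList[idx - 1] = last;
        minterIndex[last] = idx;
        minterList.pop();
        delete minterIndex[account];
        emit MinterRevoked(account);
    }

    function mint(address to, uint256 amount) external {
        if (!isMinter(msg.sender)) revert NotMinter();
        lastMintAt[msg.sender] = block.timestamp;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    /// Audit view: every address that can mint right now.
    function minters() external view returns (address[] memory) {
        return minterList;
    }

    /// Audit view: minters that have not minted within `maxIdle` seconds.
    /// A grant that has never been exercised (lastMintAt == 0) or has gone
    /// unused for a long time is exactly the dormant privilege that a
    /// periodic review should flag and, in most cases, revoke.
    function dormantMinters(uint256 maxIdle) external view returns (address[] memory out) {
        uint256 count;
        for (uint256 i = 0; i < minterList.length; i++) {
            if (block.timestamp - lastMintAt[minterList[i]] > maxIdle) count++;
        }
        out = new address[](count);
        uint256 j;
        for (uint256 i = 0; i < minterList.length; i++) {
            address m = minterList[i];
            if (block.timestamp - lastMintAt[m] > maxIdle) out[j++] = m;
        }
    }
}
```

The design choice worth noting is that `minters()` and `dormantMinters()` make the privileged set enumerable; a plain `mapping(address => bool)` can answer "is X a minter?" but cannot answer "who are all the minters?", which is the question an operator needs when a wallet is reassigned or compromised. In production the `owner` role would itself be a multisig or timelock rather than a single externally owned account.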
The risk was mitigated quickly, and in recognition of their contribution, the Fantom Foundation awarded the researcher a bounty of $1.7 million. Given the attacker’s access to this wallet, the potential damage could have reached $170 million (based on the token price at the time), although this estimate does not account for the market’s limited liquidity, which could not have fully absorbed the newly minted tokens.
The Fantom Foundation is dedicated to upholding the highest security standards for our platform, and we remain grateful for the security researchers who contribute to this effort. By addressing these weaknesses before they’re exploited maliciously, we ensure a secure platform for both developers and users. As such, the Foundation remains committed to rewarding those who bring network vulnerabilities to the team’s attention.