QI Quadriga Initiative

May 2025 - LND Finance DPRK Worker Upgrades Contract Drains Funds - $1.27m (Global)

LNDfi is a non-custodial, modular money market platform engineered to improve capital efficiency and expand liquidity access across a wide array of digital assets. Its design enables seamless borrowing and lending while offering users a flexible framework for effective risk management. Operating in a multichain environment, LNDfi facilitates integration across various blockchain networks, which strengthens interoperability and broadens the availability of liquidity.

The protocol allows users to participate in financial operations through several core mechanisms. Liquidity providers can supply assets to the platform, contributing to market depth and earning passive yields based on the protocol’s utilization rates. Borrowers, on the other hand, have access to liquidity via two main borrowing models: overcollateralized loans that require securing assets to reduce risk, and flash loans, which are instantaneous, uncollateralized loans executed within a single transaction for specialized strategies like arbitrage and liquidations.

Risk management is central to LNDfi’s infrastructure, with advanced analytics and real-time assessment tools designed to help users monitor and mitigate exposure. The protocol prioritizes security, transparency, and scalability by leveraging blockchain’s inherent strengths. Its mission is to democratize financial access and enhance the decentralized finance ecosystem through flexible asset support and seamless integration with other DeFi platforms, ensuring both adaptability and user safety.

According to LND Finance, the team unknowingly hired a DPRK-affiliated worker. This worker appears to have modified the AToken and VariableDebtToken contracts and also retained deployer access. Together, these two factors left the smart contracts in a position where they could be drained.

"A carefully orchestrated contract modification, deployed 41 days before the heist, transformed pool management functions into an express lane for outbound funds.

The exploit didn’t rely on obscure math or oracle manipulation - just one extra condition in a core access check, giving any “Pool Admin” the ability to drain user funds."

"The deployer created a modified AToken contract (0xaa8cc9afe14f3a2b200ca25382e7c87cd883a527) where the onlyPool access control modifier was altered to allow not only the Pool contract but also any address with the Pool Admin role to invoke restricted functions."

"In original AAVE, only Pool can invoke transferUnderlyingTo and Pool Admin cannot. However, since the onlyPool modifier was compromised, this is now possible."
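To make the one-line difference concrete, here is a reduced model of the AToken access check together with a Foundry test that rejects the backdoored behaviour. This is an added example, not LND Finance's or Aave's code; the contract names, the simplified ACL interface and the mock contracts are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Simplified stand-ins for Aave v3's ACL manager and ERC20 (assumptions, not LND's interfaces).
interface IACLManager { function isPoolAdmin(address a) external view returns (bool); }
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Reduced AToken carrying the CORRECT check: only the Pool contract may move reserve funds.
contract MinimalAToken {
    address public immutable POOL;
    IACLManager public immutable ACL;
    IERC20 public immutable UNDERLYING;
    constructor(address pool, IACLManager acl, IERC20 underlying) { POOL = pool; ACL = acl; UNDERLYING = underlying; }
    // Backdoor described in the postmortem: one extra clause, `|| ACL.isPoolAdmin(msg.sender)`,
    // in this require lets any Pool Admin address call Pool-only functions directly.
    modifier onlyPool() { require(msg.sender == POOL, "CALLER_MUST_BE_POOL"); _; }
    function transferUnderlyingTo(address target, uint256 amount) external onlyPool {
        require(UNDERLYING.transfer(target, amount), "TRANSFER_FAILED");
    }
}
contract MockACL is IACLManager {
    mapping(address => bool) public admins;
    function setAdmin(address a, bool v) external { admins[a] = v; }
    function isPoolAdmin(address a) external view returns (bool) { return admins[a]; }
}
contract MockToken is IERC20 {
    uint256 public moved; // total amount released from the mock reserve
    function transfer(address, uint256 amount) external returns (bool) { moved += amount; return true; }
}

// Foundry access-control test (`forge test`): a Pool Admin must never pass a Pool-only check.
// Run against an AToken carrying the extra OR clause, the second test fails and flags the backdoor.
contract ATokenAccessTest is Test {
    address pool = makeAddr("pool"); address admin = makeAddr("poolAdmin");
    MockACL acl = new MockACL(); MockToken token = new MockToken();
    MinimalAToken aToken;
    function setUp() public { acl.setAdmin(admin, true); aToken = new MinimalAToken(pool, acl, token); }
    function test_PoolCanTransferUnderlying() public {
        vm.prank(pool);
        aToken.transferUnderlyingTo(admin, 1 ether);
        assertEq(token.moved(), 1 ether);
    }
    function test_PoolAdminCannotTransferUnderlying() public {
        vm.prank(admin);
        vm.expectRevert(bytes("CALLER_MUST_BE_POOL"));
        aToken.transferUnderlyingTo(admin, 1 ether);
    }
}
```

A test of this shape belongs in the deployment pipeline so that any change to a Pool-only modifier fails CI before the contract reaches mainnet.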

The LND Finance website presently reports the issue as "the loss of $1.27M funds".

Rekt News reports the loss as "$1.18 million".

LND Finance posted an update on Twitter/X:

"We have detected a security issue on our platform. Please do NOT deposit into the platform it has been compromised. We are in talks with security teams to look into it further."

The LND Finance website is presently offline. It is unclear what lies ahead for affected users.

LND Finance appears to be attempting to recover the funds through investigation and legal recourse.

"We have communicated with the exploiter via an on-chain message, offering a 15% white-hat bounty in exchange for the return of the stolen funds. Should they choose to comply, 100% of the recovered amount will be distributed to affected users."

"We are actively investigating the incident with law enforcement and security partners to recover/freeze stolen funds.

Further updates will be shared on our community telegram group."

Given that the exploit was carried out by DPRK-affiliated actors, it is unlikely that the bounty offer will be accepted.

Further Analysis

LNDfi is a non-custodial, multichain money market platform designed to enhance capital efficiency and liquidity access through modular borrowing and lending mechanisms, including overcollateralized and flash loans. Despite its emphasis on risk management, transparency, and interoperability, the platform was compromised after inadvertently hiring a DPRK-affiliated worker who introduced a backdoor into critical smart contracts. This allowed any address with Pool Admin privileges to bypass standard access controls and drain funds. The exploit resulted in a loss of approximately $1.18–$1.27 million, prompting LNDfi to shut down its platform, alert users, and begin investigations with law enforcement and security teams. Although a 15% white-hat bounty has been offered, the likelihood of fund recovery remains slim given the attack’s origin.

How Could This Have Been Prevented?


Sources/Further Reading

LNDFI - REKT (Dec 31)
LND Finance - "We have detected a security issue on our platform. Please do NOT deposit into the platform it has been compromised. We are in talks with security teams to look into it further." - Twitter/X (Dec 31)
LND Finance - "We are temporarily shutting down the website as people are still depositing." - Twitter/X (Dec 31)
LND Finance - "Announcing the Official Launch of LNDfi! ... This is just the beginning of our journey." - Twitter/X (Dec 31)
LND Finance - "We deployed 200+ contracts on @SonicLabs mainnet for testing" - Twitter/X (Dec 31)
LND Postmortem - HackMD (Dec 31)
LND Finance Homepage Archive April 7th, 2025 2:55:06 AM MDT (Dec 31)
Parked Domain Prior To LND Finance Launch January 25th, 2025 7:57:33 AM MST (Dec 31)
LND Finance Introduction - Gitbook (Dec 31)
LND Finance Homepage (Dec 31)
@Lnd_fi Twitter (Dec 31)
Tiancheng Mai - "LND @Lnd_fi recently experienced a security breach on 09/05/2025 resulting in the loss of $1.27M funds. The deployer 0x40c7...10c8 of LND swept all assets. Here is a postmortem I developed." - Twitter/X (Dec 31)
Pool Admin Permissions Granted - SonicScan (Dec 31)
LND Security Breach Post Mortem - LND Finance Medium (Dec 31)
ZachXBT - "I helped initially attribute the incident to DPRK IT workers and flagged theft addresses but I am not formally engaged nor creating an investigative report for them." - Twitter/X (Dec 31)
