QI Quadriga Initiative

Apr 2025 - Numa Money Collateral Loss via Flash Loan Price Manipulation - $530k (Global)

Numa Money is a decentralized finance (DeFi) protocol that offers synthetic assets backed by liquid staking tokens (LSTs), designed to deliver real-world asset exposure, sustainable real yield, and zero-slippage trading. Built as a non-custodial system, Numa leverages Ethereum-based staking derivatives like rETH to back its ecosystem, enabling users to mint synthetic stablecoins called nuMoney (e.g., nuUSD) by burning its native token, $NUMA.

At its core, Numa uses a burn-and-mint model to maintain transparent, on-chain collateralization. Users acquire $NUMA and burn it at a 1:1 USD value ratio to mint synthetic stablecoins. These nuMoney assets are then eligible for single-sided staking, where users can earn real yield from the staking rewards generated by underlying LSTs, such as rETH. This setup allows the protocol to offer sustainable yield without relying on inflationary incentives.

In addition to yield farming, the protocol enables zero-slippage trading between synthetic assets, offering a seamless and cost-efficient user experience. Numa’s roadmap outlines a progressive rollout of features including multiple synthetic stablecoins, staking options, and cross-chain compatibility.

Numa aims to create a robust financial layer for DeFi by bridging liquid staking rewards with synthetic asset generation—unlocking a new avenue for decentralized, real-yield financial products.

A vulnerability in the Numa Money protocol allowed the price to be manipulated.

"On April 18th at approximately 9:00PM UTC, a user was able to manipulate token prices to create excess personal gain. This resulted in unintended profit of approximately 292.96 rETH in protocol assets."

The exploit that affected the Numa protocol on April 18, 2025, was a targeted and complex manipulation of the lending system, centered around the price dynamics of the NUMA token. The attacker took advantage of a vulnerability that allowed them to artificially influence token prices within the protocol’s internal pricing mechanisms. By simultaneously opening large long and short positions, the exploiter was able to create significant price swings, which they then used to their advantage by strategically removing collateral and exiting the system before price normalization could occur.

The manipulation hinged on inflating the value of $NUMA to misrepresent the health of loan positions. As the manipulated price rose, the attacker’s loan positions appeared overcollateralized, allowing them to withdraw more collateral than should have been permissible under fair market conditions. Once sufficient assets were withdrawn, the attacker closed their positions, effectively draining the protocol of roughly 292.96 rETH in value. This process occurred quickly—within about an hour—before the manipulation was detected.
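The over-withdrawal described above, as an added illustration: a simplified model written for this page, not Numa's contract code. The loan-to-value ratio, the prices, the position size and the TWAP-based cap are all assumptions; the cap is one common guard against short-lived price spikes and is not the fix the Numa team announced.

```python
from dataclasses import dataclass

LTV = 0.75            # assumed maximum loan-to-value ratio
MAX_DEVIATION = 0.05  # assumed: valuation price may exceed the TWAP by at most 5%

@dataclass
class Position:
    collateral_numa: float  # NUMA posted as collateral
    debt_reth: float        # rETH borrowed against it

def twap(observations):
    """Time-weighted average of (price, seconds_held) observations."""
    total = sum(seconds for _, seconds in observations)
    return sum(price * seconds for price, seconds in observations) / total

def guarded_price(instant, observations):
    """Valuation price: the instantaneous price, capped near the TWAP."""
    return min(instant, twap(observations) * (1 + MAX_DEVIATION))

def max_withdrawable(pos, price):
    """NUMA that may leave while debt <= LTV * value of remaining collateral."""
    required = pos.debt_reth / (price * LTV)
    return max(0.0, pos.collateral_numa - required)

def shortfall(pos, valuation_price, fair_price):
    """rETH of bad debt if the full allowance is withdrawn and price reverts."""
    remaining = pos.collateral_numa - max_withdrawable(pos, valuation_price)
    return max(0.0, pos.debt_reth - remaining * fair_price)

# Constructed sample data: prices in rETH per NUMA, one hour of observations
# in which the price sits at 0.0010 and is pushed to 0.0030 for the last minute.
FAIR, SPIKED = 0.0010, 0.0030
OBSERVATIONS = [(FAIR, 3540), (SPIKED, 60)]
POSITION = Position(collateral_numa=100_000, debt_reth=70.0)

if __name__ == "__main__":
    capped = guarded_price(SPIKED, OBSERVATIONS)
    for label, price in [("fair", FAIR), ("spiked", SPIKED), ("capped", capped)]:
        print(f"{label:>7}: price={price:.6f} "
              f"withdrawable={max_withdrawable(POSITION, price):,.0f} NUMA "
              f"shortfall={shortfall(POSITION, price, FAIR):.2f} rETH")
```

Valuing collateral at the spiked price lets most of it leave and strands debt once the price reverts; valuing it at the capped price keeps the position covered at the fair price.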

In response, the Numa team immediately paused key functions such as loan openings and liquidations to prevent further abuse. Security auditors, including Sherlock, were brought in to investigate and analyze the exploit’s mechanics. The team is currently working on patching vulnerabilities, recovering assets, and developing safeguards to prevent similar exploits in the future. Measures under consideration include migrating rewards to a secured vault, injecting personal and protocol capital to replace lost collateral, and potentially raising external funds to stabilize the system.

Losses reported by Cyvers Alerts: 82,279.85490689 $NUMA and 283 $rETH.

Numa Money reports that they acted quickly and decisively to contain the damage and begin remediation. The team discovered the issue about an hour after it occurred, thanks to unusual price activity spotted during UI work ahead of the Sonic launch. Upon discovery, they immediately paused vulnerable protocol functions, including lending and liquidations, to prevent further exploitation. They also engaged their auditing partner, Sherlock, and other independent security professionals to investigate the attack and identify the underlying vulnerabilities.

As part of the remediation effort, Numa outlined a detailed recovery plan focused on restoring the $NUMA token price and making affected users whole. This includes injecting approximately $100,000 from external sources and 35 rETH in protocol rewards into the vault, while team members and partners are forgoing compensation to cover the remaining gap. To prevent similar exploits in the future, they are implementing code changes—most notably disabling the ability to short $NUMA—and will have all updates audited before deploying them. The team is moving forward with the Sonic chain launch by late May and plans to reopen lending on Arbitrum after ensuring all positions are safely restored and secured.

Numa Money is continuing to work on remediation and rebuilding the trust of their community.

Further Analysis

Numa Money is a decentralized finance protocol that creates synthetic stablecoins backed by liquid staking tokens like rETH, allowing users to mint stablecoins by burning its native $NUMA token and earn sustainable real yield through staking. On April 18, 2025, a sophisticated exploit targeted Numa’s lending system by manipulating the $NUMA token price via large long and short positions, enabling the attacker to withdraw excessive collateral and drain about 292.96 rETH before the manipulation was detected. In response, the Numa team quickly paused vulnerable functions, engaged security auditors, and launched a recovery plan involving vault injections of external funds and protocol rewards, disabling risky features like shorting $NUMA, and preparing for a secure relaunch on new chains. Numa is actively working on remediation efforts to restore the token price, compensate users, and rebuild community trust.

How Could This Have Been Prevented?

Sources/Further Reading

Vladimir S - "It looks like @numamoney on the @arbitrum chain on Apr-18-2025 09:10:28 PM +UTC got hacked for around $530K. The attacker swapped all assets to ETH, bridged to ETH and deposited the funds to Tornado Cash" - Twitter/X (Dec 31)
Cyvers Alerts - "Our system has detected a suspicious transaction involving @numamoney on the $ARB chain on Apr-18-2025 09:10:28 PM +UTC. A malicious address stole around $500K" - Twitter/X (Dec 31)
Numa Money - "Update on recent security incident affecting Numa" - Twitter/X (Dec 31)
Incident Update and Moving Forward - Numa Money Blog (Dec 31)
Skippy Brussels - "Hey @numamoney, I warned you the day the contract got deployed. You ignored me, blocked me, and then claimed it's intentional and no funds are at risk. Now you got exploited for the very same bug I warned about. I wrote a 17 page report for free and you still choose to ignore it" - Twitter/X (Dec 31)

