
$215K Stolen from Fluid: Attacker Controls Both Keys in Merkle Rewards System


Fluid lost $215K after one attacker controlled both reward distribution keys, draining tokens through fake Merkle roots and routing proceeds to Tornado Cash.

The reward tokens were already gone. On May 27, an attacker who held both of Fluid’s operational signing keys pushed a fake reward list to the protocol’s Merkle distributors on Ethereum, Base, and Arbitrum.

Fluid, the Ethereum-based DeFi protocol, uses a two-step system for distributing rewards: one key proposes a Merkle root and a second key approves it. As BlackHartInc on X reported, both of those roles were held by a single actor. The two-person control meant nothing once one person held both keys.

One Person, Two Keys, Zero Resistance

The proposer key submitted a self-serving root to the FLUID distributor at 21:11:11 UTC. Twelve seconds later, the same attacker approved it using the approver key. Twenty-four seconds after the initial proposal, a claim went through using an empty Merkle proof.

That empty proof was not a bug. A single-entry reward list produces a root equal to its only leaf, so no proof path is needed. The contract verified it correctly. Nothing in the smart contract broke. Per forensic analysis by BlackHart, the entire failure was operational key custody.

The same propose-approve-claim cycle then ran against the GHO distributor at 21:13:59 UTC and a third distributor for a small cbBTC amount hours later. Across all three chains, the attacker walked away with roughly 125,109 FLUID and 51,946 GHO, plus trace cbBTC.

What Actually Left the Protocol, and What Did Not

Fluid’s lending markets, vaults, and DEX liquidity were never in scope for these keys. The drained contracts were reward distributors only. 0xfluid on X confirmed that core protocol smart contracts remained unaffected and user funds were not at risk from the incident.

The stolen FLUID and GHO were swapped for roughly 103 ether through the MetaMask swap router. About 142.6 ETH ended up in Tornado Cash, routed partly through relay wallets and partly by direct deposit. L2 proceeds from Base and Arbitrum were bridged back to Ethereum before mixing.

A large withdrawal of somewhere between $70 and $110 million from Fluid in the days following was not a second exploit. That was depositors pulling their own funds, a confidence-driven bank run. Unrelated to the theft itself, though not exactly unrelated to the disclosure timing.

The Cleanup, and What Was Not Said

About ten hours after the first theft, on May 28 at 07:05 UTC, the Fluid team removed the compromised proposer and approver roles from ten reward distributors in a single batched transaction. Around 314,000 FLUID and 7,400 USDC of remaining reward balances moved to a safe address.

Public communications from the team described only a pause on reward claiming for updates. No mention of a key compromise. No mention of a loss. The exploit itself surfaced publicly on May 31, four days after it happened, when one lender had already pulled $77 million in USDC beginning May 28.

Pablo Veyrat, co-founder of Merkl, addressed the episode on X. Speaking about his own protocol’s design choices, Veyrat noted that Merkl runs three independent dispute bots on fully separate infrastructure, each verifying new Merkle trees before a root becomes effective, with a minimum one-hour delay between a new root being posted and any claims going through against it.

Why a Timelock Changes Everything Here

The entire exploit ran in under 24 seconds from proposal to claim. That speed was only possible because no delay existed between root approval and payout. Admin key exploits have hit DeFi repeatedly this year, and the pattern keeps coming back to the same gap: privileged keys with no friction between access and action.
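To make the two mechanics in this story concrete, the single-leaf root that makes an empty proof valid and the claim delay that would have given defenders a window, here is an added model in Python. It is not Fluid's or Merkl's code: sha256 stands in for keccak256, the account and timings are constructed, and `Distributor` is a simplified propose/approve/claim flow with a configurable delay.

```python
import hashlib

def _h(data: bytes) -> bytes:
    # sha256 stands in for keccak256 in this constructed example
    return hashlib.sha256(data).digest()

def leaf(account: str, amount: int) -> bytes:
    return _h(account.encode() + amount.to_bytes(32, "big"))

def merkle_root(leaves: list[bytes]) -> bytes:
    # Sorted-pair hashing; an odd node is carried up by duplication.
    nodes = list(leaves)
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes.append(nodes[-1])
        nodes = [_h(b"".join(sorted(p))) for p in zip(nodes[::2], nodes[1::2])]
    return nodes[0]

def verify(proof: list[bytes], root: bytes, leaf_hash: bytes) -> bool:
    node = leaf_hash
    for sibling in proof:
        node = _h(b"".join(sorted((node, sibling))))
    return node == root  # with an empty proof this passes iff root == leaf

class Distributor:
    def __init__(self, proposer: str, approver: str, delay: int):
        self.proposer, self.approver, self.delay = proposer, approver, delay
        self.pending = self.root = self.effective_at = None

    def propose(self, signer: str, root: bytes, now: int) -> None:
        if signer != self.proposer:
            raise PermissionError("not proposer")
        self.pending = root

    def approve(self, signer: str, now: int) -> None:
        if signer != self.approver or self.pending is None:
            raise PermissionError("not approver, or nothing pending")
        # Nothing pays out before effective_at; that window is where independent
        # verifiers or a revocation can intervene. delay=0 mirrors the incident.
        self.root, self.effective_at, self.pending = self.pending, now + self.delay, None

    def claim(self, account: str, amount: int, proof: list[bytes], now: int) -> bool:
        return self.root is not None and now >= self.effective_at and \
            verify(proof, self.root, leaf(account, amount))

def run_scenario(delay: int) -> bool:
    # One actor holds both keys and publishes a one-entry reward list naming itself.
    actor = "0xATTACKER"  # constructed placeholder, not the real address
    d = Distributor(proposer=actor, approver=actor, delay=delay)
    d.propose(actor, merkle_root([leaf(actor, 125_109)]), now=0)
    d.approve(actor, now=12)
    return d.claim(actor, 125_109, proof=[], now=24)  # timings from the article
```

`run_scenario(0)` pays out at the 24-second mark exactly as described above; `run_scenario(3600)` rejects the same claim because the root is not yet effective, which is the gap a one-hour timelock closes.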

BlackHart’s assessment flagged operational security as the single weakest scoring area in its pre-hack evaluation of Fluid. The exact failure mode, two keys that could be turned into a payout without an independent custodian or a waiting period, was already what the score was warning about. Operational key compromises are not new to 2026, but the Fluid case adds a specific wrinkle: the two-key design looked like a safeguard until it was held by one person.

The attacker’s wallet, 0x4925120c…1d3dfb, claimed across chains within roughly the same minute. No velocity cap bounded what a single cycle could release. No real-time alerting caught the abnormal activity until hours later.
