Monitoring systems flagged abnormal withdrawals tied to the OG Labs reward contract, shortly followed by deposits into Tornado Cash. This wasn't a bug – it was a privileged function being used exactly as designed… just in the wrong hands.
An attacker executed emergencyWithdraw(), a high-level admin function, and pulled out roughly 520,000 OG tokens (~$516K) to a single address before routing the funds through Tornado Cash. Clean exit, zero noise, classic playbook.
This is the uncomfortable reminder nobody likes: when a contract has emergency or admin powers, security doesn't end at audits – it ends at key management and access control. One compromised role is enough to drain everything without exploiting a single line of code.
Mixing through Tornado immediately suggests there's no intention to negotiate or return funds. This wasn't an experiment, it was a cash-out.
⚠️ In DeFi, "emergency functions" are double-edged swords. They save protocols in crises – and kill them when governance or keys fail. No exploit needed, just permissions in the wrong place.
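
An added example, not part of the original post: a minimal triage rule for the pattern described above, where a privileged withdrawal is followed by a mixer deposit from the recipient. The record fields, placeholder addresses, thresholds and amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    block: int
    sender: str
    to: str
    func: str         # decoded function name
    amount: float     # tokens moved by this transaction
    recipient: str    # address that received the tokens

def triage(txs, contract, privileged, recovery, mixers, balance,
           drain_ratio=0.5, window=500):
    """Return (block, severity, reason) alerts for privileged withdrawals."""
    alerts, watched = [], {}   # watched: recipient -> block of the withdrawal
    for tx in sorted(txs, key=lambda t: t.block):
        if tx.to == contract and tx.func in privileged:
            reasons = []
            if tx.recipient not in recovery:
                reasons.append("recipient is not a known recovery address")
            if balance > 0 and tx.amount / balance >= drain_ratio:
                reasons.append(f"moves {tx.amount / balance:.0%} of contract balance")
            if reasons:
                watched[tx.recipient] = tx.block   # follow the money from here
            alerts.append((tx.block, "high" if reasons else "info",
                           f"{tx.func}: " + ("; ".join(reasons) or "expected destination")))
            balance -= tx.amount   # simplified: only privileged outflows are tracked
        elif (tx.sender in watched and tx.to in mixers
              and tx.block - watched[tx.sender] <= window):
            alerts.append((tx.block, "critical",
                           "recipient of privileged withdrawal deposited into a mixer"))
    return alerts

# Constructed sample data: addresses are placeholders, amounts are illustrative.
CONTRACT, TREASURY, MIXER = "0xREWARD", "0xTREASURY_MULTISIG", "0xMIXER"
SAMPLE = [
    Tx(100, "0xUSER", CONTRACT, "claim", 50.0, "0xUSER"),
    Tx(120, "0xADMIN", CONTRACT, "emergencyWithdraw", 520_000.0, "0xEOA"),
    Tx(131, "0xEOA", MIXER, "deposit", 100_000.0, MIXER),
    Tx(900, "0xOTHER", MIXER, "deposit", 10.0, MIXER),   # unrelated mixer user
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, CONTRACT, {"emergencyWithdraw"}, {TREASURY},
                        {MIXER}, balance=600_000.0):
        print(alert)
```

The first alert fires on the privileged call itself, before any mixer activity, which is the point at which a response is still possible.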