Thala Recovers $25.5M in Stolen Crypto After V1 Farming Vulnerability Exploit

Thala Labs, a decentralized finance (DeFi) platform on the Aptos blockchain, has successfully recovered $25.5 million in stolen funds after a security breach linked to a vulnerability in its v1 farming contracts. The exploit occurred on November 15, when a hacker was able to withdraw liquidity pool tokens due to an isolated weakness in the protocol.
In a post on November 16, Thala confirmed that it had promptly paused all affected contracts and frozen $11.5 million worth of Thala-related assets. The platform quickly tracked down the hacker with the assistance of law enforcement and crypto investigators, including Seal 911 and crypto sleuth Ogle. Within six hours of the breach, the hacker returned the stolen funds.
Thala disclosed that the hacker received a $300,000 bounty in exchange for the full return of the stolen assets, although the attacker’s identity was not revealed. The company reassured users that “no further action is required” from affected individuals, and that all positions will be restored to their original state.
Despite the recovery, the Thala token (THL) has dropped approximately 35% since the incident, falling to $0.51, according to CoinGecko data. The attack also resulted in the theft of roughly $2.5 million worth of THL tokens and another $9 million from Thala’s Move Dollar (MOD) stablecoin.
Thala has resumed access to its platform's front end, but farming activities remain paused as the team conducts an "extensive review" and re-audit of the protocol’s codebase. Users are currently unable to stake or unstake positions until the audit is completed.
The exploit occurred in connection with Thala’s integration with Move, a modular blockchain network developed by Movement Labs. Thala’s CEO, Adam Cader, acknowledged the security challenge in a November 16 post on X (formerly Twitter), noting that while some security issues are inevitable in new technologies, the goal is to minimize their frequency and severity over time as related tools and infrastructure improve.
Following the incident, the total value locked (TVL) on Thala dropped from $240 million on November 15 to $195.6 million at the time of writing, according to DefiLlama data.
The breach is part of a broader trend of security incidents in the DeFi space, with blockchain security firm CertiK reporting that nearly $130 million was stolen in October 2024 alone. The largest incident involved lending protocol Radiant Capital, which lost around $54 million. Additionally, cybersecurity company Hacken reported that $460 million was stolen in Q3 2024 across 28 incidents.
While Thala has managed to recover the stolen funds, the incident underscores ongoing security risks in the DeFi ecosystem, prompting many platforms to reassess and strengthen their security measures.