0G Foundation: Contract attacked, resulting in the theft of 520,000 $0G

0G Foundation posted on the X platform that a targeted attack compromised its reward contract. The attacker exploited the emergency withdrawal feature of the 0G reward contract used for distributing alliance rewards, stealing 520,010 $0G tokens, which were then bridged and dispersed via Tornado Cash.

The attacker obtained a leaked private key from an Alibaba Cloud instance responsible for managing NFT states and reward updates, which stored the key locally. Multiple Alibaba Cloud instances were breached due to a critical vulnerability in Next.js (CVE-2025-66478) that was exploited on December 5. The attacker moved laterally through internal IP addresses, affecting services including calibration services, validator nodes, Gravity NFT services, node sales services, computing, Aiverse, Perpdex, Ascend, and more. The confirmed total losses amount to: 520,010 $0G, 9.93 ETH, and 4,200 USDT. Core chain infrastructure and user funds were not affected, aside from the reward distribution contract.