0G Suffers $0G Token and Crypto Theft via Contract Exploit

According to 0G Foundation, hackers exploited a Next.js vulnerability to steal tokens and other assets, which they later laundered through Tornado Cash. Core infrastructure was not impacted.

Summary

0G Foundation reported that on December 11, attackers exploited Next.js vulnerability CVE‑2025‑66478 to target multiple services, executing an emergency withdrawal from the reward contract. The attackers stole 520,010 $0G tokens, 9.93 ETH, and $4,200 USDT, and laundered the funds via Tornado Cash. The incident did not affect the project's core chain infrastructure or user funds.

Terms & Concepts
  • Emergency Withdrawal: A function in smart contracts allowing rapid asset removal, often for security or technical purposes.
  • Next.js CVE‑2025‑66478: The vulnerability in the Next.js web framework that attackers exploited in this incident.
  • Tornado Cash: A blockchain privacy tool using smart contracts to mix cryptocurrency transactions, making tracing more difficult.