BarnBridge Hack: Governance Attack and $776K Theft

How an attacker took control of BarnBridge, exploited old token approvals, and stole 776,600 USDC. Analysis of the attack and stolen funds flow.
Get advice from AML Crypto experts
On July 15, 2026, the BarnBridge DeFi protocol suffered a governance attack. The attacker gained control over the DAO’s voting process, passed a malicious proposal, and replaced one of the SMART Yield contracts with their own version. They then exploited previously granted user approvals for USDC transactions and withdrew approximately $776,000.

The stolen funds were later swapped for roughly 415 ETH and transferred to another address. In other words, this was not a typical exploit caused by a coding vulnerability, but rather a governance takeover of a poorly controlled protocol.

The AML Crypto team reconstructed the movement of the stolen funds using the Bholder tool:

Incident Summary

  • Victim:
    the BarnBridge SMART Yield (cUSDC) protocol and approximately 50 users with active USDC spending approvals.
  • Incident date:
    July 15, 2026
  • Total losses:
    776,600 USDC

What Happened

On July 15, 2026, BlockSec’s monitoring system detected suspicious transactions involving the BarnBridge SMART Yield cUSDC product on the Ethereum network. According to preliminary estimates, the attacker withdrew approximately 776,000 USDC. The incident was classified as an attack on the protocol’s governance mechanism—a governance attack.

BarnBridge was governed through a DAO: participants could vote on upgrades and changes to the protocol’s smart contracts. The attacker managed to obtain the permissions required to execute such decisions. It has not yet been publicly established exactly how control was obtained—whether through compromised keys, voting manipulation, or the use of an old DAO proposal.

After obtaining the necessary authority, the attacker upgraded the SmartYield/controller proxy contract. A proxy can be thought of as a permanent address behind which the underlying program logic can be changed. Under normal circumstances, a DAO uses this mechanism to deploy official upgrades. In this case, the protocol address remained the same, but the legitimate contract implementation was replaced with a malicious one.

Following the upgrade, the malicious contract gained access to the privileged _takeUnderlying function in the CompoundProvider component. This function made it possible to interact with the underlying asset—in this case, USDC. The attacker then used the transferFees function to collect the funds and transfer them to their own address.

Old token permissions—known as token approvals—played a key role in the attack. When users had previously interacted with BarnBridge, they granted related contracts permission to withdraw a specified amount of USDC from their wallets. These approvals are not automatically revoked after a transaction is completed and can remain active for years.
Token approval is a standard authorization transaction through which a user allows a service’s smart contract to spend a specific token from their address. Such permission is required to interact with decentralized exchanges, lending protocols, and other DeFi applications. The service does not gain access to the entire wallet—it can only use the specified token and only within the approved limit.

Some applications ask users to grant an unlimited approval. This is more convenient because the user does not need to authorize access again for every subsequent transaction. However, such permission can remain active for years. If the smart contract is compromised, upgraded by an attacker, or modified to include malicious logic, the user’s funds may be at risk.

For this reason, it is safer to approve only the amount of tokens required for a specific transaction rather than setting an unlimited allowance. Users are also advised to review their active approvals regularly and revoke permissions granted to services they no longer use.
The attacker exploited approvals that remained active across approximately 50 user addresses. This means the incident was not limited to withdrawing funds from a single protocol vault: the malicious contract was able to transfer USDC directly from the wallets of users who had previously granted BarnBridge the relevant permissions. Wallet owners did not need to approve any new transactions—the existing approvals were sufficient.

Shortly before the attack was confirmed, Blockaid warned about risks associated with old BarnBridge Smart Yield proposals numbered 14 and 15. One of them was already executable, while the other was queued. Researchers noted that, if executed maliciously or used to deploy a harmful upgrade, these proposals could put old approvals for USDC, DAI, USDT, GUSD, and RAI at risk. However, publicly available sources have not yet confirmed which specific proposal was directly used during the theft.
The attack did not exploit a conventional smart contract bug. Instead, the attacker took control of the DAO. They bought BOND tokens, acquired enough voting power, and submitted a proposal that appeared to be a routine proxy contract upgrade. Once the proposal passed, control of the authorized controller was transferred to a contract controlled by the attacker, who then replaced the protocol’s logic with a version capable of withdrawing USDC.

The new controller relied on old approve permissions that users had previously granted to BarnBridge and never revoked after the project shut down. Because those approvals were still active, the contract could continue transferring USDC from users’ wallets without requiring any new signatures. As a result, the attacker drained approximately $776,000 from dozens of addresses.

What makes the incident especially striking is how little the governance takeover cost. The attacker spent 0.335 ETH to acquire roughly 32,795 BOND, of which 32,000 were locked to obtain voting power. The purchase was worth about $596–598 at the time, or roughly $600 including transaction fees. So the widely cited figure of $625 is a reasonable approximation, although it is more accurate to say that control of the DAO was obtained for around $600.

In other words, a few hundred dollars were enough to pass a malicious proposal through an almost inactive DAO, upgrade a critical contract, and exploit token approvals that users had left active for years.
After obtaining the USDC, the attacker swapped the stolen assets for ETH. Approximately 415 ETH was received and then transferred to a separate address. At the time of publication, the funds remained stationary at that address.

The primary cause of the incident was therefore not a conventional vulnerability such as an incorrect calculation or a price-related failure. The attacker abused the DAO’s administrative capabilities, replaced the protocol’s underlying logic, and turned previously granted user approvals into a mechanism for withdrawing funds. This demonstrates that risks may arise not only from active DeFi positions, but also from old approvals left behind after interacting with a protocol.

Timeline of Events

From 2026-07-05 15:43:11 UTC to 2026-07-05 18:26:35 UTC
From 2026-07-05 15:43:11 UTC to 2026-07-05 18:26:35 UTC
the suspected attacker funded the exploiter address 0xdaa037f99d168b552c0c61b7fb64cf7819d78310 with ETH from Tornado Cash to cover subsequent transactions.
2026-07-15 02:39:47 UTC
2026-07-15 02:39:47 UTC
the suspected attacker carried out a governance attack against BarnBridge, receiving 776,600 USDC from victim addresses at 0xf908610e9174c7cd6e9dfd371e238be4511297a1.
2026-07-15 02:52:35 UTC
2026-07-15 02:52:35 UTC
the suspected attacker swapped the stolen USDC for ETH through Uniswap.
2026-07-15 06:45:47 UTC
2026-07-15 06:45:47 UTC
the suspected attacker transferred the ETH to 0x2c4c1848e22006d63ebb732b61edc871af30ef16, where the funds remained at the time the report was written.

Analyst’s Notes

Suspect #1

One of the key investigative leads was the connection between the address used in the BarnBridge attack and Tornado Cash. The first interaction with the mixer was recorded on July 5, 2026, at 15:43:11 UTC, approximately ten days before the incident.

This sequence of events may indicate advance preparation of the infrastructure and the funding of an address that was later used to carry out the governance attack. However, a connection to Tornado Cash alone does not constitute direct evidence of any specific individual’s involvement and should be assessed together with other on-chain and OSINT data.

The AML Crypto team analyzed Tornado Cash deposits and withdrawals to identify possible matches based on transaction amounts, timing, and behavioral patterns. As a result, the following address was identified:
0xef58f7b86ffa88faad4d45bc6435f984ad493595
According to the preliminary assessment, this address may have served as the source of funds used to finance and deploy the suspected exploiter’s infrastructure.
How the Suspected Connection Was Established

The address 0xef58f7b86ffa88faad4d45bc6435f984ad493595 made exactly four transactions involving Tornado Cash. Before that, the funds had been transferred to it from another network through Relay Link, which may have been used as an additional layer to obscure the origin of the assets.

The source address before the cross-chain transfer was:
0x535d261b36fd33759feeb7698fd6c82a4734debf
This address operated on the Base network. Approximately ten minutes elapsed between the source address’s transactions, the transfer through Relay Link, and the deposit into Tornado Cash. This close timing supports the assessment that these transactions may have formed part of a single, continuous chain of fund movements.

After the assets were deposited into Tornado Cash, they remained inside the mixer for approximately ten hours. They were then withdrawn to the address that was later used to carry out the governance attack against BarnBridge.

The suspected flow of funds can therefore be summarized as follows:
Base network address → Relay Link → 0xef58...3595 → Tornado Cash → BarnBridge exploiter address
Connection to the Baodegit Address

Further analysis of the address 0x535d261b36fd33759feeb7698fd6c82a4734debf on the Base network showed that it was actively used for token swaps and interacted with several centralized services.

A transactional connection was also identified with the following externally owned account, or EOA:
0x411c15706a74723c7d6752e6fafeda2b19016b3d
In the analyzed data, this address is labeled Baodegit.

The Baodegit node is highlighted in green on the graph.

A direct transaction of 0.1 ETH was made on the Base network between the address considered a possible original source of funds and the Baodegit address.

The small size of the transfer and the absence of an obvious commercial context support the hypothesis that both addresses may have been controlled by the same entity or may have belonged to related individuals.
OSINT Analysis Results

During the OSINT investigation, a public GitHub profile named Baodegit was identified:
https://github.com/Baodegit
Two repositories starred by the user were found in the profile. Both are related to smart contract development.

One repository is an educational collection of Solidity materials, including examples of smart contract deployment, wallet integration, proxy contracts, governance mechanisms, and access control.

The second repository is a framework for building confidential smart contracts and includes tools for programming access rules for encrypted data.

These findings may indicate that the profile owner has an interest in smart contract development and access-control mechanisms.
Preliminary Assessment

The combination of identified indicators supports the following working hypothesis:
the funds may have originally come from the address 0x535d...ebf on the Base network;
they were then transferred through Relay Link to 0xef58...3595;
the assets were subsequently deposited into Tornado Cash;
approximately ten hours later, the funds were withdrawn to the address used in the BarnBridge attack;
the original address on the Base network has a direct transactional connection to the address labeled Baodegit;
the public Baodegit GitHub profile demonstrates an interest in smart contracts, governance mechanisms, and access control.
This sequence provides grounds for further investigation but does not currently establish conclusively that Baodegit owns the exploiter address or was directly involved in the attack.

Suspect #2

An additional connection has been identified between the address
0xa8ce49a57400445c6a4118ae3460ed4e46c815b8
and the BarnBridge exploit. This address played a material role in advancing the DAO proposal associated with the attack. In particular, it provided the voting support required to move the proposal through the BarnBridge governance process. The proposal subsequently enabled the administrative changes used to compromise the protocol.

Based on this governance activity, the address is assessed as being affiliated with the attacker or with the infrastructure used to carry out the exploit.

The same address was funded with approximately 1 ETH withdrawn from Tornado Cash, apparently to cover deployment and transaction costs. Analysis of the corresponding Tornado Cash activity led to the identification of an additional address:
0xb604ce319449ed30af81da7321cc32e70152d8d8
According to the current working hypothesis, this address may have funded part of the infrastructure used in the BarnBridge attack. It is therefore designated as Suspect #2 for the purposes of further investigation.

This designation reflects an analytical assessment based on transaction timing, amounts, behavioral similarities, and infrastructure connections. It does not, by itself, establish the identity of the address owner or prove direct participation in the attack.
How the Suspected Connection Was Established

Blockchain analysis showed that Suspect #2, address
0xb604ce319449ed30af81da7321cc32e70152d8d8
made five deposits into Tornado Cash within a one-minute period between July 3, 2026, at 22:24:47 UTC and July 3, 2026, at 22:25:47 UTC, approximately twelve days before the BarnBridge incident.

The deposits consisted of:
  • one transaction of 1 ETH;
  • four transactions of 0.1 ETH each.

The 1 ETH deposit corresponds to the denomination later used to fund the address involved in advancing the BarnBridge DAO proposal. The four 0.1 ETH deposits are consistent with the funding pattern associated with the primary exploiter address and appear to have been intended to cover its operational transaction costs.

The timing also supports the suspected relationship. The main exploiter address received funds from Tornado Cash on July 5, 2026, at 15:43:11 UTC, approximately two days after Suspect #2 deposited the corresponding assets into the mixer. Although Tornado Cash breaks the direct on-chain connection between deposits and withdrawals, the relatively short time interval, matching denominations, and similar transaction structure provide a basis for treating the activity as potentially related.

A further similarity was identified in the way the Tornado Cash withdrawals were structured. In each relevant case, the transaction costs appear to have been deducted from the withdrawn amount. As a result, the recipient received the denomination minus the applicable relayer or execution fee, rather than receiving the full nominal amount with the fee paid separately.

The repetition of this funding pattern across both the governance-related address and the primary exploiter address strengthens the hypothesis that the transactions may have been coordinated or performed by the same entity or by closely associated parties.
Connection to KuCoin

Suspect #2 was also found to have interacted with a KuCoin hot wallet. This connection may provide an opportunity for further attribution through an official information request to the exchange.

Subject to the applicable legal process, relevant records may include:
  • account ownership and KYC information;
  • deposit and withdrawal history;
  • associated wallet addresses;
  • IP login records;
  • device and session data;
  • internal transaction identifiers;
  • linked accounts and funding sources.

Comparing the information provided by KuCoin with the identified on-chain activity could help confirm or disprove the suspected connection between address 0xb604...8d8, the Tornado Cash deposits, and the infrastructure used in the BarnBridge exploit.
Polygon and Rabby Wallet Connection

The Suspect #2 address was also active on the Polygon network, where it interacted with infrastructure labeled as Rabby Wallet fee activity.

This connection may indicate that the address was operated through the Rabby Wallet interface. However, the presence of a Rabby-related fee transaction should be treated as an indicator of possible wallet usage rather than conclusive proof that a specific person controlled the address through Rabby.

An official request to the relevant service provider may help determine whether any associated technical records are available, including:
  • device or browser fingerprints;
  • session timestamps;
  • IP addresses;
  • application telemetry;
  • wallet-connection metadata;
  • other identifiers associated with the relevant activity.

Such records, where retained and legally obtainable, could be compared with data received from centralized exchanges and other service providers to support or challenge the current attribution hypothesis.
Preliminary Assessment

The available evidence supports the following working hypothesis:
Suspect #2 deposited one 1 ETH transaction and four 0.1 ETH transactions into Tornado Cash approximately twelve days before the BarnBridge exploit;
the denominations correspond to the subsequent funding of the governance-related address and the primary exploiter address;
the main exploiter address received Tornado Cash funding approximately two days after the suspected source deposits;
the number, denomination, timing, and fee structure of the transactions demonstrate notable similarities;
the governance-related address helped advance the DAO proposal associated with the malicious protocol changes;
Suspect #2 has additional connections to a KuCoin hot wallet and possible Rabby Wallet usage.
Taken together, these indicators justify further investigation into address 0xb604ce319449ed30af81da7321cc32e70152d8d8 as a possible source of funds used to finance the BarnBridge attack infrastructure.

Nevertheless, the evidence remains circumstantial. Tornado Cash is specifically designed to obscure direct links between deposits and withdrawals, and matching transaction patterns alone cannot conclusively establish common ownership or direct involvement in the exploit.

Recommended Further Actions

To test the working hypotheses, it would be appropriate to submit formal information requests to the centralized services Binance, Bitget, and KuCoin, with which the addresses considered possible sources of funding for the attack infrastructure interacted.

Requests to Binance and Bitget may help identify the owners of accounts linked to the suspected original source of funds on the Base network and verify the possible connection between that address, the Baodegit address, the subsequent transfer of assets through Relay Link, and their deposit into Tornado Cash.

A separate request should be submitted to KuCoin in connection with the identified interaction between the Suspect #2 address
0xb604ce319449ed30af81da7321cc32e70152d8d8
and the exchange’s hot wallet. The information obtained may help identify the owner of the associated account and test the hypothesis that this address served as the source of funds used to finance the governance-related address and the primary exploiter address through Tornado Cash.

The formal requests should seek the following information:
  • account ownership and KYC records;
  • deposit, internal transfer, and withdrawal histories;
  • sources of incoming funds and destination addresses;
  • associated cryptocurrency addresses and accounts;
  • IP addresses used for logins and transactions;
  • device, browser, and session information;
  • internal transaction identifiers;
  • information about linked or jointly operated accounts.
It is also recommended to submit a request to Rabby Wallet or the relevant infrastructure provider in connection with Suspect #2’s activity on the Polygon network and the interaction labeled as Rabby Wallet fee.

Where such data is retained and can be lawfully disclosed, it may include session timestamps, IP addresses, browser and device fingerprints, wallet-connection metadata, and other technical telemetry. The interaction with Rabby-related infrastructure does not by itself prove that a particular individual used the wallet, but it may provide grounds for additional verification.

The information obtained should be compared with on-chain activity to test two primary investigative lines:
1
the suspected connection between Baodegit, the address on the Base network, the transfer through Relay Link, the Tornado Cash deposits, and the funding of the primary exploiter address;
2
the suspected connection between Suspect #2, the series of 1 ETH and 0.1 ETH deposits into Tornado Cash, the funding of the governance-related address 0xa8ce...15b8, and the financing of the primary exploiter address’s operational expenses.
A more detailed comparison of transaction timing, denominations, fee structures, relayers, and the sequence of Tornado Cash deposits and withdrawals is also recommended. Particular attention should be paid to recurring behavioral indicators, including the same method of deducting fees from the withdrawn amount, short time intervals between related transactions, and the sequential funding of associated addresses.

Any information received from service providers should be assessed together with on-chain and OSINT data. This may help confirm or disprove the suspected relationships between Baodegit, Suspect #2, the sources of the Tornado Cash funding, the governance-related address, and the primary address used in the BarnBridge attack.

Until additional evidence is obtained, both attribution lines should be treated as working hypotheses based on a combination of circumstantial indicators rather than as conclusive proof of any specific individual’s involvement in the attack.
Want to learn more and get expert advice? Leave your email and we will contact you promptly!
We also recommend