Full Report
Bitcoin bridge biz offers 10 percent reward to attackers if they play nice Blockchain company Garden admits it was compromised and temporarily shut down its app after approximately $11 million worth of assets were stolen.…
Analysis Summary
# Incident Report: Garden Finance $11M Crypto Exploit
## Executive Summary
The blockchain bridge protocol Garden Finance suffered a security incident resulting in the theft of approximately $11 million worth of assets. The attack targeted one of the company's transaction solvers, which are used to execute cross-chain transactions. In response, Garden temporarily shut down its application and offered the attackers a 10% reward conditional on returning the stolen funds and providing details about the exploit.
## Incident Details
- Discovery Date: Friday, October 31, 2025 (Date inferred from announcement)
- Incident Date: Prior to Friday, October 31, 2025
- Affected Organization: Garden Finance (Blockchain bridge protocol company)
- Sector: Decentralized Finance (DeFi) / Blockchain Services
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Exploitation of a compromised "Solver."
- Details: An attacker successfully exploited a vulnerability within one of Garden's transaction solvers, which are algorithms or agents relied upon to execute efficient cross-chain transactions and sometimes hold operational funds.
### Lateral Movement
- Details: The article does not describe any lateral movement, implying the attack was confined to the compromised solver mechanism. An ongoing dispute indicates that a team member may have managed the compromised solver, which points to potential insider links or compromised employee access rather than an external network intrusion.
### Data Exfiltration/Impact
- Date/Time: Unknown
- Impact: Approximately **$11 million worth of assets** were stolen from the compromised solver. Importantly, Garden claimed **no user funds were lost**, and the core protocol remained unaffected.
### Detection & Response
- Date/Time: Friday, October 31, 2025 (Disclosure date)
- Detection: The incident was discovered internally, leading to the public disclosure via X.
- Response actions taken: Garden temporarily shut down its application. It sent messages to the attacker offering a 10% bounty ($1.1M) in exchange for the return of the stolen assets and information explaining the exploit. The company stated it is working with external security experts.
## Attack Methodology
- Initial Access: **Exploitation of a protocol component (Solver)**. The exact technical method is unknown, as Garden stated they were still investigating the root cause.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: Assets held by the compromised solver were targeted.
- Exfiltration: Transfer of approximately $11 million in assets out of the affected solver address.
- Impact: Financial loss to the company/solver funds, operational disruption (app shutdown).
## Impact Assessment
- Financial: Approximately **$11 million** stolen from the solver mechanism.
- Data Breach: No user data breach explicitly reported. No user funds were reported lost.
- Operational: The Garden application was **temporarily shut down** pending investigation and remediation.
- Reputational: The incident followed prior criticism regarding the legitimacy of tokens swapped through the service and allegations of the protocol aiding illicit actors by ignoring victims or failing to block large swaps from suspicious entities.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Unauthorized depletion of funds held within a specific Garden Finance *Solver* address/contract logic.
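The behavioral indicator above is the only detection signal the report offers: a solver address whose operational balance is drained. The following monitor, added here as an illustration and not code from the article or from Garden, shows one way a defender can turn that indicator into an alert by tracking a solver's balance over time and flagging a drop that exceeds a threshold relative to the recent peak. The balance snapshots, the window length and the 50% threshold are all constructed assumptions; a real deployment would feed it from an on-chain indexer and tune the threshold to the solver's normal settlement volume.

```python
"""Rapid-depletion monitor for a solver's operational balance.

Constructed example: the snapshots below are invented sample data and stand
in for periodic balance reads of a single solver address. Nothing here is
taken from the incident itself.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Snapshot:
    ts: int          # observation time, unix seconds
    balance: float   # solver balance, USD-equivalent


@dataclass(frozen=True)
class Alert:
    peak_ts: int         # when the trailing-window peak was observed
    alert_ts: int        # snapshot that triggered the alert
    drop_fraction: float # fraction of the peak that left the address


def detect_depletion(snapshots: List[Snapshot], window_s: int, max_drop: float) -> List[Alert]:
    """Flag snapshots where the balance fell by more than max_drop (a fraction)
    relative to the highest balance seen within the trailing window_s seconds.

    Only the first snapshot of a depletion episode produces an alert; later
    snapshots that remain depressed are suppressed until the balance recovers.
    """
    ordered = sorted(snapshots, key=lambda s: s.ts)
    alerts: List[Alert] = []
    in_episode = False
    for i, cur in enumerate(ordered):
        # Trailing window includes the current snapshot.
        window = [s for s in ordered[: i + 1] if cur.ts - s.ts <= window_s]
        peak = max(window, key=lambda s: s.balance)
        if peak.balance <= 0:
            continue
        drop = (peak.balance - cur.balance) / peak.balance
        if drop > max_drop:
            if not in_episode:
                alerts.append(Alert(peak.ts, cur.ts, round(drop, 4)))
            in_episode = True
        else:
            in_episode = False
    return alerts


# Constructed sample: normal settlement noise, then a ~91% outflow in one interval.
SAMPLE_SNAPSHOTS = [
    Snapshot(0, 12_000_000.0),
    Snapshot(600, 11_850_000.0),
    Snapshot(1200, 12_100_000.0),
    Snapshot(1800, 11_900_000.0),
    Snapshot(2400, 1_050_000.0),   # depletion event (constructed)
    Snapshot(3000, 1_040_000.0),   # still depressed; suppressed as same episode
]


def run_sample() -> List[Alert]:
    """Run the monitor over the constructed snapshots with a 1h window, 50% threshold."""
    return detect_depletion(SAMPLE_SNAPSHOTS, window_s=3600, max_drop=0.5)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT: {a.drop_fraction:.1%} of peak (seen at t={a.peak_ts}) "
              f"left the solver by t={a.alert_ts}")
```

The suppression logic matters in practice: without it, every snapshot after a drain re-alerts until the window slides past the peak, which buries the one event that needs a human response. Pairing this with an independent hard cap on the operational balance a single solver may hold limits how much a compromise of that component can drain before the alert fires.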
## Response Actions
- Containment measures: **Temporary shutdown of the Garden application.** Efforts were made to isolate the compromised solver component.
- Eradication steps: Working to identify the root cause with outside security experts.
- Recovery actions: Plans to restore operations safely and onboard more independent solvers for redundancy.
## Lessons Learned
- Solvers, even those holding operational rather than user funds, represent significant single points of failure if not sufficiently isolated or secured.
- There is potential ambiguity regarding the operational control of DeFi components (solvers), with external researchers suggesting a team member may have managed the exploited component, contradicting the ideal of fully autonomous DeFi mechanisms.
- The urgency of mitigating risk from illicit actors was previously raised, indicating potential ongoing vulnerability management gaps.
## Recommendations
- Conduct a full audit of all operational (non-user-facing) smart contract components, especially solvers and bridge mechanisms, to confirm complete logical isolation from core user balances.
- Investigate and clarify operational ownership/management of all automated protocol components to ensure adequate control and monitoring, especially if they hold operational capital.
- Accelerate the roadmap for onboarding redundant, independent solvers to mitigate single-point-of-failure risks.