Garden Incident Report — October 30, 2025

Summary

On October 30, 2025, Garden experienced a security incident involving one of its independent solver operators. An attacker gained unauthorized access to the solver’s infrastructure and drained approximately $11.4M in crypto assets belonging to the solver across multiple chains.

We have since verified that the vulnerability was fully isolated to the solver’s environment. No Garden protocol contracts were compromised, and no user funds were at risk.

Incident Response

Upon detecting the security breach, the team immediately activated the incident response plan and paused all user-facing services as a precaution. An on-chain message was issued offering a 10% whitehat bounty on behalf of our solver; a response was not received.

Recovery Efforts

Although the vulnerability does not affect the Garden protocol or its users, we continue to engage with law enforcement authorities and relevant third parties, including industry security teams, to trace and recover funds that have been drained.

After the attack, the stolen funds were consolidated at 0x98BCc6c34A489CEfdD9DfA8d792CFEFb02Ea2D12 (0x98BC) and WZy4xxpqktWa1b6MPMRiWsD487CT8mDcapB6GufBJCH (WZy4xx). The assets held on Solana were then bridged to Ethereum via Mayan, arriving at 0x862f02fAEA46d8455a6784665d1424676ed99701 (0x862f) and 0xa9a166fEBace09fD620A3b85CBC6d40e535FBdF1 (0xa9a16). The funds at 0xa9a16 were subsequently deposited into Tornado Cash. The funds held at 0x98BC were also bridged and swapped for ETH, except for the portion on BSC, which was transferred to 0x7D76Ee241512D1b2db5a7e09FD04F5dA71B31369 (0x7D76) and later deposited into Tornado Cash. Finally, 0x862f transferred its remaining balance to 0x98BC, consolidating the funds before depositing them into Tornado Cash.

zeroShadow’s initial analysis links the attack with high confidence to a known North Korea-affiliated threat actor (“DangerousPassword”).

“The incident originated from a leaked private key on a compromised device. While the exact method of compromise is still unknown, current indicators and on-chain laundering patterns are consistent with those of other attacks attributed to the North Korea-affiliated threat actor DangerousPassword (aka. CryptoCore, Sapphire Sleet, UNC1069).”

Vulnerability Breakdown

The compromise originated from the solver’s local device, which was used to operate the production executor services. The attacker obtained the solver’s SSH key, allowing them to authenticate and gain root access to the solver’s server. Once inside, the attacker located the private key stored in an environment variable and drained balances across multiple blockchains.

Server logs confirm unauthorized SSH sessions from IP addresses in Japan and China between 10:47 AM and 11:06 AM CET. These sessions correspond to filesystem access events beginning at 11:10 AM CET, which precede the first malicious on-chain transaction. We engaged with Ernst & Young (EY) for a forensics study, which mentions:

“The solver server was hosted with an open source self-hosted platform as a service named Coolify that was being used for managing the applications. Examination of SSH auth logs from the Solver server indicated suspicious access from four IP addresses with indicative locations as Japan and China on 30th October 2025.”

The forensic analysis identified the following suspicious IPs: 

• IP: 103.53.80.233 
• IP: 42.84.234.60 
• IP: 36.50.84.167 

• IP: 36.50.84.138 

Looking Ahead

Our top priority is strengthening Garden’s infrastructure to prevent future downtime for our users and partners. We have since implemented the following security measures:

1. Eliminated the requirement for solvers to be accessible via public IP addresses, preventing similar future attacks.
2. Engaged third-party solvers to expand from a single solver to multiple independent solvers, creating greater network resilience.
3. Established security guidelines for current and future solvers via a third-party security firm.
4. Implemented quarterly independent third-party VAPT across the Garden protocol and solver infrastructure.
5. Appointed a new CISO, bringing over two decades of experience leading security efforts at large organizations.
6. Hardened infrastructure security through encrypted tunnels with role-based access control, enhanced logging and security monitoring, and strengthened endpoint management. 

We continue to collaborate with security experts to improve our policies.