The exploit was over in 24 seconds. The fallout took four days to surface.
On May 27, an attacker who held both of Fluid protocol’s reward distribution signing keys drained roughly $215,000 in FLUID tokens, GHO, and cbBTC from three separate reward distributors across Ethereum, Base, and Arbitrum. The core protocol remained untouched. Smart contracts, user deposits, lending markets, vaults, and DEX liquidity were never in scope. What broke was a layer most users never think about: the off-chain reward payout infrastructure.
Then the funds moved into Tornado Cash. And the team said nothing for four days.
When Silence Costs More Than the Hack
The sequence started at 21:11:11 UTC on May 27. A compromised proposer key submitted a self-serving reward root to Fluid’s FLUID distributor. Twelve seconds later, the same attacker used the compromised approver key to confirm it. Twenty-four seconds after the first transaction, 112,883.85 FLUID was claimed with an empty Merkle proof. That proof was valid: the attacker’s reward list had a single entry, so the tree had one leaf, the root was that leaf’s hash, and the verifier had no sibling hashes to fold in before comparing against the root.
The GHO distributor fell the same way minutes later. A third distributor holding cbBTC went at 22:57. All proceeds were swapped through the MetaMask router and deposited into Tornado Cash, roughly 142.6 ETH in total.
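The empty-proof claim above follows directly from how Merkle distributors verify claims. The following is an added example, not Fluid’s code: a minimal distributor tree in Python using sorted-pair hashing (the convention OpenZeppelin’s MerkleProof uses), with sha256 standing in for the keccak256 a Solidity contract would use. The account labels, amounts and leaf encoding are constructed for the demonstration.

```python
import hashlib
from typing import List

# Added example (not Fluid's code). sha256 stands in for the keccak256 a
# Solidity distributor would use; the tree shape and proof logic are the same.


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(account: str, amount_wei: int) -> bytes:
    # Constructed leaf encoding: account label + 32-byte big-endian amount.
    return h(account.encode() + amount_wei.to_bytes(32, "big"))


def hash_pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing: sibling order does not matter, so a proof is
    # just the list of sibling hashes from leaf to root.
    return h(a + b) if a <= b else h(b + a)


def build_root(leaves: List[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(hash_pair(level[i], level[i + 1]))
            else:
                nxt.append(level[i])  # odd node is promoted unchanged
        level = nxt
    return level[0]


def build_proof(leaves: List[bytes], index: int) -> List[bytes]:
    proof, level = [], list(leaves)
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(hash_pair(level[i], level[i + 1]))
                if index in (i, i + 1):
                    proof.append(level[i + 1] if index == i else level[i])
            else:
                nxt.append(level[i])
        index //= 2
        level = nxt
    return proof


def verify(root: bytes, leaf_hash: bytes, proof: List[bytes]) -> bool:
    # The on-chain check: fold the proof into the leaf, compare to the root.
    # With an empty proof the loop never runs and the leaf IS the candidate root.
    computed = leaf_hash
    for sibling in proof:
        computed = hash_pair(computed, sibling)
    return computed == root


FLUID = 10**18

# Constructed honest reward list: four users, four leaves, proofs of length 2.
HONEST = [leaf("alice", 100 * FLUID), leaf("bob", 250 * FLUID),
          leaf("carol", 75 * FLUID), leaf("dave", 500 * FLUID)]
HONEST_ROOT = build_root(HONEST)

# Constructed attacker list: one entry, paying only the attacker's address.
ATTACKER_LEAF = leaf("attacker", 112_883_850_000_000_000_000_000)  # 112,883.85 FLUID
ATTACKER_ROOT = build_root([ATTACKER_LEAF])


def demo() -> dict:
    return {
        # A real user needs a real proof against the honest root.
        "honest_claim_with_proof": verify(HONEST_ROOT, HONEST[2], build_proof(HONEST, 2)),
        "honest_claim_empty_proof": verify(HONEST_ROOT, HONEST[2], []),
        # Single-leaf tree: the root is the leaf hash, so the empty proof verifies.
        "root_equals_leaf": ATTACKER_ROOT == ATTACKER_LEAF,
        "attacker_claim_empty_proof": verify(ATTACKER_ROOT, ATTACKER_LEAF, []),
        # The same empty proof is useless against a root that is not the leaf.
        "attacker_leaf_vs_honest_root": verify(HONEST_ROOT, ATTACKER_LEAF, []),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the output makes is that the verifier is not at fault: `verify` accepts the empty proof only because the root it was handed is the attacker’s own leaf hash. Whoever can post the root decides who gets paid, which is why the keys that post and approve it are the whole security boundary.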
As @0xfluid posted on X, Fluid’s team identified and contained the compromise affecting its off-chain Merkle rewards distribution infrastructure, stressing that core protocol contracts were fully safe and user funds remained unaffected.
What that statement did not say was when the breach actually happened.
Two Keys, One Owner, Zero Window
Security research firm BlackHartInc broke down the mechanics in detail. The attack did not exploit a smart contract bug or a flaw in Merkle proof verification; the contracts did exactly what two valid signatures told them to do.
“An attacker held both of those operational keys, pushed a reward list that paid only themselves, approved it, and claimed with an empty proof. The two-person control meant nothing once one person held both keys.” — BlackHartInc, on X
Both the proposer key (0x4f1047) and the approver key (0x85dc44) had been active since September 2024 as single-purpose operational signers. How the keys were obtained has not been publicly confirmed, though the pattern is consistent with a leaked deployment secret or an exposed signing service.
Fluid’s team removed the compromised keys and swept roughly 314,000 FLUID and 7,400 USDC of remaining reward funds to a safe address about ten hours after the first theft, around 07:05 UTC on May 28. That ten-hour window is the number that matters: for the whole of it, the remaining balance sat behind the same two compromised keys, and nothing in the distributor design stood between a second self-serving root and a second claim.
BlackHartInc’s full forensic reconstruction put total confirmed losses at approximately $225,000 across all three chains, with the Ethereum drain accounting for around $215K of that figure.
What Merkl’s Pablo Veyrat Said the Industry Gets Wrong
Pablo Veyrat, co-founder of Merkl, responded to the Fluid incident directly. The Fluid team used their own custom Merkle distribution system, independent of what Merkl runs. But Veyrat’s comments pointed to a structural problem across the space.
“At Merkl, our setups are automated to push merkle roots, and we have EOAs on every chain with the right to post new roots. Without the proper safeguards, it would take just one compromised EOA to drain all the funds waiting to be claimed on Merkl.” — Pablo Veyrat on X
Veyrat described Merkl’s mitigation: a dispute system with a minimum one-hour delay between root submission and claim activation, backed by three independent dispute bots running on infrastructure fully isolated from core cloud systems. Any of the three bots can freeze an incoming root during that window by sending a single dispute transaction.
The delay hurts user experience. Instant airdrops become impossible. But Veyrat made the tradeoff explicit: the dispute window is the single most effective protection against a compromised EOA, a rogue team member, or a supply chain attack on cloud infrastructure.
Fluid had none of that. The gap between propose and claim on May 27 was 24 seconds.
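To make the contrast between the two designs concrete, here is an added example in Python, not Fluid’s or Merkl’s code, that models a two-key distributor with a configurable dispute window and replays the May 27 timing (propose at t=0, approve at t=12, claim at t=24) against it. Roots are opaque bytes; Merkle verification is left out so the example isolates the propose/approve/dispute timing. The key labels, bot names, and the one-hour window value are assumptions taken from the description above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Added example, not Fluid's or Merkl's code. Roots are opaque bytes; only the
# propose/approve/dispute timing is modelled.


@dataclass
class PendingRoot:
    root: bytes
    proposed_at: int
    approved_at: Optional[int] = None
    disputed: bool = False


class Distributor:
    """Two-key reward distributor with an optional dispute window.

    dispute_delay == 0 reproduces the Fluid-style flow: an approved root is
    claimable immediately. A positive delay reproduces the Merkl-style flow:
    the root only activates after the delay, and any registered dispute bot
    can freeze it before then.
    """

    def __init__(self, proposer: str, approver: str,
                 dispute_delay: int, disputers: Set[str]):
        self.proposer, self.approver = proposer, approver
        self.dispute_delay, self.disputers = dispute_delay, disputers
        self.active: Optional[bytes] = None
        self.pending: Optional[PendingRoot] = None

    def propose(self, signer: str, root: bytes, now: int) -> bool:
        if signer != self.proposer:
            return False
        self.pending = PendingRoot(root=root, proposed_at=now)
        return True

    def approve(self, signer: str, now: int) -> bool:
        if signer != self.approver or self.pending is None:
            return False
        self.pending.approved_at = now
        return True

    def dispute(self, signer: str, now: int) -> bool:
        # Only a registered bot, only an approved-but-not-yet-active root,
        # only while the window is still open.
        p = self.pending
        if signer not in self.disputers or p is None or p.approved_at is None:
            return False
        if now >= p.approved_at + self.dispute_delay:
            return False
        p.disputed = True
        return True

    def _settle(self, now: int) -> None:
        # Promote the pending root once its window has elapsed undisputed.
        p = self.pending
        if (p and p.approved_at is not None and not p.disputed
                and now >= p.approved_at + self.dispute_delay):
            self.active, self.pending = p.root, None

    def claim(self, root: bytes, now: int) -> bool:
        self._settle(now)
        return self.active is not None and root == self.active


EVIL_ROOT = b"\x11" * 32  # constructed: a root whose only leaf pays the attacker


def replay(dispute_delay: int, dispute_at: Optional[int] = None) -> Dict[str, bool]:
    """Replay the May 27 timeline (t=0 propose, t=12 approve, t=24 claim)
    against a distributor with the given dispute window, optionally with a
    dispute bot firing at dispute_at seconds."""
    d = Distributor(proposer="proposer-key", approver="approver-key",
                    dispute_delay=dispute_delay,
                    disputers={"bot-a", "bot-b", "bot-c"})
    d.propose("proposer-key", EVIL_ROOT, now=0)
    d.approve("approver-key", now=12)
    out = {"claim_at_24s": d.claim(EVIL_ROOT, now=24)}
    out["dispute_accepted"] = (dispute_at is not None
                               and d.dispute("bot-b", now=dispute_at))
    out["claim_after_window"] = d.claim(EVIL_ROOT, now=12 + dispute_delay + 60)
    return out


if __name__ == "__main__":
    print("no window:        ", replay(0))
    print("1h window, silent:", replay(3600))
    print("1h window, bot:   ", replay(3600, dispute_at=600))
```

With no window the 24-second claim succeeds, exactly as on May 27. With a one-hour window the same two signatures still cannot pay out until 01:12 after approval, and a single dispute transaction from any one of the three bots leaves the root permanently unclaimable. The bots only help if they run somewhere the attacker’s foothold cannot reach, which is why Veyrat stresses isolating them from the core cloud environment.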
A $100 Million Bank Run Nobody Named
The exploit itself was $215K. What came after was far larger, and it did not appear in the initial disclosure.
BlackHartInc noted a separate movement of $70 million to $110 million out of Fluid in the days following May 27. That was not a second attack.
Users pulling their own deposits in response to news of the breach drove the outflow. On-chain data referenced by BlackHartInc showed a lender withdrew $77 million in USDC starting May 28, the day after the exploit. The team posted about high deposit rates for USDC that same day. The hack was not disclosed until May 31.
The timing is where the disclosure question gets pointed. Community account @jpn_memelord raised it directly on X, noting the exploit happened May 27, a major lender exited the following day, and the team only surfaced the incident after it was discovered externally on May 31.
User @eightlends pushed back, arguing the team caught it early and nothing critical was touched, and that the transparency demonstrated trust. That reading depends on what transparent means when a four-day gap sits between exploit and public statement.
What Fluid Has Not Said Yet
As of the time of writing, Fluid has not published a post-mortem that plainly states how both signing keys were obtained, what infrastructure held them, and what changed. The official statement confirmed the compromise was contained and that the incident affected only reward distribution.
BlackHartInc’s remediation checklist from the incident analysis calls for four things that remain unconfirmed publicly: key rotation with full infrastructure audit, independent multisig or threshold custody on both proposer and approver roles, a timelock between root approval and claim activation, and on-chain payout velocity limits with real-time outflow alerts.
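The last item on that checklist, payout velocity limits with outflow alerts, is the one that would have bounded the loss even with both keys gone. The following is an added example, not Fluid’s code or BlackHartInc’s: a sliding-window outflow guard in Python run over a constructed claim timeline. The same check can be a hard cap inside the distributor or an alert rule in an off-chain monitor; the one-hour window and 20,000 FLUID ceiling are assumed values, and every event below is made up for the demonstration.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

# Added example, not Fluid's code. Window and cap are assumed values.
FLUID = 10**18
WINDOW_S = 3600
CAP_PER_WINDOW = 20_000 * FLUID  # assumed per-hour payout ceiling


class VelocityGuard:
    """Sliding-window outflow limit.

    check() returns (accepted, total_in_window_before_this_claim) so the same
    logic can serve as an on-chain revert condition or an off-chain alert.
    """

    def __init__(self, window_s: int, cap: int):
        self.window_s, self.cap = window_s, cap
        self.recent: Deque[Tuple[int, int]] = deque()  # (timestamp, amount)
        self.total = 0

    def check(self, ts: int, amount: int) -> Tuple[bool, int]:
        # Drop claims that have aged out of the window.
        while self.recent and self.recent[0][0] <= ts - self.window_s:
            _, old = self.recent.popleft()
            self.total -= old
        if self.total + amount > self.cap:
            return False, self.total
        self.recent.append((ts, amount))
        self.total += amount
        return True, self.total


# Constructed timeline: (seconds, claimant, amount). Four ordinary claims in the
# first hour, then the attacker's single big claim, then a chunked retry.
EVENTS: List[Tuple[int, str, int]] = [
    (0, "alice", 120 * FLUID),
    (900, "bob", 3_400 * FLUID),
    (1_800, "carol", 80 * FLUID),
    (2_700, "dave", 1_200 * FLUID),
    (76_271, "attacker", 112_883_850_000_000_000_000_000),  # 112,883.85 FLUID at once
    (76_300, "attacker", 19_000 * FLUID),                    # under the cap: passes
    (76_900, "attacker", 19_000 * FLUID),                    # 38,000 in window: blocked
    (80_000, "attacker", 19_000 * FLUID),                    # first chunk aged out: passes
]


def run(events: List[Tuple[int, str, int]]) -> Dict[str, object]:
    guard = VelocityGuard(WINDOW_S, CAP_PER_WINDOW)
    paid = 0
    alerts: List[Tuple[int, str, int]] = []
    for ts, who, amount in events:
        ok, in_window = guard.check(ts, amount)
        if ok:
            paid += amount
        else:
            # In a monitor this is where the page/alert fires; on-chain it is a revert.
            alerts.append((ts, who, amount))
    return {"paid": paid, "alerts": alerts}


if __name__ == "__main__":
    result = run(EVENTS)
    print("paid (FLUID):", result["paid"] // FLUID)
    for ts, who, amount in result["alerts"]:
        print(f"ALERT t={ts}s {who} tried {amount / FLUID:,.2f} FLUID over cap")
```

The example is honest about what a velocity cap does and does not buy: the single 112,883.85 FLUID claim is refused outright, but an attacker who still holds both keys can keep pulling one cap’s worth per window. That is why the cap pairs with the alert; its job is to turn a 24-second drain into a ten-hour one that monitoring can catch, not to replace key custody.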
The protocol’s core security, the 7/14 multisig governance layer over main contracts, held throughout. Nothing in the lending or DEX stack was compromised. But the reward layer, the part that touches user incentives and token distributions, ran on a two-key system where both keys could be held by one party.
That structure is not unusual in DeFi. It is how dozens of reward systems are built. The Fluid incident is useful not because the loss was large but because the failure mode is common and the ten-hour detection window shows how long a similar attack could run at a protocol with slower monitoring.