The Exploit
Shiba Inu’s Shibarium bridge suffered a major breach on Friday, resulting in the loss of approximately $2.4 million through a flash loan exploit. The attacker borrowed 4.6 million BONE tokens, obtained control of 10 out of 12 validator keys, and used this majority to drain funds directly from the bridge contract.
Roughly 224.57 ETH and 92.6 billion SHIB were moved to the exploiter’s address before the developers intervened.
Developer Response
In the immediate aftermath, the Shibarium team paused certain network functions and secured remaining funds in a 6-of-9 multisig hardware wallet. This precaution aimed to prevent further losses while the team coordinated with security firms including Hexens, Seal 911, and PeckShield.
Shiba Inu developer Kaal Dhairya described the incident as “sophisticated” and likely planned over several months. The attacker used validator control to sign malicious state changes, highlighting the vulnerabilities of cross-chain bridge infrastructure.
🚨 Shibarium Bridge Security Update 🚨
Earlier today, a sophisticated (probably planned for months) attack was carried out using a flash loan to purchase 4.6M BONE. The attacker gained access to validator signing keys, achieved majority validator power, and signed a malicious…
— Kaal (@kaaldhairya) September 13, 2025
Locked BONE and Containment Efforts
Interestingly, the BONE tokens borrowed to execute the attack remain locked in Validator 1 due to unstaking delays. This mechanism could prevent the attacker from immediately profiting from the exploit. Developers are exploring options to freeze or recover those funds.
The team has also contacted authorities and indicated a willingness to negotiate with the attacker, even suggesting a potential bounty if the assets are returned.
Broader Context
Cross-chain bridges have become recurring targets in decentralized finance. Their complexity and large pools of assets make them attractive to hackers. The Shibarium case adds to the growing list of bridge-related exploits that have drained billions from the ecosystem in recent years.
For now, Shibarium remains in “damage control mode.” The network will not resume full functionality until key transfers are secured and the scope of validator compromise is fully assessed.