DeFi Protocol Fluid Suffers Backend Hack, Commits to Full Loss Coverage
Severity: Medium (Score: 51.9)
Sources: Bitget, Kucoin
Keywords: fluid, defi, protocol, attack, reports, news, released
Summary
On June 2, 2026, the DeFi protocol Fluid reported a hack that exploited a vulnerability in its backend systems, specifically affecting the Merkle reward distribution system. The attacker stole approximately 163,706 FLUID tokens and 49,526 GHO tokens using a remote code execution vulnerability in Fluid's internally ported Livewire library. The core protocol, smart contracts, and user funds were not impacted by this incident. The Fluid team has rotated operational keys, transferred remaining funds, and isolated the affected systems. The team is working to recover the stolen assets and has pledged to cover all losses incurred by users. The restoration of the Merkle reward claiming function is expected within 10 days, during which rewards will continue to accumulate without user intervention.
Key Points:
- Fluid protocol was hacked, resulting in the theft of 163,706 FLUID and 49,526 GHO tokens.
- The attack exploited a remote code execution vulnerability in the Livewire library.
- Fluid has committed to covering all user losses and restoring affected systems within 10 days.
Detailed Analysis
**Impact** The attack affected the backend automated systems of the Fluid DeFi protocol, specifically targeting the Merkle reward distribution system. Approximately 163,706 FLUID and 49,526 GHO tokens were stolen. The core protocol, smart contracts, and user funds remained unaffected, limiting the scope to operational backend components. The incident impacts users relying on the Merkle reward claiming function, which is temporarily disabled but will continue accumulating rewards.
**Technical Details** The attacker exploited a remote code execution vulnerability in an internally ported Livewire library used by Fluid’s backend systems. This allowed the attacker to obtain operational keys and submit a fraudulent Merkle root to manipulate the reward distribution. The attack targeted the backend automation stage of the kill chain, bypassing the core smart contract layer. No specific CVE identifiers or malware names were provided in the articles.
**Recommended Response** Defenders should prioritize rotating operational keys and isolating affected backend systems, as Fluid has done. Monitoring for unusual Merkle root submissions and unauthorized access to backend automation systems is advised. Restoration of the Merkle reward claiming function should be closely monitored for integrity. No patch details are available; therefore, organizations using similar internally ported libraries should review and harden their codebase against remote code execution vulnerabilities.
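One way to implement the Merkle root monitoring recommended above, as an added example that is not Fluid's code and does not come from the source articles: a reviewer that holds no operational keys recomputes the reward ledger and rejects any proposed root whose published distribution differs from it. The leaf encoding, tree shape, SHA-256 hash, function names and all addresses and amounts are assumptions constructed for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    # SHA-256 is a stand-in (assumption); use the hash your distributor contract uses.
    return hashlib.sha256(data).digest()

def leaf(address: str, amount: int) -> bytes:
    # Hypothetical leaf encoding: 20-byte address || 32-byte big-endian cumulative amount.
    return _h(bytes.fromhex(address[2:]) + amount.to_bytes(32, "big"))

def merkle_root(leaves: list[bytes]) -> bytes:
    # Assumed tree shape: sorted leaves, sorted-pair hashing, odd node promoted unchanged.
    if not leaves:
        raise ValueError("empty distribution")
    level = sorted(leaves)
    while len(level) > 1:
        nxt = [_h(min(a, b) + max(a, b)) for a, b in zip(level[0::2], level[1::2])]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

def review_submission(ledger: dict[str, int], published: dict[str, int],
                      submitted_root: bytes) -> list[str]:
    """Check a proposed root against an independently computed reward ledger.
    Returns findings; an empty list means the root matches the ledger."""
    findings = []
    # 1. The published distribution must actually hash to the root being submitted.
    if merkle_root([leaf(a, v) for a, v in published.items()]) != submitted_root:
        findings.append("published distribution does not hash to submitted root")
    # 2. Every entry must match the ledger; report each recipient that differs.
    for addr in sorted(set(ledger) | set(published)):
        want, got = ledger.get(addr, 0), published.get(addr, 0)
        if want != got:
            findings.append(f"{addr}: ledger={want} published={got}")
    return findings

# Constructed sample data (not taken from the incident).
LEDGER = {"0x" + "11" * 20: 500, "0x" + "22" * 20: 1200, "0x" + "33" * 20: 75}
GOOD_ROOT = merkle_root([leaf(a, v) for a, v in LEDGER.items()])
TAMPERED = dict(LEDGER, **{"0x" + "ee" * 20: 1_000_000})
TAMPERED_ROOT = merkle_root([leaf(a, v) for a, v in TAMPERED.items()])

if __name__ == "__main__":
    print("clean:", review_submission(LEDGER, LEDGER, GOOD_ROOT))
    for finding in review_submission(LEDGER, TAMPERED, TAMPERED_ROOT):
        print("ALERT", finding)
```

The check only helps if the reviewer derives its ledger from data the submitting backend cannot write to, and if a non-empty result blocks or alerts before claims open against the new root.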
Source articles (2)
- Fluid: The attack only affected back-end automation systems, and the team will fully cover the losses — Bitget · 2026-06-02
  Foresight News reports that the DeFi protocol Fluid has released an incident report on the recent attack. The attacker exploited a vulnerability in components related to the Merkle reward distribution…
- DeFi Protocol Fluid Reports Hack Affecting Backend System, Promises Full Loss Coverage — Kucoin · 2026-06-02
  According to ME News, on June 2 (UTC+8), the DeFi protocol Fluid released a report on the attack incident. The attacker exploited a vulnerability in components related to the Merkle reward distributio…
Timeline
- 2026-06-02 — Fluid reports hack incident: Fluid disclosed that a vulnerability led to the theft of tokens, affecting backend systems but not user funds.
- 2026-06-02 — Immediate actions taken by Fluid team: The team rotated keys, transferred remaining funds, and isolated affected systems to mitigate further risks.
- 2026-06-02 — Commitment to recover stolen funds: Fluid announced ongoing efforts to recover the stolen assets and promised to cover all losses for users.
Related entities
- Data Breach (Attack Type)
- Zero-day Exploit (Attack Type)
- Fluid (Company)
- Livewire (Vulnerability)