Floki Responds to $BADAI LP Exploit: What Happened and What’s Next

On April 7, 2025, Floki identified suspicious activity linked to the BadAI LP vault. The initial signs pointed to a serious breach involving a part of the liquidity pool connected to the recent $BADAI airdrop. 

While community concern surged, Floki clarified that the issue did not originate from BadAI's protocol or smart contracts. Instead, the cause was traced back to a Floki team member with privileged access.

Now, in a recent official update, Floki confirmed that the exploit was executed by a rogue developer who had been working with the team for over two years. This individual leveraged backdoor access to manipulate liquidity pool (LP) locks and siphon off a portion of the BadAI LP.

The Role of a Trusted Hiring Platform in the Exploit

The developer in question was sourced through Toptal, a prominent talent platform that boasts an estimated $1.3 billion in annual revenue. Toptal markets itself as a premium network of vetted developers and requires clients to manage contracts within its ecosystem. Despite these safeguards, this particular developer was able to bypass Floki’s internal processes.

According to Floki, the rogue actor pushed an unauthorized update to the FlokiFi Locker, a DeFi tool for token and LP locking. The update allowed the deployer wallet to retract LP tokens from upgradeable vaults. Using this exploit, the developer extracted funds from the BadAI LP.

This wasn’t a smart contract vulnerability. The smart contracts performed as coded. The problem stemmed from a trusted actor misusing their privileged access—something harder to anticipate and prevent.

Action from the Floki Team

Upon identifying the breach, Floki wasted no time. They revoked access from the compromised deployer address and froze all new vault locks on the affected chain. Additionally, Floki initiated a comprehensive review of the platform’s internal control mechanisms to avoid similar issues in the future.

Further, Floki announced that it would reimburse BadAI in full. This includes the total value of the LP affected at the time of the exploit and an additional compensation package as a goodwill gesture.

Legal Steps Underway

The Floki team has launched a two-pronged legal strategy. Their lawyers are actively engaging with Toptal, holding the platform accountable due to its involvement in managing the developer's contract. At the same time, the team is coordinating with local law enforcement to investigate and potentially prosecute the rogue developer responsible.

“We have instructed our lawyers to immediately engage with the Toptal team since the dev was hired and managed through their platform,” Floki stated. “Our lawyers are also initiating engagement with local law enforcement in an effort to bring this rogue dev to book for his actions.”

BadAI Breaks Silence

After days of silence, the BadAI team issued a public statement acknowledging Floki’s findings and confirming the exploit's origin. They expressed appreciation for Floki’s transparent handling of the matter and the steps taken to mitigate damages.

“We’re grateful to our community for standing by us,” BadAI stated, recognizing the support from users even during the project’s most challenging phase. They further assured the public of their ongoing work and hinted at upcoming developments to move the project forward.

Despite the setback, the tone from BadAI pledged to continue building and promised future updates.

The $BADAI Airdrop

The exploit came a few months after Floki promoted a $BADAI airdrop to FLOKI token holders across BNB and Ethereum chains. To qualify, users only needed to hold at least one FLOKI token. The size of the airdrop was proportional to the amount of FLOKI held—larger holdings meant larger airdrop allocations.

In total, 40 million $BADAI tokens were allocated for Floki Trading Bot users and an additional 40 million tokens for TokenFi ($TOKEN) holders, both of which have significant on-chain communities.

The airdrop was intended to boost visibility for the $BADAI token, which was launching exclusively on the BNB Chain. FLOKI users on both BNB and Ethereum networks would receive their $BADAI allocations on BNB, regardless of where they held their original FLOKI tokens.