Arbitrum DeFi Protocol Thala Labs Recovers $25M After Exploit on Nov. 15

CoinMarketCap
2024-11-22

On Nov. 15, 2024, Thala Labs, a decentralized finance (DeFi) protocol built on the Aptos blockchain, faced a significant security breach. The hack resulted from an isolated vulnerability in its v1 mining contract, which allowed the attacker to withdraw a total of $25.5 million in liquidity pool tokens, according to The Block.

However, thanks to a swift response and assistance from law enforcement, the crypto community, and specialized recovery groups, Thala was able to recover $25 million of the stolen funds just six hours after the exploit.

The Attack and Immediate Actions

In response to the attack, Thala's team paused all relevant contracts and froze approximately $11.5 million in Thala-related assets, including $9 million worth of Move Dollars (MOD) and $2.5 million in Thala’s native governance token, THL. 

According to the protocol’s statement, affected users do not need to take any action, as all positions will be restored to their full value.

“We are relieved to announce that affected users require no further action, and their positions will be made 100% whole,” Thala Labs stated. 

However, the protocol’s frontend and farming operations remain paused while a comprehensive review and re-audit of the system’s codebase are conducted to ensure the security of future operations.

Recovery Process and Negotiation

With the help of Seal 911 and Ogle, two crypto-focused theft recovery organizations, Thala was able to quickly identify the hacker. A member of Seal 911 stated that the hacker was easily tracked down due to obvious on-chain links, and the hacker contacted them willingly to negotiate the return of the stolen funds. In exchange for returning the assets, the hacker was given a $300,000 bounty.

The hacker returned the stolen funds just hours after the exploit, which was a highly unusual yet positive turn of events in the crypto security space. 

Notably, Thala emphasized that its users are not required to take any further action, and the protocol plans to ensure that all funds are restored. The protocol's codebase is under a thorough review to prevent similar vulnerabilities in the future.

What is Thala?

Thala Labs offers automated market-making and a yield-bearing stablecoin, Move Dollar (MOD), within the Aptos ecosystem. MOD is named after Aptos' programming language and is designed to provide liquidity and stable yields for DeFi users. 

The protocol has recently launched ThalaSwap V2, but the breach was attributed to a vulnerability within the older v1 contracts. 

The Broader Crypto Landscape

Thala’s exploit is part of a growing trend of security incidents within the cryptocurrency space. According to CertiK, a blockchain security firm, crypto losses from hacks, exit scams, and flash loan attacks amounted to $129.6 million in October 2024 alone. 

While the industry saw a slight decrease in exploit-related losses compared to earlier in the year, incidents like these continue to pose a significant risk to decentralized protocols.

For context, the Radiant Capital hack in October 2024 saw over $50 million stolen, and a $36 million phishing attack on a crypto whale was also among the largest incidents. Although exploit-related losses have decreased by nearly 60% from May 2024, when $324.7 million was lost, they remain a major concern for DeFi platforms.
