
Foom Cash, a decentralized lottery protocol built on zero-knowledge proofs, said it has recovered the majority of funds lost in a $2.26 million exploit after a white hat hacker intervened. The protocol announced Monday that $1.84 million — roughly 81% of the stolen amount — has been secured.
According to the team, pseudonymous white hat hacker Duha identified the vulnerability and moved quickly to secure funds on Base before malicious actors could extract them. Crypto security firm Decurity handled recovery efforts on Ethereum, the protocol said in a post on X.
Foom Cash awarded Duha a $320,000 bounty for the intervention, while Decurity received a $100,000 security fee. In a public response, Duha wrote, “By honoring their bug bounty policy, @foomclub_ has proven that they take protocol security seriously and value the researchers helping them.”
Foom Cash attributed the breach to what it described as a “fatal” deployment oversight during its Phase 2 trusted setup process. The issue stemmed from a missing command-line interface step in the configuration of its zero-knowledge proof system.
“In Groth16, if you skip the circuit-specific contribution setup in snarkjs, the parameters γ (gamma) and δ (delta) remain set to the same default value (the G2 generator),” the team wrote in a follow-up post.
Because the placeholder values were never randomized, an attacker was able to exploit the configuration flaw. The protocol said this allowed forged proofs to be accepted by the system, enabling the unauthorized withdrawal of funds.
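As an added illustration of the defensive check implied by that description (example code written for this article, not Foom Cash's or snarkjs's own), the following Python script audits a snarkjs `verification_key.json` for the state the post-mortem describes: δ left at the BN254 G2 generator and therefore equal to γ. It assumes snarkjs's JSON layout for G2 points (`[[x0, x1], [y0, y1], ["1", "0"]]` with decimal-string coordinates) and uses the standard alt_bn128 field prime and G2 generator; the sample keys are constructed inline, with 2·G2 standing in for a properly randomized δ.

```python
"""Audit a snarkjs Groth16 verification key for the "no phase-2 contribution" state:
gamma and delta both still equal to the BN254 G2 generator.

Added example, not Foom Cash's or snarkjs's code. Assumes snarkjs's
verification_key.json layout: G2 points are [[x0, x1], [y0, y1], ["1", "0"]]
given as decimal strings."""
import json

# BN254 (alt_bn128) base-field prime and the standard G2 generator (EIP-197 values).
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
G2_GEN = (
    (10857046999023057135944570762232829481370756359578518086990519993285655852781,
     11559732032986387107991004021392285783925812861821192530917403151452391805634),
    (8495653923123431417604973247489272438418190587263600148770280649306958101930,
     4082367875863433681332203403145435568316851327593401208105741076214120093531),
)

# Minimal Fp2 = Fp[i]/(i^2 + 1) arithmetic, enough to test curve membership.
def fp2_add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)

def fp2_sub(a, b):
    return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)

def fp2_mul(a, b):
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)

def fp2_inv(a):
    n = pow((a[0] * a[0] + a[1] * a[1]) % P, -1, P)
    return ((a[0] * n) % P, (-a[1] * n) % P)

# Twist coefficient b' = 3 / (9 + i), derived here instead of hard-coded.
TWIST_B = fp2_mul((3, 0), fp2_inv((9, 1)))

def on_twist(pt):
    """y^2 == x^3 + b' over Fp2: rejects garbage coordinates before comparing points."""
    x, y = pt
    return fp2_mul(y, y) == fp2_add(fp2_mul(fp2_mul(x, x), x), TWIST_B)

def g2_double(pt):
    """Affine doubling; used only to build a sample 'randomized' delta (2*G2)."""
    x, y = pt
    lam = fp2_mul(fp2_mul((3, 0), fp2_mul(x, x)), fp2_inv(fp2_mul((2, 0), y)))
    x3 = fp2_sub(fp2_mul(lam, lam), fp2_mul((2, 0), x))
    y3 = fp2_sub(fp2_mul(lam, fp2_sub(x, x3)), y)
    return (x3, y3)

def parse_g2(raw):
    """snarkjs JSON G2 point -> affine ((x0, x1), (y0, y1)); requires z == 1."""
    x, y, z = raw
    if [int(z[0]), int(z[1])] != [1, 0]:
        raise ValueError("expected an affine G2 point with z == 1")
    return ((int(x[0]) % P, int(x[1]) % P), (int(y[0]) % P, int(y[1]) % P))

def to_json_g2(pt):
    return [[str(pt[0][0]), str(pt[0][1])], [str(pt[1][0]), str(pt[1][1])], ["1", "0"]]

def audit_vk(vk):
    """Return a list of findings; an empty list means the key passed these checks."""
    findings = []
    gamma = parse_g2(vk["vk_gamma_2"])
    delta = parse_g2(vk["vk_delta_2"])
    for name, pt in (("vk_gamma_2", gamma), ("vk_delta_2", delta)):
        if not on_twist(pt):
            findings.append(f"{name} is not a point on the BN254 twist")
    if delta == G2_GEN:
        findings.append("vk_delta_2 equals the G2 generator: no phase-2 contribution was applied")
    if gamma == delta:
        findings.append("vk_gamma_2 == vk_delta_2: the verifier equation no longer separates "
                        "the public-input term from the proof's C term")
    return findings

def audit_file(path):
    with open(path) as f:
        return audit_vk(json.load(f))

# Constructed sample keys (other verification-key fields omitted; the audit does not need them).
UNSAFE_VK = {"protocol": "groth16", "curve": "bn128",
             "vk_gamma_2": to_json_g2(G2_GEN), "vk_delta_2": to_json_g2(G2_GEN)}
SAFE_VK = {"protocol": "groth16", "curve": "bn128",
           "vk_gamma_2": to_json_g2(G2_GEN), "vk_delta_2": to_json_g2(g2_double(G2_GEN))}

if __name__ == "__main__":
    print("unsafe key:", audit_vk(UNSAFE_VK))
    print("safe key:  ", audit_vk(SAFE_VK))
```

Run `audit_file("verification_key.json")` against a deployed key. Because snarkjs keeps γ fixed at the G2 generator, the decisive signal is δ still sitting at the generator, which is exactly what happens when no `snarkjs zkey contribute` step was run; `snarkjs zkey verify` on the final zkey is the complementary ceremony-level control, since it lists the contributions the key actually received.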
The incident underscores how highly technical setup errors — even those outside core smart contract logic — can create openings in zero-knowledge-based systems.
White hat interventions have become a recurring feature of DeFi incident response. As exploiters move funds quickly across chains or into privacy tools, ethical hackers often race to secure vulnerable assets before attackers can extract them fully.
In 2023, Paradigm researcher Samczsun helped launch the Security Alliance (SEAL), a collective of ethical hackers focused on responding to crypto exploits. Within its first year, the group reported involvement in more than 900 hack-related investigations.
The effort gained urgency following several high-profile breaches, including a $230 million theft from Indian exchange WazirX in 2024. More recently, on Feb. 10, 2026, the Ethereum Foundation partnered with SEAL to launch a “Trillion Dollar Security” initiative aimed at combating wallet drainers and other exploit vectors.
Zero-knowledge proof systems are designed to enhance privacy and cryptographic integrity, but they depend heavily on correct parameter generation and setup procedures. The Foom Cash exploit shows that deployment missteps in trusted setup phases can have financial consequences comparable to traditional smart contract bugs.
While the protocol recovered a majority of funds, the episode adds to the list of incidents in which operational oversights, rather than novel cryptographic breaks, exposed projects to risk. As more decentralized applications rely on advanced cryptography, scrutiny is likely to extend beyond code audits to include deployment workflows and ceremony execution.

