On February 24, IoTeX announced it would offer a 10% white-hat bounty (roughly $440,000) to the attacker of its ioTube cross-chain bridge — with the condition that ~$4.4 million in stolen assets be returned within 48 hours — and pledged not to pursue legal action. The hack occurred on February 21, stemming from a leaked validator private key on ioTube’s Ethereum side, which granted unauthorized access to the bridge contract. IoTeX emphasized the issue was a cross-chain bridge operational security flaw, not impacting its Layer 1 mainnet or smart contracts themselves. IoTeX co-founder and CEO Raullen Chai said the team sent a non-liability statement to the attacker via on-chain messages, adding they’d traced related fund flows — including ~66.6 BTC (worth ~$4.3 million) across multiple Bitcoin addresses. Recharge addresses for affected exchanges have also been flagged and frozen. Security firm PeckShield estimated the incident involved over $8 million in assets, with some converted to ETH and cross-chain transferred to BTC via THORChain. IoTeX later revised the loss to ~$4.3 million, clarifying this figure excludes additional minted tokens. IoTeX also rolled out mainnet upgrade v2.3.4, adding a default malicious address blacklist. Node operators are required to complete the upgrade promptly. If assets aren’t recovered, the team will announce a compensation plan within 48 hours.
