Foom.Cash, an Ethereum-based privacy protocol that positioned itself as an evolution of the sanctioned mixer Tornado Cash, has reportedly lost approximately $2.26 million in tokens after an attacker exploited a flaw in its cryptographic verification system, according to alerts issued by multiple blockchain security firms.
The attack, which struck contracts on both the Ethereum and Base networks, drained 24,283,773,519,600 FOOM tokens, the platform’s native asset, in what security researchers have described as a copycat exploit replicating a near-identical vulnerability targeted in a separate protocol just days earlier.
A single transaction on the Base network accounted for approximately $427,000 in losses attributed directly to the malicious actor. Transactions on Ethereum totaling around $1.83 million appear to have been part of a white-hat rescue operation.
How did the exploit happen?
BinanceLabs-led Web3 security network, GoPlus Security, flagged the attack, reporting that an incorrect verification key configuration allowed the attacker to forge zkSNARK proofs. This allowed them to fabricate cryptographic credentials that the protocol accepted as valid and then extract large volumes of tokens from the compromised contracts.
Blockchain security platform, Certik, wrote on X, “The root cause may be the delta2==gamma2 setting of the Groth16 verifier at 0xc043865fb4D542E2bc5ed5Ed9A2F0939965671A6. This enables the exploiter to compute ‘pC’ needed for different ‘nullifierHash’ while all other inputs are the same, and repeatedly collect ZOOM tokens.”
In short, a protocol whose marketing emphasized the near-impossibility of reversing its cryptographic protections was undone by a misconfiguration.
BlockSec’s Phalcon monitoring system, which detected suspicious transactions across both networks in real time, stated that the incident appeared to be an imitation attack. The firm noted that the attack exploited the same root cause previously identified in the Veil Cash breach, which happened a few days prior.
Although it is worth mentioning that the Veil Cash breach was more limited in scale, with losses contained to a small number of ETH, reportedly 2.9 ETH.
What is Foom.Cash?
Foom.Cash positions itself as a “ZKProof-powered Private Lottery Protocol” that combines the anonymity of Zcash, which operates as a standalone privacy chain, the accessibility of Ethereum’s DeFi ecosystem, and a built-in randomized reward mechanism.
It is touted as an upgrade to Tornado Cash and an alternative to Zcash on Ethereum. Tornado Cash was sanctioned by the US Treasury in 2022, but the department lifted its sanctions on the platform in March 2025.
According to the platform, it processes more daily transactions than Tornado Cash, boasts over eight million dollars in liquidity, and generates annual returns of 50 to 80% for liquidity providers.
Privacy in DeFi has been experiencing renewed interest, with Zcash registering a significant price increase in recent months, and Foom.Cash sought to capitalize on that trend by offering privacy natively within Ethereum’s existing infrastructure.
The platform used a specific variant called zkSNARKs, which is one of the key ingredients behind privacy guarantees in well-established protocols such as Zcash.
What is Foom.Cash doing to recover funds and resolve the exploit?
So far, the only mention of a recovery is tied to the second transaction of about $1.83 million, which security firms report to have been part of a white-hat rescue operation.
However, the Foom.Cash team has yet to mention or acknowledge the hack. So, as of the time of writing, there is no information on the extent of the impact from the protocol or what the protocol is doing to mitigate future attacks.
The whitehat recovery hints that the team may be working behind the scenes to recover the funds and resolve the underlying issues.
Source: https://www.cryptopolitan.com/foom-cash-faces-2-3m-loss-in-exploit/
