
Gyroscope Incident Analysis


Incident Summary

On 30 January 2026, Gyroscope announced via their X account that they had paused liquidity pools due to an issue with their cross-chain contract. The issue led to the loss of 6M Gyro Dollar (GYD) tokens, with approximately $807k of liquidity extracted by the attacker. The root cause was an arbitrary-input vulnerability in Gyroscope's bridge contract, which allowed an attacker to grant themselves unlimited approval for GYD tokens on Ethereum. With that unlimited approval the attacker used transferFrom() to obtain 6M GYD tokens.

Gyroscope has since offered the attacker a 33% white hat bounty, over three times larger than the widely offered 10% bounty.

Attack Flow

Addresses:

Exploiter:

  • 0x7DD4075A6eAe9f18309F112364f0394C2DfA8102

Gyroscope:

  • 0xe07F9D810a48ab5c3c914BA3cA53AF14E4491e8A

Step by Step Event Flow:

Jan-30-2026 08:07:51 PM - Txn

  1. The attacker bridged 1 wei GYD from Arbitrum to Ethereum with the recipient address set to the GYD token contract itself, and attached call data to the bridge transfer (the call data encoded an approve() call on GYD, as detailed under Vulnerability below).

Jan-30-2026 08:27:59 PM - Txn

  1. The 1 wei GYD was received on Ethereum, and the attacker was granted unlimited approval for GYD, which was never revoked.

Jan-30-2026 08:40:59 PM - Txn

  1. The attacker used their approval to withdraw 6,099,337.37 GYD tokens.

Vulnerability

The primary cause of the incident was arbitrary input accepted by the BridgeToken() function of contract 0xCA5. The function took 4 arguments:

  • Destination chain
  • Recipient
  • Amount
  • Call data

The attacker bridged 1 wei Gyro Dollar with the recipient set to the Gyro Dollar token address instead of a user address, which was necessary to execute the exploit, and also passed in call data that was executed after the bridge procedure. On the receiving end the bridging process completed as normal; however, the _ccipReceive() function (which handles the transfer) then checked whether data.length was greater than zero and, if so, executed the attacker-supplied call data via recipient.functionCall(data). As seen in the step by step process, the call data triggered the approve() function on the recipient address, which the attacker had earlier specified as the Gyro Dollar token address, and gave unlimited token approval to 0x7dd. Because the bridge contract was the caller of approve(), the allowance was granted over the bridge's own GYD holdings. Restricting the recipient address, and in particular rejecting the Gyro Dollar token address, could have prevented the exploit.
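The following is a constructed illustration of the receive-side pattern described above, placed beside a hardened version; it is not Gyroscope's code, and IGYD, IBridgeReceiver and the contract names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the receive-side pattern discussed above;
// not Gyroscope's contract. IGYD and IBridgeReceiver are assumed interfaces.
interface IGYD {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IBridgeReceiver {
    function onBridgeReceive(uint256 amount, bytes calldata data) external;
}

// Weak pattern: the bridge, which custodies GYD, forwards untrusted call data
// to an untrusted recipient. With recipient == address(token) the bridge ends
// up calling token.approve(spender, max) with itself as msg.sender, so the
// allowance is granted over the bridge's own balance.
contract VulnerableReceiver {
    IGYD public immutable token;
    constructor(IGYD t) { token = t; }

    function _ccipReceive(address recipient, uint256 amount, bytes calldata data) internal {
        require(token.transfer(recipient, amount), "transfer failed");
        if (data.length > 0) {
            (bool ok, ) = recipient.call(data);   // arbitrary call from the custodian
            require(ok, "call failed");
        }
    }
}

// Hardened pattern: (1) the bridge never calls into the asset it custodies or
// into itself; (2) data is handed to a fixed hook selector rather than executed
// as raw calldata, so the recipient, not the bridging user, decides what runs.
contract HardenedReceiver {
    IGYD public immutable token;
    constructor(IGYD t) { token = t; }

    error RecipientNotAllowed(address recipient);

    function _ccipReceive(address recipient, uint256 amount, bytes calldata data) internal {
        if (recipient == address(token) || recipient == address(this)) {
            revert RecipientNotAllowed(recipient);
        }
        require(token.transfer(recipient, amount), "transfer failed");
        if (data.length > 0) {
            require(recipient.code.length > 0, "hook data sent to an EOA");
            IBridgeReceiver(recipient).onBridgeReceive(amount, data);
        }
    }
}
```

The hook-based variant removes the arbitrary call entirely; the address check is defence in depth for any code path that still forwards raw calldata.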

Fund Flow

Despite transferring over 6 million GYD tokens, the attacker was only able to extract approximately $807k due to the liquidity available.

In total, the attacker deposited 300.2 ETH into Tornado Cash.

To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.
