• GANA Payment hack: Attacker exploited contract ownership flaw to alter reward rates and invoke unstake function, stealing excess tokens.

• Stolen assets bridged from BSC to Ethereum, with 1,140 BNB and 346 ETH laundered through Tornado Cash in batches.

• Token value plummeted over 90% post-exploit; BSC DeFi projects lost nearly $10 million in the last two months of 2025.

GANA Payment exploit shocks DeFi: $3.1M stolen via smart contract flaw on BSC. Learn how the hack unfolded, laundering tactics, and 2025 DeFi security trends. Stay informed on crypto risks today.

What is the GANA Payment Exploit?

GANA Payment exploit refers to a security breach on the decentralized payment platform built on Binance Smart Chain, where an attacker stole more than $3.1 million in tokens around 5:00 AM UTC on Thursday. The vulnerability involved manipulating the smart contract’s ownership and unstake function, allowing unauthorized withdrawals of assets. Blockchain researcher ZachXBT detailed the incident, highlighting the rapid movement of funds to obfuscate trails.

How Did the Attacker Launder the Stolen Funds?

The perpetrator initiated the laundering by transferring 1,140 BNB, valued at about $1.04 million, into Tornado Cash on BSC, as noted by cybersecurity platform OnChain Lens. Funds were then bridged to Ethereum, where 346 ETH worth $1.05 million was deposited into the mixer. Blockchain records from ZachXBT identify the Ethereum address as 0x7a503e3ab9433ebf13afb4f7f1793c25733b3cca, with original theft addresses on BSC being 0x2e8a…aae5c38 and 0xd10e…cc8fa4d. Later, the hacker processed funds in incremental batches of 1 ETH, 10 ETH, and 100 ETH to evade tracking, a common tactic in DeFi attacks according to security experts.

Frequently Asked Questions

What Caused the GANA Payment Smart Contract Vulnerability?

The GANA Payment exploit stemmed from altered contract ownership, enabling the hacker to manipulate reward rates and trigger the unstake function for excess GANA tokens, per analysis from Web3 security firm HashDit. This allowed the theft of approximately $3.1 million without proper safeguards in place.

Has GANA Payment Released Updates on the Hack Investigation?

GANA Payment stated on X that their interaction contract faced an external attack leading to unauthorized asset theft. They committed to ongoing updates via official channels as the investigation progresses, advising users to monitor announcements closely for resolution details.

Key Takeaways

• Smart Contract Flaws Persist: The GANA hack underscores risks in unaudited contracts, particularly ownership manipulation on BSC projects.
• Laundering Patterns Evolve: Attackers increasingly use batch deposits to Tornado Cash, complicating recovery efforts across chains like Ethereum.
• DeFi Losses Mounting: With $10 million lost in recent BSC exploits, projects must prioritize audits to mitigate 2025 vulnerabilities.

Conclusion

The GANA Payment exploit exemplifies ongoing challenges in DeFi security, where smart contract weaknesses on Binance Smart Chain led to significant losses and token devaluation. As 2025 sees a surge in such incidents, including major hacks on platforms like Balancer and Moonwell, the industry must enhance auditing and oracle protections. Investors should conduct thorough due diligence on emerging projects to safeguard assets amid these evolving threats.

A decentralized payment project on Binance Smart Chain (BSC) called GANA Payment was exploited at around 5:00 AM UTC on Thursday, resulting in losses exceeding $3.1 million, according to blockchain researcher ZachXBT.

The crypto investigator’s findings showed that the attacker used a flaw in the project’s smart contract to steal tokens. They then moved them through Tornado Cash and other networks to set up money laundering operations.

“GANA’s interaction contract has been targeted by an external attack, resulting in unauthorized asset theft…We will continue to provide updates on the investigation progress and subsequent actions through official channels,” the DeFi platform wrote on X earlier today.

Several cybersecurity platforms on X, including OnChain Lens, reported that the exploit began when the attacker transferred 1,140 BNB, valued at approximately $1.04 million, into Tornado Cash on BSC.

The stolen assets were subsequently bridged to Ethereum, where another 346 ETH, worth $1.05 million, was deposited into the crypto mixer purportedly for laundering.

Blockchain records shared by ZachXBT show the Ethereum address used for laundering was 0x7a503e3ab9433ebf13afb4f7f1793c25733b3cca. The original theft addresses on BSC were identified as 0x2e8a…aae5c38 and 0xd10e…cc8fa4d.

Hacker exploited GANA’s ‘unstake function’ to steal coins

According to Web3 security firm HashDit, the ownership of the exploited contract had been altered, which the hacker used to manipulate reward rates and invoke the unstake function, receiving more GANA tokens than intended.

🚨HashDit Alert🚨

HashDit has monitored that @GANA_PayFi has been compromised for ~$3.1m $GANA.

Users should NOT trade with the $GANA token for the time being, and await for team announcement!

Funds have been deposited into TC:

Root cause: Ownership of… pic.twitter.com/XZzuoMmf8D

— HashDit | now with Pro Extension (@HashDit) November 20, 2025

The perpetrator then rapidly sold the tokens on decentralized exchanges, significantly devaluing the project’s currency. A total amount of 346 ETH held in the Ethereum address remained dormant for several hours.

However, beginning an hour ago, the hacker resumed laundering the funds through Tornado Cash in incremental batches of 1 ETH, 10 ETH, and 100 ETH, a method used by thieves during DeFi attacks to “shake-off” security researchers’ trail of stolen funds.

GANA Payment is a relatively small-scale payment token project built around the BEP-20 GANA token. Its operations are decentralized and use liquidity pools and exchanges, but no publicly available technical documentation was found.

The project, which launched in early November, has yet to publish formal audits or detailed security analyses. In the aftermath of the hack, data from GeckoTerminal showed that GANA’s token value dropped more than 90%.

DeFi exploits on BSC, Ethereum cooled in October

According to DefiLlama’s hack tracker, smaller BSC-based projects have collectively lost over $100 million in 2025 alone. The hack on GANA has taken the tally to almost $10 million in the last two months, including network breaches on OlaXBT, Evoq Finance, Seedify and GriffinAI.

Total losses from hacks amounted to just $18.18 million in about 15 incidents in October, an 85.7% drop from September’s $127.06 million. Major incidents that took place during the month included hacks at Garden Finance, Typus Finance, and Abracadabra, which together accounted for $16.2 million in stolen funds.

Abracadabra, a decentralized lending protocol and maker of the Magic Internet Money (MIM) stablecoin, suffered a $1.8 million loss when attackers used flaws in how the contract handled actions within the same transaction.

Typus Finance lost $3.4 million due to access control weaknesses in its custom price oracle, while Garden Finance experienced an $11 million loss through a single solver connected to several blockchain networks.

This month, Balancer was hit with one of the largest DeFi hacks of 2025, where wrapped ETH and other assets from multiple networks were swindled for several hours. Blockchain investigators had estimated losses of about $70 million, but when the network’s developers took back control, the bleeding had gone north of $116 million.

The following day, multi-chain lending protocol Moonwell was exploited via flawed oracle data, losing around $1 million. The attacker took advantage of price discrepancies to borrow and trade specific wrapped ETH assets, pocketing 295 ETH.

Per DefiLlama data, cross-chain bridge hacks in 2025 had resulted in over $1.5 billion in stolen funds by mid-2025, while reentrancy bugs accounted for $325 million in losses, particularly from older or forked contracts. Oracle manipulation accounted for 13% of attacks, while liquidity pool drains caused $103 million in stolen assets.