A targeted exploit against Goldfinch Finance has resulted in the loss of approximately $330,000 after an attacker leveraged a vulnerability in an older smart contract on the Ethereum network. The incident, flagged by blockchain security firm PeckShield on December 2, 2025, underscores the persistent risks associated with legacy DeFi contracts that remain active long after their intended lifecycle.
The Exploit Mechanics
The attack centered on Goldfinch user deltatiger.eth, whose wallet was drained through a compromised contract identified as 0x0689aa2234d06Ac0d04cdac874331d287aFA4B43. The vulnerability resided in the contract’s collectInterestRepayment() function, which allowed the transfer of USDC from any address that had previously granted approval to the contract.
According to PeckShield’s analysis, the attacker deposited 1,000 USDC into the contract and then repeatedly withdrew funds after artificially inflating the share price. This manipulation enabled the perpetrator to extract far more than the initial deposit, ultimately siphoning approximately $330,000 from deltatiger’s wallet. Following the attack, the hacker routed approximately 118 ETH through Tornado Cash, the popular crypto mixer, to launder the stolen funds.
Affected Systems
Goldfinch Finance is an Ethereum-based decentralized lending protocol that distinguishes itself by not requiring borrowers to provide collateral. Instead, borrowers submit loan proposals for review by backers and auditors, with loans issued when proposals secure sufficient support. The protocol counts a16z Crypto and Coinbase Ventures among its major investors.
The compromised contract represents an older iteration of Goldfinch’s infrastructure. While the protocol has evolved significantly since its February 2021 launch — issuing its first $1 million in loans, then raising $11 million from Andreessen Horowitz months later — legacy contracts from earlier versions remain active on-chain, creating a persistent attack surface for users who have not revoked outdated approvals.
The Mitigation Strategy
PeckShield issued an urgent advisory for all Goldfinch users to revoke approvals on the compromised contract immediately. The security firm warned that the attacker could continue stealing tokens from any address that still holds active approvals for the vulnerable contract.
For DeFi protocols more broadly, this incident highlights the critical importance of contract lifecycle management. When protocols upgrade or deprecate older contracts, users must be proactively notified to revoke token approvals. Automated revocation tools and regular security audits of legacy infrastructure can help mitigate the risk of dormant vulnerabilities being exploited months or years after a contract has been superseded.
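The two points above, the approval-based pull described under The Exploit Mechanics and the lifecycle control called for here, can be shown together in a small Python model of the ERC-20 allowance relationship. This is an added illustration, not Goldfinch's contract code or PeckShield's analysis; the token, pool classes, function names and addresses are hypothetical, and the real collectInterestRepayment() internals are not reproduced. The vulnerable pattern takes the account to debit from the call arguments rather than from the caller; the hardened version debits only the caller and carries a retirement switch so a superseded version stops accepting calls.

```python
# Added example (not Goldfinch's code): a toy model of the ERC-20 approval
# relationship behind the incident. Class names, function names and addresses
# are hypothetical; the real contract's internals are not reproduced.


class ERC20:
    """Minimal token: balances plus (owner, spender) -> remaining allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """transferFrom as executed on behalf of `spender`; fails closed on any shortfall."""
        remaining = self.allowances.get((owner, spender), 0)
        if remaining < amount:
            raise PermissionError(f"{spender} lacks allowance from {owner}")
        if self.balances.get(owner, 0) < amount:
            raise ValueError(f"{owner} has insufficient balance")
        self.allowances[(owner, spender)] = remaining - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class LegacyPool:
    """Hypothetical deprecated pool. The pool address is the ERC-20 spender,
    so every user who once approved it stays exposed until they revoke."""

    def __init__(self, token, address="0xPOOL_LEGACY"):
        self.token = token
        self.address = address
        self.repaid = {}

    def collect_interest_repayment(self, caller, payer, amount):
        # VULNERABLE PATTERN: `payer` comes from the call arguments, not from
        # the caller, so the account being debited is never tied to who is calling.
        self.token.transfer_from(self.address, payer, self.address, amount)
        self.repaid[payer] = self.repaid.get(payer, 0) + amount


class HardenedPool(LegacyPool):
    """Same pool with the two controls the incident calls for."""

    def __init__(self, token, address="0xPOOL_V2"):
        super().__init__(token, address)
        self.retired = False  # sunset switch flipped when a successor is deployed

    def retire(self, caller, owner="0xGOVERNANCE"):
        if caller != owner:
            raise PermissionError("only governance may retire the pool")
        self.retired = True

    def collect_interest_repayment(self, caller, amount):
        if self.retired:
            raise RuntimeError("pool retired; use the successor contract")
        # Only the caller's own funds can be pulled, whoever else approved the pool.
        self.token.transfer_from(self.address, caller, self.address, amount)
        self.repaid[caller] = self.repaid.get(caller, 0) + amount


def run_scenario():
    """Constructed scenario: a user approved both pools long ago; a stranger calls them."""
    usdc = ERC20({"0xUSER": 500_000, "0xSTRANGER": 1_000})
    legacy = LegacyPool(usdc)
    hardened = HardenedPool(usdc)
    usdc.approve("0xUSER", legacy.address, 10**12)    # stale, effectively unlimited
    usdc.approve("0xUSER", hardened.address, 10**12)

    results = {}
    # Legacy pool: a third party names the user as payer and the pull goes through.
    legacy.collect_interest_repayment("0xSTRANGER", "0xUSER", 330_000)
    results["legacy_user_balance"] = usdc.balances["0xUSER"]

    # Hardened pool: the caller can only debit itself, within its own allowance.
    try:
        hardened.collect_interest_repayment("0xSTRANGER", 100_000)
        results["hardened_pull_blocked"] = False
    except PermissionError:
        results["hardened_pull_blocked"] = True
    results["user_balance_after_hardened"] = usdc.balances["0xUSER"]

    # Once retired, even the legitimate owner's own call is rejected.
    hardened.retire("0xGOVERNANCE")
    try:
        hardened.collect_interest_repayment("0xUSER", 1)
        results["retired_call_blocked"] = False
    except RuntimeError:
        results["retired_call_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The retirement switch is the cheap half of lifecycle management: it makes the old version refuse calls, but it does nothing about allowances users granted to it, which is why the advisory still has to ask users to revoke.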
Lessons Learned
This exploit shares a common pattern seen across multiple DeFi incidents in 2025: attackers targeting outdated approval mechanisms rather than breaking active protocol code. The approach is surgical — rather than attempting to compromise a well-audited, actively maintained contract, the attacker identified a legacy function with excessive permissions and exploited the trust users placed in it.
Goldfinch’s history also includes other credit-related challenges. In 2023, East African motorbike finance company Tugende Kenya defaulted on a $5 million crypto loan after diverting nearly $2 million to its Uganda-based parent company in violation of loan terms. In 2024, Singapore-based Lend East could repay only about $4.25 million of a $10.15 million loan. These incidents, while different in nature from the smart contract exploit, illustrate the multifaceted risks inherent in uncollateralized lending protocols.
User Action Required
If you have ever interacted with Goldfinch Finance, immediately check your token approvals using tools like Revoke.cash or Etherscan’s token approval checker. Search for the compromised contract address and revoke any active approvals. Additionally, review all legacy DeFi protocols you have interacted with over the past several years — stale approvals on deprecated contracts remain one of the most common vectors for wallet drains in the current threat landscape.
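For readers who would rather verify than trust a dashboard, the check above can be reproduced from raw ERC-20 Approval events. The following Python is an added example, not code from Revoke.cash, Etherscan or Goldfinch: it replays Approval logs for one wallet in chain order, rebuilds the current allowance per spender, and flags any live allowance granted to a deprecated contract. The log records are constructed in the shape eth_getLogs returns; only the compromised contract address comes from the advisory, and every other address is a placeholder.

```python
# Added example (not code from Revoke.cash, Etherscan or Goldfinch): replays ERC-20
# Approval events for one wallet and flags live allowances granted to deprecated
# contracts. The log records are constructed; only COMPROMISED_CONTRACT comes from
# the advisory, every other address is a placeholder.

UINT256_MAX = 2**256 - 1
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 Approval topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Contract named in the PeckShield advisory (the one address taken from the article)
COMPROMISED_CONTRACT = "0x0689aa2234d06ac0d04cdac874331d287afa4b43"

# Placeholder addresses for the constructed scenario
TOKEN = "0x" + "11" * 20           # stand-in for the USDC token contract
WALLET = "0x" + "aa" * 20          # the user's wallet
ACTIVE_DAPP = "0x" + "bb" * 20     # an unrelated spender that was later revoked
OTHER_TOKEN = "0x" + "22" * 20     # a different token; its events must be ignored


def pad_topic(addr: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes in event topics."""
    return "0x" + "00" * 12 + addr[2:].lower()


def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()


# Constructed Approval logs in the shape returned by eth_getLogs
CONSTRUCTED_LOGS = [
    {"address": TOKEN, "blockNumber": 11_900_000, "logIndex": 5,
     "topics": [APPROVAL_TOPIC, pad_topic(WALLET), pad_topic(COMPROMISED_CONTRACT)],
     "data": "0x" + "ff" * 32},                    # unlimited approval, years ago
    {"address": TOKEN, "blockNumber": 15_000_000, "logIndex": 1,
     "topics": [APPROVAL_TOPIC, pad_topic(WALLET), pad_topic(ACTIVE_DAPP)],
     "data": "0x" + "00" * 30 + "03e8"},           # 1000 base units to another dapp
    {"address": TOKEN, "blockNumber": 15_500_000, "logIndex": 0,
     "topics": [APPROVAL_TOPIC, pad_topic(WALLET), pad_topic(ACTIVE_DAPP)],
     "data": "0x" + "00" * 32},                    # that approval later revoked
    {"address": OTHER_TOKEN, "blockNumber": 16_000_000, "logIndex": 2,
     "topics": [APPROVAL_TOPIC, pad_topic(WALLET), pad_topic(COMPROMISED_CONTRACT)],
     "data": "0x" + "ff" * 32},                    # different token, filtered out
]


def rebuild_allowances(logs, token):
    """Replay Approval events in chain order; each event overwrites the allowance.
    transferFrom can lower a finite allowance without emitting Approval, so the
    values here are an upper bound; unlimited approvals are exact either way."""
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["address"].lower() != token.lower() or log["topics"][0] != APPROVAL_TOPIC:
            continue
        owner = topic_to_address(log["topics"][1])
        spender = topic_to_address(log["topics"][2])
        allowances[(owner, spender)] = int(log["data"], 16)
    return allowances


def stale_approvals(logs, token, wallet, deprecated):
    """Live (non-zero) allowances from `wallet` to any spender in `deprecated`."""
    findings = []
    for (owner, spender), value in rebuild_allowances(logs, token).items():
        if owner == wallet.lower() and spender in deprecated and value > 0:
            findings.append({"spender": spender, "allowance": value,
                             "unlimited": value == UINT256_MAX})
    return findings


if __name__ == "__main__":
    for f in stale_approvals(CONSTRUCTED_LOGS, TOKEN, WALLET, {COMPROMISED_CONTRACT}):
        shown = "unlimited" if f["unlimited"] else f["allowance"]
        print(f"REVOKE: spender={f['spender']} allowance={shown}")
```

Against a live node you would fetch the logs with eth_getLogs filtered on the token contract, the Approval topic and the wallet as the first indexed argument, then pass them to stale_approvals with the deprecated addresses you care about; for an exact figure on finite allowances, follow up with an allowance(owner, spender) call, since the replayed value is only an upper bound.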
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
legacy contracts from 2021 still active and draining funds in 2025. protocols need sunset mechanisms that automatically disable old versions after upgrades
rekt_db_ sunset mechanisms should be standard. goldfinch 2021 contracts still running in 2025 with $330K in them is negligence
a 2021 contract sitting live in december 2025 with transferFrom permissions on user wallets. sunset clauses should be mandatory for any deprecated contract
Multi-sig wallets should be the default for everyone in crypto
share price manipulation through deposit then inflated withdrawal. classic DeFi attack pattern. the real fix is to prevent deposit-then-withdraw abuse in legacy contracts
Bridge security is still the weakest link in the ecosystem
William Davis this was not a bridge exploit. the attacker manipulated share price in the collectInterestRepayment function. different vulnerability same result tho
The industry needs standardized security audit frameworks
deltatiger.eth approved that contract in 2021 and forgot about it. four years later it drained their wallet. revoke your old token approvals