The specter of the 2022 decentralized finance hacks has resurfaced as the Voltage Finance exploiter moved 100 Ether, worth approximately $182,783 at current prices, through Tornado Cash on May 7, 2025. The movement, flagged by blockchain security firm CertiK, represents a partial laundering of funds stolen in the original $4.67 million exploit that rocked the DeFi lending protocol more than three years ago.
The Exploit Mechanics
The original attack on Voltage Finance, which occurred in March 2022, exploited a fundamental vulnerability in the ERC-677 token standard. The hacker leveraged a built-in callback function within the standard to execute a reentrancy attack against the platform’s lending pools. This class of vulnerability allows an attacker to repeatedly call a function before the previous invocation completes, effectively draining funds from the contract before balance checks can catch up. At the time, the attacker made off with a mix of stablecoins and other crypto assets, including USDC, Binance USD (BUSD), wrapped Bitcoin (WBTC), and various Ethereum-based tokens. The total haul reached $4.67 million, making it one of the more significant DeFi exploits of early 2022.
Affected Systems
Voltage Finance was built on the Fuse network, a decentralized lending platform that allows anyone to create isolated lending markets. The protocol suffered a secondary breach on March 18, 2022, when its Simple Staking pools were compromised for an additional $322,000. In that incident, Voltage Finance suspected a developer who had worked on the Simple Staking pools may have been involved, though the connection was never confirmed. The company revoked the developer’s access and filed police reports. The address used in the latest Tornado Cash transaction had been dormant for 166 days, with its last recorded activity occurring in November 2024. Etherscan data shows the hacker carefully spaced out transactions to avoid detection, a tactic commonly employed by sophisticated DeFi exploiters seeking to gradually cash out stolen assets without triggering automated alerts.
The Mitigation Strategy
Tornado Cash remains the primary tool for laundering stolen cryptocurrency despite its designation by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in August 2022. The mixer’s smart contracts continue to operate autonomously on-chain, processing transactions regardless of sanctions. Blockchain analytics firms like CertiK and Chainalysis track funds moving through Tornado Cash by analyzing deposit and withdrawal patterns, timing correlations, and address clustering. In Voltage Finance’s case, the protocol flagged the attacker’s original address on Etherscan shortly after the exploit and contacted major exchanges to block any transactions originating from the compromised wallets. The team also attempted to negotiate a bounty with the hacker for the return of the stolen funds, though those discussions ultimately proved unsuccessful.
Lessons Learned
The Voltage Finance exploit highlights several enduring security concerns in the DeFi ecosystem. First, reentrancy vulnerabilities remain one of the most common attack vectors in smart contract exploitation, despite being well-documented since the infamous DAO hack of 2016. Protocols that implement callback functions in token standards must incorporate robust reentrancy guards, such as the checks-effects-interactions pattern or mutex locks. Second, the three-year gap between the exploit and the continued movement of stolen funds demonstrates that hackers are increasingly patient, holding stolen assets for extended periods before attempting to launder them through mixers or cross-chain bridges. This patience makes recovery efforts exponentially more difficult.
User Action Required
For users of DeFi lending platforms, the Voltage Finance case serves as a reminder to verify that any protocol you interact with has undergone comprehensive security audits from reputable firms. Check whether the protocol uses well-tested token implementations and has reentrancy protection in place. Monitor your wallet activity regularly and consider using hardware wallets for storing significant holdings. As Bitcoin trades at $97,032 and Ethereum at $1,811 on the day of this latest fund movement, the total crypto losses from exploits in April 2025 alone exceeded $330 million, underscoring the persistent security challenges facing the industry.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
the ERC-677 reentrancy vulnerability was well documented even in 2022. protocols ignoring known attack vectors is the real tragedy here
certik flagged it but who actually monitors alerts from 2022 exploits in 2025? respect for staying on it
3 years later and they are still slowly dripping through TC. the CertiK flag was fast though, caught it within hours
still dripping 100 eth at a time through tornado three years later
It’s wild how these exploiters just wait for years before moving the funds. Tornado Cash is still the go-to for obfuscation, but with better chain analysis tools these days, it’s getting harder to fully disappear. Hope Voltage Finance can recover some of this, but it’s not looking great for the victims.
DeFiWatcher_88 yeah 3 years is a long nap. wonder if sanctions on Tornado Cash made the exploiter nervous enough to finally move
$4.67M stolen and only moving 100 ETH at a time through tornado. at this rate it takes another decade to cash out
ERC-677 reentrancy was such a known attack vector even in 2022. the fact that Voltage got hit by it says everything about their audit process
erc 677 reentrancy was already a known vector back in 2022
Another day, another exploiter waking up from a nap. The audacity to route it through Tornado Cash right now is peak crypto drama. Just goes to show that if your code isn’t bulletproof, someone is going to find the hole eventually. WAGMI but only if we fix these security loops.
This really highlights the ongoing struggle for DeFi security protocols. Seeing stolen ETH move through mixers again is a stark reminder that we need more robust on-chain monitoring. It’s a cat-and-mouse game that never ends, and unfortunately, it’s the retail users who usually end up paying the price.
4.67m exploit and they waited three years to move anything