The specter of the 2022 decentralized finance hacks has resurfaced as the Voltage Finance exploiter moved 100 Ether, worth approximately $182,783 at current prices, through Tornado Cash on May 7, 2025. The movement, flagged by blockchain security firm CertiK, represents a partial laundering of funds stolen in the original $4.67 million exploit that rocked the DeFi lending protocol more than three years ago.
The Exploit Mechanics
The original attack on Voltage Finance, which occurred in March 2022, exploited a fundamental vulnerability in the ERC-677 token standard. The hacker leveraged a built-in callback function within the standard to execute a reentrancy attack against the platform’s lending pools. This class of vulnerability allows an attacker to repeatedly call a function before the previous invocation completes, effectively draining funds from the contract before balance checks can catch up. At the time, the attacker made off with a mix of stablecoins and other crypto assets, including USDC, Binance USD (BUSD), wrapped Bitcoin (WBTC), and various Ethereum-based tokens. The total haul reached $4.67 million, making it one of the more significant DeFi exploits of early 2022.
Affected Systems
Voltage Finance was built on the Fuse network, a decentralized lending platform that allows anyone to create isolated lending markets. The protocol suffered a secondary breach on March 18, 2022, when its Simple Staking pools were compromised for an additional $322,000. In that incident, Voltage Finance suspected a developer who had worked on the Simple Staking pools may have been involved, though the connection was never confirmed. The company revoked the developer’s access and filed police reports. The address used in the latest Tornado Cash transaction had been dormant for 166 days, with its last recorded activity occurring in November 2024. Etherscan data shows the hacker carefully spaced out transactions to avoid detection, a tactic commonly employed by sophisticated DeFi exploiters seeking to gradually cash out stolen assets without triggering automated alerts.
The Mitigation Strategy
Tornado Cash remains the primary tool for laundering stolen cryptocurrency despite its designation by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in August 2022. The mixer’s smart contracts continue to operate autonomously on-chain, processing transactions regardless of sanctions. Blockchain analytics firms like CertiK and Chainalysis track funds moving through Tornado Cash by analyzing deposit and withdrawal patterns, timing correlations, and address clustering. In Voltage Finance’s case, the protocol flagged the attacker’s original address on Etherscan shortly after the exploit and contacted major exchanges to block any transactions originating from the compromised wallets. The team also attempted to negotiate a bounty with the hacker for the return of the stolen funds, though those discussions ultimately proved unsuccessful.
Lessons Learned
The Voltage Finance exploit highlights several enduring security concerns in the DeFi ecosystem. First, reentrancy vulnerabilities remain one of the most common attack vectors in smart contract exploitation, despite being well-documented since the infamous DAO hack of 2016. Protocols that implement callback functions in token standards must incorporate robust reentrancy guards, such as the checks-effects-interactions pattern or mutex locks. Second, the three-year gap between the exploit and the continued movement of stolen funds demonstrates that hackers are increasingly patient, holding stolen assets for extended periods before attempting to launder them through mixers or cross-chain bridges. This patience makes recovery efforts exponentially more difficult.
User Action Required
For users of DeFi lending platforms, the Voltage Finance case serves as a reminder to verify that any protocol you interact with has undergone comprehensive security audits from reputable firms. Check whether the protocol uses well-tested token implementations and has reentrancy protection in place. Monitor your wallet activity regularly and consider using hardware wallets for storing significant holdings. As Bitcoin trades at $97,032 and Ethereum at $1,811 on the day of this latest fund movement, the total crypto losses from exploits in April 2025 alone exceeded $330 million, underscoring the persistent security challenges facing the industry.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
a reentrancy bug from 2022 and the hacker is still slowly laundering through tornado 3 years later. persistence pays off unfortunately
3 years of laundering 100 ETH at a time through tornado. CertiK flagged this one fast though, on-chain monitoring has improved
on-chain monitoring has gotten way better since 2022. CertiK flagged this within hours. three years ago that same movement would have gone unnoticed for weeks
ERC-677 callback functions should be deprecated at this point. how many more reentrancy exploits do we need before the standard gets revised
Aisha D. the ERC-677 standard was designed for token transfers with callback notifications. blaming the standard for bad implementation is like blaming C for buffer overflows
ERC-677 reentrancy via callback is the same class of bug that hit earlier lending pools. youd think by 2022 nobody was building fallback() into token transfers anymore
It’s wild how these exploiters can just sit on funds for months or years and then pop back up like nothing happened. The fact that Tornado Cash is still the go-to for laundering even with all the regulatory heat is telling. Protocols really need to step up their security audits before launching; this ‘fix it later’ culture is exhausting for everyone in the space.
100 ETH moved through tornado after 166 days of dormancy. the hacker spacing transactions to avoid detection is patient opsec
Sarah Okwu 166 days dormant then 100 ETH in one move. classic noise generation strategy, dump a chunk right when gas spikes to blend with other txs
mixer_drain_ the 100 ETH batch is small enough to stay under tornado deposit thresholds. laundering $4.67M at 100 ETH per quarter takes decades lol
Man, another day and another hacker moving stolen ETH through Tornado. Honestly, until we have better on-chain privacy that doesn’t just get abused by bad actors, regulators are going to keep breathing down our necks. It’s really frustrating for the Voltage community and the ecosystem as a whole. Stay safe out there and watch your wallets!
$4.67M exploit from a callback function in ERC-677. the token standard itself was the attack vector, not just a sloppy contract