defirisk.co
rubric v1.7.0

GANA Payment: Leaked Owner Key + EIP-7702 Delegator Contract (onlyEOA Bypass)

GANA Payment lost $3.1M in nine days of life — a leaked owner key enabled an EIP-7702 delegator contract to bypass the staking contract's onlyEOA protection via an ownership rotation chain across eight addresses, then drain the pool in iterative stake-unstake loops.

Occurred 2025-11-20 Loss $3M Status closed

Summary #

GANA Payment suffered a Payment / Staking on 2025-11-20, resulting in a loss of approximately $3M.

What happened #

GANA Payment lost $3.1M in nine days of life — a leaked owner key enabled an EIP-7702 delegator contract to bypass the staking contract's onlyEOA protection via an ownership rotation chain across eight addresses, then drain the pool in iterative stake-unstake loops.

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — no audit; off-chain key compromise as root cause]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — entire protocol was 9 days old; all code was newly deployed] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — entire protocol was 9 days old; all code was newly deployed]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — transferOwnership calls (8x) and reward rate manipulation are admin-level on-chain actions immediately preceding the drain]
  • RD-F-031 — causal : Signer rotation recency [via cross-hack: Factor 56: Dormant Admin Key > 30 Days]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: 9 days (launched November 11, 2025; exploited November 20, 2025)]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — transferOwnership calls (8x) and reward rate manipulation are admin-level on-chain actions immediately preceding the drain]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown — no verified identities; corporate communications were euphemistic ("interaction contract targeted by external attack")]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — entire protocol was 9 days old; all code was newly deployed]