Foom.Cash, a next-generation privacy protocol, lost $2.3 million due to a zkSNARK vulnerability

Traders Union
All News
Crypto
Foom cash a next

Highlights

Foom.Cash loses $2.3M after zkSNARK exploit
White-hat hackers attempt rescue of compromised funds
Incident underscores urgent need for ZK protocol audits

The price of privacy

According to Cryptopolitan, citing several blockchain security firms, the Ethereum-based privacy protocol Foom.Cash, which positions itself as an upgraded next-generation Tornado Cash, lost approximately $2.26 million in tokens after an attacker exploited a flaw in its cryptographic verification system.

The attack, which affected contracts on Ethereum and Base, resulted in the loss of 24,283,773,519,600 FOOM tokens, the platform’s native asset. Security researchers claim they identified a nearly identical vulnerability in another protocol just days earlier.

One transaction on Base led to losses of about $427,000 directly tied to the attacker’s actions. Meanwhile, another Ethereum transaction worth roughly $1.83 million appears to have been part of a rescue operation conducted by white-hat hackers, though this has not been officially confirmed.

The attack was reported by Web3 security network GoPlus Security, backed by Binance Labs. According to the firm, an incorrect configuration of the verification key allowed the attacker to forge zkSNARK proofs, enabling them to create cryptographic credentials accepted as valid by the protocol and subsequently withdraw large volumes of tokens from compromised contracts.

What is Foom.Cash?

Foom.Cash describes itself as a “ZKProof-based private lottery protocol” combining the anonymity of Zcash, which operates as a standalone privacy chain, the accessibility of Ethereum’s DeFi ecosystem, and a built-in random reward mechanism. It markets itself as an improved version of Tornado Cash and an alternative to Zcash on Ethereum.

Amid renewed interest in privacy solutions and a surge in Zcash’s price, Foom.Cash claims it processes more daily transactions than Tornado Cash, holds more than $8 million in liquidity, and offers annual yields of 50% to 80% for liquidity providers.

Lessons from the incident

The Foom.Cash exploit once again highlights the need for rigorous audits of privacy-focused projects amid the growing complexity of cryptography and protocol architecture.

For investors and users, this underscores the importance of scrutinizing claims about “next-generation” solutions. For developers, it signals the need to allocate resources not only to yield marketing but also to deep cryptographic auditing.

From an industry perspective, such incidents may ultimately have positive effects. They can accelerate the standardization of independent audit procedures for ZK protocols, strengthen the argument that privacy must be accompanied by technical transparency and verifiable code, and encourage regulators and institutional participants to take a more balanced approach to privacy infrastructure risks — beyond sanctions considerations alone.

As we wrote, Tornado Cash wins legal fight with U.S. Treasury

This material may contain third-party opinions, none of the data and information on this webpage constitutes investment advice according to our Disclaimer. While we adhere to strict Editorial Integrity, this post may contain references to products from our partners.