Skip to content
Blockchain Posts

exploit

Namada MASP drained for ~$600K via IBC; stale indexer hid the loss

Attacker forged IBC transfers against Namada's shielded pool, swept liquid assets cross-chain and left staked holdings behind. A stale indexer kept showing balances while live RPC reported zero.

by 6 min read
exploitnamadacosmosibc

Namada's Multi-Asset Shielded Pool (MASP) was drained on June 19, 2026 of roughly $600,000 in IBC-bridged assets — ATOM, USDC, OSMO, TIA, NYM — via what DefiLlama classifies as a Protocol Logic / IBC Transfer Logic Exploit. The loss was missed for hours because a stale indexer kept reporting the shielded pool's balances as live, while RPC queries against the chain showed zero. The team acknowledged the incident on June 20, confirming the exploit and an active investigation with security partners and Cosmos validators (CryptoTimes write-up, Cointrust summary). Security firm F12 flagged the divergence between explorer state and live network state and shared the initial forensics.

What happened

The drained funds sat in Namada's shielded pool — the privacy primitive Namada uses for asset-agnostic shielded transfers, derived from Zcash's Sapling/Orchard lineage and extended to multi-asset bookkeeping. The pool accepts both native Namada assets and IBC-wrapped assets from connected Cosmos chains, then issues shielded notes against them.

What F12's reconciliation showed:

  1. Balances of liquid IBC assets held by the MASP — ATOM, USDC, OSMO, TIA, NYM — went to zero on-chain.
  2. Several block explorers and dashboards continued to show those balances as live for hours, because they read from an indexer cache that had not caught up with the chain.
  3. Staked positions and less-liquid holdings inside the pool were left in place. The attacker swept what could be moved out over IBC and ignored the rest.

The mismatch between explorer state and live RPC state is what first surfaced the loss. By the time the team confirmed publicly on June 20, the assets had already been swept across IBC into the broader Cosmos region.

Mechanism — shielded IBC transfer logic, not a key compromise

Namada's shielded IBC flow runs assets through a transparent IBC channel and then into MASP notes. The promise on the way out is that the shielded pool reconstructs a valid IBC packet for a withdrawal only when the prover-side accounting against existing notes balances. If the verification logic of those withdrawals does not pin every input to a real, spent note — or if it accepts a malformed packet path the way an under-strict ICS-20 implementation would — an attacker can synthesize withdrawals against assets they never deposited.

We do not have a public root-cause writeup yet, and Namada's update at time of writing labels the bug as a protocol exploit under investigation. What is verifiable is the shape of the loss: liquid IBC-wrapped assets cleanly removable across the canonical IBC channels, illiquid and staked balances left untouched. That pattern is consistent with a withdrawal-side logic bug rather than a key compromise or a validator-set takeover — those failure modes would not selectively spare staked balances.

On-chain trail — what's traceable, what isn't

Namada is a privacy chain. The shielded leg of the drain is opaque by design: the spent notes do not link to receiver notes in clear, and shielded-pool reconciliation is the only public surface from which the deficit can be inferred.

What is traceable is the IBC exit. The drained tokens left Namada through IBC into the Cosmos region — Osmosis is the natural hop for ATOM, OSMO, USDC, TIA and NYM — and from there can be tracked on Mintscan and Osmosis's standard explorers. No attacker-side address or specific tx hash has been published by Namada or F12 at the time of writing. We are not naming a wallet on speculation; that information will come out of the investigation.

Numbers

- Total drained                : ~$600,000 (DefiLlama / F12 estimate)
- Date of drain                : June 19, 2026
- Public confirmation          : June 20, 2026 (Namada team statement)
- Assets swept                 : ATOM, USDC, OSMO, TIA, NYM (liquid IBC assets)
- Assets untouched             : staked balances + illiquid holdings inside MASP
- Detection mechanism          : F12 — RPC live state vs stale indexer cache
- Classification (DefiLlama)   : Protocol Logic / IBC Transfer Logic Exploit
- Attacker address             : not published
- Drain tx hashes              : not published; shielded leg opaque by design

Skeptical attribution

No actor has claimed responsibility. The shielded leg removes the clustering signal a non-private Cosmos exploit would leave, and no labeler — Chainalysis, TRM, Arkham, an OFAC filing — has tied the IBC-exit addresses to a named group. The technique (target a privacy pool's IBC withdrawal path, sweep liquid wrapped denoms, leave staked balances behind) does not, by itself, fingerprint a specific actor.

Impact

  • Users holding shielded IBC assets in MASP carry the loss pro-rata against the deficit unless Namada Foundation or governance ring-fences a backstop. Nothing announced.
  • The privacy guarantee itself is intact — the shielded pool was not broken open in the sense that shielded notes' contents were revealed. The bug sits in the withdrawal/IBC seam.
  • Cosmos-region wrappers downstream of the IBC exit (Osmosis liquidity, CEX deposits) are now the forensic frontier. Exchange notifications were not detailed in the public statement.

What to watch

  1. Namada post-mortem. A reproducible explanation of the IBC withdrawal bug and the on-chain trail of exit hashes. The team has flagged a forthcoming statement.
  2. Patch + chain halt status. Whether IBC withdrawals from MASP have been paused at the protocol layer until a fix lands.
  3. Indexer hygiene across Cosmos. The detection lag here was an indexer-cache artifact, not a chain bug. Other shielded-pool dashboards on Cosmos using comparable indexers are exposed to the same blind spot.
  4. Reimbursement posture. Foundation backstop versus socialized loss is the policy decision watching here.

Context — second IBC-route exploit on a Cosmos privacy pool in under three weeks

This is the second IBC-route exploit on a Cosmos privacy or wrapped-asset surface in under three weeks. On June 10, the Secret-side ICS-20 contract on the Axelar ↔ Secret Network bridge was drained of about $4.67M via forged IBC packets — also a withdrawal-path bug, also unnoticed for days, also exit-routed through Osmosis. Different protocol, same uncomfortable seam.

The pattern: Cosmos's IBC stack is well-specified, but every chain that lands shielded or wrapped IBC assets ships its own bridging contract on top, and every fork that softens a check on the withdrawal side becomes free money for the first researcher who notices. Privacy-by-default makes that worse — not because the protocol is weaker, but because the public reconciliation that normally surfaces a drain quickly is exactly what privacy removes. Both exploits this month were caught by off-chain accounting, not on-chain monitoring.

Sources:

Related stories