GasCope
White-Hat Wizard Swipes Back 81% of Foom Cash Loot, Proving Bounties Beat a Rug Any Day

By our DeFi Desk

Foom Cash, the zero-knowledge lottery protocol that lets you lose money with cryptographic elegance, got hit by a classic $2.26 million exploit on Friday. The breach was due to a “fatal” deployment oopsie: a missing CLI step in the Phase 2 trusted setup left the Groth16 verifier’s γ (gamma) and δ (delta) parameters chilling at their default G2 generator, essentially leaving the front door wide open for an attacker to waltz in with forged proofs.
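A pre-deployment gate for the condition described above, as an added example that is not Foom Cash's or Decurity's code: it refuses a Groth16 verification key whose δ was never moved off the G2 generator or still equals γ. It assumes a snarkjs-style key on BN254 with the fields `vk_gamma_2` and `vk_delta_2`; the sample keys are constructed.

```python
# BN254 (alt_bn128) G2 generator, affine, in snarkjs order: ((x.c0, x.c1), (y.c0, y.c1)).
G2_GENERATOR = (
    (10857046999023057135944570762232829481370756359578518086990519993285655852781,
     11559732032986387107991004021392285783925812861821192530917403151452391805634),
    (8495653923123431417604973247489272438418190587263600148770280649306958101930,
     4082367875863433681332203403145435568316851327593401208105741076214120093531),
)

def parse_g2(point):
    """Turn a snarkjs-style G2 point (three pairs of decimal strings) into affine ints."""
    if len(point) != 3 or any(len(pair) != 2 for pair in point):
        raise ValueError("G2 point must be three coordinate pairs")
    x, y, z = (tuple(int(c) for c in pair) for pair in point)
    if z != (1, 0):
        raise ValueError("expected an affine point (z = 1)")
    return (x, y)

def audit_verification_key(vk):
    """Return a list of findings; an empty list means delta was changed by Phase 2."""
    if vk.get("protocol") != "groth16":
        raise ValueError("not a Groth16 verification key")
    gamma = parse_g2(vk["vk_gamma_2"])
    delta = parse_g2(vk["vk_delta_2"])
    findings = []
    if delta == G2_GENERATOR:
        findings.append("delta is the G2 generator: no Phase 2 contribution applied")
    if delta == gamma:
        findings.append("delta equals gamma: do not deploy this verifier")
    return findings

def to_snarkjs(p):
    """Encode an affine point the way the assumed key file stores it."""
    return [[str(c) for c in p[0]], [str(c) for c in p[1]], ["1", "0"]]

# Constructed sample keys (not taken from the incident).
UNCONTRIBUTED_VK = {
    "protocol": "groth16",
    "vk_gamma_2": to_snarkjs(G2_GENERATOR),
    "vk_delta_2": to_snarkjs(G2_GENERATOR),
}
# Placeholder delta coordinates: a stand-in for a contributed value, not a real curve point.
CONTRIBUTED_VK = dict(UNCONTRIBUTED_VK, vk_delta_2=to_snarkjs(((1, 2), (3, 4))))

if __name__ == "__main__":
    for name, vk in (("uncontributed", UNCONTRIBUTED_VK), ("contributed", CONTRIBUTED_VK)):
        print(name, audit_verification_key(vk) or "ok")
```

Run against the key file a build produces, a non-empty result is a reason to fail the release before the verifier contract is generated from it.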

Enter Duha, a pseudonymous white-hat who apparently checks blockchain explorers more often than their Twitter feed. Spotting the flaw, Duha performed a digital heist reversal, moving the vulnerable funds to Base before the bad actors could bridge them out, while the security firm Decurity handled the heavy lifting of the rescue on Ethereum. The counter-exploit effort netted a recovery of $1.84 million – roughly 81% of the stolen stash, turning a total rug into a merely embarrassing stumble.

Foom Cash, perhaps realizing that paying a white-hat is cheaper than explaining a total loss to their community, rewarded the hero with a $320,000 bounty, while Decurity received a $100,000 security fee for their assist. “By honoring their bug bounty policy, @foomclub_ has proven they take protocol security seriously and value the researchers helping them,” Duha posted, in what might be the most polite "I told you so" in DeFi history.

The whole incident underscores a growing trend: ethical hackers are becoming the frontline responders in DeFi, basically the blockchain equivalent of a superhero squad that gets paid in stablecoins. Since August 2023, samczsun’s SEAL alliance has logged over 900 investigations, and on Feb 10, 2026 the Ethereum Foundation teamed up with SEAL for a “Trillion Dollar Security” push aimed at wallet drainers, because nothing says "serious business" like naming your initiative after a number bigger than most national GDPs.

In short, a deployment oversight cost Foom Cash $2.26M, but a swift white-hat intervention saved the bulk of it – a stark reminder that good bug-bounty hygiene can turn a total disaster into a merely expensive lesson, which in crypto terms is basically a win.

Publisher: gascope.com
Author: DeFi Desk
Updated: Mar 2, 2026, 18:37 UTC
