Odin.fun, a Bitcoin-based meme token launch and trading platform, lost approximately 58.2 BTC (approximately $7 million) due to a critical vulnerability in its liquidity automated market maker (AMM) system, which was implemented in its latest update. Company CEO Bob Bodily stated that the vulnerability was exploited by China-based groups, and that funds were withdrawn from the platform within two hours.
The incident first came to light after a member of the Odin.fun community noticed it. In a post on social media platform X, Bodily admitted that the company's treasury could not cover the magnitude of the loss alone. This statement fueled concerns within the community about the platform's future.
Bodily stated, "The remaining funds on the platform are safe," and announced that a top-tier security firm had been assigned to audit all code.
The vulnerability was revealed in the latest update.
According to the CEO, the attack stemmed from a vulnerability in Odin.fun's liquidity AMM mechanism, which enables decentralized token swaps. However, a bug added in a recent update allowed attackers to withdraw BTC without depositing the equivalent asset by manipulating trading pairs.
Bodily stated that several groups with connections to China quickly discovered the vulnerability, withdrawing a significant amount of BTC from the platform and transferring it before the vulnerability was discovered. Withdrawals were immediately halted once the issue was identified.
The company contacted OKX and Binance to trace the stolen funds. Both exchanges began coordinating with Chinese authorities. US law enforcement was also involved in the process.
A clear warning to attackers
Bodily sent a direct message to the groups it claimed were involved in the attack:
“You have a short time to return the funds. This is not a negotiation. Most of you have already been identified, and we will use all necessary time and resources to recover the stolen assets.”
This isn’t the first security breach Odin.fun has faced. In April, the platform temporarily suspended withdrawals due to a vulnerability in its “Login with Bitcoin” feature. While the vulnerability was quickly patched at the time, the latest attack is much larger and has severely shaken user trust.
While Odin.fun hasn't yet announced a clear compensation plan, Bodily stated, "We are working on a concrete plan to compensate everyone affected." He stated that despite the limited funds, they aim to compensate all users. The CEO stated that they are also considering alternative recovery strategies, but will not provide details at this time.
Bodily claimed that despite the incidents, Odin.fun is the fastest-growing platform in the Bitcoin DeFi space and maintains its leading position. The company plans to utilize blockchain analysis, collaboration with major exchanges, and international legal processes to trace the stolen funds.
