PeckShield flags $2.8M Shibarium exploit

Blockchain security firm PeckShield tagged Shiba Inu’s pseudonymous lead developer Shytoshi Kusama to suspicious activity on Shibarium late ￰1￱ sleuths found leaked validator keys on Shibaswap that led to an estimated $2.8 million loss through Shib token ￰2￱ Shiba Inu team posted on X at around 9:00 PM UTC, saying it “was aware of the activity flagged by PeckShield,” and had contacted both internal developers and external security partners to investigate the exploit. “At this time, we are working to confirm the root cause and ensure all possible mitigations are in place. A comprehensive report with findings and next steps will be published once the investigation concludes,” the Shiba Inu team wrote. 10 of 12 SHIB validator approved malicious transactions Web2 and web3 auditor Tikkala Security has confirmed that an attacker hacked Shiba Inu’s token system by submitting valid Merkle leaf exit requests signed by multiple ￰3￱ attacker’s wallet address withdrew funds in several instances by bypassing protections meant to safeguard the root chain ￰4￱ to Etherscan data, the address now holds over $700,000 worth of ERC-20 tokens.

“The hack appears to involve 10 out of 12 Shibarium validator signing keys being compromised, which allowed a malicious root state to be approved,” Tikkala explained, providing images of the ￰5￱ validators operated by K9 Finance and UnificationUND have been confirmed to have stepped away from signing the malicious ￰6￱ attack originated from a compromised checkpoint, where a seemingly legitimate Merkle root was ￰7￱ data from Etherscan shows that once the malicious root was added, the attacker drained another $1 million through a subsequent large transaction. 3/ Shibaswap rootchain manager contract ￰0￱ uses the stored root Merkle hash in each checkpoint.

Somehow, an attack could add a "legit" checkpoint root hash with signatures from 10 ￰8￱ — Tikkala Security (@TikkalaResearch) September 12, 2025 Investigators also uncovered that the attacker used a flash loan from Shibaswap to borrow 4.6 million BONE ￰9￱ celebrated by some as a large $1 million BONE purchase, it was instead part of the ￰10￱ temporarily acquiring the tokens, the attacker gained majority voting power over Shibarium’s validators, enabling them to approve a malicious state on the ￰11￱ the same transaction, the attacker repaid the flash loan by liquidating assets taken from the ￰12￱ sold Shiba Inu tokens and Ether obtained during the exploit to cover the borrowed funds, and drained 224.57 Ether and approximately 92.6 billion Shiba Inu ￰13￱ this amount, 216 Ether was used to settle the flash loan, leaving the remainder as ￰14￱ Shibaswap rootchain manager contract, which verifies withdrawals against stored root Merkle hashes, gives the attacker leeway to manipulate withdrawal requests indefinitely, and losses could continue if the Shibarium team does not act ￰15￱ issues pointed towards governance Naysayers on X are arguing that Shiba Inu has “fake decentralization,” because other protocols have faced the same validator dominance issues without losing funds.

“Qom devs saw this issue in QL1 as ￰16￱ tried to sabotage the network by controlling 60% of ￰17￱ QL1’s developers quickly removed the bad ￰18￱ Inu developers and Shibarium failed to do the same,” a critic ￰19￱ the security breach, Shiba Inu’s token was trading at $0.00001416 at the time of this publication, up 0.50% over the past hour and 5.25% over the past 24 ￰20￱ token’s market capitalization saw a 5.24% uptick, clocking $8.26 ￰21￱ Cryptopolitan’s September analysis, Shiba Inu faces a critical test at its 200-day exponential moving average of $0.0000138. A decisive breakout could push prices toward the $0.000020 to $0.000024 range, while failure at this level means more consolidations and negative price ￰22￱ seen where it ￰23￱ in Cryptopolitan Research and reach crypto’s sharpest investors and builders.