Rob Behnke
January 2nd, 2025
Feed Every Gorilla (FEG) is a DeFi project with a decentralized exchange (DEX), token launchpad, and a SmartBridge cross-chain bridge. In December 2024, it suffered a hack in which the attacker stole approximately $1.3 million in assets from the project’s bridge contract, causing the value of the token to drop by 99%.
FEG has been the victim of several hacks over the last few years. This includes some flashloan attacks in May 2022 and an issue with token locking that led to a $2 million hack (although nearly all of the funds were returned).
In the December 2024 incident, the attacker allegedly exploited an issue in how Wormhole bridge messages were handled within the smart contract. The attacker created a malicious bridge message on a different blockchain (such as Base), which was received by FEG’s SmartBridge.
FEG’s SmartBridge had access controls in place to ensure that withdrawals could only be registered in SmartBridge by the relayer. However, the relayer didn’t validate that the source address of a Wormhole bridge message was authorized to trigger a withdrawal registration. This meant that the attacker could bypass the SmartBridge’s access controls by tricking the relayer — who was permitted to initiate withdrawals — into allowing the attacker to withdraw tokens from the project.
The attacker exploited this vulnerability across Ethereum, BSC, and Base. In total, an estimated $1.3 million was stolen from the protocol by tricking the relayer into accepting the malicious Wormhole bridge messages and authorizing withdrawals of assets from the project.
The FEG hack demonstrates the importance of a comprehensive security audit that considers all aspects of a protocol and its deployment environment. While the project’s SmartBridge contract had previously been audited, the vulnerability exploited by the attacker allegedly involved a composability issue between it and the underlying Wormhole bridge. The relayer interface used by the attacker wasn’t supposed to be supported by SmartBridge and was out of scope of the audit.
The actual vulnerability exploited by the attacker was a failure to perform input validation for smart contract functions. While only the relayer was able to authorize withdrawals, it failed to properly validate that the source of a Wormhole bridge message had the right to initiate a withdrawal request. By identifying and exploiting this issue, the attacker stole over $1 million from the project.
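As an added illustration (not FEG’s, Halborn’s or Wormhole’s code), the check that the two paragraphs above describe as missing, written as a Solidity receiver for Wormhole messages: guardian signatures only prove that a message is genuine, so the receiving side must also bind each message to a registered emitter contract on its source chain and reject replays. The `IWormhole` subset mirrors Wormhole’s published core interface; the emitter registry, the payload format and the contract names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Wormhole's core bridge interface; the VM struct mirrors the real layout.
interface IWormhole {
    struct Signature { bytes32 r; bytes32 s; uint8 v; uint8 guardianIndex; }
    struct VM {
        uint8 version; uint32 timestamp; uint32 nonce;
        uint16 emitterChainId; bytes32 emitterAddress; uint64 sequence;
        uint8 consistencyLevel; bytes payload; uint32 guardianSetIndex;
        Signature[] signatures; bytes32 hash;
    }
    function parseAndVerifyVM(bytes calldata encodedVM) external view returns (VM memory vm, bool valid, string memory reason);
}

contract BridgeReceiver {
    IWormhole public immutable wormhole;
    address public immutable owner;
    mapping(uint16 => bytes32) public registeredEmitters; // hypothetical registry: trusted sender per source chain
    mapping(bytes32 => bool) public consumed;             // replay protection: each VAA hash is used once
    mapping(address => uint256) public withdrawable;
    constructor(address _wormhole) { wormhole = IWormhole(_wormhole); owner = msg.sender; }

    function registerEmitter(uint16 chainId, bytes32 emitter) external {
        require(msg.sender == owner, "not owner");
        registeredEmitters[chainId] = emitter;
    }

    // Weak pattern: a valid guardian signature set only proves the VAA is genuine.
    // Any contract on any connected chain can emit a well-formed message.
    function registerWithdrawalUnchecked(bytes calldata vaa) external {
        (IWormhole.VM memory vm, bool valid, string memory reason) = wormhole.parseAndVerifyVM(vaa);
        require(valid, reason);
        _credit(vm.payload);
    }

    // Hardened pattern: also require the emitter to be the registered sender for
    // its source chain, and reject a VAA that has already been consumed.
    function registerWithdrawal(bytes calldata vaa) external {
        (IWormhole.VM memory vm, bool valid, string memory reason) = wormhole.parseAndVerifyVM(vaa);
        require(valid, reason);
        require(registeredEmitters[vm.emitterChainId] == vm.emitterAddress, "untrusted emitter");
        require(!consumed[vm.hash], "replayed VAA");
        consumed[vm.hash] = true;
        _credit(vm.payload);
    }

    // Payload format is an assumption for this example: abi.encode(recipient, amount).
    function _credit(bytes memory payload) internal {
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        withdrawable[to] += amount;
    }
}
```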
When considering the security risks of smart contracts, it’s important to keep in mind how they might interact with other parts of the smart contract ecosystem. For help in securing your DeFi projects, get in touch with Halborn.