GANA Payment, a DeFi payment platform based on BSC, was the victim of a $3.1 million hack in November 2025. The attacker took control of a smart contract and exploited its unstake function to steal funds from users.
Inside the Attack
The attack, initially discovered and publicized by ZachXBT, was caused by an attacker taking over the project’s smart contract. This likely involved the theft of private keys used to transfer ownership to the attacker.
After seizing control of the contract, the attacker was able to manipulate reward rates on the payment platform. This allowed them to use the project’s unstake function to receive more $GANA tokens as rewards.
After exploiting the project, the attacker quickly worked to transfer their stolen assets to other chains and launder the funds with Tornado Cash. This included sending about a third to the mixer on BSC and bridging the rest to Ethereum, where another third was deposited into Tornado Cash. The 346 ETH remaining, worth approximately $1.05 million, was left in an Ethereum wallet.
Once aware of the attack, GANA Payment launched an investigation and promised a project reboot that would remap users’ asset addresses and associated permissions. However, the incident caused a 90% drop in the value of the project’s GANA token.
Lessons Learned from the Attack
The GANA Payment hack is yet another example of attackers using off-chain attacks to target DeFi projects. The fact that the attacker managed to take over the project’s smart contract likely indicates a compromised private key. Managing this type of threat requires implementing private key security best practices, such as multi-sig and MPC wallets and cold storage of private keys.
After taking over the contract, the attacker was able to exploit their stolen privileges to change the underlying rules of how the contract operates. Modifications to reward rates allowed them to drain value from the contract while exploiting legitimate functionality. These types can be made more difficult to perform by restricting the power assigned to a particular blockchain account and decentralizing control via a multi-sig wallet or similar means.
Defending against the latest iteration of DeFi hacks requires designing security programs and practices that reduce the likelihood of off-chain attacks and mitigate the damage that an attacker can do with a stolen key. To learn more about how Halborn’s advisory services help DeFi teams bake security into their projects from the beginning, get in touch.