Explained: The LND Hack (May 2025)

POSTED BY: Rob Behnke

05.21.2025

Sonic-based LND (LND.fi) was the victim of a $1.18 million hack in May 2025. The attacker exploited a modification to the code of the Aave fork that permitted them to drain funds from the smart contract.

Inside the Attack

The root cause of the LND hack was an access control vulnerability introduced into the protocol’s smart contract 41 days before the hack. The protocol code is a fork of Aave that contained a modification to the privileges assigned to the Pool Admin role.

Normally, the onlyPool access control modifier is used to delineate functions that only the pool itself can access. However, the modified code extended this access to the Pool Admin role as well, enabling other trusted accounts to call these functions.

This was problematic because one of these restricted functions was the transferUnderlyingTo function, which is used to transfer the funds held by the pool to another address. With the modified access controls, this function, normally accessible only to the pool itself, became callable by anyone holding the private keys of a Pool Admin account.

The deployer account that made this modification also held the Pool Admin role 41 days before the attack. When the rogue external developer who inserted this backdoor executed it, they were able to drain all of the assets held by the pool, about $1.18 million.

After the incident was detected, LND froze its website and revoked the privileges assigned to the compromised account. The official postmortem states that the attack was carried out by a developer who was actually a DPRK IT worker.

Lessons Learned from the Attack

The LND hack is a lesson in the importance of strong off-chain security best practices. A rogue developer had full control over the project’s deployment address, allowing them to make malicious modifications to the project’s smart contracts. Additionally, these modifications were made and left untouched for over a month before the incident, despite being publicly visible on-chain.
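A widened modifier of this kind can be caught in review by diffing a fork's access-control modifiers against upstream and listing the functions each changed modifier gates. The following is an added example, not code from LND, Aave or Halborn; the Solidity excerpts are constructed and simplified, and `acl` and the Python helper names are assumptions.

```python
import re

# Constructed, simplified Solidity excerpts; not LND's or Aave's verbatim source.
# `acl` is a hypothetical handle to the role registry.
UPSTREAM = """
modifier onlyPool() {
    require(msg.sender == address(POOL), "CALLER_MUST_BE_POOL");
    _;
}
function transferUnderlyingTo(address to, uint256 amt) external onlyPool { }
"""
FORK = """
modifier onlyPool() {
    // widened: Pool Admin accepted as well as the pool
    require(msg.sender == address(POOL) || acl.isPoolAdmin(msg.sender), "CALLER_MUST_BE_POOL");
    _;
}
function transferUnderlyingTo(address to, uint256 amt) external onlyPool { }
"""
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def modifier_bodies(src):
    """Map modifier name -> body with comments and whitespace removed."""
    src = COMMENT.sub("", src)  # strip comments first so braces inside them are ignored
    out = {}
    for m in re.finditer(r"\bmodifier\s+(\w+)[^{]*\{", src):
        depth, i = 1, m.end()
        while depth and i < len(src):  # brace matching handles nested blocks
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        out[m.group(1)] = re.sub(r"\s+", "", src[m.end():i - 1])
    return out

def guarded_functions(src, modifier):
    """Names of functions whose header applies the given modifier."""
    heads = re.findall(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)", COMMENT.sub("", src))
    return [name for name, attrs in heads if re.search(rf"\b{modifier}\b", attrs)]

def access_control_drift(upstream, fork):
    """Modifiers that are new or changed in the fork, mapped to the functions they gate."""
    up, fk = modifier_bodies(upstream), modifier_bodies(fork)
    return {name: guarded_functions(fork, name)
            for name, body in fk.items() if up.get(name) != body}

if __name__ == "__main__":
    for name, funcs in access_control_drift(UPSTREAM, FORK).items():
        print(f"modifier {name} differs from upstream; gates: {', '.join(funcs)}")
```

Run against real sources, the inputs would be the upstream release the fork was taken from and the fork's verified contract source; any reported modifier that gates a fund-moving function warrants manual review before deployment.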

Private key security best practices — such as the use of multi-sig or MPC wallets — and strong change management and monitoring processes for smart contracts could have prevented or mitigated this security incident. Halborn’s advisory services provide companies with the information and resources required to protect against these types of incidents. For more information about building a holistic security program and protecting your project against these types of off-chain hacks, get in touch.

© Halborn 2025. All rights reserved.