Shibarium Bridge Exploited in $2.4 Million Flash Loan Attack

The Shibarium bridge, which connects the Shiba Inu blockchain’s Layer 2 network to ETH, was hit by a flash loan exploit on Friday that drained about $2.4 million in crypto, prompting developers to freeze several key functions while they secure the system.

This marks the largest single exploit on the Shibarium network since its mainnet launch in August 2023, when it attracted more than 1 million wallets in its first two months of operation.

According to Shiba Inu developers, the attacker borrowed 4.6 million BONE tokens, the governance token of the network, to gain temporary control of Block confirmer keys and push through unauthorized transactions. With majority Block confirmer power, the exploiter drained 224.57 ether (ETH) and 92.6 billion SHIB tokens from the bridge contract, shifting the assets to an external wallet.

At Friday’s market prices, the stolen ETH was worth roughly $670,000 while the SHIB at just over $1.5 million, making SHIB the largest component of the theft.

Developers rapidly paused staking and unstaking functions, preventing the attacker from reclaiming or cashing out the borrowed BONE. The tokens remain locked because of a built-in unstaking delay. The attacker also ended up with around $700,000 worth of KNINE tokens linked to K9 Finance, but those tokens were blacklisted by the project’s DAO, making them untradeable.

Flash loan-based governance attacks have become more common in DeFi — similar exploits were used in 2023 against Euler Finance (losses of $197 million, later mostly returned) and Mango Markets ($114 million).

Developers Respond and Markets React

developer Kaal Dhairya described the incident as a “sophisticated” attack likely planned for months, in a post on X. He said the team has contacted law enforcement but is open to negotiating a . Security firms Hexens, Seal 911, and PeckShield have been enlisted to investigate. The use of outside security firms is notable, as PeckShield was also among the first to identify and trace the $600 million Poly Network hack in 2021.

The exploit triggered wild price swings in Shibarium tokens. BONE spiked 78% within an hour of the attack, jumping from $0.165 to $0.294 before falling back to $0.202 by Saturday. SHIB, meanwhile, gained about 4.5% in the past 24 hours, according to The Block’s pricing data. Despite the volatility, SHIB’s market capitalization remains above $10 billion, keeping it among the top 20 cryptocurrencies by size, according to CoinGecko.

Shibarium, launched in 2023 as a scaling answer for the , relies on Block confirmer consensus to secure its bridge to ETH. The exploit underscores vulnerabilities in governance-token-based security models, where flash loans can temporarily concentrate power. The Layer 2 network was designed to reduce and has processed more than 110 million transactions since launch, but Friday’s attack highlights how Block confirmer manipulation remains an Achilles’ heel in proof-of-stake and DAO-governed systems.

The developers said they are rotating Block confirmer keys and hardening security before restoring normal operations. According to Dhairya, the incident will delay several planned upgrades, including Shibarium’s integration with ShibaSwap V2, as resources are redirected to reinforcing bridge security.