Sweat Foundation Exploit — April 29, 2026 Post-Mortem (Aggregated)
The Incident
On April 29, 2026, at approximately 13:36 UTC, multiple Sweat Foundation accounts were drained to zero in a ~30-second window. Approximately 13.71 billion SWEAT tokens — roughly 65% of total supply — were extracted from foundation wallets associated with the move-to-earn project (built on the NEAR Protocol). Independent investigator SomaXBT estimated total losses around $2.5M; Blockaid later estimated the attacker controlled approximately 17.71 billion SWEAT tokens valued at ~$3.46M at the time.
How the Attack Worked
The attacker exploited a vulnerability in the NEAR-based SWEAT token contract that allowed draining funds from the top-100 SWEAT holder accounts. The foundation/treasury wallets held almost all of the affected supply. Once the accounts were drained on NEAR, the attacker quickly moved the funds:
• Through Ref Finance (NEAR's primary DEX) to begin liquidating SWEAT.
• Through Wormhole / Portal Bridge to move proceeds cross-chain.
• Onto centralized exchanges including MEXC to convert to other assets.
The Core Technical Issue
The exact contract-level vulnerability has not been disclosed in detail in public reporting at the time of this aggregation. The pattern (drain restricted to top-N holders, executed in a single ~30s window) is consistent with either:
• A privileged-function flaw that the attacker invoked using compromised foundation-account authority.
• A bug in the holder-iteration / batch-transfer logic that allowed unauthorized transfers from a defined holder set.
What is clear is that all affected balances were foundation-controlled, not regular user wallets — suggesting the attack vector was specifically tied to how foundation accounts were privileged in the contract.
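The on-chain signature described above (several foundation-controlled accounts emptied inside one ~30-second window) can be expressed as a monitoring rule that alerts whoever holds the pause authority. The Python below is an added example, not code from Sweat or from the cited reports; the account names, balances, transfers and thresholds are constructed assumptions, and it assumes transfers arrive from some indexer as (timestamp, sender, amount) records.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int        # block timestamp in seconds
    sender: str
    amount: int

class DrainMonitor:
    """Alert when several watched accounts are emptied inside one short window."""
    def __init__(self, balances, window_s=30, drained_frac=0.95, min_accounts=3):
        self.balance = dict(balances)   # watched account -> current balance
        self.window_s = window_s
        self.drained_frac = drained_frac
        self.min_accounts = min_accounts
        self.recent = deque()           # outflows from watched accounts in the window

    def observe(self, t):
        """Feed one transfer in timestamp order; return drained accounts if the alert fires."""
        if t.sender not in self.balance:
            return []                   # not a watched treasury account
        self.balance[t.sender] -= t.amount
        self.recent.append(t)
        while t.ts - self.recent[0].ts > self.window_s:
            self.recent.popleft()       # forget outflows older than the window
        out = {}
        for e in self.recent:
            out[e.sender] = out.get(e.sender, 0) + e.amount
        # balance + outflow = balance at window start (inflows are ignored here)
        drained = sorted(a for a, o in out.items()
                         if o > 0 and o >= self.drained_frac * (self.balance[a] + o))
        return drained if len(drained) >= self.min_accounts else []

def first_alert(balances, transfers, **kw):
    """Return (timestamp, accounts) for the first alert, or None if none fires."""
    mon = DrainMonitor(balances, **kw)
    for t in sorted(transfers, key=lambda t: t.ts):
        hit = mon.observe(t)
        if hit:
            return t.ts, hit
    return None

# Constructed sample data: three treasury accounts emptied within 25 s, versus
# the same three withdrawals spread over two minutes.
BALANCES = {"treasury-a.example": 5000, "treasury-b.example": 3000,
            "treasury-c.example": 2000, "ops.example": 1000}
BURST = [Transfer(0, "ops.example", 100), Transfer(1000, "treasury-a.example", 5000),
         Transfer(1005, "user.example", 7), Transfer(1010, "treasury-b.example", 3000),
         Transfer(1025, "treasury-c.example", 2000)]
SLOW = [Transfer(1000, "treasury-a.example", 5000), Transfer(1060, "treasury-b.example", 3000),
        Transfer(1120, "treasury-c.example", 2000)]
```

With the default thresholds, `first_alert(BALANCES, BURST)` fires on the third drain at timestamp 1025, while `first_alert(BALANCES, SLOW)` returns `None` because no 30-second window contains three emptied accounts.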
Response (and why losses were partially contained)
The Sweat team executed an unusually fast incident response:
1. Paused the SWEAT token contract within minutes of detection.
2. Contacted MEXC, which froze the attacker's account before the bulk of the bridged tokens could be liquidated.
3. Contacted Rhea Finance (a NEAR-based on-chain liquidity provider), which paused SWEAT trading.
As a result, all user funds were ultimately restored and operations returned to normal. The Block reported the protocol "thwarted" the multi-million-dollar exploit and restored user balances.
Why This Matters
The incident underscores how on-chain reflexivity (DEX + bridge liquidity) can amplify a single contract bug into multi-million-dollar exposure within seconds — but also how fast off-chain coordination with CEXes (especially MEXC) can cap losses when the attacker funnels through known liquidation venues. The damage figure ($2.5–3.5M nominal) is misleading without the recovery context: net realized loss to users was effectively zero.