Incident Report: Router Protocol Asset Bridge Exploit and Response
1. What Happened
On July 2, 2025, between 07:37–07:46 UTC, Router Protocol experienced a targeted exploit on its asset bridge module, resulting in the unauthorized transfer of multiple tokens amounting to over $1.1 million USD. The attacker exploited a vulnerability in our cross-chain request logic specific to Router Chain’s custom IBC implementation.
Root Cause:
The vulnerability stemmed from a missing validation check in outbound requests. Specifically, the system failed to ensure that RequestSender == TxSender, allowing an attacker to spoof the sender and craft malicious outbound token requests.
Exploit Flow:
- A forged cross-chain request was submitted to Router Chain.
- Orchestrators unknowingly signed this request.
- The Ethereum Gateway contract, trusting the RequestSender, processed the malicious request and released funds to the hacker.
This exploit was unique to Router’s custom implementation and not found in standard Cosmos SDK chains. Importantly, the affected codebase had been audited by multiple top-tier firms, including Oak Security and Informal Systems, and had been live for over two years.
You can access our previous audit reports here:
🔎 Audit Reports — Oak Security & Informal Systems
2. What We Did
Upon identifying the attack, our team took immediate steps to contain the damage, investigate the root cause, and coordinate response efforts with security experts, exchanges, and law enforcement.
Immediate Actions:
- Paused impacted asset bridge flows while unaffected services, such as Router Nitro, continued to function independently.
- Engaged security firms and audit partners to conduct detailed post-mortems.
- Published a full technical report in the Telegram community, outlining the vulnerability, timeline, and key transactions involved:
→ Full Internal Incident Report
- Read the official Oak Security post-incident analysis:
→ Oak Team Incident Report (July 7, 2025)
Key Findings:
- The bug resided in a custom cross-chain module in Router Chain, unrelated to Nitro or standard Cosmos chains.
- Audit firms had flagged the general issue class, but the exact exploit vector was missed during earlier reviews and incorrectly marked resolved.
Chain Status:
To mitigate any risk and conduct a thorough analysis, we have temporarily paused bridging operations on the following chains:
Arthera, DogeChain, JFIN, Matchain, Oasis, Nero, Redbelly, Saakuru, Tangle, and Vanar.
All other supported chains on Router Nitro remain fully operational.
3. What We’re Doing Next
This incident has reinforced our belief in rigorous, multi-layered security and the need for constant vigilance, even in long-standing audited systems.
Patches and Protocol Changes:
- Validation Fix Implemented: We added a strict msg.sender == RequestSender check in outbound logic.
- Reviewed and approved by three Oak Security auditors.
- Enhanced off-chain tooling for orchestrators to detect and flag forged requests.
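The missing check from the Root Cause section and the fix listed above can be shown side by side. This is an added illustration, not Router Protocol's code: the OutboundRequest type, the function names and the addresses are hypothetical, and FlagForged stands in for the orchestrator-side filter.

```go
package main

import (
	"errors"
	"fmt"
)

// OutboundRequest is a hypothetical, simplified cross-chain request.
// TxSender is the account that signed the transaction; RequestSender is a
// field carried in the message that the destination gateway trusts.
type OutboundRequest struct {
	TxSender, RequestSender, DestChain string
}

var ErrSenderMismatch = errors.New("RequestSender != TxSender")

// ValidateUnchecked models the missing check: fields are only tested for
// presence, so any signer can name any RequestSender.
func ValidateUnchecked(r OutboundRequest) error {
	if r.TxSender == "" || r.RequestSender == "" || r.DestChain == "" {
		return errors.New("missing field")
	}
	return nil
}

// ValidateStrict adds the equality check described in the fix.
func ValidateStrict(r OutboundRequest) error {
	if err := ValidateUnchecked(r); err != nil {
		return err
	}
	if r.RequestSender != r.TxSender {
		return fmt.Errorf("%w: signer %q, claimed %q", ErrSenderMismatch, r.TxSender, r.RequestSender)
	}
	return nil
}

// FlagForged returns the indexes of requests in a batch that an
// orchestrator must refuse to sign.
func FlagForged(batch []OutboundRequest) []int {
	flagged := []int{}
	for i, r := range batch {
		if ValidateStrict(r) != nil {
			flagged = append(flagged, i)
		}
	}
	return flagged
}

func main() {
	batch := []OutboundRequest{ // constructed sample data
		{"router1user", "router1user", "ethereum"},
		{"router1other", "router1bridge", "ethereum"},
	}
	fmt.Println(ValidateUnchecked(batch[1]), FlagForged(batch))
}
```

Running the same strict check in both the chain handler and the orchestrator means a request that slips past one layer is still refused a signature by the other.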
Broader Ecosystem Coordination:
Due to the foundational nature of the vulnerability, our disclosure was initially delayed on advice from audit partners to allow time for similar patterns to be evaluated across other Cosmos-based ecosystems.
We’ve since:
- Notified similar Cosmos chains to audit and fix potential vulnerabilities.
- Fully briefed our investors and partners, maintaining transparency throughout.
While we work on a long-term fix, we are temporarily collaborating with another bridge provider to offer immediate alternative bridging routes for a few impacted chains. We’re also in active discussions with the affected chain teams to explore this routing option and ensure users have continued access wherever possible.
Final Thoughts
This exploit serves as a hard reminder: security is never one-and-done. Even well-audited systems can have edge cases that go undetected. While the vulnerability affected a specific Router Chain module, we’re taking ecosystem-wide lessons from it.
We remain committed to full transparency, strengthening our infrastructure, and earning the trust of our community.
We’ll continue to share updates as the investigation and recovery efforts progress.
Thank you for your continued support.
— The Router Protocol Team
Update: Fund Recovery Progress — July 14, 2025
Over the weekend, we made substantial progress in tracking and securing the exploited funds. Our efforts have led to approximately 12.5% (~$150K) being successfully frozen across multiple sources.
We are actively working with centralized exchanges to ensure any incoming funds are promptly frozen and are coordinating with law enforcement authorities to initiate legal action against the attacker.
