GYD Exploit Technical Update

21st Apr 2026
FTL Labs

Gyroscope’s GYD stablecoin was exploited with $815,000 of funds illicitly extracted from the protocol on 30 January 2026 due to an unintended smart contract sequence.

GYD is a non-custodial stablecoin that is designed to be redeemable for $1 in the backing asset (e.g., USDC). The GYD system contains a bridge for moving GYD tokens across chains. The bridge allows users to lock GYD tokens into an escrow contract on Ethereum and create a representation of them on another chain while the original tokens remain locked in the escrow.

At the time of the hack, the majority of GYD tokens locked in the escrow contract were “unissued” tokens. They were available to be issued, in return for $1 of assets on other chains, but were restricted from being in circulation otherwise. The hacker exploited an unintended smart contract sequence to illicitly extract these unissued tokens from the escrow contract without giving $1 in backing per token. They then used the illicitly obtained GYD tokens to redeem for GYD’s backing assets and liquidity on DEXs. This resulted in a depletion of the backing assets supporting legitimately issued GYD tokens.

Root cause of exploit

The GYD bridge was launched before there was a well-established cross-chain token standard to adopt. It used a custom implementation of a ‘lock-and-mint’ bridge using CCIP message passing. This implementation was used for Gyroscope’s stablecoin, GYD, and governance token, GYFI, and allowed locking assets on Ethereum to make them available on L2s.

The attacker exploited a sequence in this bridge code where user-supplied data is processed. The bridge had a function call feature where, if the recipient of the bridged funds was a smart contract, the user could include calldata with which this contract was then called in the same transaction immediately after bridging. One benign use case for this is to move GYD into a DeFi protocol on another chain.

    // release the bridged GYD to the recipient chosen in the cross-chain message
    gyd.safeTransfer(recipient, amount);

    // optional post-transfer call: the escrow itself executes user-supplied calldata,
    // so inside this call msg.sender is the escrow contract
    if (data.length > 0) {
      recipient.functionCall(data);
    }

However, the bridge executed the user-supplied call directly from the GydL1CCIPEscrow contract itself, so the from address (msg.sender) of that call was the escrow. In the unintended smart contract sequence, the attacker set recipient to the GydToken contract itself and set data to an approve(attacker_address, type(uint256).max) call, granting themselves an unlimited GYD approval from the bridge contract (see tx 0x45739a92c2d99f172a74d8028736a2fd1b507ac6fc134680cd1dccd3c572c600; the bridged amount is 1e-18 GYD here, i.e., the smallest non-zero denomination, but this is not relevant to the exploit). They then used that approval to obtain the GYD stored in the escrow (see tx 0xe03ac744df1910a71fedab58bc6a32ab5afe1cb4fcad94a0e5c8d7edf0d7405c).

The exploiter used this to approve the GYD held in the escrow contract to be spent by the exploiter address 0x7dd4075a6eae9f18309f112364f0394c2dfa8102 on Mainnet.
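The pattern above next to a hardened alternative, as an added example written for this post-mortem rather than Gyroscope's own code: VulnerableEscrow mirrors the release path described in the text, and HardenedEscrow routes any user-supplied call through a separate, asset-free CallExecutor so that the escrow is never msg.sender of attacker-chosen calldata. The contract names, the `router` address and the `release` entry point are assumptions; raw `.call` stands in for OpenZeppelin's `Address.functionCall`, and the real CCIP receive handling is reduced to a router-only check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Gyroscope's code. Names (VulnerableEscrow, HardenedEscrow,
// CallExecutor, router) are assumptions; raw .call is used in place of OpenZeppelin's
// Address.functionCall so the file has no dependencies.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Pattern from the post: after releasing tokens, the escrow executes user-supplied
// calldata itself, so inside that call msg.sender is the escrow.
contract VulnerableEscrow {
    IERC20 public immutable gyd;
    address public immutable router; // trusted cross-chain messenger (assumed)

    constructor(IERC20 _gyd, address _router) { gyd = _gyd; router = _router; }

    function release(address recipient, uint256 amount, bytes calldata data) external {
        require(msg.sender == router, "not router");
        require(gyd.transfer(recipient, amount), "transfer failed");
        if (data.length > 0) {
            // If recipient == address(gyd) and data == approve(spender, type(uint256).max),
            // the token sees msg.sender == escrow and records an allowance over every
            // token the escrow holds, including unissued supply.
            (bool ok, ) = recipient.call(data);
            require(ok, "call failed");
        }
    }
}

// Stateless forwarder: it never holds tokens, so a call it makes carries no authority
// over escrow balances even when target and calldata are user-chosen.
contract CallExecutor {
    address public immutable escrow;

    constructor() { escrow = msg.sender; }

    function execute(address target, bytes calldata data) external {
        require(msg.sender == escrow, "not escrow");
        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) {
            // bubble up the callee's revert reason unchanged
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}

contract HardenedEscrow {
    IERC20 public immutable gyd;
    address public immutable router;
    CallExecutor public immutable executor;

    constructor(IERC20 _gyd, address _router) {
        gyd = _gyd;
        router = _router;
        executor = new CallExecutor(); // this escrow becomes the executor's only caller
    }

    function release(address recipient, uint256 amount, bytes calldata data) external {
        require(msg.sender == router, "not router");
        require(gyd.transfer(recipient, amount), "transfer failed");
        if (data.length > 0) {
            // Defence in depth: refuse calls into the token, this escrow or the executor,
            // and only call contracts (an EOA target would silently accept any calldata).
            require(
                recipient != address(gyd) &&
                recipient != address(this) &&
                recipient != address(executor),
                "forbidden target"
            );
            require(recipient.code.length > 0, "recipient is not a contract");
            // msg.sender inside the user's call is now the executor, not the escrow.
            executor.execute(recipient, data);
        }
    }
}
```

With the hardened layout, an approve call aimed at the token would at most set an allowance on the executor's balance, which is always zero. The executor must therefore never be granted token approvals or protocol roles, or it becomes the escrow all over again. A stricter option, which avoids arbitrary calldata entirely, is to replace the free-form call with a fixed callback selector that the recipient contract implements.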

With the illicitly obtained GYD in hand, the exploiter redeemed this GYD for the asset backing held in GYD liquidity pools on Ethereum, Arbitrum, Avalanche, Base, Polygon, and Gnosis Chain. See example tx on Ethereum redeeming illicitly obtained GYD for $213K of sUSDS backing: 0x909209998c3cb0a1a0bb5c47479de7d9b0ec4b31f5f58592ac13072d6a2e70f4.

About 6.01M GYD were illicitly obtained from the L1 escrow contract. However, since the majority of these were unissued GYD, the attacker could only redeem about $815k in backing and liquidity.

The exploiter then swapped these assets into ETH and sent them to Tornado Cash.

Impact

GYD remains paused. Nearly all of GYD’s asset backing was exploited from the protocol in the incident, including excess collateralization.

While GYD pioneered novel safety mechanisms and circuit breakers, these threshold-based protections were bypassed by this particular attack vector.

Following the exploit, the community’s emergency pause mechanisms granted by Gyroscope governance were triggered by FTL Labs to contain the incident. Affected liquidity pools were paused immediately. Both GYD and GYFI tokens were paused via emergency governance action as they both use the bridge code, although GYFI was not exploited.

FTL Labs has assisted in an active onchain investigation in coordination with forensics teams and relevant authorities. Details cannot be disclosed at this time to avoid compromising the ongoing investigation.

Further updates will be shared as circumstances permit. - FTL Labs
