IoTeX bridge hit by attack… “Recovery and compensation plan to be disclosed within 48 hours”

Source
Minseung Kang

Summary

  • IoTeX said the Ethereum-side contract of its multichain bridge ioTube was attacked, resulting in the loss of assets worth about $4.4 million.
  • IoTeX said the Layer 1 chain, IOTX token, and assets held on centralized exchanges are safe, and that exchange withdrawals will resume within 24–48 hours.
  • IoTeX said it will announce a compensation plan for affected users within 48 hours, and is moving ahead with a full bridge suspension and additional security hardening measures.
Photo = IoTeX X capture

IoTeX said a security breach occurred on its multichain bridge, “ioTube.”

According to an announcement posted on IoTeX’s X (formerly Twitter) on the 23rd, the incident occurred on the 21st, and the Ethereum-side bridge contract for ioTube was targeted. The IoTeX team said it switched to an emergency response mode immediately after becoming aware of the incident. The attack occurred only on the Ethereum-side bridge contract, and it said the Layer 1 chain and key assets were not affected.

IoTeX stated that “the IoTeX Layer 1 chain, consensus mechanism, and native smart contracts were not compromised,” adding that “IOTX tokens on the IoTeX chain and assets held on centralized exchanges are safe.” It also noted that the bridge contracts on the BSC and Base chain sides were not affected.

The attacker is believed to have taken over the owner account of the Ethereum-side validator contract, then upgraded the contract to a malicious version to bypass signing and verification procedures. The attacker then seized control of MintPool and TokenSafe, minted 410 million CIOTX, and siphoned off assets worth about $4.4 million from the bridge reserves.

IoTeX said it has already locked or frozen more than 86% of the 410 million CIOTX minted. It explained that 52.4 million IOTX, equivalent to 12.8%, was confirmed to have been moved to Binance and that it is currently working with the exchange to freeze the funds. It added that only 1.7 million IOTX (0.4%) swapped on decentralized exchanges (DEXs) remains exposed to a material risk of loss.

The bridge reserve assets were converted into about 2,183 ETH, of which roughly 1,572 ETH is believed to have been bridged into bitcoin via THORChain. IoTeX said it has identified a total of 66.78 BTC across four bitcoin addresses and that those addresses are being monitored around the clock.

IoTeX said it is currently rolling out a chain patch, and that network operations will automatically return to normal once a sufficient number of validators complete the update. Exchange withdrawals are expected to resume within 24–48 hours, while the bridge will be suspended across all chains until an independent security audit is completed.

It also said it will announce a compensation plan for affected users within 48 hours and hold an online community Q&A (AMA). It added that it is working with law enforcement agencies and on-chain analytics firms, and plans to deliver a white-hat bounty offer to the attacker addresses via an on-chain message.

Meanwhile, IoTeX added that it will pursue additional security enhancements, including introducing multisig and a 24-hour timelock, accelerating the governance proposal (IIP-55) to decentralize bridge validators, setting transaction limits, and expanding its bug bounty program.
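
How the multisig and 24-hour timelock measures named above change the outcome when a single owner key is compromised, as an added illustration that is not IoTeX's code: a Python model of an upgrade gate. The class, the 2-of-3 threshold, and the key and implementation names are assumptions; transaction limits are not modelled.

```python
from dataclasses import dataclass, field

TIMELOCK_SECONDS = 24 * 60 * 60  # the 24-hour timelock named in the article

@dataclass
class Proposal:
    new_impl: str
    queued_at: int
    approvals: set = field(default_factory=set)

class UpgradeGate:
    """Upgrade needs `threshold` distinct signers AND an elapsed timelock."""
    def __init__(self, signers, threshold, impl):
        if not 0 < threshold <= len(set(signers)):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signers, self.threshold, self.impl = set(signers), threshold, impl
        self.proposals = {}

    def queue(self, signer, new_impl, now):
        self._require_signer(signer)
        pid = len(self.proposals)
        self.proposals[pid] = Proposal(new_impl, now, {signer})  # queuing counts as one approval
        return pid

    def approve(self, signer, pid):
        self._require_signer(signer)
        self.proposals[pid].approvals.add(signer)  # a set: repeat approvals do not stack

    def execute(self, pid, now):
        p = self.proposals[pid]
        if len(p.approvals) < self.threshold:
            raise PermissionError("not enough approvals")
        if now < p.queued_at + TIMELOCK_SECONDS:
            raise PermissionError("timelock not elapsed")
        self.impl = p.new_impl  # only now does the implementation change

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError("not a signer")

def compromised_key_scenario():
    """One stolen key out of 2-of-3 queues a malicious upgrade, then waits 24h."""
    gate = UpgradeGate({"key_a", "key_b", "key_c"}, threshold=2, impl="validator_v1")
    pid = gate.queue("key_a", "malicious_impl", now=0)  # constructed names
    try:
        gate.execute(pid, now=TIMELOCK_SECONDS)
    except PermissionError as exc:
        return gate.impl, str(exc)
    return gate.impl, "executed"
```

In this model the queued proposal stays visible for the full delay, which is the window in which the remaining signers and monitoring can react before any implementation change takes effect.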

Minseung Kang

minriver@bloomingbit.io
Blockchain journalist | Writer of Trade Now & Altcoin Now, must-read content for investors.