GANA Payment, a DeFi payment platform based on BSC, was hacked in November 2025 and lost USD 3.1 million: the attacker took control of a smart contract and exploited its unstake function to steal funds from users.
The hack was initially discovered and published by ZachXBT and was likely caused by the theft of private keys, which were used to transfer ownership to the attacker. After gaining control, the attacker was able to manipulate reward rates on the payment platform, allowing them to use the project’s unstake function to collect more GANA tokens as rewards.
How the attack took place
After taking these steps, the attacker transferred the stolen assets to other chains and laundered the funds using Tornado Cash, sending almost a third to the mixer on BSC and bringing the rest to Ethereum, where another part of the funds was deposited into Tornado Cash. The remaining 346 ETH, valued at approximately USD 1.05 million, was left in an Ethereum wallet.
Having taken over the contract, the attacker used the stolen privileges to modify the underlying rules of how the contract works. Changing the reward rates let them drain value from the contract through legitimate functionality. High-level authority-abuse attacks such as these can be prevented by restricting the power assigned to a particular blockchain account and decentralising control via a multi-sig wallet or similar measures.
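One way to apply the controls described above to a reward-rate setter, as an added Solidity sketch that is not GANA Payment's code: the contract name, the 500 bps cap, the two-day delay and every function name are hypothetical. It goes slightly beyond the text by pairing M-of-N approval with a hard cap and an execution delay, so that a single stolen key cannot change the rate and even a full quorum cannot raise it past the ceiling.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not GANA Payment's contract. All names and limits are hypothetical.
contract GuardedRewardRate {
    uint256 public constant MAX_RATE_BPS = 500; // hard ceiling no signer set can exceed (assumed value)
    uint256 public constant DELAY = 2 days;     // time for monitoring to react before a change applies
    uint256 public immutable threshold;         // approvals required (M of N)
    mapping(address => bool) public isSigner;
    uint256 public rewardRateBps;
    struct Proposal { uint256 newRate; uint256 approvals; uint256 readyAt; bool executed; }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public approved;
    event RateProposed(uint256 indexed id, uint256 newRate, address indexed by);
    event RateChanged(uint256 indexed id, uint256 newRate);

    modifier onlySigner() { require(isSigner[msg.sender], "not a signer"); _; }

    constructor(address[] memory signers, uint256 m) {
        require(m > 1 && m <= signers.length, "threshold must need >1 key");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        threshold = m;
    }

    // Any signer may propose, but the cap is enforced before anything is stored.
    function propose(uint256 newRate) external onlySigner returns (uint256 id) {
        require(newRate <= MAX_RATE_BPS, "rate above hard cap");
        id = proposals.length;
        proposals.push(Proposal(newRate, 0, 0, false));
        emit RateProposed(id, newRate, msg.sender);
        approve(id); // the proposer's own approval counts as one of M
    }

    function approve(uint256 id) public onlySigner {
        Proposal storage p = proposals[id];
        require(!p.executed && !approved[id][msg.sender], "executed or already approved");
        approved[id][msg.sender] = true;
        // The delay starts only when the M-th distinct signer approves.
        if (++p.approvals == threshold) p.readyAt = block.timestamp + DELAY;
    }

    function execute(uint256 id) external onlySigner {
        Proposal storage p = proposals[id];
        require(!p.executed && p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        p.executed = true;
        rewardRateBps = p.newRate;
        emit RateChanged(id, p.newRate);
    }
}
```

The `RateProposed` event is emitted at least two days before any change can take effect, which gives off-chain monitoring a fixed point to alert on.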
GANA Payment launched an investigation the moment it became aware of the attack, saying a project reboot would remap users’ asset addresses and associated permissions. Yet, the incident caused a 90% drop in value for the company’s GANA token.
The GANA Payment hack is another instance where attackers used off-chain schemes to target DeFi projects, likely using a compromised key to take over the project’s smart contract. To avoid similar cyberattacks in the future, companies have to implement private key security procedures, including multisignature wallets, MPC wallets, and cold storage of private keys.