Algorand-based privacy protocol HermesVault has permanently shut down operations after a security breach resulted in the theft of approximately 261,000 $ALGO tokens, valued at roughly $29,466 at the time of the incident. The news was confirmed by lead protocol engineer Giulio Pizzini in a post on X, detailing the technical nature of the exploit.
Technical Flaw in Withdrawal Verification
According to Pizzini, the zero-knowledge (zk) circuit at the core of HermesVault’s privacy mechanism remained secure. However, the vulnerability was found in the key reset defense logic within the withdrawal verification script. This flaw allowed the attacker to bypass the zk verification process entirely and withdraw funds without proper authorization.
Pizzini stated that the vulnerability has since been patched, and a significant portion of the stolen funds — 230,000 $ALGO — has already been returned to the project. The remaining 30,000 $ALGO is still unaccounted for, but the team has initiated a refund process for affected users.
Refund Process for Victims
Victims who lost funds in the remaining 30,000 $ALGO theft are eligible for a full refund. To claim compensation, users must prove ownership of their affected address and provide a secret note associated with their transaction. The team has not disclosed a specific deadline for refund claims but urged users to act promptly.
Implications for Privacy Protocols
The HermesVault incident underscores the complexity of securing privacy-focused DeFi protocols. While zero-knowledge proofs are widely regarded as robust, implementation errors in surrounding logic — such as withdrawal scripts — can still expose critical vulnerabilities. This case serves as a reminder that even well-audited zk-based systems require comprehensive security reviews of all auxiliary components.
For the Algorand ecosystem, the shutdown of a notable privacy protocol may raise questions about the long-term viability of privacy solutions on the network, especially as regulatory scrutiny around anonymous transactions intensifies globally.
Conclusion
HermesVault’s closure following the $29K $ALGO hack highlights the ongoing security challenges in decentralized finance. While the team acted swiftly to patch the flaw and initiate refunds, the incident has permanently ended the protocol’s operations. Users with affected funds are encouraged to follow the official refund process to recover their assets.
FAQs
Q1: What caused the HermesVault hack?
The hack exploited a flaw in the key reset defense logic of the withdrawal verification script, not the zero-knowledge circuit itself. This allowed the attacker to bypass zk verification and withdraw funds.
Q2: How much was stolen, and how much has been refunded?
Approximately 261,000 $ALGO ($29,466) was stolen. Of that, 230,000 $ALGO has been refunded, leaving 30,000 $ALGO still outstanding.
Q3: How can victims claim a refund for the remaining stolen $ALGO?
Victims must prove ownership of their affected address and provide a secret note associated with their transaction to receive a full refund.