- A hacker took advantage of a legacy contract for Polygon royalties and drained $261,200 as a result of the vulnerability in the reward calculation.
- The security experts attributed the problem to flawed reward calculations leading to inflated ownership balances and exaggerated rewards.
A hacker used a legacy royalties contract on the Polygon platform and made away with about $261,200 worth of cryptocurrency in recent times. The security firm TenArmorAlert identified the unusual transaction on June 23 and tracked down the exploit transaction.
The blockchain shows that the hacker carried out the attack using the Polygon block 89,018,051 transaction. According to TenArmorAlert, the hacker managed to withdraw roughly $263,800 despite the relatively low initial amount of money. The attack was on the legacy royalties program and not the fundamental structure of the Polygon blockchain.
🚨TenArmor Security Alert🚨
Our system has detected a suspicious attack involving an old contract #Royalties on #Polygon, resulting in an approximately loss of $261.2K.
Attack transaction: https://t.co/C2TTD661uK
With TenArmor’s TenMonitor, you get early detection and… pic.twitter.com/nlh0fhBan4
— TenArmorAlert (@TenArmorAlert) June 24, 2026
Miscalculation in Reward Calculation Allowed for Overdraws
According to TenArmorAlert, the attack was possible due to issues in the reward calculation mechanism and reward accounting. Security company CertiK found out about an issue with the Royal1155LD.beforeLdaTransfer() function in the exploited contract.
#CertiKInsight 🚨
We have seen a $263K exploit on the Royalties contract at 0xfE16Ee78828672e86cf8E42d8A5119AB79877EC7 on Polygon.
Through 100 zero-value transfers, the attacker exploited flawed settlement logic to stack reward records and claim 100X reward.
Stay Vigilant! pic.twitter.com/Jjt2yNwZUc
— CertiK Alert (@CertiKAlert) June 24, 2026
Researchers state that the attacker made several zero-value transactions, manipulating reward calculation and ownership numbers. This vulnerability allowed the attacker to make the token balance higher under certain conditions.
The Defimon Alerts also provided other research by DecurityHQ. In this case, experts concluded that royalty miscalculations led to the exploit. This way, false ownership numbers were allowing for excessive reward claiming. In addition, the attacker used a flash loan to exploit this contract. After repaying the borrowed amount, the attacker got the rest of the money as a profit.
🚨 @join_royal – Loss $261K (2026-06-23)
Token: $USDC
Network: PolygonType: Logic Error (pro-rata royalty accounting)
Royal’s Royalties contract pays out claims as deposit × (LDA tier balance / tier supply). The attacker flash-loaned $USDC, acquired an outsized tier-42 LDA…
— Defimon Alerts (@DefimonAlerts) June 24, 2026
Still Vulnerable to Security Threats
The latest attack has come in light of other similar attacks on older versions of decentralized finance projects as well as dormant smart contract deployments. Attackers have recently carried out an exploitation of some old contracts of Huma Finance and have stolen roughly $101,400.
Researchers have been cautioning developers regarding the possible dangers of having old versions of smart contracts with available finances. The team should audit, update, deactivate, or completely remove the old deployment in order to mitigate the danger of any potential attacks. Polygon developers have confirmed that attackers have not been able to threaten the security of the main blockchain network.