Syndicate Labs suffered a private key leak attack, approximately 18.5 million SYND were transferred, and they promised full compensation to users

According to official news, Syndicate Labs disclosed that its cross-chain bridge contract was maliciously upgraded on two chains due to a private key leak. The attacker transferred and sold approximately 18.5 million SYND (about $330,000) and around $50,000 worth of user tokens. The incident only affected specific chains, while others were not impacted.

Syndicate Labs stated that this attack involved multi-stage reconnaissance, infrastructure mapping, and careful execution, demonstrating a high level of technical complexity, and ruled out the involvement of internal personnel. The root cause was that the private key was stored in a password management tool without an additional layer of encryption, and the upgrade process did not utilize multi-signature or hardware signature mechanisms, nor did it have early warning and circuit breaker measures for contract upgrades.

Syndicate Labs announced that it will fully compensate all affected users, including returning 18.5 million SYND and providing additional compensation, while also fully compensating affected application chain clients. The company has initiated security upgrade measures, including strengthening private key encryption, tightening access permissions, and plans to introduce hardware or multi-signature mechanisms and upgrade path monitoring to prevent similar incidents from occurring again.