
Post-Incident Report: February 2026 Exploit

TL;DR - On February 23rd, 2026, an exploit of the DGLD Ethereum smart contract led to the unauthorized creation of illicit, unbacked tokens on the Base network. Smart contracts on both chains were promptly paused and the Ethereum ↔ Base bridge was frozen; the incident was contained within approximately 2.5 hours. The underlying physical gold was never at risk, and all pre-exploit token holders retained their gold-backed holdings. The root-cause vulnerability was fixed and verified, and enhanced 24/7 monitoring and governance measures were implemented across the system. Over the following weeks, two independent smart contract audits were completed, their recommendations were implemented, and the DGLD smart contracts have been unpaused through a controlled, phased relaunch.

This report provides a clear account of what happened, how we responded, the root cause, and the actions we’ve taken to prevent recurrence. We committed from the outset to sharing this openly. Transparency and accountability are core to how we operate, and we remain focused on strengthening the trust our holders and partners place in us.

The Physical Gold Was Never at Risk

The most important fact: all physical gold reserves remained, and continue to remain, securely held in MKS PAMP's vault facilities. The incident was confined entirely to the smart contract layer. At no point was the integrity of gold ownership for legitimate DGLD holders compromised.

DGLD Operations

DGLD operates on two blockchains: Ethereum (Layer 1) and Base (Layer 2). Cross-chain transfers between the two rely on the standard Ethereum ↔ Base bridge, part of the widely used OP Stack infrastructure. DGLD maintains separate token contracts on each chain: the Ethereum contract and the Base token representation.

What Happened

At block 42497894, an exploiter conducted a test exploit with small transactions on Base, minting fractional amounts of illicit DGLD (0.001 and 0.002 tokens). At approximately 13:15 UTC (on February 23rd), at block 42529798, the main phase of the exploit started: over a period of approximately 2 hours and 25 minutes, three actors minted illicit tokens across a series of transactions, one of which was for 100 million illicit tokens - a grossly disproportionate quantity relative to the approximately 70.8 legitimate DGLD tokens in circulation on Base at that time (total supply across chains was 1603.7).

These illicit tokens were not backed by any corresponding physical gold. The exploiters extracted value by dumping some of these tokens into USDC liquidity pools on Base DEXs, primarily Aerodrome, effectively draining them.

Root Cause

The vulnerability was an edge case in legacy code inherited from an earlier codebase (the original Consensys implementation, introduced on February 16, 2022). Specifically, a non-standard transferFrom function behaviour in the Ethereum contract could report successful execution without enforcing the expected token movement. The Ethereum ↔ Base bridge relied on that success signal, which enabled a phantom deposit on Ethereum and unbacked minting on Base.

The vulnerability did not surface in prior audit scopes, including the external audit conducted in Q4 2025 ahead of the Base deployment. It involved an ERC-20 semantics edge case in an inherited code path that was not flagged by auditors at the time.

Immediate Reaction & Contracts Pausing

At 12:30 UTC, our automated monitoring system flagged abnormal trading activity on Base DEXs dislocating the DGLD price from the spot gold price. After a first qualification of the price divergence (and initial mitigation actions), the malicious activity was detected and the DGLD Base smart contract was paused at 14:40 UTC, halting the exploit. After containment, partners were activated on a live coordination group at 15:31 UTC for advice. At 15:37 UTC, bridge-related address restrictions were enforced on Ethereum to prevent movement of illicit tokens from Base to Ethereum. By 15:54 UTC, the Ethereum smart contract was also paused as a precautionary measure. The first public communication was issued via the official DGLD X account at 18:11 UTC.

Once the exploit was stopped, the DEXs (Aerodrome & Hydrex) were notified promptly, and a dedicated live coordination group was stood up with internal teams, external security auditors, and technical partners. It remained in continuous operation throughout the remediation period (and beyond). CoinMarketCap, RWA.xyz and CoinGecko were contacted so that they could display a banner informing users who visited the DGLD page of the issue.

Coordinated Remediation & Audits

The response drew on a strong network of partners, which we want to thank for their diligence and help throughout the incident. Blockaid helped with initial detection and identification of the vulnerability. Nethermind validated the root cause and implemented fixes quickly. Two industry-leading auditors (Hacken and Halborn) were engaged to conduct independent smart contract vulnerability audits of both the Ethereum and Base contracts.

Their findings confirmed that the exploited vulnerability has been fixed. No other critical or high-severity findings were identified across any of the audits. All medium- and low-severity findings were addressed and resubmitted for auditor review. For full transparency, we are releasing the complete audit reports; find them here.

In total, the remediated contracts received scrutiny from six independent parties: in addition to the auditors, two more partners conducted external reviews covering technical review and operational recommendations, security relaunch advisory, and review of the pre-exploit reset runbook.

Phased Relaunch

We have prioritised safety over speed. The relaunch proceeded through a controlled, staggered sequence:

Phase 1 on Wednesday, March 11th - Base pre-exploit reset

Balances were reset to their verified pre-exploit levels (except for pool tokens, handled separately), illicit tokens were removed from circulation, and exploit-related addresses were restricted on both chains to prevent any illicit tokens from bridging back to Ethereum. A goodwill claims process was opened the same day and an official communication announced the successful completion of this first step. (Other preparations for the unpausing of contracts were also completed during this phase.)

Phase 2 on Thursday, March 12th - Ethereum Contract Relaunch & Liquidity Reactivation

The updated and hardened Ethereum smart contract was deployed, effectively unpausing transactions on Ethereum. Enhanced real-time 24/7 monitoring and alerting were activated and tested. $200k of total liquidity was reintroduced on Uniswap, and exploit-related address restrictions on the bridge were double-checked on the Ethereum side. An updated communication was issued to the community via X. Other steps included initiating the re-establishment of accurate DGLD information on rwa.xyz, CoinGecko and CoinMarketCap.

Phase 3 Tuesday, March 17th - Base Contract Relaunch & Market Reactivation

The updated and hardened Base smart contract was deployed, effectively unpausing transactions on Base and restarting the bridge, restoring full cross-chain functionality. $100k of total liquidity was reintroduced on Aerodrome, and exploit-related address restrictions were double-checked on the Base side. Enhanced monitoring was confirmed active Base-side. A final communication was issued via X to signal the end of the incident and the full restart of operations.

Each phase proceeded cautiously, following a pre-written, validated runbook that defined gating criteria to be fully satisfied before proceeding. At every step, the live coordination group ensured close coordination with partners and the ability to observe and act immediately. Strong 24/7 monitoring and alerting helped ensure that no unexpected disruptions occurred.

Transparent communication

From the first public communication on February 23rd, DGLD maintained a consistent cadence of updates through the official X account, the single designated source of truth.

Communications were designed to be factual and measured, and were issued only as material facts became available, while offering transparency to the community. Over the whole event, 11 messages were posted to keep the community informed and announce relevant steps. In addition to public updates on X, we handled inbound support proactively by replying to each email received at [email protected].

Impact, Mitigation & Claims Process

The economic impact of the exploit is estimated at USD ~250k, the very large majority of which was borne by us, as we serve as the principal liquidity provider for the token. All pre-exploit DGLD holders on both Ethereum and Base were unaffected by the exploit and retained their gold-backed holdings.

Three categories of addresses were impacted: liquidity providers on Base, users who traded DGLD on Base during the exploit, and the exploiters. Approximately 180 addresses, including the exploiters', interacted with illicit DGLD across more than 7,000 trades; the majority were likely arbitrage or other automated bots. During the incident, 39 addresses attempted to bridge assets back to Ethereum to access liquidity, but these attempts were successfully blocked by our countermeasures.

Any affected users in the first two categories can access a goodwill claims process that was launched on March 11th for a duration of 45 days (until April 25th, 2026). It allows liquidity providers and users who were negatively impacted while trading DGLD during the exploit to submit claims. Eligibility requires KYC/KYB verification, proof of wallet ownership, acceptance of applicable conditions, and a forensics review. The process is accessible here. At the time of this writing, a total of 15 claims have been received.

We are cooperating with forensic partners and law enforcement, and will share additional details on the incident as appropriate.

What We Have Improved

The incident prompted a comprehensive review and further strengthening across all aspects of the project. The improvements implemented for the relaunch elevate DGLD’s security beyond standard industry practices.

On top of this, as DGLD works on the next update of the smart contracts, the technical roadmap has been updated to include additional, regular independent audits.

The new contract enforces strict token transfer verification and bridge accounting invariants, ensuring that minting on Base can only occur when a corresponding verified transfer occurs on Ethereum.
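To make the root cause described in the "Root Cause" section and the invariant described in the paragraph above concrete, here is an added Python model (not DGLD's contracts, nor the OP Stack bridge code) of the accounting on both sides of a bridge. The token's lenient transferFrom path, the "bridge" address, the in-process L2 mint, and the attacker's 100-million-token deposit are all constructed for illustration; the real edge case in the inherited code is not reproduced here. The naive bridge trusts the boolean returned by transferFrom, so a call that moves nothing still credits escrow and mints on L2; the hardened bridge credits only the balance delta it can measure, which is the transfer-verification and backing-invariant pattern the paragraph above refers to.

```python
"""Model of a bridge deposit that trusts transferFrom's return value versus one
that verifies the balance delta. Constructed illustration, not DGLD's contracts."""
from dataclasses import dataclass, field


class LenientToken:
    """ERC-20-like token with a hypothetical legacy code path in transfer_from that
    reports success without moving tokens (constructed; not the actual DGLD bug).
    A standard implementation would revert on insufficient allowance or balance."""

    def __init__(self, supply_holder: str, supply: int) -> None:
        self.balances = {supply_holder: supply}
        self.allowances: dict = {}  # (owner, spender) -> amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> bool:
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount or self.balance_of(owner) < amount:
            # Non-standard edge case: signal success, leave every balance untouched.
            return True
        self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount
        return True


@dataclass
class L2Token:
    """Minimal L2 representation: supply only changes through bridge mints."""
    total_supply: int = 0
    balances: dict = field(default_factory=dict)

    def mint(self, to: str, amount: int) -> None:
        self.total_supply += amount
        self.balances[to] = self.balances.get(to, 0) + amount


class NaiveBridge:
    """Credits the deposit whenever transfer_from returns True (the flawed trust)."""
    ADDRESS = "bridge"  # hypothetical bridge escrow address

    def __init__(self, token: LenientToken, l2: L2Token) -> None:
        self.token, self.l2, self.escrowed = token, l2, 0

    def deposit(self, user: str, amount: int) -> int:
        if not self.token.transfer_from(self.ADDRESS, user, self.ADDRESS, amount):
            raise RuntimeError("transfer failed")
        self.escrowed += amount       # phantom deposit when nothing actually moved
        self.l2.mint(user, amount)    # the cross-chain mint, collapsed into one step
        return amount


class HardenedBridge(NaiveBridge):
    """Credits only the amount that verifiably arrived, measured by balance delta."""

    def deposit(self, user: str, amount: int) -> int:
        before = self.token.balance_of(self.ADDRESS)
        self.token.transfer_from(self.ADDRESS, user, self.ADDRESS, amount)
        received = self.token.balance_of(self.ADDRESS) - before
        if received != amount:
            raise ValueError(f"expected {amount} tokens, received {received}")
        self.escrowed += received
        self.l2.mint(user, received)
        return received


def unbacked_supply(bridge: NaiveBridge) -> int:
    """Backing invariant: L2 supply minus tokens actually held in escrow on L1.
    Anything above zero is unbacked."""
    return bridge.l2.total_supply - bridge.token.balance_of(bridge.ADDRESS)


def run_scenario(hardened: bool) -> tuple:
    """Legitimate 100-token deposit, then a 100M deposit of tokens the caller
    neither owns nor approved. Returns (rejected, l2_supply, unbacked_supply)."""
    token = LenientToken("holder", 1_000)
    l2 = L2Token()
    bridge = (HardenedBridge if hardened else NaiveBridge)(token, l2)
    token.approve("holder", bridge.ADDRESS, 100)
    bridge.deposit("holder", 100)
    try:
        bridge.deposit("attacker", 100_000_000)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, l2.total_supply, unbacked_supply(bridge)


if __name__ == "__main__":
    print("naive   :", run_scenario(hardened=False))   # -> (False, 100000100, 100000000)
    print("hardened:", run_scenario(hardened=True))    # -> (True, 100, 0)
```

The balance-delta check is deliberately independent of what the token claims: it also protects a bridge against fee-on-transfer or rebasing tokens, and the `unbacked_supply` figure is exactly the quantity a defender wants pinned at zero by both the contract and the monitoring layer.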

We have significantly expanded our monitoring and alerting coverage, with new detections focused on critical workflows and key points of failure. We have also strengthened our response model with 24/7 operational coverage and clearer escalation procedures, so alerts can be reviewed and acted upon at any time. Incident-response procedures will continue to be exercised regularly going forward.
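The report names two signals that mattered in this incident: the DEX price dislocating from spot gold (the first alert in "Immediate Reaction") and L2 supply growing without matching L1 deposits. The following added Python monitor (not DGLD's monitoring stack) evaluates both over a constructed event stream; the event shape, the per-token spot reference of 100 USDC, the 5% deviation threshold and the block numbers are all assumptions chosen for the example.

```python
"""Off-chain monitor for two detections: the L2 supply vs L1 escrow backing
invariant, and DEX price dislocation from a spot gold reference.
Event format, thresholds and sample data are constructed for this example."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Event:
    block: int
    kind: str            # "l1_deposit", "l2_mint" or "dex_trade"
    amount: float = 0.0  # tokens deposited or minted
    price: float = 0.0   # USDC per token, dex_trade events only


@dataclass(frozen=True)
class Alert:
    block: int
    rule: str
    detail: str


class BackingMonitor:
    """Stateful monitor: tracks L1 escrow and L2 supply from the event stream
    and checks each DEX print against the spot gold reference."""

    def __init__(self, spot_usdc_per_token: float, max_deviation: float = 0.05) -> None:
        self.escrowed = 0.0        # tokens verifiably deposited on L1
        self.l2_supply = 0.0       # tokens minted on L2
        self.spot = spot_usdc_per_token
        self.max_dev = max_deviation

    def process(self, ev: Event) -> List[Alert]:
        alerts: List[Alert] = []
        if ev.kind == "l1_deposit":
            self.escrowed += ev.amount
        elif ev.kind == "l2_mint":
            self.l2_supply += ev.amount
            # Backing invariant: L2 supply must never exceed L1 escrow.
            if self.l2_supply > self.escrowed + 1e-9:
                excess = self.l2_supply - self.escrowed
                alerts.append(Alert(ev.block, "unbacked_mint",
                                    f"L2 supply exceeds L1 escrow by {excess:g}"))
        elif ev.kind == "dex_trade":
            deviation = abs(ev.price - self.spot) / self.spot
            if deviation > self.max_dev:
                alerts.append(Alert(ev.block, "price_dislocation",
                                    f"DEX price {ev.price:g} deviates {deviation:.0%} from spot"))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        return alerts


def scan(events: Iterable[Event], spot: float, max_dev: float = 0.05) -> List[Alert]:
    """Run the monitor over a full stream and collect every alert in block order."""
    mon = BackingMonitor(spot, max_dev)
    out: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.block):
        out.extend(mon.process(ev))
    return out


# Constructed sample stream: one legitimate bridge round-trip, then mints that
# no L1 deposit backs, then a DEX print far below the reference price.
SAMPLE_EVENTS = [
    Event(100, "l1_deposit", amount=10.0),
    Event(101, "l2_mint", amount=10.0),        # backed: supply 10 == escrow 10
    Event(102, "dex_trade", price=101.0),      # 1% off spot, within tolerance
    Event(200, "l2_mint", amount=0.001),       # unbacked test-sized mint
    Event(300, "l2_mint", amount=100_000_000), # unbacked large mint
    Event(301, "dex_trade", price=40.0),       # 60% below spot
]


def triggered_rules(events: Iterable[Event] = SAMPLE_EVENTS, spot: float = 100.0) -> List[str]:
    """Convenience view: the sequence of rule names that fired."""
    return [a.rule for a in scan(events, spot)]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, spot=100.0):
        print(f"block {a.block}: {a.rule}: {a.detail}")
```

Note that the backing check fires on the 0.001-token test mint as well as on the 100-million one: a supply invariant has no minimum size, which is what lets it catch a test transaction before the main phase, whereas the price check only trips once enough illicit supply has been dumped to move the market.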

While the incident demonstrated how the DGLD team responds to such events and the strong commitment of its corporate partners and support network, the team remains committed to continuous improvement.

Back on Track

DGLD remains committed to building the tokenised gold standard for sophisticated crypto investors. The conviction that gold has found a home on the blockchain is unchanged, and reinforced by the strength of the response.

We want to deeply thank all the partners who helped us through this moment, internal and external. Your support has been deeply appreciated and brought tremendous value at a moment when it was much needed. Thank you.

And now, we build. Onward!