Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
On April 12, 2026, attackers exploited a vulnerability in SubQuery Network’s Settings contract on the Base network (the setContractAddress() function missing the onlyOwner access control modifier). By repeatedly calling this function, the attacker set their address as StakingManager and RewardsDistributor, enabling drainage of pooled SQT from the Staking contract, impacting 272 individual staker/delegator wallets, RewardsBooster, and a small protocol Treasury. Approximately 382,433,441 SQT were drained (worth about $134,000 USD at the time). The team quickly responded by deploying a fix, pausing withdrawals, and committing to full compensation for all affected users. No user private keys were compromised. The root cause was a missing access control from a prior code refactor. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 134,000.
- chain
- base
- protocol
- SubQuery Network
- bug_class
- private-key
- date_occurred
- 2026-04-12
- loss_usd
- $134,000
- source_id
- sm:subquery-network::2026-04-12