Decentralized finance never sleeps, and even platforms designed for secure treasury management can sometimes get caught off guard. On May 11, 2026, INK Finance became the latest project to suffer a security breach when an attacker drained roughly $140,000 in USDT from its Workspace Treasury Proxy contract on the Polygon network. Security firm Blockaid was the first to flag the incident.
What makes this exploit stand out is its clean and methodical execution rather than the size of the haul. The attacker didn’t steal private keys or tamper with oracles. Instead, they exploited a flaw in the whitelist validation and combined it with a flash loan to drain the funds in a single transaction.
🚨 Community Alert @inkfinance’s Workspace Treasury Proxy on Polygon was exploited a few minutes ago for ~$140K.
More details in 🧵
— Blockaid (@blockaid_) May 11, 2026
What is INK Finance?
INK Finance is a multichain platform designed to serve as a financial operating system for DAOs, protocols, and Real World Asset projects. It provides tools for on-chain treasury management, governance, payments, fundraising, and compliance.
The platform allows teams to create customizable “workspaces” with different committees for treasury, investments, and community decisions. Its core offering includes the Universal Custodian Vault and Workspace Treasury Proxy, which many DAOs use to handle authorized transfers efficiently. The project is mainly active on Polygon and Avalanche.
The compromised contract (0xa184…96Ee4), an EIP-1967 beacon proxy deployed in late 2023, was the target of today’s attack.
How the Exploit Happened
According to initial findings from Blockaid and other security researchers, the attacker executed a precise and well-planned attack by following these key steps in a single atomic transaction:
- Deployed a Malicious Contract: The attacker first created and deployed a malicious smart contract that was carefully designed to satisfy the whitelist criteria in INK Finance’s Workspace controller. This allowed the contract to appear as a legitimate, pre-approved claimer.
- Triggered the Claim Function: Using this malicious contract, the attacker then called the claim(claimId) function on the controller. Because the whitelist check passed, the request moved forward and triggered an authorized withdrawal from the Workspace Treasury Proxy without raising any red flags.
- Used a Flash Loan for Amplification: To meet any required balance or collateral conditions inside the claim process, the attacker borrowed approximately $25,000 through a Balancer V2 flash loan within the same transaction. This temporary capital made it possible to drain around $140,000 in USDT. Once the funds were extracted, the flash loan was automatically repaid before the transaction concluded.
The full exploit transaction can be viewed on Polygonscan: 0xb469…6b982
Attacker address: 0x90b1…87ee2
Funding Trail
On-chain data shows the attacker received funds through Railgun on Ethereum for privacy before bridging to Polygon just 32 minutes before executing the exploit. This suggests the attack was carefully prepared in advance.
Current Situation and Advice for Users
INK Finance has acknowledged the incident, though a complete technical post-mortem and recovery plan have not yet been released.
Users and DAOs with active workspaces on Polygon or Avalanche are strongly advised to:
- Immediately revoke approvals tied to affected controller and proxy contracts.
- Audit all whitelisted claimer addresses and permissions.
- Monitor official INK Finance announcements before moving treasury assets.
- Increase monitoring for unusual proxy interactions or sudden treasury withdrawals.
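The monitoring advice above can be made concrete with a small triage rule. The following is an added example, not INK Finance's or Blockaid's code: it assumes an indexer already supplies per-transaction records with the hypothetical fields shown, uses a placeholder treasury address, and runs over two constructed sample transactions.

```python
from dataclasses import dataclass

TREASURY = "0xTREASURY_PROXY_PLACEHOLDER"  # placeholder, not a real address

@dataclass
class Tx:  # hypothetical record shape produced by an upstream indexer
    tx_id: str
    caller_age_blocks: int          # blocks since caller contract deployment; -1 for an EOA
    treasury_balance_before: float  # token balance held by the treasury before the tx
    transfers: list                 # (sender, recipient, amount) token transfers in the tx
    flash_loan_amount: float = 0.0  # >0 if a flash loan was taken in the same tx

def treasury_outflow(tx):
    """Total amount leaving the treasury within this one transaction."""
    return sum(amt for sender, _, amt in tx.transfers if sender == TREASURY)

def review(tx, reviewed_recipients, max_fraction=0.25, min_age_blocks=1000):
    """Return the reasons a treasury withdrawal deserves an alert (empty = quiet)."""
    out = treasury_outflow(tx)
    if out == 0:
        return []
    reasons = []
    # A single tx moving a large share of the balance is a "sudden withdrawal".
    if tx.treasury_balance_before > 0 and out / tx.treasury_balance_before >= max_fraction:
        reasons.append("large_outflow")
    # Borrowed capital in the same atomic tx as a treasury claim is unusual for payroll.
    if tx.flash_loan_amount > 0:
        reasons.append("flash_loan_in_same_tx")
    # The claimer is a contract deployed shortly before it touched the treasury.
    if 0 <= tx.caller_age_blocks < min_age_blocks:
        reasons.append("fresh_caller_contract")
    # Funds went somewhere the team has not reviewed off-chain.
    if any(s == TREASURY and r not in reviewed_recipients for s, r, _ in tx.transfers):
        reasons.append("recipient_not_in_reviewed_list")
    return reasons

# Constructed sample data (amounts mirror the figures reported in the article).
REVIEWED = {"0xPAYROLL_PLACEHOLDER"}
ROUTINE = Tx("tx-routine", -1, 140_000.0,
             [(TREASURY, "0xPAYROLL_PLACEHOLDER", 5_000.0)])
DRAIN = Tx("tx-drain", 3, 140_000.0,
           [(TREASURY, "0xUNKNOWN_PLACEHOLDER", 140_000.0)],
           flash_loan_amount=25_000.0)

if __name__ == "__main__":
    for tx in (ROUTINE, DRAIN):
        print(tx.tx_id, review(tx, REVIEWED))
```

The thresholds are assumptions to tune per workspace; the point is that the on-chain whitelist passing is not treated as sufficient, and each withdrawal is checked again against size, caller age, and an off-chain reviewed recipient list.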
Broader Implications
While a $140K loss is relatively small compared to some of the larger DeFi hacks seen in 2026, this incident once again highlights a persistent weakness across decentralized finance: flawed authorization logic inside treasury systems.
Whitelist-based mechanisms remain convenient for DAO operations, but they can become dangerous when protocols fail to re-validate transaction amounts, ownership, or destination addresses during execution. Similar vulnerabilities have also surfaced in other protocols, including the Aftermath Finance exploit, where attackers reportedly drained more than $1.14 million through weaknesses tied to smart contract execution logic.
The INK Finance incident serves as another reminder that security in DeFi is not a one-time checklist. Continuous audits, layered permission controls, real-time monitoring, and stricter validation mechanisms are becoming essential for protecting on-chain treasury infrastructure.
As the DeFi ecosystem matures, both builders and users will need to remain proactive and vigilant against increasingly sophisticated exploit strategies.







