A legacy royalties contract linked to the music NFT platform Royal on Polygon was exploited on June 23, 2026, around 16:27 UTC, resulting in the loss of approximately $261,200 in USDC. The attack targeted an older smart contract that had been used for distributing royalties through tokenized music assets, known as Limited Digital Assets (LDAs).
According to CertiK, the incident stemmed from flawed settlement logic that allowed the attacker to stack reward records and claim roughly 100 times their actual share. The attacker took advantage of a vulnerability in the contract’s internal accounting system, using a flash loan and a series of carefully crafted zero-value transfers to manipulate ownership balances. Monitoring services flagged suspicious activity shortly after the transaction.
We have seen a $263K exploit on the Royalties contract at 0xfE16Ee78828672e86cf8E42d8A5119AB79877EC7 on Polygon.
Through 100 zero-value transfers, the attacker exploited flawed settlement logic to stack reward records and claim 100X reward.
Stay Vigilant! pic.twitter.com/Jjt2yNwZUc
— CertiK Alert (@CertiKAlert) June 24, 2026
The affected Royalties contract at 0xfe16ee…77ec7 acted as a proxy for royalty distributions. Its implementation at 0x1e05…c9074 contained custom accounting logic for LDA tiers. The attacker first borrowed around 2,638 USDC through a flash loan. They then carried out multiple zero-value transfers of the same asset tier. This created an inflated ownership record in the contract without changing the actual token balances. Using this artificial position, the attacker deposited funds and claimed a much larger share of the royalty pool, receiving about 263,809 USDC.
After repaying the flash loan, the net profit came to roughly $261,200. The main attacker address was 0xbd82…bd56, with a helper contract at 0x7fd7…ca52. Royal has not yet released an official statement. It is unclear whether the exploited contract remains part of active operations or represents deprecated infrastructure. Royal previously gained attention for enabling tokenized music ownership on Polygon, where fans could hold fractional song interests and receive streaming royalties through LDAs.
The event fits a recurring pattern of issues involving older or under-maintained contracts on Polygon. Security incidents have also been spreading across NFT-focused platforms this year. Earlier in June, NFT liquidity platform Gondi lost more than $230,000 worth of NFTs in an exploit that once again highlighted weaknesses in specialized digital asset protocols.
Legacy code in DeFi remains a persistent challenge. The latest breach comes during an already difficult year for crypto security, with industry losses from hacks and exploits surpassing $84 million in May as attackers continued to target weaknesses in smart contracts and protocol infrastructure. Many projects use proxy patterns for upgradability, yet abandoned or lightly maintained implementations can become targets when economic conditions make exploitation profitable, especially in royalty and reward systems. This highlights the risks of custom accounting logic in NFT/royalty contracts that doesn’t properly validate transfer amounts.
Developers have faced multiple reminders of these risks in recent weeks, including the exploit of Echo Protocol on Monad, where an attacker minted fake eBTC and stole more than $822,000 from the platform. The attack stayed isolated to this specific contract with no reported spillover to other parts of the Royal ecosystem. No immediate price movements in related assets were observed. Users holding positions in older royalty contracts on Polygon are reviewing their exposure.
