SubQuery Network confirmed that its staking contract was exploited, resulting in the loss of approximately 129 million SQT tokens. The team has paused withdrawals and deployed a fix while committing to full compensation for all affected users. No additional compromises have been identified as investigations continue.
Staking Contract Breached
A vulnerability in SubQuery Network’s staking contract was exploited on April 12, 2026, leading to the unauthorized removal of 129,364,800 SQT tokens. The blockchain data indexing protocol, which supports more than 300 networks including Ethereum, Solana, Polkadot, and Cosmos, responded rapidly by isolating the issue and applying a security patch. The primary attack transaction has been made public on BaseScan for transparency. Despite prior audits from two independent providers, the breach succeeded through highly sophisticated methods. The SubQuery team is actively reviewing the broader contract ecosystem for any residual risks while maintaining open communication with the community.
The incident highlights ongoing challenges in smart contract security, following similar cross-chain exploits like the recent Aethir hack where attackers moved stolen funds across chains, reinforcing the risks even for audited protocols.
Withdrawals Paused Amid Recovery Efforts
The staking contract has been impacted and withdrawals are currently paused. Functionality will be restored once the contract is fully refunded by the team. As of April 13, 2026, no other compromises have been reported, and the team continues to monitor the situation closely. SubQuery Network reiterated that all victims will be compensated in full. The incident has placed temporary pressure on SQT token holders involved in staking, highlighting ongoing challenges in smart contract security even for protocols with established audit histories. The project’s swift response aims to restore user confidence and network operations as quickly as possible.
Key Incident Summary
- Staking contract exploited on April 12, 2026, with 129.36 million SQT affected despite dual audits
- Withdrawals paused until contract is fully refunded and functionality restored
- Full compensation guaranteed for all affected users
- No additional compromises identified; team monitoring closely with ongoing investigation
