Vulnerabilities

Odin.fun’s $7M Bitcoin Heist: Third Hack in 6 Months Exposes Deadly AMM Flaws

Rapid Bitcoin Drain Shocks Users and Security Experts

On August 12th, Odin.fun-marketed by founder Bob Bodily as the world's fastest Bitcoin token trading platform-lost over $7 million in less than two hours. This devastating loss marks the third significant security breach the platform has suffered in just six months.

Despite promises of revolutionary speed and security, the platform’s AMM (Automated Market Maker) was manipulated through liquidity attacks that drained real Bitcoin-all while Bodily, with deep engineering expertise, watched from the sidelines.

How the Attack Worked: Simple Yet Effective AMM Manipulation

The attackers exploited Odin’s latest AMM design by:

Depositing worthless SATOSHI tokens to artificially inflate token prices.
Exploiting the AMM’s unverified price calculations to withdraw inflated amounts of actual Bitcoin.
Repeating this cycle rapidly across multiple wallets and tokens.

This pattern of draining liquidity pools has become alarmingly routine for Odin.fun, with each attack following the same playbook: buy cheap tokens, manipulate prices, withdraw value, repeat.

Identified “Sleeper Cell” and Fresh Wallet: Evidence of Pre-meditation

Analysis reveals two key attacker wallet types operating on the Internet Computer Protocol (ICP):

The “Sleeper Cell”: Created on June 20th, remained dormant for 53 days while quietly accumulating SATOSHI tokens.
The “Fresh Attack” wallet: Created just one hour before Bob Bodily paused trading on August 12th, quickly funded and launched the coordinated drain of Bitcoin.

The timing and coordination between these accounts strongly suggest months of planning rather than opportunistic exploitation.

Security Failures Linger Despite Known Vulnerabilities

The exploited vulnerability-overreliance on AMM self-price calculations instead of external data feeds-is a well-documented weakness in DeFi. Other protocols have faced similar issues and published effective fixes.

Yet Odin.fun:

Ignored published best practices and security advisories.
Experienced at least two previous hacks earlier in 2023 due to similar weaknesses.
Failed to implement audited, robust fixes.

Experts consider this neglect “inexcusable” given Bodily’s background and the platform’s history.

Crisis Response: Silence, Blame, and Empty Promises

Bob Bodily’s handling of the August attack followed a familiar pattern:

Eight hours of silence amid ongoing Bitcoin withdrawals.
A vague statement blaming “malicious users, primarily linked to groups in China,” deflecting responsibility to external actors.
Promises of compensation “coming soon,” without any clear timeline or concrete plan.
No immediate recoveries or law enforcement outcomes despite claimed collaboration with US authorities and major exchanges.

Meanwhile, stolen Bitcoin sits untouched in attacker wallets, fully traceable on-chain.

Past Breaches and Mounting Frustration

This latest loss builds on a disturbing record:

In February, 74 BTC disappeared due to a “technical glitch” that was quickly resolved.
Later, Bob Bodily’s own account was reportedly hacked, sparking platform-wide withdrawal freezes.
Over six months, three major hacks have cost users millions.

Questions now swirl over whether these repeated failures reflect gross negligence or something more calculated.

The Paradox of PhD-Level Leadership

Bob Bodily is no stranger to technology:

Holds a PhD in Educational/Instructional Technology from BYU.
Co-founded Toniq Labs and the Bioniq Bitcoin Ordinals marketplace.
Has extensive blockchain development experience since 2021.

Yet, despite these credentials, his platform repeatedly falls prey to elementary smart contract exploits-vulnerabilities that even first-year DeFi developers recognize and avoid.

Community members who warned of these issues were publicly blocked or ignored by Bodily, deepening distrust.

Community Impact: Loyalty Tested by Recurring Losses

Bob’s supporters cling to hope amid crisis, holding onto the “sophisticated attack” narrative and promised future compensation.

However:

Honest critics who flagged risks early were silenced.
Users have suffered heavy financial losses, sometimes doubling down on Odin.fun tokens only to be hacked again.
The platform’s rapid token launches and memecoin hype now resemble a cautionary tale more than a success story.

Odin.fun Joins the "Serial Offenders" Roster

Odin.fun now sits alongside other crypto projects notorious for repeated hacks and poor security, including:

Midas Capital - suffered multiple hacks across rebrands.
Onyx Protocol - exploited twice for the same vulnerability.
Radiant Capital and DeltaPrime - hit multiple times with similar attack methods.

Unlike some that have implemented compensation and remediation plans, Odin.fun’s trajectory is marked by zero accountability and ongoing vulnerability.

What’s Next for Bitcoin DeFi?

Bob Bodily insists Odin.fun will rebuild, tweeting that “the future of Bitcoin DeFi is massive.” But users and observers remain skeptical.

The attackers’ wallets remain active and untouched.
Compensation remains an empty promise.
No clear timeline or commitment to transparency has been offered.

Odin.fun’s saga highlights how academic credentials and ambitious promises cannot substitute for rigorous security practices and honest communication.

Final Takeaway

This third hack at Odin.fun is more than a technical failure-it exposes:

Systemic security neglect.
Poor crisis management.
A community left vulnerable and frustrated.

For developers, founders, and security researchers in Web3, this case serves as a stark reminder: ignoring basic DeFi security principles invites catastrophic losses, no matter your background.