SwissBorg Loses $41.5M After Partner’s API Gives Hackers Full Access

Source: SwissBorg REKT
Swiss wealth management platform SwissBorg suffered a major security incident when their staking partner, Kiln, inadvertently handed withdrawal keys to hackers, resulting in a $41.5 million loss of SOL tokens. This breach reveals how much risk lies in outsourcing critical custody functions.
What Happened?
- On September 8th, SwissBorg announced that 192,600 SOL (about $41.5M) was stolen in a clever attack.
- The theft targeted the SOL Earn program, affecting less than 1% of SwissBorg’s users.
- SwissBorg reassured users that their main app and other funds remained secure.
- To cover the loss, SwissBorg committed to fully reimbursing affected users from its treasury – a costly gesture affirming their customer-first response.
Root Cause: API Compromise at Kiln
Kiln, SwissBorg’s staking infrastructure partner, disclosed an “unauthorized access” to a wallet managing withdrawal keys. Although their statement avoided the word “hack,” the blockchain traces show a clear malicious transfer.
- Hackers exploited a routine-looking unstaking transaction made eight days earlier.
- Buried within normal operations were hidden instructions granting withdrawal authority over multiple staking accounts.
- This “skeleton key transaction” allowed attackers to patiently wait before draining millions.
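What a hidden authority transfer looks like at the instruction level, and the kind of pre-signing policy check that catches one riding along with a routine unstake, as an added example that is not from the article, SwissBorg or Kiln. It assumes a signing service that sees a transaction's decoded instruction list before approving it, and follows the Solana stake program's public bincode instruction layout (little-endian u32 variant tag, then fields); the sample transaction is constructed, not chain data.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Solana's native stake program. Instruction data is bincode-encoded: a
# little-endian u32 variant tag followed by that variant's fields.
STAKE_PROGRAM_ID = "Stake11111111111111111111111111111111111111"
AUTHORIZE = 1            # Authorize(new_authorized: Pubkey, stake_authorize)
DEACTIVATE = 5           # Deactivate: the routine "unstake" step
AUTHORIZE_CHECKED = 10   # AuthorizeChecked(stake_authorize): new key is an account
WITHDRAWER = 1           # StakeAuthorize::Withdrawer (0 is Staker)

@dataclass
class Instruction:
    program_id: str
    accounts: List[bytes]  # account keys the instruction references, in order
    data: bytes

def withdrawer_changes(ixs: List[Instruction]) -> List[Tuple[int, bytes, bytes]]:
    """Return (index, stake_account, new_withdrawer) for every instruction that
    reassigns a stake account's Withdrawer authority, whatever else is in the tx."""
    found = []
    for i, ix in enumerate(ixs):
        if ix.program_id != STAKE_PROGRAM_ID or len(ix.data) < 4:
            continue
        tag = struct.unpack_from("<I", ix.data, 0)[0]
        if tag == AUTHORIZE and len(ix.data) >= 40:
            new_key, which = ix.data[4:36], struct.unpack_from("<I", ix.data, 36)[0]
            if which == WITHDRAWER:
                found.append((i, ix.accounts[0], new_key))
        elif tag == AUTHORIZE_CHECKED and len(ix.data) >= 8 and len(ix.accounts) >= 4:
            # accounts: [stake, clock sysvar, current authority, new authority]
            if struct.unpack_from("<I", ix.data, 4)[0] == WITHDRAWER:
                found.append((i, ix.accounts[0], ix.accounts[3]))
    return found

def safe_to_sign(ixs: List[Instruction]) -> bool:
    """Policy: an unstaking flow must never move withdrawal authority."""
    return not withdrawer_changes(ixs)

def sample_tx() -> List[Instruction]:
    # Constructed sample (not real chain data): a normal Deactivate with an
    # Authorize(Withdrawer) to an unknown key tucked in behind it.
    stake, clock, operator, new_owner = (bytes([b]) * 32 for b in (0x11, 0x22, 0x33, 0xAA))
    deactivate = Instruction(STAKE_PROGRAM_ID, [stake, clock, operator],
                             struct.pack("<I", DEACTIVATE))
    authorize = Instruction(STAKE_PROGRAM_ID, [stake, clock, operator],
                            struct.pack("<I", AUTHORIZE) + new_owner + struct.pack("<I", WITHDRAWER))
    return [deactivate, authorize]
```

The check looks at every instruction rather than trusting the transaction's label, so the Deactivate alone passes while the same transaction with the Authorize(Withdrawer) appended is refused.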
How the Hack Unfolded
- The hackers waited eight days after the initial control transfer before moving the funds.
- They split the stolen SOL into two groups:
  - $40.7 million moved once to a secondary wallet and was left untouched.
  - A smaller batch of roughly 1,000 SOL moved through multiple wallets in complex patterns, likely testing laundering channels.
Notably, the small transfers included a deposit to the Bitget exchange after multiple hops – a cautious test of whether the funds could be moved without detection.
SwissBorg’s Response
CEO Cyrus Fazel quickly promised no loss to users and stated that SwissBorg was covering the shortfall. Their official narrative:
- The breach occurred at an external counterparty (Kiln) handling the staking wallets.
- SwissBorg’s platform itself was not compromised.
- They deployed teams and security firms to recover what they could and track the stolen funds.
Meanwhile, Kiln has gone “full lockdown” to investigate and patch vulnerabilities.
The Bigger Picture: Trust Issues in Custody
SwissBorg’s ordeal highlights a crucial lesson:
- Security is only as strong as your weakest partner.
- When you delegate key access to third parties, you’re effectively outsourcing risk.
- Despite blockchain transparency, breaches like this expose how “institutional-grade custody” is fragile when partner APIs aren’t airtight.
Final Takeaway
SwissBorg’s $41.5 million loss wasn’t due to flaws in their own smart contracts or wallet systems, but a partner’s compromised API – hidden behind routine operations that masked authority transfers.
The incident underscores the challenges of Web3 security when trusted intermediaries introduce vulnerabilities.
As SwissBorg pledges to rebuild and Kiln patches up, this case reminds developers and founders:
Decentralization means little if keys still change hands carelessly. The real security question remains: who do you trust – and how tightly do you hold their leash?