Verify a decision

{"actor":"system:backfill","investigation_id":"e2cde9dd-d0ba-45e1-8daa-fb77b6e8957e","kind":"publish","page_slug":"fluid-instadapp","published_at":"2026-06-15T12:23:53.520Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fluid (Instadapp)","sections":[{"content":"Fluid (formerly Instadapp) is a decentralized finance protocol built around a shared Liquidity Layer that unifies lending, borrowing, and DEX trading into a single composable system. It was founded in 2018 at the ETHIndia Hackathon by brothers Samyak Jain (CTO) and Sowmay Jain (CEO). The project released its first product in August 2019 as a bridge between MakerDAO and Compound. The protocol raised a total of $24.5 million from investors including Pantera Capital, Coinbase Ventures, Naval Ravikant, and Balaji Srinivasan. After the launch of its DEX in October 2024, the project rebranded from Instadapp (INST token) to Fluid (FLUID token) in December 2024. As of June 2026, the protocol reports approximately $720 million in TVL across Ethereum, Arbitrum, Base, Plasma, and Polygon.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"What Is Fluid (FLUID)? Instadapp's Unified DeFi Liquidity Layer Explained - BingX","type":"other","url":"https://bingx.com/en/learn/article/what-is-fluid-instadapp-s-unified-defi-liquidity-layer-how-does-it-work"},{"credibility":2,"name":"Instadapp Proposes Rebrand and New Tokenomics Following Fluid Launch - The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/instadapp-proposes-rebrand-and-new-tokenomics-following-fluid-launch"},{"credibility":2,"name":"Fluid TVL, Fees, Revenue & Volume - DeFiLlama","type":"on_chain","url":"https://defillama.com/protocol/fluid"},{"credibility":2,"name":"Understanding Fluid: A Comprehensive Overview - Messari","type":"research","url":"https://messari.io/report/understanding-fluid-a-comprehensive-overview"}]},{"content":"On May 27, 2026, attackers compromised two operational keys within Fluid's off-chain Merkle rewards distribution infrastructure. Using these keys, the attacker submitted a fraudulent Merkle root and used empty-proof Merkle claims to drain multiple Fluid distributor contracts. The full exploit cycle — from Merkle root proposal submission to token claim — completed in approximately 24 seconds. The attacker's wallet (0x4925120CbE5A78Bf08F26f6E8cdF820f4c1D3dfB) claimed approximately 112,883 FLUID and additional assets, with total losses estimated at 125,000 FLUID tokens and 51,900 GHO. After claiming, the attacker swapped the stolen assets across Base and Arbitrum for ETH and deposited proceeds into Tornado Cash to obfuscate the trail. The exploit was not detected or disclosed publicly by Fluid for four days. On-chain researcher YAM (@yieldsandmore) surfaced the breach on May 31, 2026, prior to any official acknowledgment. Fluid published an official statement the same day confirming the breach but omitting specific loss figures and key-compromise details from the initial disclosure. The protocol stated that core contracts and user funds were unaffected and characterized the incident as limited to reward distribution infrastructure with 'minimal funds.' Merkle reward claiming was temporarily paused. A post-event report was promised but had not been published as of the investigation date. The total estimated USD loss was approximately $215,000 based on contemporaneous token prices.","heading":"May 2026 Key Compromise: Merkle Rewards Infrastructure Breach","severity":"high","sources":[{"credibility":2,"name":"Fluid Protocol Loses 125K FLUID & 51.9K GHO in Key Compromise Attack - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/31/fluid-protocol-loses-125k-fluid-51-9k-gho-in-key-compromise-attack/"},{"credibility":3,"name":"YAM on X: Fluid lost 125k FLUID and 51.9k GHO due to a key compromise","type":"social_media","url":"https://x.com/yieldsandmore/status/2061100297502540145"},{"credibility":2,"name":"Fluid: Vulnerability in off-chain Merkle reward distribution infrastructure has been identified and controlled - Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605437313"}]},{"content":"The four-day gap between the May 27 exploit and Fluid's May 31 public disclosure drew pointed community criticism. The incident was first surfaced by independent on-chain researcher YAM, not through a proactive communication from the Fluid team. Community observers further noted that a $77 million USDC withdrawal from the protocol began on May 28, 2026 — one day after the exploit and three days before public disclosure. Fluid was simultaneously promoting high USDC deposit rates during this period. These facts have fueled unverified speculation that certain parties may have had advance knowledge of the breach before retail users were informed. No evidence of insider trading has been formally established and these allegations remain at the community-level (Tier 3). Fluid's official statement described the incident in minimal terms, without specifying the dollar value of losses or the mechanism of the key compromise, which critics characterized as under-disclosure. A promised detailed post-event report had not been published as of the investigation date.","heading":"Disclosure Delay and Transparency Concerns","severity":"high","sources":[{"credibility":2,"name":"Fluid Protocol Loses 125K FLUID & 51.9K GHO in Key Compromise Attack - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/31/fluid-protocol-loses-125k-fluid-51-9k-gho-in-key-compromise-attack/"},{"credibility":3,"name":"YAM on X: Fluid lost 125k FLUID and 51.9k GHO due to a key compromise","type":"social_media","url":"https://x.com/yieldsandmore/status/2061100297502540145"}]},{"content":"In late March 2026, Resolv Labs' signing infrastructure was compromised by an external attacker, resulting in the malicious minting of approximately $80 million in unbacked USR stablecoin tokens. The USR token subsequently depegged, causing approximately $25 million in extracted value across DeFi. Fluid had approximately $100 million in exposure to Resolv USR at the time, with roughly $21 million in bad debt accruing to the protocol as a direct result of the depegging event. On May 11-12, 2026, Fluid published a governance post-mortem and announced resolution. The total bad debt was distributed as follows: Resolv Labs contributed approximately $9.7 million, Fluid's governance treasury absorbed approximately $8.2 million, and the core team agreed to cover approximately $1.5 million from future revenue. The team used a pre-approved DEX Lite credit line from the shared liquidity layer to consolidate the bad debt before the governance vote was completed, drawing criticism that the action occurred prior to formal authorization. Critics argued this repurposed a DEX-scoped facility for bad-debt cleanup and shifted risk to USDC and USDT suppliers without prior consent. The team responded that the move was within multisig authority and that no funds left the protocol. Fluid stated that smart contracts were not compromised and all user deposit funds remained secure. Protocol TVL reportedly remained stable at approximately $970 million at the time of resolution.","heading":"March 2026 Resolv Incident: Third-Party Oracle Failure and Bad Debt","severity":"high","sources":[{"credibility":2,"name":"Fluid's $8.2M Bad-Debt Cleanup, and the Governance Fight It Triggered - DeFi Prime","type":"news_article","url":"https://defiprime.com/fluid-resolv-treasury-governance"},{"credibility":2,"name":"Fluid releases post-mortem of the Resolv incident - Bitget News","type":"news_article","url":"https://www.bitget.com/amp/news/detail/12560605407851"},{"credibility":2,"name":"Fluid Repays $19.3M in Bad Debt Following March Resolv Hack - CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/bae26-fluid-repays-resolv-hack-debt"},{"credibility":1,"name":"Post-Mortem, Treasury Actions, and Forward Strategy Following Resolv Incident - Fluid Governance","type":"official","url":"https://gov.fluid.io/t/post-mortem-treasury-actions-and-forward-strategy-following-resolv-incident/1774"},{"credibility":2,"name":"Explained: The Resolv Hack (March 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-resolv-hack-march-2026"}]},{"content":"Fluid's smart contracts have undergone multiple security audits by recognized firms. MixBytes published a security audit report of the Fluid Vault Protocol dated June 25, 2024. Statemind has conducted multiple engagements covering Fluid's core contracts (December 2023, December 2024), the Liquidity Layer Update (October 2025), and validation audits in March 2026. OpenZeppelin previously audited Instadapp's proxy wallet and registry contracts during the earlier Instadapp era. The protocol also operates a bug bounty program on Immunefi. As of the investigation date, no smart contract exploit has been publicly confirmed against Fluid's core protocol. Both the May 2026 key compromise and the March 2026 Resolv bad-debt event arose from off-chain dependencies — compromised operational keys and third-party oracle/infrastructure failures — rather than on-chain contract vulnerabilities. The optimization of Fluid's code for maximum gas efficiency has been noted by auditors to significantly complicate the audit process.","heading":"Smart Contract Security and Audit History","severity":"medium","sources":[{"credibility":1,"name":"Instadapp Fluid Security Audit Report - MixBytes (June 2024)","type":"research","url":"https://docs.fluid.instadapp.io/Mixbytes_Fluid_Vault_Protocol_Audit.pdf"},{"credibility":1,"name":"Statemind Fluid Audit Report - Instadapp Docs","type":"research","url":"https://docs.fluid.instadapp.io/Statemind_Fluid_Audit.pdf"},{"credibility":1,"name":"InstaDApp Audit - OpenZeppelin","type":"research","url":"https://www.openzeppelin.com/news/instadapp-audit"},{"credibility":2,"name":"Instadapp Bug Bounties - Immunefi","type":"official","url":"https://immunefi.com/bug-bounty/instadapp/"},{"credibility":1,"name":"Audits & Security - Fluid Technical Docs","type":"official","url":"https://docs.fluid.instadapp.io/audits-and-security.html"}]},{"content":"The FLUID token (formerly INST) has a maximum supply of 100 million tokens and a circulating supply of approximately 77.75 million as of mid-2026. The token reached an all-time high of approximately $24.40 and is currently trading approximately 90%+ below that level. As of June 2026, defillama.com reports a protocol TVL of approximately $720 million, down from a peak closer to $970 million reported around the time of the Resolv resolution in May 2026. The protocol generates annualized fees of approximately $76 million and revenue of approximately $12.66 million, with DEX volume of $5.1 billion over the prior 30 days. Fluid is backed by Pantera Capital and Coinbase Ventures, among other investors, and has raised $24.5 million in total funding.","heading":"Token Performance and Market Position","severity":"low","sources":[{"credibility":2,"name":"Fluid TVL, Fees, Revenue & Volume - DeFiLlama","type":"on_chain","url":"https://defillama.com/protocol/fluid"},{"credibility":2,"name":"Fluid Price - CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/fluid"},{"credibility":2,"name":"Fluid Price, FLUID to USD - Messari","type":"research","url":"https://messari.io/project/fluid-instadapp"}]},{"content":"Two separate incidents in 2026 have exposed Fluid's reliance on off-chain infrastructure as a persistent risk surface. The May 2026 Merkle key compromise demonstrated that privileged operational keys controlling reward distribution were inadequately protected, enabling an attacker to execute a complete exploit cycle in approximately 24 seconds once keys were in hand. The March 2026 Resolv bad-debt event demonstrated Fluid's exposure to third-party protocol failures, including oracle manipulation and stablecoin depegging, given the protocol's significant collateral concentrations in newer asset types such as USR. Fluid has announced post-incident security improvements including per-key pricing controls, multi-leg oracle feeds, deviation checks, sequencer-uptime guards, and legal agreements with asset issuers. Whether the promised post-event report on the May 2026 key compromise was published and whether the new controls are sufficient remain open questions as of this investigation.","heading":"Operational Security Concerns","severity":"high","sources":[{"credibility":2,"name":"Fluid Protocol Loses 125K FLUID & 51.9K GHO in Key Compromise Attack - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/31/fluid-protocol-loses-125k-fluid-51-9k-gho-in-key-compromise-attack/"},{"credibility":2,"name":"Fluid's $8.2M Bad-Debt Cleanup, and the Governance Fight It Triggered - DeFi Prime","type":"news_article","url":"https://defiprime.com/fluid-resolv-treasury-governance"},{"credibility":1,"name":"Post-Mortem, Treasury Actions, and Forward Strategy Following Resolv Incident - Fluid Governance","type":"official","url":"https://gov.fluid.io/t/post-mortem-treasury-actions-and-forward-strategy-following-resolv-incident/1774"}]}],"sources_used":[{"credibility":2,"name":"Fluid Protocol Loses 125K FLUID & 51.9K GHO in Key Compromise Attack - Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/31/fluid-protocol-loses-125k-fluid-51-9k-gho-in-key-compromise-attack/"},{"credibility":3,"name":"YAM on X: Fluid key compromise disclosure","type":"social_media","url":"https://x.com/yieldsandmore/status/2061100297502540145"},{"credibility":2,"name":"Fluid: Vulnerability in off-chain Merkle reward distribution infrastructure - Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605437313"},{"credibility":2,"name":"Fluid's $8.2M Bad-Debt Cleanup, and the Governance Fight It Triggered - DeFi Prime","type":"news_article","url":"https://defiprime.com/fluid-resolv-treasury-governance"},{"credibility":2,"name":"Fluid releases post-mortem of the Resolv incident - Bitget News","type":"news_article","url":"https://www.bitget.com/amp/news/detail/12560605407851"},{"credibility":2,"name":"Fluid Repays $19.3M in Bad Debt Following March Resolv Hack - CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/bae26-fluid-repays-resolv-hack-debt"},{"credibility":1,"name":"Post-Mortem, Treasury Actions, and Forward Strategy Following Resolv Incident - Fluid Governance","type":"official","url":"https://gov.fluid.io/t/post-mortem-treasury-actions-and-forward-strategy-following-resolv-incident/1774"},{"credibility":2,"name":"Explained: The Resolv Hack (March 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-resolv-hack-march-2026"},{"credibility":1,"name":"Instadapp Fluid Security Audit Report - MixBytes (June 2024)","type":"research","url":"https://docs.fluid.instadapp.io/Mixbytes_Fluid_Vault_Protocol_Audit.pdf"},{"credibility":1,"name":"Statemind Fluid Audit Report - Instadapp Docs","type":"research","url":"https://docs.fluid.instadapp.io/Statemind_Fluid_Audit.pdf"},{"credibility":1,"name":"InstaDApp Audit - OpenZeppelin","type":"research","url":"https://www.openzeppelin.com/news/instadapp-audit"},{"credibility":2,"name":"Instadapp Bug Bounties - Immunefi","type":"official","url":"https://immunefi.com/bug-bounty/instadapp/"},{"credibility":1,"name":"Audits & Security - Fluid Technical Docs","type":"official","url":"https://docs.fluid.instadapp.io/audits-and-security.html"},{"credibility":2,"name":"Fluid TVL, Fees, Revenue & Volume - DeFiLlama","type":"on_chain","url":"https://defillama.com/protocol/fluid"},{"credibility":2,"name":"Fluid Price - CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/fluid"},{"credibility":2,"name":"Fluid Price, FLUID to USD - Messari","type":"research","url":"https://messari.io/project/fluid-instadapp"},{"credibility":2,"name":"Understanding Fluid: A Comprehensive Overview - Messari","type":"research","url":"https://messari.io/report/understanding-fluid-a-comprehensive-overview"},{"credibility":2,"name":"Instadapp Proposes Rebrand and New Tokenomics Following Fluid Launch - The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/instadapp-proposes-rebrand-and-new-tokenomics-following-fluid-launch"},{"credibility":2,"name":"A comprehensive interpretation of Fluid: After rebranding, will it become the new king of DeFi? - PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/0p1weg2f"}],"summary":"Fluid, formerly known as Instadapp, is a DeFi lending, borrowing, and trading protocol founded in 2018 by brothers Samyak and Sowmay Jain. The protocol rebranded from Instadapp to Fluid in December 2024 following the launch of its DEX product. As of mid-2026, Fluid operates with approximately $720 million in TVL across multiple chains and has been subject to two notable security incidents: a March 2026 bad-debt event stemming from a third-party hack of the Resolv protocol (~$19.3 million absorbed), and a May 2026 off-chain key compromise of its Merkle rewards distribution infrastructure that drained approximately 125,000 FLUID and 51,900 GHO.","timeline":[{"date":"2018-01-01","event":"Instadapp founded by Samyak Jain and Sowmay Jain at the ETHIndia Hackathon.","source":"BingX explainer","source_url":"https://bingx.com/en/learn/article/what-is-fluid-instadapp-s-unified-defi-liquidity-layer-how-does-it-work"},{"date":"2019-08-01","event":"Instadapp releases its first DeFi product, a bridge between MakerDAO and Compound for optimizing lending and borrowing rates.","source":"BingX explainer","source_url":"https://bingx.com/en/learn/article/what-is-fluid-instadapp-s-unified-defi-liquidity-layer-how-does-it-work"},{"date":"2021-01-01","event":"Pantera Capital and Coinbase Ventures invest in Instadapp as part of a $24.5 million total fundraise.","source":"Messari project page","source_url":"https://messari.io/project/fluid-instadapp"},{"date":"2023-12-29","event":"Statemind publishes first Fluid smart contract audit.","source":"Statemind public audits GitHub","source_url":"https://github.com/statemindio/public-audits/blob/main/Instadapp/2023-12-29_Instadapp_Fluid.pdf"},{"date":"2024-06-25","event":"MixBytes publishes Fluid Vault Protocol security audit report.","source":"Fluid Technical Docs","source_url":"https://docs.fluid.instadapp.io/Mixbytes_Fluid_Vault_Protocol_Audit.pdf"},{"date":"2024-10-01","event":"Fluid DEX goes live on Ethereum.","source":"The Defiant","source_url":"https://thedefiant.io/news/defi/instadapp-proposes-rebrand-and-new-tokenomics-following-fluid-launch"},{"date":"2024-12-01","event":"Instadapp officially rebrands to Fluid; INST token rebranded to FLUID.","source":"CoinCarp","source_url":"https://www.coincarp.com/currencies/announcement/instadapp-is-rebranding-to-fluid/"},{"date":"2026-03-22","event":"Resolv Labs' signing infrastructure is breached; approximately $80 million in unbacked USR tokens are minted, causing USR to depeg. Fluid holds approximately $100 million in USR exposure, resulting in roughly $21 million in bad debt.","source":"Halborn - Explained: The Resolv Hack","source_url":"https://www.halborn.com/blog/post/explained-the-resolv-hack-march-2026"},{"date":"2026-05-11","event":"Fluid publishes governance post-mortem on the Resolv incident; proposes absorbing $8.2 million in bad debt from treasury. Community criticism emerges over the team's use of a credit line prior to the governance vote.","source":"Fluid Governance Forum","source_url":"https://gov.fluid.io/t/post-mortem-treasury-actions-and-forward-strategy-following-resolv-incident/1774"},{"date":"2026-05-12","event":"Fluid announces resolution of Resolv bad-debt situation: ~$19.3 million absorbed by Resolv, treasury, and team.","source":"Bitget News","source_url":"https://www.bitget.com/amp/news/detail/12560605407851"},{"date":"2026-05-27","event":"Attackers compromise two operational keys in Fluid's off-chain Merkle rewards distribution system and drain approximately 125,000 FLUID and 51,900 GHO from multiple distributor contracts using empty-proof Merkle claims. Proceeds are laundered through Tornado Cash.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/31/fluid-protocol-loses-125k-fluid-51-9k-gho-in-key-compromise-attack/"},{"date":"2026-05-28","event":"$77 million USDC withdrawal from Fluid begins one day after the exploit, prior to public disclosure. Fluid simultaneously promotes high USDC deposit rates. Community members later raise concerns about potential advance knowledge.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/31/fluid-protocol-loses-125k-fluid-51-9k-gho-in-key-compromise-attack/"},{"date":"2026-05-31","event":"On-chain researcher YAM publicly surfaces the May 27 Fluid exploit on X. Fluid issues an official acknowledgment the same day, confirming the breach of off-chain Merkle reward infrastructure and stating core contracts and user funds are safe. Fluid promises a detailed post-event report.","source":"YAM on X; Bitget News","source_url":"https://x.com/yieldsandmore/status/2061100297502540145"}]},"v":1}