On Sept. 8, 2025, SwissBorg suffered a major exploit resulting in the theft of 192,600 SOL tokens, worth $41.3M, across eight malicious transactions.
SwissBorg, a leading European wealth app, offers an Earn product that enables users to deposit funds and earn yield through staking. To provide this service, SwissBorg relies on Kiln, a professional staking operator responsible for managing staking operations, deposits, and withdrawals.
Kiln’s infrastructure was compromised prior to the attack. The attackers used their access to tamper with the payload of a legitimate unstake transaction.
What should have been a routine operation was silently modified: the transaction now included extra instructions to reassign the Withdrawer Authority of multiple SwissBorg stake accounts to attacker-controlled addresses.
This single injected change immediately handed full control of the wallets to the attacker. From that moment, neither SwissBorg nor Kiln could regain control of the affected funds.
Understanding Solana Staking Authorities
On Solana, each stake account has two distinct authorities:
- Staker Authority: decides which validator the tokens are delegated to.
- Withdrawer Authority: controls who can withdraw the funds.
By reassigning the Withdrawer Authority, the attacker effectively took ownership of the funds, gaining the ability to deactivate and fully withdraw the staked assets.
The Attack Flow
- Aug. 31, 2025 — Initial Compromise and Payload Injection:
The attacker, having already breached Kiln’s infrastructure, modified a transaction intended to perform a standard unstake operation for SwissBorg. The injected payload included instructions to change the Withdrawer Authority to attacker-controlled addresses. (See the transaction here.)
- Sept. 8, 2025 — Funds Withdrawal:
The attacker withdrew 192,600 SOL across eight transactions, stealing $41.3 million in total. (See the exploiter address here.)
Blind Signing
While the original compromise of Kiln’s API enabled the attackers to provide a malicious payload, the attack could still have been prevented had SwissBorg been able to review the transaction before approving it for execution.
This highlights a major vulnerability in transaction security: blind signing. Neither Kiln’s primary dashboard*, SwissBorg’s interface, nor the wallet software displayed the complete contents of the transaction or the hidden instructions, so the approvers could not inspect the transaction or understand what executing it would do.
* It should be highlighted that Kiln provides a separate open-source decoding tool for avoiding blind signing transactions: https://sol.minitel.app/
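The following added example (not code from Kiln, SwissBorg, or Hypernative) shows the kind of pre-signing check that removes the blind spot: it decodes a serialized legacy Solana transaction message and lists every Stake program instruction that reassigns an authority. The function names and the sample message are constructed for illustration; versioned (v0) messages are rejected rather than decoded.

```python
from functools import reduce

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Stake program id (base58 "Stake" followed by 38 "1"s) as 32 raw bytes
STAKE_PROGRAM = reduce(lambda n, c: n * 58 + B58.index(c),
                       "Stake" + "1" * 38, 0).to_bytes(32, "big")
ROLES = {0: "Staker", 1: "Withdrawer"}  # StakeAuthorize enum values

def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")

def shortvec(buf, i):
    """Read a compact-u16 length at offset i; return (value, next offset)."""
    val = shift = 0
    while True:
        byte = buf[i]
        val |= (byte & 0x7F) << shift
        i, shift = i + 1, shift + 7
        if not byte & 0x80:
            return val, i

def authority_changes(msg):
    """Return (instruction index, role, new authority) per stake Authorize* call."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: resolve lookup tables before decoding")
    nkeys, i = shortvec(msg, 3)                    # 3-byte header, then account keys
    keys = [msg[i + 32 * k:i + 32 * k + 32] for k in range(nkeys)]
    count, i = shortvec(msg, i + 32 * nkeys + 32)  # skip keys and recent blockhash
    found = []
    for ix in range(count):
        program = keys[msg[i]]
        n, i = shortvec(msg, i + 1)
        accts, i = msg[i:i + n], i + n
        n, i = shortvec(msg, i)
        data, i = msg[i:i + n], i + n
        if program != STAKE_PROGRAM or len(data) < 8:
            continue
        if u32(data, 0) in (1, 8) and len(data) >= 40:     # Authorize, AuthorizeWithSeed
            found.append((ix, ROLES.get(u32(data, 36), "unknown"), data[4:36]))
        elif u32(data, 0) in (10, 11) and len(accts) > 3:  # *Checked: new authority is account 3
            found.append((ix, ROLES.get(u32(data, 4), "unknown"), keys[accts[3]]))
    return found

def sample_message():
    """Constructed input: Deactivate with an appended Authorize(Withdrawer)."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, STAKE_PROGRAM]  # signer, stake, clock stand-in
    deact = bytes([3, 3, 1, 2, 0, 4]) + (5).to_bytes(4, "little")
    auth = bytes([3, 3, 1, 2, 0, 40]) + (1).to_bytes(4, "little") + b"\xaa" * 32 + (1).to_bytes(4, "little")
    return bytes([1, 0, 2, 4]) + b"".join(keys) + bytes(32) + bytes([2]) + deact + auth
```

A signing policy built on this would refuse any unstake request for which `authority_changes` returns a non-empty list, or whose new authority is not on an allowlist.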
How Hypernative Guardian Could Have Helped
With Hypernative Guardian, this exploit could have been detected and stopped before any funds were lost. The Guardian provides full transaction visibility and security, including:
- Full Payload Inspection: Guardian inspects the entire transaction payload, not just the visible top-level action. It interprets all embedded instructions and parameters, including those added by a potentially compromised system or API.
- Transaction Simulation & Visibility: Before execution, Guardian simulates the transaction and provides human-readable visibility into what it will actually do onchain:
  - Which accounts will be modified;
  - Which authorities or balances will change;
  - What smart contract calls and functions are involved.
- Risk Detection: Guardian automatically identifies deviations from policy or unexpected actions, such as, in this case, the reassignment of Withdrawer Authority, which would be recognized as a high-severity risk.
- Real-Time Recommendation: Guardian generates a real-time recommendation on whether to proceed or deny. In this scenario, the transaction would have been flagged with a “Deny” recommendation and accompanied by a clear alert describing the unauthorized authority change.
- Automatic Denial: Guardian can be configured to automatically block or reject transactions that violate security policies. The manipulated unstake transaction would never have been executed or signed, effectively preventing the exploit altogether.
The Core Lesson: Visibility Is Security
The SwissBorg exploit wasn’t caused by a flaw in smart contract logic; it was a failure of transaction visibility. A hidden instruction inside a legitimate-looking payload went unnoticed because no system verified what the transaction actually did.
Hypernative Guardian solves this problem by bringing clarity and policy-based enforcement to every transaction. It ensures that no instruction is ever executed blindly, and that any anomaly, like an unauthorized authority change, is immediately detected and denied.
Closing Thought
The SwissBorg incident illustrates a growing challenge for all staking and custody platforms: complex, multi-instruction transactions are easy to abuse when their content isn’t fully transparent.
With Hypernative Guardian, operators and services like SwissBorg can make every transaction verifiable, interpretable, and policy-enforced, ensuring that even if an attacker compromises part of the supply chain, the transaction itself cannot be weaponized.
Hypernative Guardian brings the missing layer of trust through transparency, turning blind signing into secure signing.
If your team is assessing its security posture, we’re here to answer questions and show how real-time protection can prevent the next incident. Reach out for a demo of Hypernative’s solutions, and tune in to Hypernative’s blog and our social channels to keep up with the latest on cybersecurity in Web3.
Secure everything you build, run and own in Web3 with Hypernative.