GANA Payment suffered an exploit on the BNB Smart Chain that resulted in more than $3.1 million in losses — an event revealed by on-chain analyst ZachXBT and technically confirmed by HashDit. The attack granted unauthorized control of the staking module, drained GANA’s reserves, and triggered a liquidation that erased over 90% of the token’s value. The early findings offer a clear timeline of what happened, how the exploit unfolded, and where the stolen funds moved across BSC and Ethereum.

A detailed look at how the exploit unfolded

The incident took place on November 20, 2025, around 05:00 UTC. HashDit identified the root cause as a malicious change in contract ownership, which effectively handed the attacker full control over the staking mechanism. Once inside, the attacker manipulated reward parameters and called unstake functions in a way that allowed them to extract far more tokens than the protocol was designed to release. This triggered a massive market sell-off and a collapse of over 90% in GANA’s price.

The stolen assets were consolidated at BSC address 0x2e8e5c38. From there, roughly 1,140 BNB — worth around $1.04 million — were funneled into Tornado Cash on BSC. A large portion of the remaining funds was bridged to Ethereum, where 346.8 ETH (about $1.05 million) also passed through Tornado Cash, while another 346 ETH — valued at approximately $1.046 million — remain inactive at address 0x7a503b3cca.

Tornado Cash is a cryptocurrency mixer designed to obscure fund flows by breaking the link between sender and receiver addresses. Once assets enter a mixer, tracing them becomes exponentially more difficult, which severely limits recovery options for victims and investigators.

A key factor behind the breach was the absence of formal audits and lack of public technical documentation. Poor ownership-management controls placed GANA Payment squarely within the common “high-risk zone” that has led many unaudited DeFi protocols to suffer multimillion-dollar failures. The attack reflects recurring patterns in the sector, where governance mistakes or misconfigurations become catastrophic vulnerabilities.

After the exploit was exposed, the GANA team issued an emergency notice announcing a forensic investigation and a reset plan — including asset-address mapping for affected users. The communication was intended to calm the community, but the path to restitution depends on cross-platform cooperation and whether any portion of the funds can be traced beyond mixers and bridges. Independent on-chain investigations demonstrate how transparent blockchains can reconstruct events, while also exposing the real-world limits of asset recovery once laundering tools come into play.

The GANA Payment exploit reinforces a critical lesson for any DeFi project managing user capital: governance and auditing are non-negotiable. Losing ownership control opened the door to a complete drainage of staking funds and a cascade of losses that now challenge the project’s future. Next verified milestone: completion of GANA’s internal investigation and the rollout of its reset plan, which will be essential to determine whether meaningful recovery — technical, financial, or reputational — is possible.