
How Odin.fun Lost 58.2 BTC in a $7M Liquidity Exploit

Hackers stole 58.2 BTC ($7M) from Odin.fun via a liquidity exploit. Explore the attack and key lessons for securing DeFi platforms.

Author
QuillAudits Team
August 22, 2025

On 12 August 2025, Bitcoin meme-coin launchpad Odin.fun suffered a catastrophic liquidity manipulation attack resulting in the loss of 58.2 BTC (≈ $7M) in under two hours. The attacker exploited a fundamental design flaw by supplying liquidity with worthless tokens, conducting self-trades to inflate their prices artificially, and then withdrawing liquidity to extract disproportionate amounts of Bitcoin. Odin.fun operates on the Internet Computer Protocol (ICP), a high-throughput blockchain that enables fast, scalable WebAssembly smart contracts and uses a unique identity system based on principals, differentiating it from Ethereum’s account-based model.
 

Hack Analysis

  1. The attacker first added liquidity to the SATOSHI/BTC pool.

    [Screenshot: fresh account.png]

  2. They then executed self-trades with the memecoin to artificially inflate its price within the pool.

    [Screenshot: slef-trade.png]

  3. Finally, they withdrew their liquidity, receiving in return for their liquidity share a disproportionately large amount of BTC relative to the worthless memecoins they had supplied.

    [Screenshot: liquidity-withdraw.png]

  4. The attacker repeated the same manipulation cycle with the ODINPEPE/BTC pool as well.

    [Screenshot: odinpepe.png]

The attacker initially acquired SATOSHI memecoins through an early deposit on June 21, 2025, and later exploited both the SATOSHI/BTC and ODINPEPE/BTC pools using additional BTC deposits on August 12, 2025.

[Screenshot: inital deposit 06.png]

[Screenshot: initial deposit.png]


Root Cause

The root cause of the Odin.fun exploit was a critical design flaw in its AMM liquidity model that trusted internal token ratios without any external price validation. This allowed attackers to deposit large quantities of worthless tokens like SATOSHI into user-funded BTC liquidity pools, manipulate the prices by self-trading to artificially inflate token value, and then withdraw disproportionate amounts of user-deposited Bitcoin. The core vulnerability was the absence of safeguards to verify token legitimacy or ensure deposits reflected real market value, exposing user funds to pump-and-dump style exploitation.


How Could It Have Been Prevented?

To prevent such exploits, the protocol must integrate external price oracles to validate token valuations before allowing tokens into liquidity pools. Enforcing strict value parity during liquidity provision, requiring deposits to represent balanced real-world token values, would prevent a disproportionate token supply from entering the pool. Additional protections such as slippage limits and minimum liquidity thresholds would mitigate manipulation risks. Monitoring for suspicious deposit patterns and conducting regular security audits are also essential to safeguard user funds and ensure the AMM's pricing remains robust against manipulation.
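To make the root cause and the proposed safeguards concrete, the following toy constant-product pool is an added example written for this write-up; it is not Odin.fun's code and does not reproduce its exact accounting. It models the flaw named above in its simplest form: the pool values a liquidity deposit at its own internal BTC/token ratio, so a self-trade that pushes that ratio up lets a deposit of near-worthless tokens mint a majority LP share, and a pro-rata withdrawal then pays out the BTC other users deposited. The hardened mode applies three of the controls from the prevention paragraph: refuse tokens with no external price, value deposits at an oracle price and require value parity between the two sides, and cap the price impact of a single trade. All balances, prices and the attacker's holdings are constructed numbers.

```python
"""Constructed toy AMM (not Odin.fun's code): deposit valuation trusting the
pool's internal ratio versus valuation against an external price with value
parity and a price-impact cap. Amounts are satoshis and whole tokens."""
from fractions import Fraction

SATS_PER_BTC = 100_000_000


class Pool:
    def __init__(self, btc, token, hardened=False, oracle_price=None,
                 max_impact_bps=1_000):
        self.btc, self.token = btc, token          # reserves
        self.shares = {"users": btc}               # LP shares: one per seed sat
        self.total_shares = btc
        self.hardened = hardened                   # apply the safeguards?
        self.oracle_price = oracle_price           # Fraction sats/token, or None
        self.max_impact_bps = max_impact_bps       # 10% per trade when hardened

    def internal_price(self):
        return Fraction(self.btc, self.token)      # what the pool believes

    def swap_btc_for_token(self, btc_in):
        k = self.btc * self.token
        new_btc = self.btc + btc_in
        new_token = k // new_btc                   # constant product x*y = k
        if self.hardened:
            before, after = self.internal_price(), Fraction(new_btc, new_token)
            if (after - before) * 10_000 / before > self.max_impact_bps:
                raise ValueError("price-impact cap exceeded")
        token_out = self.token - new_token
        self.btc, self.token = new_btc, new_token
        return token_out

    def add_liquidity(self, who, btc_in, token_in):
        if self.hardened:
            if self.oracle_price is None:
                raise ValueError("no external price for token; deposit refused")
            price = self.oracle_price
            # value parity: token side must match the BTC side within 1%
            if abs(token_in * price - btc_in) > Fraction(btc_in, 100):
                raise ValueError("deposit not value-balanced at oracle price")
        else:
            price = self.internal_price()          # FLAW: own ratio is trusted
        deposit_value = btc_in + token_in * price
        pool_value = self.btc + self.token * price
        minted = int(self.total_shares * deposit_value / pool_value)
        self.btc += btc_in
        self.token += token_in
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def remove_liquidity(self, who):
        s = self.shares.pop(who)
        btc_out = self.btc * s // self.total_shares    # pro rata of reserves
        token_out = self.token * s // self.total_shares
        self.btc -= btc_out
        self.token -= token_out
        self.total_shares -= s
        return btc_out, token_out


def run_flawed():
    """Manipulation cycle against a pool that trusts its internal ratio.
    Constructed setup: 1 BTC of user liquidity against 1M tokens (pool thinks
    a token is worth 100 sats); the attacker holds 10M tokens bought for next
    to nothing plus 0.1 BTC of working capital."""
    pool = Pool(btc=SATS_PER_BTC, token=1_000_000)
    spent = 10_000_000
    pool.swap_btc_for_token(spent)                  # self-trade: ratio up ~21%
    pool.add_liquidity("attacker", 0, 10_000_000)   # tokens valued at that ratio
    btc_out, _ = pool.remove_liquidity("attacker")  # pro-rata payout in users' BTC
    return btc_out - spent, pool.btc                # attacker profit, BTC left


def run_hardened():
    """Same moves against a pool seeded at the external price (1 sat/token)
    with oracle valuation, value parity and a 10% price-impact cap."""
    pool = Pool(btc=SATS_PER_BTC, token=SATS_PER_BTC, hardened=True,
                oracle_price=Fraction(1))
    unlisted = Pool(btc=SATS_PER_BTC, token=1_000_000, hardened=True)
    refusals = []
    for step in (lambda: pool.swap_btc_for_token(10_000_000),
                 lambda: pool.add_liquidity("attacker", 0, 10_000_000),
                 lambda: unlisted.add_liquidity("attacker", 0, 10_000_000)):
        try:
            step()
        except ValueError as err:
            refusals.append(str(err))
    honest = pool.add_liquidity("lp", 5_000_000, 5_000_000)  # balanced deposit
    return refusals, honest


if __name__ == "__main__":
    print("flawed pool: attacker profit / BTC left (sats):", run_flawed())
    print("hardened pool: refusals, honest LP shares:", run_hardened())
```

In the flawed run the attacker's 0.1 BTC of self-trading turns 10 million tokens into a share of roughly 85% and a withdrawal of more than 0.9 BTC, leaving the users' pool with under 0.2 BTC; in the hardened run the same three moves are refused while a balanced, oracle-priced deposit still succeeds. The exact numbers depend on the constructed reserves, but the shape matches the write-up: the loss is bounded only by how much BTC the pool holds, and the fix is to stop valuing deposits by a ratio the depositor can move.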


Funds Flow After Attack

Following the attack, the stolen Bitcoin was swiftly transferred through multiple intermediary wallets to conceal its trail. While approximately 58.2 BTC was successfully extracted by the attackers, a significant volume of worthless memecoins, which facilitated the price manipulation, remains held within user accounts on Odin.fun. These tokens retain nominal value on the platform but lack genuine liquidity, leaving many users burdened with inflated assets despite the substantial loss of Bitcoin liquidity.


Relevant Addresses and Transactions

Attacker Address 1: urguz-m32zo-jlld6-pyy4l-z3c24-jv4pt-5fmll-gq2xd-6siiz-oxkao-xae

Attacker Address 2: jeypm-z6t4p-uqshx-dtay4-qgw5d-ca7j5-alviu-fch2d-nmsnc-c4k3k-aae

Affected Liquidity Pools: SATOSHI/BTC and ODINPEPE/BTC


Post Attack Mitigation

Following the exploit, Odin.fun immediately halted all trading and withdrawals while engaging third-party auditors to conduct a full code and architecture review. The team began collaborating with U.S. law enforcement, Chinese regulators, and major exchanges such as Binance and OKX to trace the stolen BTC. However, as the project's treasury was not sufficient to cover the losses, Odin.fun announced plans to draft a partial compensation scheme for affected users. In a public statement, founder Bob Bodily urged the attackers to return the funds, emphasizing, "This is not a negotiation."


Conclusion

The Odin.fun exploit demonstrates that protocol design flaws can be just as dangerous as smart contract bugs. By failing to validate token legitimacy and exposing treasury BTC to user-created pools, the platform allowed attackers to convert worthless tokens into real Bitcoin. This highlights the need for rigorous threat modeling, stronger safeguards for treasury-backed systems, and thorough independent security audits before launch. Until Odin.fun redesigns its liquidity model with proper validation and risk controls, its security and reliability remain in question. To learn how we help projects build trust and resilience in Web3, explore QuillAudits.
