SubQuery Network Security Incident: Full Disclosure and Recovery Plan

On April 12, 2026, five separate transactions exploited a vulnerability in the SubQuery Network’s Settings contract on the Base network, resulting in the unauthorized drainage of 382,433,441 SQT tokens (approximately $134,000 USD at the time). We take full responsibility for this incident. The exploit affected the Staking contract’s pooled SQT balances (TX1 and TX2), 272 individual staker and delegator wallets (TX3), deployment boosters (TX4), and a small protocol Treasury balance (TX5).

No user private keys were compromised. The root cause was an internal smart-contract configuration issue that we have now fully resolved. We are committed to transparency, rapid recovery, and preventing recurrence. Below is a complete, factual account based on our on-chain investigation (including full Tenderly traces).

Root Cause

The vulnerability was a missing onlyOwner access control modifier on the setContractAddress() function (selector 0xc413e5be) in the Settings contract implementation.

This function allows any caller to update the registered addresses for critical roles in the SQContracts enum (including StakingManager = sq=2 and RewardsDistributor = sq=8). The absence of the modifier meant the function could be called permissionlessly, bypassing the intended owner-only protection that existed elsewhere in the system.

The vulnerability has been present since the contract was deployed and was not introduced by any recent change. We have since added the onlyOwner modifier to both setContractAddress() and the related setBatchAddress() function.

Exact Contracts Affected

• Settings contract (implementation): The contract containing setContractAddress().
• Staking contract (TransparentUpgradeableProxy at 0x7A68b10Eb116a8b71a9b6f77b32b47eb591B6Ded): The contract that held all staked and delegated SQT.
• RewardsBooster contract: Drained via TX4 (SQToken swap vector).
• SQT token contract: Used for transfers and approvals.

No other contracts were modified or exploited.

Attack Path (Step-by-Step)

All three attacks used the same missing access-control gap but employed slightly different delivery mechanisms. The core path was:

1. Attacker calls setContractAddress(sq=2, attacker-controlled-address) to register themselves (or a temporary contract) as the StakingManager.
2. This unlocks two key functions in the Staking contract:
   • transferDelegationTokens(address _source, uint256 _amount) – moves SQT from any address that has approved the Staking proxy.
   • withdrawARequest(address _source, uint256 _index) – executes withdrawals.
3. Attacker also calls setContractAddress(sq=8, attacker-controlled-address) to register as RewardsDistributor.
4. Using RewardsDistributor privileges, the attacker calls unbondCommission() to create a Commission-type unbonding request (bypassing normal delegation checks).
5. The attacker then calls withdrawARequest() (still as StakingManager) to drain the accumulated SQT from the Staking contract, minus the standard 0.1% treasury fee.
6. After drainage, the attacker restores the original StakingManager and RewardsDistributor addresses to cover tracks.

TX1 & TX2 (pooled balance drain, ~230M SQT total) used temporary contract creation + selfdestruct.

TX3 (individual wallets, 129,494,294 SQT) used EIP-7702 code morphing on an address the attacker had owned for ~1.5 years. No phishing or key compromise occurred – the attacker self-authorized the morph.

Two additional smaller attacks used the same root vulnerability but different vectors: TX5 drained a small amount from the protocol Treasury via the spendQueryRewards function (StateChannel impersonation), while TX4 drained the RewardsBooster contract balance using a temporary SQToken address swap + booster manipulation.

Timeline of Events

• April 12, 2026 04:35 UTC: TX5 (small Treasury probe via StateChannel).
• April 12, 2026 05:04 UTC: TX1 drains ~218M SQT from the pooled Staking balance.
• April 12, 2026 05:28 UTC: TX2 drains ~11.8M SQT from the pooled Staking balance.
• April 12, 2026 06:05 UTC: TX4 drains ~22.8M SQT from the RewardsBooster contract.
• April 12, 2026 06:51 UTC: TX3 drains 129.5M SQT from 272 individual wallets into the now-empty Staking contract and withdraws the full amount.
• April 12–13, 2026: SubQuery team identifies the incident, simulates the full attack traces, restores original contract addresses, and deploys the fix (adding onlyOwner modifiers).

Audit History

The SubQuery ecosystem underwent two security audits:

• First audit: April 2022 – The settings contract was included in this audit and found to be secure at the time.
• Second audit: February 2024 – This was a targeted audit focused on specific components. The settings contract was not within scope.

The vulnerability was inadvertently introduced during a code refactor after the first audit. The second audit was scoped to other components and did not re-examine the settings contract.

We are now conducting a full review of all contracts to ensure no similar gaps exist.

Fixes Implemented

• Added onlyOwner modifier to setContractAddress() and setBatchAddress() in the Settings contract.
• Restored original StakingManager and RewardsDistributor addresses immediately after the incident.
• Deployed the patched Settings implementation via the existing proxy admin.
• The patched contract is now live and has been verified on BaseScan.

Preventative Measures Going Forward

The root cause of the vulnerability has been fixed. In addition, several other mitigations are being implemented to prevent similar issues in the future.

The following fixes are already planned or in progress:

Beyond these immediate code-level fixes, we have also performed an additional security scan using AI to identify potential vulnerabilities that traditional audits might miss.

Compensation & Recovery Plan

We are making whole every affected user. No staker or delegator will bear any loss from this incident.

• Who is eligible: All stakers and delegators whose SQT was held in the Staking contract (TX1 + TX2), the 272 individual wallets directly drained in TX3, and users with boosted deployments drained in TX4. TX5 affected only the protocol-owned Treasury (no user compensation required).Full victim list and amounts are available internally from the on-chain data.
• How compensation works: Automatic on-chain credit to affected wallets.
• Timeline for refunds: Compensation distribution will begin on 14 Apr and complete no later than 15 Apr.
• When functionality resumes: Withdrawals and normal Staking operations will resume once compensation distribution is complete and we have confirmed network stability.

Closing Statement

This incident is very unfortunate and we apologize to every member of the SubQuery community whose trust was impacted. We have acted swiftly to contain the exploit, restore the affected contracts, and prepare full compensation. 

We will continue to provide regular updates via our official channels. Thank you for your patience and continued support.

— The SubQuery Team

About SubQuery

SubQuery is building the foundational data layer of Web3 — open, scalable, and designed for the AI-driven future.

SubQuery Network provides decentralised data indexers and dRPCs that power thousands of dApps across nearly 300 networks. With AI-assisted tools in the SubQuery SDK and Model Context Protocol (MCP) integration, developers can easily build, deploy, and scale blockchain data infrastructure.

AskSubQuery.xyz provides graphql query MCP as a service. It is also the first product to connect to Hermes Subnet as an Authorized Caller.

With SubQuery, you can unlock intelligence in blockchain data.

​​​​Linktree | Website | Discord | Telegram | Twitter | Blog | Medium | LinkedIn | YouTube