The FoomCash Exploit: How a Faulty zk Verification Key Drained $1.6M
A single misconfigured Groth16 verifier constant broke proof soundness and let an attacker forge zkSNARK proofs—draining $1.6M from FoomCash across Ethereum and Base.
The FoomCash Exploit: How a Faulty zk Verification Key Drained $1.6M
In late February 2026, FoomCash—an Ethereum-based privacy protocol positioning itself as an "upgraded Tornado Cash"—suffered a critical cryptographic exploit that drained approximately $1.3M in FOOM tokens on Ethereum and an additional $316K on Base. No flash loans. No reentrancy. Just one misconfigured constant in a deployed Groth16 verifier.
What Is FoomCash?
FoomCash marketed itself as a ZK-based private transaction protocol that combined the anonymity model of Zcash with Ethereum's DeFi ecosystem and a built-in random reward mechanism. It used zkSNARK proofs—specifically the Groth16 proving system—to verify that users had legitimate deposits before allowing withdrawals, similar to how Tornado Cash operated with Merkle proofs.
Root Cause: gamma == delta
The vulnerability resided in the deployed Groth16 verifier contract at address 0xc043865fb4D542E2bc5ed5Ed9A2F0939965671A6. In a correctly configured Groth16 system, the verification key contains two distinct elliptic curve points: gamma and delta. These two constants serve separate mathematical roles—gamma binds public inputs, and delta binds the private witness. When they are equal, the algebraic separation between public input validation and witness validation completely collapses.
In FoomCash's deployed verifier, both gamma and delta were set to identical elliptic curve points (gamma == delta). This single misconfiguration broke the soundness guarantee of the proof system, meaning an attacker no longer needed to know any private witness—i.e., a real deposit—to generate a proof that the verifier would accept.
The Math Behind the Forgery
In a standard Groth16 verification equation, the check involves a pairing computation that validates both the public inputs via vk_x and the secret witness. When gamma equals delta, the equation simplifies such that the witness-binding term cancels out entirely. The entire verification reduces to a condition that only depends on vk_x—a value computed directly and deterministically from the public inputs alone.
Because vk_x is fully derived from public inputs, and all parameters passed to the collect() function were attacker-controlled, the attacker could calculate vk_x off-chain and then set the proof element pC algebraically such that the verification equation balanced. By simply incrementing the nullifierHash parameter for each call, the attacker produced a fresh valid vk_x, recomputed the corresponding pC, and submitted a completely forged proof—accepted by the verifier every single time.
Attack Execution
The attacker deployed a helper contract to automate the attack loop. Each iteration incremented nullifierHash, recomputed forged proof parameters off-chain, and called collect() with the new inputs. No real deposit was ever made. The verifier accepted every forged proof, dispensing FOOM tokens on each call.
The exploit was cross-chain. On Ethereum, approximately $1.3M worth of FOOM tokens were drained and subsequently swapped for USDT at discounted prices. On Base, a single attack transaction extracted approximately $427K. The Base-side FOOM tokens were then bridged back to Ethereum via FoomCash's own official bridge contract. Blockchain security firms BlockSec and GoPlus Security both independently flagged the attack in real time.
Notably, a portion of the Ethereum-side activity—approximately $1.83M in transactions—appears to have been a white-hat rescue operation by ethical hackers attempting to front-run the attacker and recover funds on behalf of the protocol, though this was not officially confirmed by the FoomCash team.
A Systemic Pattern: Veil Cash Before It
This was not an isolated incident. The identical vulnerability class—gamma equaling delta in a Groth16 verifier—was exploited in the Veil Cash protocol just days before the FoomCash breach. FoomCash's attack is widely described as a copycat exploit, demonstrating that teams cloning or forking privacy protocol infrastructure are copying the misconfiguration along with the code. This points to a systemic risk: when verifier contracts are deployed without dedicated cryptographic auditing, the same flaw propagates across the ecosystem.
Critical Security Takeaways
The FoomCash exploit demonstrates that zk-based protocols face a uniquely dangerous threat model. Unlike typical smart contract bugs where business logic is wrong, cryptographic misconfigurations can make security guarantees mathematically void—without producing any on-chain anomaly until funds are actively drained. The verifier appeared to function normally until the attacker struck.
Any protocol using Groth16, PLONK, or other zkSNARK backends must treat the verification key as mission-critical security infrastructure. Key invariants to enforce include: gamma must not equal delta, all curve points must lie on the correct subgroup, and the trusted setup ceremony output must be independently verified. These checks must be part of a mandatory pre-deployment cryptographic audit, not a post-deployment review.
Invariant testing frameworks should include explicit assertions for these conditions. Protocols that fork or clone existing verifier contracts must re-audit the cryptographic constants, not assume the upstream code was correctly configured.
The Protocol's Silence
FoomCash had shown no public activity from either its FoomCash or FoomClub accounts since November 2025—before the exploit even occurred. Following the breach, no official post-mortem, recovery plan, or communication was issued by the team. This absence of incident response compounded the reputational damage and left users without clarity on potential fund recovery pathways.
At 0xTeam, we specialize in the exact class of vulnerabilities that took down FoomCash—cryptographic misconfiguration, zk circuit under-constraints, and faulty verifier deployments. Our audit methodology combines automated scanning with deep manual cryptographic review, including explicit verification key validation and pairing equation analysis for all Groth16 and PLONK deployments. A single misconfigured constant cost FoomCash $1.6M and its community's trust. That's a cost no protocol should have to bear. Request an Audit
.png&w=3840&q=75)
