HermesVault shuts down after $29K ALGO hack

Algorand-based privacy protocol HermesVault has shut down after approximately 261,000 ALGO ($29,466) was stolen from the service, lead protocol engineer Giulio Pizzini announced on X. He explained that while the zero-knowledge (zk) circuit itself was secure, a flaw in the key reset defense logic of the withdrawal verification script allowed a hacker to bypass zk verification and withdraw the funds. Pizzini added that the vulnerability has been patched and 230,000 ALGO has already been refunded. Victims of the remaining 30,000 ALGO theft can receive a full refund by proving ownership of their address and providing a secret note.