Pundi AI Hack
Incident Overview
On July 12, 2025, Pundi AI suffered a security exploit when a vulnerability in the PUNDIAI token swap contract was exploited through a front-running attack during deployment, resulting in unauthorized minting of approximately 1 million PUNDIAI tokens valued at around $6 million.
The attack targeted a vulnerability in the PUNDIAI token swap contract through a front-running attack executed during the contract deployment phase. This exploitation allowed the attacker to mint approximately 1 million unauthorized PUNDIAI tokens with an estimated value of $6 million at the time of the incident. Pundi AI detected the unauthorized activity and immediately initiated recovery operations, pausing all on-chain transfers of PUNDIAI tokens on both ERC20 and Pundi AIFX Omnilayer networks within three hours of detection.
The team coordinated with major exchanges including Upbit, Bithumb, Coinone, Gate.io, MEXC, and Coinex to implement asset freezes. Through these coordinated efforts, approximately 87% of the affected funds were successfully recovered, leaving a remaining loss of nearly $2 million that the project team committed to fully cover from their own resources. Pundi AI executed a 1:1 airdrop of new PUNDIAI tokens to ensure no users experienced losses.
Incident Report
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Pundi AI, these are the critical security checks that could have prevented this incident (July 2025).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
-
01
Source 1 https://hacked.slowmist.io/
- 02
Learn to Prevent the Next Pundi AI
The Pundi AI hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.