Blockchain company Garden admits it was compromised and temporarily shut down its app after approximately $11 million worth of assets were stolen.

In a statement issued on Friday, Garden again said that user funds were safe and that the attack exploited one of its solvers. 

In the context of decentralized finance, a solver is typically an algorithm or trading agent that’s relied on to execute transactions in the most efficient manner possible.

Garden is a blockchain bridge protocol company, and its solvers earn a small profit for carrying out transactions between blockchains. They often hold funds of their own – not the users’ – which are used to fulfill orders quickly.

Some controversy arose shortly after the initial announcement via X. Garden framed the disclosure in a way that suggested its compromised solver was truly autonomous, or perhaps external to its own infrastructure. However, one prominent blockchain infosec researcher, ZachXBT, has claimed it might have been managed by a team member. 

Those involved in the field tend to believe solvers should ideally be running autonomously – in keeping with the spirit of DeFi – although blockchain investigator ZachXBT alleged this was not the case. 

ZachXBT stated on X that they were not convinced, pointing to messages sent to the attacker that they said appeared to be from a Garden team deployer address, potentially suggesting the compromised solver was linked to and likely operated by a team member.

The message to the attackers offered a 10 percent reward for returning what they stole.

How the attackers exploited the solver is not yet known, not even to the Bitcoin bridge company, which said in its message that the 10 percent reward was conditional on the attacker “helping us understand the exploit,” as well as returning all the stolen funds to Garden.

In a statement shared by Garden cofounder Jaz Gulati, the company said it is working on identifying the root cause and working with outside security experts to prevent similar attacks in the future.

“Importantly, the Garden protocol remains unaffected no user funds were lost, and the system’s trustless design continues to work as intended. This incident was isolated to a single solver, with no impact on the protocol at all.

“Our immediate priority is to assess the root cause, restore operations safely and bring the app back online as soon as possible. From there, our focus will shift toward onboarding more independent solvers to ensure greater redundancy and resilience.”

Gulati cofounded Garden in 2023, alongside Susruth Nadimpalli, and since then it claims to have “bridged” $2 billion worth of cryptocurrencies – moving them from one blockchain to another.

Gulati announced the milestone on October 20, but drew criticism from the likes of Taylor Monahan, security researcher at MetaMask, who alleged that a sizable portion of these bridges were carried out by North Korean cybercriminals.

The cofounder responded saying that “user safety and compliance have always been our number one priority so we don’t take these claims lightly,” before explaining the other measures it takes to identify malicious users.

ZachXBT similarly accused Garden of ignoring victims days after Monahan’s post, citing incidents such as North Korea’s $1.5 billion raid on Bybit earlier this year, claiming that more than 25 percent of the funds bridged by Garden’s protocol were processed from stolen funds.

He said: “Garden raised the swap limit to 10 BTC (approx $1.1 million) earlier this year and it has since had a few illicit entities abusing large swaps. 

“Their silence to return the 6-7 figs in profits from the illicit actors flooding them is my biggest issue.” ®