SWEAT Loses Control of 65% of Supply for 30 Seconds — and Wins It All Back Within Hours

An attacker drained roughly 13.71 billion SWEAT tokens (~65% of total supply, ~$3.5M) from top holder accounts on Near in a 30-second window. Blockaid flagged it; the SWEAT team paused the contract; MEXC and Rhea Finance froze attacker liquidity. All external account balances were fully restored.

SWEAT lost control of two-thirds of its supply for half a minute — and walked away with reputation enhanced rather than damaged.

An attacker exploited a vulnerability in the SWEAT token contract on the Near Protocol at approximately 13:36 UTC on April 30, 2026, draining funds from the top 100 SWEAT holder accounts in a coordinated 30-second window. At the peak of the attack, the exploiter controlled roughly 13.71 billion SWEAT — about 65% of total supply, worth approximately $3.5 million at the time. By end of day, the SWEAT team had reversed virtually all damage. The post-incident outcome was the rare case in DeFi exploits where the response — rather than the attack — became the story.

How the attack unfolded

The exploit was flagged by crypto security firm Blockaid, which observed multiple SWEAT Foundation accounts being drained completely within roughly 30 seconds. The attacker then began moving the captured tokens through Ref Finance, a Near-native DEX, with apparent intent to liquidate into other assets, and used Wormhole / Portal Bridge for cross-chain movement. The contract vulnerability allowed access to balances held by what the team described as "a small set of high-value holder accounts," concentrated by design in protocol treasury and reward-pool wallets — which is why a 30-second window was enough to capture two-thirds of supply.
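A monitoring heuristic for the pattern described above, many accounts emptied into one destination within about 30 seconds, as an added example that is not from the article and is not Blockaid's or SWEAT's code. The event fields, thresholds and account names are assumptions, and the sample transfers are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: float                  # seconds, constructed timeline
    sender: str
    receiver: str
    amount: int
    sender_balance_after: int  # 0 means the sender was emptied

def detect_drains(transfers, total_supply, window_s=30,
                  min_drained=3, min_share=0.05):
    """Alert once per receiver that, inside one window, emptied at least
    min_drained distinct accounts and took in min_share of total supply."""
    recent = defaultdict(deque)  # receiver -> transfers still in window
    alerted, alerts = set(), []
    for t in sorted(transfers, key=lambda x: x.ts):
        q = recent[t.receiver]
        q.append(t)
        while t.ts - q[0].ts > window_s:   # expire old transfers
            q.popleft()
        drained = sorted({x.sender for x in q if x.sender_balance_after == 0})
        share = sum(x.amount for x in q) / total_supply
        if (t.receiver not in alerted and len(drained) >= min_drained
                and share >= min_share):
            alerted.add(t.receiver)
            alerts.append({"receiver": t.receiver, "ts": t.ts,
                           "drained": drained, "share": round(share, 4)})
    return alerts

# Constructed sample: ordinary exchange deposits plus one burst into "sink".
TOTAL_SUPPLY = 1_000_000
SAMPLE = [
    Transfer(0, "alice", "exchange", 500, 1_500),
    Transfer(100, "bob", "exchange", 300, 0),      # lone full withdrawal
    Transfer(1000, "treasury", "sink", 300_000, 0),
    Transfer(1008, "rewards", "sink", 200_000, 0),
    Transfer(1015, "holder3", "sink", 100_000, 0),
    Transfer(1029, "holder4", "sink", 50_000, 0),
    Transfer(5000, "carol", "exchange", 200, 0),
]

if __name__ == "__main__":
    for alert in detect_drains(SAMPLE, TOTAL_SUPPLY):
        print(alert)
```

Requiring both conditions keeps a busy exchange deposit address or a single user cashing out from tripping the alert, while the burst into one receiver fires on the third emptied account.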

How the response actually worked

Three defensive moves in rapid sequence. First, the SWEAT team paused the token contract directly, freezing further transfers — a centralized control surface that, in this case, was the entire reason the attack didn't end in catastrophic loss. Second, the team contacted MEXC, a centralized exchange where the attacker had attempted to deposit drained tokens; MEXC froze the attacker's account before any liquidation could clear. Third, Rhea Finance, a Near-based on-chain liquidity provider, paused SWEAT trading on its venue, removing the secondary on-chain liquidity path. The combination of a contract pause, an exchange freeze, and a DEX trading halt within minutes meant the attacker controlled the tokens but couldn't convert them to anything realizable.

The team's post-incident statement: "ALL external account balances have been fully restored and operations are back to normal." A formal incident report will be filed with relevant law enforcement, and a forensic post-mortem is planned for public release.

The decentralization debate this re-opens

This response is a textbook example of centralized incident response producing the best user outcome — and an inconvenient one for the maximalist version of decentralization. The pausable token contract that allowed SWEAT to freeze the attacker is exactly the feature that purists denounce; the relationships with MEXC and Rhea that allowed liquidity choke-off are exactly the kind of off-chain coordination that "trustless" rhetoric disclaims. Yet the alternative — an immutable contract, no exchange or DEX coordination, $3.5M permanently lost to retail token holders — would have been the worse outcome by every measurable user-impact dimension. The honest framing: practical DeFi security in 2026 is hybrid, and the hybrid worked here.

BlockAI News' View

Two non-obvious takeaways. First: Blockaid's role is the underrated story. Real-time on-chain security monitoring that can flag and route an alert to the issuer team within seconds of an attack is becoming infrastructure, not a feature. Expect Blockaid (and its peers Forta, Hypernative, Octane Security) to be central to every meaningful exploit-response narrative this year, and watch for the eventual acquisition or partnership announcement with a major chain or exchange. Second: the SWEAT incident is going to be cited by regulators arguing for mandatory pause functionality in tokens issued to retail, particularly in EU MiCA implementation and among US state-level securities regulators. The maximalist resistance to that framing has just lost a meaningful talking point, and projects designing new tokens should expect the regulatory baseline to drift toward "must have an emergency pause."

Sweat Economy Tokens Worth Over $2M Drained in Reported Attack
Crypto Times' coverage of the initial drain detection by Blockaid and the SWEAT Foundation account targeting.


How we report: This article cites primary sources, regulatory filings, and on-chain data where available. BlockAI News uses AI tools to assist with research and first-draft generation; every article is reviewed and edited by a human editor before publication.
