Galxe SpaceStation V2 Hit by $219K Signer Key Exploit

18th May 2026. The Galxe SpaceStation V2 exploit drained approximately $219,411 from retired reward contracts across six blockchains after attackers compromised an internal signer key.

High Signal Summary For A Quick Glance

  • A compromised internal signer key drained approximately $219,411 in USDT, USDC, BUSD, OP, and CYBER from Galxe’s retired SpaceStation V2 reward contracts across Ethereum, BSC, Polygon, Arbitrum, Base, and Optimism
  • No user wallets, approvals, or deposited funds were affected; the exploit only touched residual platform-deposited tokens sitting inside the legacy contracts
  • Galxe disclosed the incident approximately three hours after the first exploit transaction and confirmed the root cause has been identified, with a full post-mortem forthcoming
  • Who is affected: Galxe platform users who previously interacted with SpaceStation V2 reward contracts, though Galxe confirms their wallets remain completely safe
  • Who is affected: DeFi projects managing legacy or deprecated smart contracts with unrotated signer keys or admin controls that could become dormant attack surfaces
🟢 Short term: Renewed industry focus on legacy contract security hygiene, key rotation practices, and residual balance management for deprecated infrastructure
🟡 Long term: Projects may adopt stricter policies for retiring smart contracts, including mandatory key rotation, balance sweeps, and automated pausing mechanisms
🔴 Key risk: Other platforms with retired or deprecated contracts using unrotated signer keys face similar exposure until they audit and secure legacy infrastructure

On-chain data shows the first exploit transaction hit Ethereum at approximately 06:07 UTC on May 18, 2026. Galxe then publicly disclosed the incident about three hours later at 09:00 GMT via its official X account. The platform confirmed that no user wallets, approvals, or deposited funds took any damage.

The attacker targeted residual tokens sitting inside retired reward contracts on Ethereum, BSC, Polygon, Arbitrum, Base, and Optimism. Specifically, the drained assets included USDT, USDC, BUSD, OP, and CYBER.

How the Galxe SpaceStation V2 Exploit Worked

SpaceStation V2 contracts served as legacy reward distribution contracts tied to earlier quest campaigns on the Galxe platform. Users would connect wallets and claim rewards through EIP-712 signed transactions. As a result, each claim required a valid signature from the platform’s authorized signer address.

The compromised signer address, 0xC638B660694688c559D67016F4cD58d408aba306, sat immutably in all V2 contracts. Because the contracts themselves are immutable on-chain, the team could not rotate the signer key without deploying entirely new contracts. Consequently, no one had changed the key since original deployment.

The attacker, operating from address 0x6dBA9Be4fbA81CB9928ae7Ae5B909cb6C4577Aac, forged valid EIP-712 signatures using the compromised key. This allowed unauthorized claims against the contracts’ residual token balances through repeated EventClaim calls. For example, a key Ethereum exploit transaction shows large volumes of USDT and USDC moving in a single batch.

Why User Wallets Stayed Safe

SpaceStation V2 contracts only held platform-deposited reward tokens. Users connected wallets to claim rewards but never sent funds to these contracts. Therefore, the exploit only touched the contracts’ internal balances.

The attack did not require or compromise any user approvals, signatures, or private keys. Even users who previously interacted with the Galxe SpaceStation V2 contracts face no risk from this incident.

Galxe confirmed this directly in its disclosure. “NO user wallets or funds were affected,” the team stated. “Even if you connected to these contracts in the past, your wallet is completely safe.”

Galxe’s Official Response

Galxe disclosed the breach approximately three hours after the first exploit transaction. The team stated it had identified the root cause and begun updating security controls.

“We identified the root cause and are updating our security controls,” Galxe wrote on X. “We will share a full report once the investigation is done.”

On-chain records also show the affected Ethereum contract received an “Update Paused” transaction, indicating Galxe moved to freeze remaining assets. Meanwhile, CEO Charles Wayn and other named executives have not released any public statements. Similarly, no official blog post, Discord, or Telegram announcement has appeared beyond the initial X post.

Independent Researchers Confirm the Details

On-chain security researchers @exvulsec and @chrisdior777 independently verified the incident timeline and scope. Their analysis aligns with Galxe’s “no user funds affected” framing while also confirming the approximately $219,000 contract-level drain.

Major security firms such as PeckShield, SlowMist, and CertiK have not yet published findings. Because the incident occurred less than six hours before reporting, this gap is expected. Notably, no conflicting accounts have surfaced from any source.

Galxe’s Security Track Record

This is not Galxe’s first security incident. In October 2023, the platform suffered a DNS hijack that redirected users to a malicious front end. That attack led to actual user fund losses through fraudulent wallet connections.

In contrast, today’s incident is significantly smaller in scope. The $219,411 drain affected only legacy contract balances, not active user funds. Galxe now serves over 25 million users. The platform also operates the Gravity Layer-1 blockchain, which launched its mainnet in Q4 2025.

The Galxe SpaceStation V2 contracts entered retirement before 2026. Both Galxe and independent analysts consistently describe them as deprecated legacy infrastructure, though neither party has specified the exact retirement date.

Market Impact and Token Price

The GAL token, now migrated to the Gravity token G, showed no material price reaction in early data. As of the May 17, 2026 close, GAL traded at approximately $0.33 with normal 24-hour volume.

Additionally, no on-chain GAL or G token movements connect to the incident. The drained amount of roughly $219,000 across stablecoins and minor tokens represents residual protocol funds, not circulating token supply.

What Remains Unknown

Several key details still await answers. Galxe has not disclosed the exact method of key compromise. It could involve phishing, an insider breach, or a supply-chain attack. Whether additional contracts or chains suffered beyond those already identified also remains unclear.

The total drained across all chains comes from researcher estimates. Galxe has not confirmed a final figure. Investigators also do not know when the attacker first accessed the signer key. Galxe has explicitly promised a full post-mortem but has not set a release date.

The Bigger Lesson for DeFi Security

This incident highlights a persistent risk in decentralized infrastructure. Retired smart contracts remain live on-chain indefinitely. If teams do not actively manage signer keys or admin controls, deprecated contracts become dormant attack surfaces.

Key rotation, contract pausing mechanisms, and residual balance sweeps all serve as standard mitigations. Projects that retire contracts without these steps leave value exposed. The Galxe SpaceStation V2 exploit clearly demonstrates what happens when teams leave legacy infrastructure unattended.
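The three mitigations named above, and the contrast with a signer fixed at deployment as described earlier for the V2 contracts, can be seen in one contract. This is an added sketch, not Galxe's code: the contract name, the Claim layout and every function name are assumptions, and it relies on OpenZeppelin Contracts 5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Galxe's SpaceStation code. Assumes OpenZeppelin Contracts 5.x.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract RetirableRewardClaims is Ownable, Pausable, EIP712 {
    using SafeERC20 for IERC20;
    // Hypothetical typed-data layout for one reward claim.
    bytes32 private constant CLAIM_TYPEHASH =
        keccak256("Claim(uint256 claimId,address token,address to,uint256 amount,uint256 deadline)");
    address public signer;                    // storage, not `immutable`, so it can be rotated
    mapping(uint256 => bool) public claimed;  // each claimId pays out at most once
    event SignerRotated(address indexed previous, address indexed current);

    constructor(address owner_, address signer_) Ownable(owner_) EIP712("RetirableRewardClaims", "1") {
        signer = signer_;
    }

    function claim(uint256 claimId, IERC20 token, address to, uint256 amount, uint256 deadline, bytes calldata sig) external whenNotPaused {
        require(block.timestamp <= deadline, "signature expired");
        require(!claimed[claimId], "already claimed");
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
            CLAIM_TYPEHASH, claimId, address(token), to, amount, deadline)));
        require(signer != address(0) && ECDSA.recover(digest, sig) == signer, "bad signer");
        claimed[claimId] = true;
        token.safeTransfer(to, amount);
    }

    // Key rotation: signatures made with the previous key stop verifying at once.
    function rotateSigner(address next) external onlyOwner {
        require(next != address(0), "use retire()");
        emit SignerRotated(signer, next);
        signer = next;
    }

    // Retirement: freeze claims, revoke the signer, sweep every residual balance.
    function retire(IERC20[] calldata tokens, address treasury) external onlyOwner {
        if (!paused()) _pause();
        emit SignerRotated(signer, address(0));
        signer = address(0);
        for (uint256 i = 0; i < tokens.length; i++) {
            tokens[i].safeTransfer(treasury, tokens[i].balanceOf(address(this)));
        }
    }
}
```

With this layout the owner key becomes the admin control that has to be protected (for example behind a multisig), while the signer can remain an operational key because it can be replaced or zeroed. After `retire()` a leaked signer key has nothing to claim against: claims are paused, no signature verifies, and the balances are gone.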

Galxe says a full report will follow the investigation. Until then, the platform’s current infrastructure remains fully operational and unaffected.

Frequently Asked Questions

What is Galxe SpaceStation V2?
SpaceStation V2 refers to legacy reward distribution contracts that Galxe used for earlier quest and campaign reward claims. These contracts allowed users to connect wallets and claim tokens using EIP-712 signed transactions, but they were retired and deprecated before 2026.

How did the attacker drain Galxe’s retired contracts?
The attacker compromised an internal signer key that the V2 contracts used to verify reward claims. Because the key was immutable in the contracts and had never been rotated, the attacker forged valid signatures to drain residual token balances across six chains.

Are Galxe user wallets and funds safe after the exploit?
Yes. Galxe confirmed that no user wallets, approvals, or deposited funds were affected. The exploit only targeted residual platform-deposited tokens inside the retired contracts. Even users who previously interacted with SpaceStation V2 face no risk.

How much was stolen in the Galxe SpaceStation V2 exploit?
Independent security researchers estimate approximately $219,411 in tokens were drained across Ethereum, BSC, Polygon, Arbitrum, Base, and Optimism. The assets included USDT, USDC, BUSD, OP, and CYBER. Galxe has not yet confirmed the final figure.

Will Galxe release a full post-mortem report?
Galxe has explicitly promised a full report once its investigation concludes. The team stated it has identified the root cause and is updating security controls, but no specific release date for the post-mortem has been announced.
