According to Beosin Alert monitoring, Narwhal's NRW token is suspected of being used for a total of about $1.5 million (97,000 US dollars on January 6 and 500,000 US dollars on January 5). Most of the stolen funds were sent to Tornado Cash. For the vulnerability on January 6, the attacker called withdraw() and passed in the signer information. The contract is not open source. After decompiling, it was found that the signer address was set by the contract owner. It is suspected that the signer's private key was leaked or the information was forged.

Previously, Narwhal disclosed that it had encountered a hacker contract, resulting in the theft of NRW tokens. Narwhal stated that it would rebuild the liquidity pool within three days starting yesterday. Narwhal also stated that it is developing a new platform to enhance security and ensure that similar events will not occur in the future.