According to Beosin Alert monitoring, Narwhal's NRW token is suspected of being used for a total of about $1.5 million (97,000 US dollars on January 6 and 500,000 US dollars on January 5). Most of the stolen funds were sent to Tornado Cash. For the vulnerability on January 6, the attacker called withdraw() and passed in the signer information. The contract is not open source. After decompiling, it was found that the signer address was set by the contract owner. It is suspected that the signer's private key was leaked or the information was forged.