Gym Network Missing Signature Check
Gym Network on BNB Chain lost $2.1M after a deposit function accepted a referrer signature without validating it, letting the attacker mint huge GYMNET rewards.
- Date
- Victim
- Gym Network
- Chain(s)
- Status
- Funds Stolen
On June 8, 2022, the BNB Chain yield/MLM-style farm Gym Network lost approximately $2.1 million because a deposit function accepted a signature parameter but never validated it. The attacker passed an unchecked signature and a crafted deposit to mint a hugely disproportionate amount of GYMNET rewards from a near-zero deposit, then dumped the tokens.
What happened
Gym Network's depositFromOtherContract (or equivalent) flow took a signature meant to authorise the operation. The contract decoded the signature but never verified it against an authorised signer. With the check effectively absent, the attacker supplied arbitrary parameters, deposited a trivial amount, and was credited an enormous GYMNET reward, which they sold.
Aftermath
- Gym Network paused the affected contract and patched signature verification.
- GYMNET token collapsed from the dump; partial protocol continuation followed.
Why it matters
Gym Network is a textbook "signature parameter present but unverified" bug — the same class as KiloEX (2025) and others where the appearance of a security check (a signature in the function signature) gave false assurance while the actual verification was missing or broken. The lesson the catalogue keeps teaching: a security mechanism that is present in the interface but not enforced in the implementation is worse than none, because it manufactures false confidence. Auditors and tests must verify the check fires and rejects, not merely that the parameter exists.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-gym-network-hack-june-2022
- [02]chainzoom.substack.comhttps://chainzoom.substack.com/p/21-million-hack-on-gym-network
- [03]rekt.newshttps://rekt.news/gymnet-rekt