Summary of the security incident

In October 2025, BlockHound conducted an independent forensic investigation into a security breach affecting a third-party market maker (MM) wallet operating on the BNB Smart Chain.

The wallet, which was fully controlled and operated by the market maker and not by Astra Nova, was compromised by an external attacker.

Within a short window of approximately thirty minutes, the attacker gained unauthorized access to the MM's wallet, withdrew USDT stored inside it, and intercepted RVV tokens that were automatically routed there as part of the market maker's settlement processes.

In total, around 187,370 USDT and 199,771,980 RVV were drained from the MM wallet.

Astra Nova's internal systems, smart contracts, and operational wallets were never compromised.

Loss profile
What the attacker drained from the MM wallet.
187,370USDT
199,771,980RVV
~30 minAttack window
BNB ChainNetwork
Source — BlockHound forensic analysis, Oct 18, 2025

Timeline of events

All times are UTC on October 18, 2025.

Reconstructed sequence
From first unauthorized access to consolidation of stolen tokens.
15:52
The attacker accessed the MM-operated wallet and withdrew 118,612 USDT.
15:56
As part of routine market maker settlement activity, 100 million RVV was automatically routed into the MM's wallet. Because the attacker had gained control, the tokens were immediately transferred out.
16:13
A second settlement transfer of 100 million RVV was routed into the same wallet and again immediately drained by the attacker.
16:22
BlockHound's monitoring tools detected the consolidation of all drained RVV into an address controlled by the attacker. Upon detecting the abnormal activity, Astra Nova immediately halted all interactions with the compromised MM infrastructure.
16:48
Astra Nova promptly notified Binance and other exchanges, requesting emergency freezes and providing early forensic information to assist with containment and potential recovery.
Note — RVV settlement transfers were part of the MM's automated liquidity and settlement system. Astra Nova did not initiate or manually approve these transactions.

Attacker behavior and movement of funds

BlockHound's analysis shows that the attacker moved the stolen assets across several wallets before consolidating most of the value into a primary address.

Preliminary indicators suggest portions of the stolen funds may have passed through automated routing services such as Changelly and may have partially reached LBank.

Further confirmation of these paths depends on internal logs held by the respective platforms. BlockHound has supplied all relevant addresses and flows to impacted exchanges.

Root cause

The breach was caused by the compromise of a third-party market maker's hot wallet, which was externally operated and not under Astra Nova's control.

The investigation found no evidence of compromise or vulnerability in Astra Nova's own systems, contracts, or private infrastructure.

Response and ongoing recovery efforts

Following the detection of the breach, Astra Nova and BlockHound took the following actions:

  • Immediately notified Binance and other exchanges to freeze associated assets.
  • Collaborated with HitBTC, Changelly, and other platforms to block attacker-linked funds.
  • Contacted Tether to request the freezing of remaining USDT tied to the attacker's addresses.
  • Delivered forensic data packages to all relevant exchanges.
  • Engaged in ongoing monitoring of attacker addresses for any movement of funds.

BlockHound continues to support Astra Nova and exchange partners as additional information becomes available.

Security enhancements implemented

To prevent future incidents involving external service providers, Astra Nova has adopted a strengthened operational framework:

  • Mandatory verification of all third-party wallet activities.
  • Multi-person approval process for large transfers.
  • Real-time alerting and monitoring tools for all externally operated wallets.
  • Stricter audit and security requirements for market makers and partners.
  • Additional safeguards around routing, settlement, and liquidity operations.

These improvements significantly reduce the likelihood of similar incidents and enhance ongoing protection for the project and its community.

Conclusion

BlockHound's investigation confirms that this incident resulted from the external compromise of a third-party market maker's wallet, not from a breach of Astra Nova's infrastructure.

Astra Nova responded rapidly once abnormal behavior was detected and has taken robust steps to strengthen its security posture going forward.

BlockHound will continue to support the recovery and monitoring process as additional developments occur.

Other casework