Galxe SpaceStation V2 Hit by $219K Signer Key Exploit

n-chain data shows the first exploit transaction hit Ethereum at approximately 06:07 UTC on May 18, 2026. Galxe then publicly disclosed the incident about three hours later at 09:00 GMT via its official X account. The platform confirmed that no user wallets, approvals, or deposited funds took any damage.

The attacker targeted residual tokens sitting inside retired reward contracts on Ethereum, BSC, Polygon, Arbitrum, Base, and Optimism. Specifically, the drained assets included USDT, USDC, BUSD, OP, and CYBER.

How the Galxe SpaceStation V2 Exploit Worked

SpaceStation V2 contracts served as legacy reward distribution contracts tied to earlier quest campaigns on the Galxe platform. Users would connect wallets and claim rewards through EIP-712 signed transactions. As a result, each claim required a valid signature from the platform’s authorized signer address.

The compromised signer address, 0xC638B660694688c559D67016F4cD58d408aba306, sat immutably in all V2 contracts. Because the contracts themselves are immutable on-chain, the team could not rotate the signer key without deploying entirely new contracts. Consequently, no one had changed the key since original deployment.

The attacker, operating from address 0x6dBA9Be4fbA81CB9928ae7Ae5B909cb6C4577Aac, forged valid EIP-712 signatures using the compromised key. This allowed unauthorized claims against the contracts’ residual token balances through repeated EventClaim calls. For example, a key Ethereum exploit transaction shows large volumes of USDT and USDC moving in a single batch.

Why User Wallets Stayed Safe

SpaceStation V2 contracts only held platform-deposited reward tokens. Users connected wallets to claim rewards but never sent funds to these contracts. Therefore, the exploit only touched the contracts’ internal balances.

The attack did not require or compromise any user approvals, signatures, or private keys. Even users who previously interacted with the Galxe SpaceStation V2 contracts face no risk from this incident.

Galxe confirmed this directly in its disclosure. “NO user wallets or funds were affected,” the team stated. “Even if you connected to these contracts in the past, your wallet is completely safe.”

Galxe’s Official Response

Galxe disclosed the breach approximately three hours after the first exploit transaction. The team stated it had identified the root cause and begun updating security controls.

“We identified the root cause and are updating our security controls,” Galxe wrote on X. “We will share a full report once the investigation is done.”

On-chain records also show the affected Ethereum contract received an “Update Paused” transaction, indicating Galxe moved to freeze remaining assets. Meanwhile, CEO Charles Wayn and other named executives have not released any public statements. Similarly, no official blog post, Discord, or Telegram announcement has appeared beyond the initial X post.

Independent Researchers Confirm the Details

On-chain security researchers @exvulsec and @chrisdior777 independently verified the incident timeline and scope. Their analysis aligns with Galxe’s “no user funds affected” framing while also confirming the approximately $219,000 contract-level drain.

Major security firms such as PeckShield, SlowMist, and CertiK have not yet published findings. Because the incident occurred less than six hours before reporting, this gap is expected. Notably, no conflicting accounts have surfaced from any source.

Galxe’s Security Track Record

This is not Galxe’s first security incident. In October 2023, the platform suffered a DNS hijack that redirected users to a malicious front end. That attack led to actual user fund losses through fraudulent wallet connections.

In contrast, today’s incident is significantly smaller in scope. The $219,411 drain affected only legacy contract balances, not active user funds. Galxe now serves over 25 million users. The platform also operates the Gravity Layer-1 blockchain, which launched its mainnet in Q4 2025.

The Galxe SpaceStation V2 contracts entered retirement before 2026. Both Galxe and independent analysts consistently describe them as deprecated legacy infrastructure, though neither party has specified the exact retirement date.

Market Impact and Token Price

The GAL token, now migrated to the Gravity token G, showed no material price reaction in early data. As of the May 17, 2026 close, GAL traded at approximately $0.33 with normal 24-hour volume.

Additionally, no on-chain GAL or G token movements connect to the incident. The drained amount of roughly $219,000 across stablecoins and minor tokens represents residual protocol funds, not circulating token supply.

What Remains Unknown

Several key details still await answers. Galxe has not disclosed the exact method of key compromise. It could involve phishing, an insider breach, or a supply-chain attack. Whether additional contracts or chains suffered beyond those already identified also remains unclear.

The total drained across all chains comes from researcher estimates. Galxe has not confirmed a final figure. Investigators also do not know when the attacker first accessed the signer key. Galxe has explicitly promised a full post-mortem but has not set a release date.

The Bigger Lesson for DeFi Security

This incident highlights a persistent risk in decentralized infrastructure. Retired smart contracts remain live on-chain indefinitely. If teams do not actively manage signer keys or admin controls, deprecated contracts become dormant attack surfaces.

Key rotation, contract pausing mechanisms, and residual balance sweeps all serve as standard mitigations. Projects that retire contracts without these steps leave value exposed. The Galxe SpaceStation V2 exploit clearly demonstrates what happens when teams leave legacy infrastructure unattended.

Galxe says a full report will follow the investigation. Until then, the platform’s current infrastructure remains fully operational and unaffected.