Galxe SpaceStation V2 exploit drained about $219K from retired reward contracts after a compromised signer key attack across six blockchains.
Author: Akshay
18th May 2026. The Galxe SpaceStation V2 exploit drained approximately $219,411 from retired reward contracts across six blockchains after attackers compromised an internal signer key.
High Signal Summary For A Quick Glance
AqibAi
@Aqib__786Ai
@Galxe Appreciate the fast transparency and clear communication. Most important part: ✅ User wallets and funds remained safe ✅ Issue was isolated ✅ Root cause already identified Incidents happen in crypto, what matters is how quickly teams respond, contain, and communicate. Looking
🚨 Security Update: Earlier today, a compromised internal key affected our retired Galxe SpaceStation V2 contracts. NO user wallets or funds were affected. Even if you connected to these contracts in the past, your wallet is completely safe. The issue was strictly isolated to
10:06 AM·May 18, 2026
n-chain data shows the first exploit transaction hit Ethereum at approximately 06:07 UTC on May 18, 2026. Galxe then publicly disclosed the incident about three hours later at 09:00 GMT via its official X account. The platform confirmed that no user wallets, approvals, or deposited funds took any damage.
The attacker targeted residual tokens sitting inside retired reward contracts on Ethereum, BSC, Polygon, Arbitrum, Base, and Optimism. Specifically, the drained assets included USDT, USDC, BUSD, OP, and CYBER.
SpaceStation V2 contracts served as legacy reward distribution contracts tied to earlier quest campaigns on the Galxe platform. Users would connect wallets and claim rewards through EIP-712 signed transactions. As a result, each claim required a valid signature from the platform’s authorized signer address.
The compromised signer address, 0xC638B660694688c559D67016F4cD58d408aba306, sat immutably in all V2 contracts. Because the contracts themselves are immutable on-chain, the team could not rotate the signer key without deploying entirely new contracts. Consequently, no one had changed the key since original deployment.
The attacker, operating from address 0x6dBA9Be4fbA81CB9928ae7Ae5B909cb6C4577Aac, forged valid EIP-712 signatures using the compromised key. This allowed unauthorized claims against the contracts’ residual token balances through repeated EventClaim calls. For example, a key Ethereum exploit transaction shows large volumes of USDT and USDC moving in a single batch.
SpaceStation V2 contracts only held platform-deposited reward tokens. Users connected wallets to claim rewards but never sent funds to these contracts. Therefore, the exploit only touched the contracts’ internal balances.
The attack did not require or compromise any user approvals, signatures, or private keys. Even users who previously interacted with the Galxe SpaceStation V2 contracts face no risk from this incident.
Galxe confirmed this directly in its disclosure. “NO user wallets or funds were affected,” the team stated. “Even if you connected to these contracts in the past, your wallet is completely safe.”
Galxe disclosed the breach approximately three hours after the first exploit transaction. The team stated it had identified the root cause and begun updating security controls.
“We identified the root cause and are updating our security controls,” Galxe wrote on X. “We will share a full report once the investigation is done.”
On-chain records also show the affected Ethereum contract received an “Update Paused” transaction, indicating Galxe moved to freeze remaining assets. Meanwhile, CEO Charles Wayn and other named executives have not released any public statements. Similarly, no official blog post, Discord, or Telegram announcement has appeared beyond the initial X post.
Timeline: Russia’s gradual transition from crypto restrictions toward regulated institutional market access and MOEX crypto products
President Vladimir Putin signs legislation explicitly banning cryptocurrencies and NFTs as payment instruments inside Russia, tightening the country’s domestic crypto restrictions.
The Bank of Russia begins live pilot testing for the digital ruble CBDC with selected individuals and merchants, laying groundwork for controlled domestic and cross-border digital settlement systems.
Russia formally legalizes cryptocurrency mining through dedicated legislation, establishing registration rules for companies and energy-use limits for individuals.
Russia creates legal exemptions allowing cryptocurrencies for international trade settlements while regulators intensify discussions around institutional crypto market access and regulated exposure products.
MOEX launches BTC and ETH benchmark indices while the Central Bank publishes a formal proposal allowing qualified investors to gain limited crypto exposure through licensed intermediaries.
MOEX introduces new crypto indices including MOEXXRP and begins cash-settled RUB futures trading, giving qualified Russian institutions regulated synthetic exposure to XRP, SOL, TRX, and BNB.
Russia targets July 2026 for implementation of broader legislation governing licensed institutional crypto access under Central Bank oversight.
On-chain security researchers @exvulsec and @chrisdior777 independently verified the incident timeline and scope. Their analysis aligns with Galxe’s “no user funds affected” framing while also confirming the approximately $219,000 contract-level drain.
Major security firms such as PeckShield, SlowMist, and CertiK have not yet published findings. Because the incident occurred less than six hours before reporting, this gap is expected. Notably, no conflicting accounts have surfaced from any source.
This is not Galxe’s first security incident. In October 2023, the platform suffered a DNS hijack that redirected users to a malicious front end. That attack led to actual user fund losses through fraudulent wallet connections.
In contrast, today’s incident is significantly smaller in scope. The $219,411 drain affected only legacy contract balances, not active user funds. Galxe now serves over 25 million users. The platform also operates the Gravity Layer-1 blockchain, which launched its mainnet in Q4 2025.
The Galxe SpaceStation V2 contracts entered retirement before 2026. Both Galxe and independent analysts consistently describe them as deprecated legacy infrastructure, though neither party has specified the exact retirement date.
The GAL token, now migrated to the Gravity token G, showed no material price reaction in early data. As of the May 17, 2026 close, GAL traded at approximately $0.33 with normal 24-hour volume.
Additionally, no on-chain GAL or G token movements connect to the incident. The drained amount of roughly $219,000 across stablecoins and minor tokens represents residual protocol funds, not circulating token supply.
Several key details still await answers. Galxe has not disclosed the exact method of key compromise. It could involve phishing, an insider breach, or a supply-chain attack. Whether additional contracts or chains suffered beyond those already identified also remains unclear.
The total drained across all chains comes from researcher estimates. Galxe has not confirmed a final figure. Investigators also do not know when the attacker first accessed the signer key. Galxe has explicitly promised a full post-mortem but has not set a release date.
This incident highlights a persistent risk in decentralized infrastructure. Retired smart contracts remain live on-chain indefinitely. If teams do not actively manage signer keys or admin controls, deprecated contracts become dormant attack surfaces.
Key rotation, contract pausing mechanisms, and residual balance sweeps all serve as standard mitigations. Projects that retire contracts without these steps leave value exposed. The Galxe SpaceStation V2 exploit clearly demonstrates what happens when teams leave legacy infrastructure unattended.
Galxe says a full report will follow the investigation. Until then, the platform’s current infrastructure remains fully operational and unaffected.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
