According to monitoring by Beosin Alert, Narwhal's NRW token is suspected to have been exploited for $1.5 million ($970,000 on January 6 and $500,000 on January 5).
The majority of the stolen funds were transferred to Tornado Cash. In the January 6 exploit, the attacker called the withdraw() function and entered signer information. The contract is not publicly available for review. Decompiling it revealed that the contract owner had set the signer address. The suspicion is either that the signer's key was leaked or that the information was falsified.
Narwhal had previously disclosed an incident involving a contract that led to the theft of NRW tokens. They have announced plans to rebuild their liquidity pool within three days, starting from yesterday. Additionally, Narwhal is currently developing a platform with enhanced security measures to prevent such incidents from occurring in the future.