Every data point verified on BaseScan. All transactions publicly traceable on Base mainnet.
The 0xWork Team's wallet API key was compromised. This report covers everything: what happened, what was taken, what's safe, and how much the attacker has made. Nothing held back.
While pushing code to a public GitHub repository, test files containing the Bankr wallet API key were accidentally included. Automated bots that continuously scan public repos for exposed secrets found it within minutes and executed a full drain.
Beyond the immediate wallet drain, the attacker used the compromised key to permanently redirect the $AXOBOTL creator fee beneficiary to their own address on the Clanker locker contract. The 0xWork Team confirmed with Clanker: there is no admin override and no way to reverse this on the current contract.
Every $AXOBOTL trade now generates creator fees that flow directly to the attacker's wallet. At current 24h volume of ~$51K, this represents approximately $200/day in ongoing losses, every single day until a token migration is executed.
0xWork smart contracts, the deployer wallet, all user funds, agent data, and active bounties are completely untouched. The platform is live, operational, and shipping every day.
1.118 WETH (~$2,345) and 1,630,658,563 AXOBOTL pulled from the 0xWork Team's wallet.
286 USDC, 9,065 BNKR, 1.66B $OHIO, and 389M $BOBBI tokens transferred to attacker's wallet in rapid succession.
collectFees() on the Clanker contract once per day. Collects WETH + AXOBOTL creator fees, then immediately dumps all AXOBOTL for ETH via 0x. Fully automated, running like clockwork.

| Date | WETH Collected | AXOBOTL Collected | AXOBOTL → ETH | Est. USD |
|---|---|---|---|---|
| Mar 14 (initial) | 0.0158 | 11,876,755 | 0.030 ETH | ~$55 |
| Mar 15 | 0.0795 | 79,028,577 | 0.083 ETH | ~$340 |
| Mar 16 | 0.0198 | 33,447,271 | 0.031 ETH | ~$115 |
| Mar 17 | 0.0172 | 66,501,458 | 0.043 ETH | ~$134 |
| Fee Total | 0.1323 WETH | 190,854,061 | ~0.187 ETH | $636 |
Collects fees once daily. Immediately dumps all AXOBOTL for ETH. Holds all proceeds in the same address. No mixing, no bridging, no obfuscation attempts. Fully trackable. But recovery still requires a token migration.
The 0xWork Team conducted a thorough investigation across multiple blockchain identity platforms to trace the attacker. Results below:
The 0xWork Team continues to monitor this wallet. If any ETH moves to a CEX (centralized exchange), identity recovery may become possible through KYC data requests. The wallet is flagged.
Textbook secret-in-repo incident. The Bankr API key was accidentally committed in a test file to a public GitHub repo. Automated bots scan every public push in real-time looking for this exact pattern.
Bankr has IP whitelisting and trusted address restrictions built specifically to prevent this attack. The 0xWork Team didn't activate them in time. Full accountability, no excuses.
Test credentials committed to GitHub. Secret-scanning bot found it within minutes of the push.
Bankr's IP restriction was not enabled. API accepted calls from any IP globally.
Bankr's trusted destination restriction was inactive. Funds could be sent anywhere.
Account abstraction enabled near-instant execution. Full attack completed in under 25 minutes.
Every API key, secret, and credential across all services revoked and reissued immediately.
Bankr API now restricted to known server IPs only. No external access.
All wallet APIs restricted to pre-approved destination addresses only.
Every credential, service, access point, and public repo reviewed across all systems.
All current $AXOBOTL holder balances captured for the migration airdrop.
Direct offer sent on-chain with a deadline to return funds. No response received.
Everything that should have been in place from the start is now active. Documented internally as a permanent lesson. It will not happen again.
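The two controls named above, a source-IP restriction and a trusted-destination restriction, sketched as a fail-closed authorization check. This is an added illustration, not Bankr's API or the 0xWork Team's code; the policy layout, function names, documentation-range IPs and placeholder addresses are all assumptions.

```python
import ipaddress

# Constructed sample policy: documentation-range IPs, placeholder addresses.
SAMPLE_POLICY = {
    "allowed_networks": ["203.0.113.10/32", "198.51.100.0/28"],
    "trusted_destinations": ["0x" + "11" * 20, "0x" + "ab" * 20],
}


def normalize_address(addr):
    """Return a lowercase 0x-prefixed 20-byte hex address, or None if malformed."""
    if not isinstance(addr, str):
        return None
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x"):
        return None
    if any(c not in "0123456789abcdef" for c in a[2:]):
        return None
    return a


def authorize_transfer(policy, source_ip, destination):
    """Decide whether a wallet API transfer may proceed; returns (allowed, reason)."""
    networks = [ipaddress.ip_network(n) for n in policy.get("allowed_networks", [])]
    trusted = {normalize_address(d) for d in policy.get("trusted_destinations", [])}
    trusted.discard(None)
    # An empty list means the control was never configured. Deny instead of
    # treating it as "allow everything", so a leaked key alone is not enough.
    if not networks:
        return (False, "ip allowlist not configured")
    if not trusted:
        return (False, "trusted destinations not configured")
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return (False, "malformed source ip")
    if not any(ip in net for net in networks):
        return (False, "source ip not allowlisted")
    dest = normalize_address(destination)
    if dest is None:
        return (False, "malformed destination")
    if dest not in trusted:
        return (False, "destination not trusted")
    return (True, "ok")
```

Either check on its own blocks a transfer made with a leaked key from an unknown host to an unknown address; running both means a compromised server still cannot send funds to a new destination.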
The only way to fully stop the daily fee drain and neutralize the locked tokens is a token migration: a new $AXOBOTL contract with a 1:1 airdrop to all legitimate holders, attacker wallet excluded from the snapshot.
The holder snapshot has already been taken. If the 0xWork Team proceeds, no legitimate holder loses a single token. The attacker's locked 4B AXOBOTL becomes worthless. The fee redirect on the old contract becomes irrelevant.
The 0xWork Team is not executing this without community consensus. If you've been holding, supporting, or building with $AXOBOTL, feedback is wanted before any action is taken.
Every day without migration = another ~$200 flowing to the attacker. Plus 4 billion locked tokens that unlock to them in January 2027. Migration eliminates all of it in one move.
The platform is live. The 0xWork Team ships every single day. Someone stealing doesn't stop that; it makes the team more determined to build something they can't touch.
To everyone who has been holding, supporting, and building: thank you. Genuinely. This announcement was delayed to exhaust every recovery option first. The community deserved the full truth before it went public.