
The Foom Cash Exploit: How a Skipped CLI Step in a Groth16 Trusted Setup Turned a $2.3M Privacy Protocol Into an ATM
TL;DR

On March 2, 2026, attackers drained $2.26M from Foom Cash — a zk-SNARK privacy protocol on Ethereum and Base — by forging zero-knowledge proofs. The root cause? A single omitted step during the Groth16 trusted setup that left γ and δ parameters at their default generator values, collapsing the entire soundness guarantee of the proof system. A white-hat rescue recovered $1.84M (81%) through front-running the attacker with the same forged-proof technique. This article dissects the vulnerability, the proof malleability exploit, and what every team deploying ZK circuits needs to learn from it.

The Attack Timeline

Feb 27, 2026 — First suspicious withdrawals detected on Base
Mar 02, 2026 — Full-scale exploit: 24.28T FOOM tokens drained (~$2.26M)
Mar 02, 2026 — White-hat @duha_real front-runs attacker on Base ($1.84M saved)
Mar 02, 2026 — DecurityHQ rescues Ethereum mainnet funds
Mar 03, 2026 — Foom Cash patches verifier, awards $420K in bounties

The attack wasn't a zero-day in cryptogr
Continue reading on Dev.to
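A pre-deployment check for the condition described in the TL;DR, added here as an example and not taken from the article or from Foom Cash's code. It assumes a verifying key exported as JSON with snarkjs-style field names (`vk_gamma_2`, `vk_delta_2`) on the BN254 curve; the sample keys are constructed.

```python
# BN254 (alt_bn128) G2 generator, affine, each Fp2 coordinate as (c0, c1),
# as published in EIP-197.
G2_GENERATOR = (
    (10857046999023057135944570762232829481370756359578518086990519993285655852781,
     11559732032986387107991004021392285783925812861821192530917403151452391805634),
    (8495653923123431417604973247489272438418190587263600148770280649306958101930,
     4082367875863433681332203403145435568316851327593401208105741076214120093531),
)

def g2_affine(point):
    """Convert a JSON G2 point [[x0, x1], [y0, y1], [z0, z1]] to int tuples."""
    x, y, z = (tuple(int(c) for c in pair) for pair in point)
    if z != (1, 0):
        raise ValueError("expected an affine point with z = (1, 0)")
    return (x, y)

def audit_vk(vk):
    """Return findings for a Groth16 verifying key given as a dict."""
    gamma = g2_affine(vk["vk_gamma_2"])
    delta = g2_affine(vk["vk_delta_2"])
    findings = []
    # gamma alone is not flagged: some toolchains keep it at the generator
    # and randomise only delta.
    if delta == G2_GENERATOR:
        findings.append("delta is still the G2 generator (setup default)")
    if delta == gamma:
        findings.append("gamma and delta are the same point")
    return findings

def as_json_point(p):
    """Encode an affine point the way the assumed key file stores it."""
    return [[str(c) for c in p[0]], [str(c) for c in p[1]], ["1", "0"]]

# Constructed sample keys (only the two fields the audit reads).
# PLACEHOLDER_DELTA is a made-up value, not a real curve point.
PLACEHOLDER_DELTA = ((11, 12), (13, 14))
DEFAULT_VK = {"vk_gamma_2": as_json_point(G2_GENERATOR),
              "vk_delta_2": as_json_point(G2_GENERATOR)}
CONTRIBUTED_VK = {"vk_gamma_2": as_json_point(G2_GENERATOR),
                  "vk_delta_2": as_json_point(PLACEHOLDER_DELTA)}

if __name__ == "__main__":
    for name, vk in (("default", DEFAULT_VK), ("contributed", CONTRIBUTED_VK)):
        print(name, audit_vk(vk) or "ok")
```

Running the same comparison against the constants compiled into a deployed verifier contract covers the case where the key file and the on-chain verifier have diverged.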




