Mattle.fun has published a full incident report following a security breach that allowed an attacker to drain approximately 500,000 $MATTLE tokens from the platform's Key Vault. The exploit, which occurred roughly 13 hours before the report was published, targeted the platform's API layer rather than its on-chain infrastructure.
According to the team's disclosure, the attacker identified a vulnerability in the Web2 API layer and used it to generate unlimited Mattle Keys. Those keys were then repeatedly used to open reward claims and withdraw $MATTLE directly from the Key Vault until the breach was detected and shut down.
Scope Contained by Vault Design
The Key Vault operates on a limited allocation model. Rather than holding large reserves, it is refilled periodically, which capped the damage to approximately 500,000 $MATTLE. After extracting the tokens, the attacker sold them on the open market, triggering a price drop of roughly 30%.
The team was explicit that this was a Web2 infrastructure attack. Smart contracts, the staking system, and user wallets were entirely unaffected and remain secure. On-chain components of the MattleFun ecosystem were not touched.
Once the breach was identified, the team patched the affected API, conducted a system-wide security review, and confirmed all platform features were restored to normal operation. The Key Vault has been refilled and users can once again claim rewards through Mattle Keys.
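An added illustration of the limited allocation model described above (not code from Mattle.fun): a constructed Python model in which the vault can pay out no more than its per-refill allocation, so loss is bounded by the allocation times the number of refills before detection, alongside a per-account redemption-rate check. The names `CappedVault`, `simulate_drain` and `flag_accounts`, the reward size, the rate ceiling, and treating 500,000 as the per-refill cap are all assumptions.

```python
from collections import Counter

ALLOCATION = 500_000    # assumption: the page's loss figure used as the per-refill cap
REWARD_PER_KEY = 250    # constructed value, not from the page
MAX_CLAIMS = 20         # constructed per-account ceiling for one review window


class CappedVault:
    """Hot vault that never holds more than one allocation."""

    def __init__(self, allocation):
        self.allocation = allocation
        self.balance = allocation
        self.paid_out = 0

    def refill(self):
        # Top up to the cap, never beyond it.
        self.balance = self.allocation

    def claim(self, amount):
        # Pay what is available; an empty vault pays nothing.
        paid = min(amount, self.balance)
        self.balance -= paid
        self.paid_out += paid
        return paid


def simulate_drain(illegitimate_keys, refills_before_detection=0):
    """Total paid out when every key is redeemed as fast as the vault allows."""
    vault = CappedVault(ALLOCATION)
    keys_left = illegitimate_keys
    for cycle in range(refills_before_detection + 1):
        if cycle:
            vault.refill()
        while keys_left and vault.balance:
            vault.claim(REWARD_PER_KEY)
            keys_left -= 1
    return vault.paid_out


def flag_accounts(claim_log, max_claims=MAX_CLAIMS):
    """Accounts whose redemptions in the window exceed the ceiling."""
    counts = Counter(account for account, _minute in claim_log)
    return sorted(a for a, n in counts.items() if n > max_claims)


# Constructed claim log: (account, minute) pairs for one review window.
SAMPLE_LOG = [("acct-a", m) for m in range(5)] + [("acct-x", 0)] * 400
```

The loss ceiling depends on detection time as well as on the cap: each refill that happens before the breach is noticed adds another full allocation to the exposure.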
Buyback Response
To help stabilize the token's market price following the sell-off, Mattle.fun deployed 20 SOL from Shop revenue to buy back $MATTLE. The team provided an on-chain transaction hash via Solscan as verifiable proof of the buyback action.
About Mattle.fun
Mattle.fun is a gamified trading platform on Solana developed by Soluna Labs that bridges on-chain trading activity with in-game character strength. It was one of the Grand Prize winners of the first-ever Solana Mobile Hackathon, a $100,000 competition organized in partnership with RadiantsDAO and BONK that evaluated projects for deep Solana blockchain integration, mobile-first functionality, and effective use of the Solana Mobile Stack.
The platform's core mechanic converts a player's Solana trading volume into in-game stats including Speed, Luck, Armour, and Health. Trades made through the Mattle terminal earn Boosting Points that carry over into the survival arena mode, where players fight waves of enemies at Normal, Hard, and Cursed difficulty levels. This design turns ordinary DeFi activity into gameplay progression, with active traders arriving in the arena with measurably stronger characters.
Beyond trading-to-stats, the platform includes daily quests, Mattle Keys that unlock reward chests, a staking system tied to $MATTLE, and tournaments with prize pools paid in $MATTLE, USDC, and Keys. Staking $MATTLE unlocks missions, reduces platform fees, and grants access to premium in-game features. The platform is available on Android, via the Solana dApp Store for Seeker and Saga device holders, and through a web browser at app.mattle.fun. Partners include Play Solana, SNS, and MonkeDAO.
The incident report marks the platform's first disclosed security event since launch. The limited-vault design that contained the damage to a defined ceiling is now a demonstrated feature of the ecosystem's risk architecture rather than just a theoretical safeguard.














