PANews reported on June 11 that, according to Bits.media, the NovaBox platform's reward pool was hacked on Ethereum on June 9, resulting in the loss of approximately 56.73 ETH, affecting over 130 depositors. The attackers drained the pool from 65.11 ETH to 0.09 ETH in a single transaction, representing approximately 99.86% of the total. Security firm F12 stated that the incident was not due to a smart contract vulnerability, but rather a flaw in the reward distribution mechanism.
The attacker borrowed 427.5 WETH through an Aave V3 flash loan and exploited a vulnerability in NovaBox's mechanism: when users deposit or withdraw, dividends are paid out before the balance is updated. The attacker first deposited a small amount of NOVA tokens to trigger dividend calculation, then deposited a large amount of ETH, significantly increasing their actual share. Because the system failed to update the balance in time, dividends were still calculated based on the previous small share but were paid out based on the new large share. This produced a "phantom dividend" of approximately 145.82 ETH and depleted the reward pool.
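The ordering flaw described above can be reproduced in a small model and turned into a regression check. The following is an added example, not NovaBox's code: it assumes an accumulator-style (reward-per-share) pool, which the report does not confirm, and the class, method names, account labels and amounts are all constructed for illustration.

```python
ETH = 10**18  # fixed-point scale; all amounts are constructed sample values

class RewardPool:
    """Toy accumulator-style reward pool (hypothetical, not NovaBox's contract)."""
    def __init__(self, refresh_checkpoint):
        self.refresh = refresh_checkpoint  # True = hardened ordering
        self.acc = 0      # rewards accrued per staked unit, scaled by ETH
        self.pool = 0     # rewards still held by the pool
        self.total = 0    # total staked
        self.bal, self.debt = {}, {}

    def fund(self, amount):
        self.pool += amount
        if self.total:
            self.acc += amount * ETH // self.total

    def claim(self, user):
        bal = self.bal.get(user, 0)
        owed = bal * self.acc // ETH - self.debt.get(user, 0)
        paid = min(owed, self.pool)          # payout is capped by what the pool holds
        self.pool -= paid
        self.debt[user] = bal * self.acc // ETH
        return paid

    def deposit(self, user, amount):
        paid = self.claim(user)              # settle against the OLD balance
        self.bal[user] = self.bal.get(user, 0) + amount
        self.total += amount
        if self.refresh:                     # fix: re-checkpoint at the NEW balance
            self.debt[user] = self.bal[user] * self.acc // ETH
        return paid                          # flawed path keeps the stale checkpoint

def simulate(refresh_checkpoint):
    """Return (paid to late depositor, pool left, paid to original staker)."""
    p = RewardPool(refresh_checkpoint)
    p.deposit("staker", 100 * ETH)
    p.fund(65 * ETH)                         # rewards earned by "staker" only
    late = p.deposit("late", 1 * ETH)        # small deposit after funding
    late += p.deposit("late", 1000 * ETH)    # large deposit
    late += p.claim("late")
    return late, p.pool, p.claim("staker")

if __name__ == "__main__":
    for mode in (False, True):
        late, left, staker = simulate(mode)
        # Invariant: an account that joined after funding is owed nothing.
        print(f"refresh={mode}: late={late/ETH} pool_left={left/ETH} staker={staker/ETH}")
```

The invariant worth asserting in a test suite is that an account which deposits only after rewards were funded receives nothing, and that total payouts never exceed the rewards funded.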



