How NovaPlay drained itself
Forty-two days from Certified to Removed. The full reconstruction of the largest GameFi treasury event of 2026 — what the audit missed, what the docs misrepresented, and what the team did in the 96 hours after the transactions.
Forty-two days. That's how long it took NovaPlay to go from a Certified-tier Onyx rating (86/100, published April 11) to an editorial removal (May 22). In between: a treasury drain of $7.7M, an audit report whose scope did not match what the public was led to believe was protected, and a series of team communications that shifted, in 96 hours, from "we are investigating" to silence.
This is what we found.
§ The timeline
April 11: Onyx publishes NovaPlay's rating at 86/100 — Certified. The score reflects a Halborn audit dated April 2025, a multi-sig with five named signers, public documentation describing a 72-hour governance timelock, and 19 months of clean operational history.
April 18, 03:14 UTC: A governance proposal is opened. It proposes to "upgrade treasury management contracts." The proposal is self-executed 26 seconds later in the same block. Three treasury wallets — controlling $7.7M in user-attributable funds — are drained to a single external address within the next 4 minutes.
April 18, 09:00 UTC: NovaPlay's official Discord posts the message: "We are aware of unusual treasury activity and investigating."
April 19-22: No further public communication.
May 19: Onyx publishes a notice that NovaPlay has been moved to active investigation status.
May 22: Onyx publishes this article and removes the rating.
§ What the audit covered (and what it did not)
The Halborn audit report dated April 2025 reviewed the NovaPlay smart contract suite as deployed at that time. Halborn's scope was the on-chain contracts. This is the standard scope for a smart-contract audit and Halborn's report is, on its own terms, accurate and complete.
What it did not cover — and was not asked to cover — was the governance frontend at app.novaplay.gg, which is what the team had publicly described as enforcing the 72-hour timelock.
The contracts themselves did not enforce a timelock. The frontend did. The frontend was a thin client that could be bypassed by calling the contract directly. The team's documentation in three places (whitepaper §4.2, governance forum sticky post, and the FAQ) described the timelock as a property of the protocol. It was not.
This is a Category-A misrepresentation under Onyx methodology §13.
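To make the "frontend-only timelock" failure mode concrete, here is an added model (not NovaPlay's code, and not taken from the Halborn report) of a governance contract whose 72-hour delay is checked either only in a thin client or in the contract itself, plus the detection rule a monitoring team would run over the emitted events. The contract, frontend, event shapes and the proposer address are assumptions; the 72-hour delay, the $7.7M figure and the 26-second gap are the article's own numbers.

```python
"""Governance timelock enforced in the frontend versus in the contract.

Added illustration only: this is not NovaPlay's code. The contract, frontend
and event shapes are assumptions; the 72-hour delay and the 26-second
same-block execution are the figures given in the article.
"""
from dataclasses import dataclass
from typing import Optional

DELAY = 72 * 3600          # documented 72-hour timelock, in seconds
TREASURY = 7_700_000       # funds the proposal can move (illustrative)


@dataclass
class Proposal:
    proposer: str
    created_at: int
    executed_at: Optional[int] = None


class TimelockError(Exception):
    pass


class GovernanceContract:
    """Model of the on-chain contract (assumed shape).

    With enforce_delay=False it reproduces the failure mode described above:
    execute() succeeds as soon as the proposal exists, so a caller who skips
    the frontend can propose and execute in the same block.
    """

    def __init__(self, enforce_delay: bool):
        self.enforce_delay = enforce_delay
        self.proposals: list = []
        self.treasury = TREASURY
        self.log: list = []  # (event name, proposal id, timestamp)

    def propose(self, proposer: str, now: int) -> int:
        self.proposals.append(Proposal(proposer, now))
        pid = len(self.proposals) - 1
        self.log.append(("ProposalCreated", pid, now))
        return pid

    def execute(self, pid: int, now: int) -> int:
        p = self.proposals[pid]
        if p.executed_at is not None:
            raise ValueError("already executed")
        # The only delay check a direct caller cannot route around is this one.
        if self.enforce_delay and now < p.created_at + DELAY:
            raise TimelockError("timelock has not elapsed")
        p.executed_at = now
        self.log.append(("ProposalExecuted", pid, now))
        moved, self.treasury = self.treasury, 0
        return moved


class Frontend:
    """Thin client: checks the delay, then calls the contract. Anyone can
    skip it and call the contract directly, so its check is cosmetic."""

    def __init__(self, contract: GovernanceContract):
        self.contract = contract

    def execute(self, pid: int, now: int) -> int:
        if now < self.contract.proposals[pid].created_at + DELAY:
            raise TimelockError("UI refuses: timelock has not elapsed")
        return self.contract.execute(pid, now)


def timelock_violations(log, delay: int = DELAY) -> list:
    """Detection rule over emitted events: proposal ids executed less than
    `delay` seconds after creation. A timelock that is really enforced on
    chain makes this list empty for every proposal."""
    created = {pid: ts for ev, pid, ts in log if ev == "ProposalCreated"}
    return [pid for ev, pid, ts in log
            if ev == "ProposalExecuted" and ts - created[pid] < delay]


def direct_call_scenario(enforce_delay: bool, seconds_after: int = 26):
    """Propose, then call execute() on the contract directly (bypassing the
    frontend) seconds_after later. Returns (amount moved, violating ids)."""
    gov = GovernanceContract(enforce_delay)
    t0 = 1_000_000                      # constructed timestamp
    pid = gov.propose("0xPROPOSER_PLACEHOLDER", t0)  # constructed address
    try:
        moved = gov.execute(pid, t0 + seconds_after)
    except TimelockError:
        moved = 0
    return moved, timelock_violations(gov.log)


if __name__ == "__main__":
    print("frontend-only timelock :", direct_call_scenario(False))
    print("contract-level timelock:", direct_call_scenario(True))
    print("enforced, after 72h    :", direct_call_scenario(True, DELAY))
```

The point of the model is the asymmetry between the two `execute` methods: the `Frontend` check is identical to the contract's, but only the contract's check binds, because the chain accepts transactions from any caller. `timelock_violations` is the cross-check an audit-scope review or a monitoring rule would apply: if a protocol documents a delay, every `ProposalExecuted` event should be at least that far from its `ProposalCreated` event, and a same-block execution is a finding regardless of what the UI shows.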
§ The 96 hours
Between the April 18 drain and our May 22 removal, Onyx editorial made fourteen documented attempts to reach NovaPlay's team. Three contact channels listed in their rating application (email, Telegram, Discord) returned no substantive response.
Two of the three named treasury signers responded to direct outreach. Both stated, in writing, that they had not authorized the April 18 transactions and were not contacted about the treasury upgrade proposal. The third did not respond.
A former NovaPlay engineer — who had departed in February 2026 — provided Onyx with internal Discord screenshots from March 2026 showing the team had been aware that the timelock was frontend-only and had discussed implementing contract-level enforcement. The implementation work was deprioritized.
§ Who is responsible
We do not know. The wallet that received the drained funds (0x9d2a…1f04) has not been linked to any named individual. The drained funds remain on-chain at the time of publication; some have moved through privacy-preserving routes.
§ What changes at Onyx
This case has surfaced one methodology gap and one process gap.
The methodology gap: §06 (Security & Audit Posture) does not currently require that the audit scope explicitly match what the team's documentation claims is protected. We will add this as a sub-criterion in methodology v3.3.
The process gap: Onyx's pre-publication review for Certified-tier projects did not include a structured cross-check between the audit's scope of work and the project's public claims about protected surface. We will add this check effective Q3 2026, applied retroactively to existing Certified-tier projects within 90 days.
These changes will be documented in the next quarterly transparency report.