Archive

2026​

• February 1 - CrossCurve Bridge Exploited via Smart Contract Vulnerability, $3 Million in Assets Stolen
• February 3 - ArbitrumDAO Official X Account Compromised
• February 18 - Moonwell Oracle Misconfiguration Leads to cbETH Pricing Anomaly, Resulting in $1.78M Bad Debt
• February 21 - Suspected IoTeX Private Key Leak: Token Treasury Drained of Approximately $4.3 Million
• February 23 - USD1 Faces a Coordinated Short-Selling Attack
• February 25 - Holdstation Suffers Supply Chain Attack, Losing Approximately 462,000 USDT
• February 27 - Ploutus Protocol Exploited Due to Oracle Misconfiguration, Loss Totals ~$390,000
• March 2 - Inverse Finance Suffers an Exploit Resulting in Approximately $240,000 Loss
• March 2 - Stop Building in the Dark:autosec.dev Launches the Layer 0 Genesis Shield Program
• March 3 - Security Alert: North Korean Threat Actor FAMOUS CHOLLIMA Releases 26 Malicious npm Packages
• March 3 - UniswapV4Router04 Privilege Bypass Leads to Asset Theft
• March 5 - The Inugami staking contract contains a logic vulnerability
• March 5 - Address Poisoning Attack Leads to ~$24M Theft from sillytuna-Related Addresses
• March 6 - Solv Protocol Vulnerability Exploited: Attacker Reaps $2.7 Million in Illicit Profits
• March 10 - The NFT lending protocol Gondi has been exploited, resulting in the theft of approximately 40 NFTs.
• March 12 - The official domain for bonk.fun has been hijacked.
• March 12 - The DBXen protocol was hit by an ERC-2771 identity obfuscation attack, resulting in a loss of approximately $150,000.
• March 16 - Venus Protocol Suffers $3.7M Loss Following Security Breach in $THE Pool
• March 18 - Code Execution Vulnerability Discovered in OpenAI Codex Desktop
• March 18 - dTRINITY Suffers ~$260k Loss in Logic Vulnerability
• March 18 - Keom Protocol Suffers Full-Drain Redemption Attack, Resulting in $94k Loss
• March 23 - ResolvLabs Exploited: Total Losses Reach $25 Million
• March 25 - Supply Chain Poisoning and Developer Credential Theft in Apifox Desktop Client
• March 25 - LiteLLM Supply Chain Poisoning: A Full-Path Analysis from Trivy Compromise to Zero-Click Malicious .pth Injection
• March 31 - InfinitySix Hit by Oracle Attack: Exploiter Arbs 270k USDT via Stale TWAP Prices
• April 1 - Social Engineering Trap: Kraken Whale Targeted in Deep Orchestration; $18.2 Million Laundered via THORChain Cross-Chain Swaps
• April 1 - $56M Stolen, 13 Exploits, 4 Supply Chain Attacks — March 2026 Was a Bloodbath for Web3 Security
• April 2 - Drift Protocol Exploited for $285M in Suspected Private Key Compromise
• April 8 - SquidMulticall Vulnerability Leads to Million-Dollar Exploit
• April 8 - HB Token Suffers Flash Loan State Manipulation Attack
• April 13 - Hyperbridge Cross-Chain Gateway Suffers Proof Replay Attack, Resulting in Approximately $237,000 Loss
• April 19 - $292 Million: A Deep Dive into the KelpDAO Cross-Chain Message Forgery Incident — Post-Mortem of the Largest DeFi Security Crisis in 2026
• April 20 - Vercel Supply-Chain Breach: Context.ai OAuth Compromise Forces Web3 Teams into Emergency API Key Rotation
• April 21 - Volo Protocol Loses $3.5M in Targeted Sui Vault Exploit, Freezes All Vaults During Recovery
• April 27 - Scallop Loses 150K SUI in Deprecated sSUI Rewards Contract Exploit
• April 28 - ZetaChain GatewayEVM Arbitrary Call Exploit Drains $333K from Team Wallets Across Four Chains
• April 29 - YieldCore-3rd-deal Vault Drained for $398K Due to Missing Caller Authorization Checks
• April 29 - Syndicate Commons Bridge Exploit: 18.5M SYND Sold as Token Falls More Than 36%
• May 6 - Ekubo Protocol Custom Extension Exploit Drains $1.4M via Payment Callback Authorization Gap
• May 7 - TrustedVolumes Exploit: $6.7M Drained via RFQ Proxy Signer Bypass
• May 11 - Renegade V1 Arbitrum Dark Pool Exploit: $209K Drained, $190K Returned After Whitehat Negotiation
• May 11 - Huma Finance V1 Exploit: $101K Drained from Polygon BaseCreditPool via Credit-State Logic Error
• May 12 - SQ Token Staking Drain: $346K Lost via Hardcoded Owner Backdoor and Fake Renounce
• May 14 - TAC Bridge Exploit: $2.8M Lost on TON-Side Cross-Chain Layer, Later Routed Through White-Hat Recovery
• May 14 - ShapeShift FOX Colony Exploit: $132K Drained via Meta-Transaction Self-Call and Resolver Hijack
• May 15 - THORChain Exploit: $10.7M Drained from Asgard Vault via GG20 TSS Key-Material Leakage
• May 18 - Verus-Ethereum Bridge Exploit: $11.5M Drained via Forged Cross-Chain Transfer Validation Failure
• May 19 - HermesVault Exploit: $29K Drained and Protocol Retired After Withdrawal Verification Key-Reset Flaw
• May 20 - RetoSwap/Haveno Exploit: Active Arbitrator Multisig Hijack via Pre-Deposit ACK Message Spoofing
• May 23 - MureDistribution Exploit: QUEST Drained via User-Supplied Signer Source Bypass
• May 24 - StablR Exploit: EURR and USDR Depeg After 1-of-3 Minting Multisig Key Compromise
• May 25 - WUSD.fi GLOVE Incentive Abuse: Sybil Farming Drains USDC and USDT from Uniswap V3 Pools
• May 25 - SquidRouterModule Exploit: $3.2M Drained from 86 Safe Wallets via Third-Party Module Flaw
• May 29 - DxSale Legacy Locker Drain: $7.3M Exposure Across 1,406 BNB Chain Pools
• May 30 - Alephium TokenBridge Exploit: $815K Drained via Forged Guardian Messages
• June 2 - TesseraDAO TSR Mint Exploit: 99M Tokens Created and Sold for $2.4M
• June 4 - ATM Token transferFrom Hidden Swap Exploit: BSC Token Drained for $243.5K
• June 5 - BYToken Public Maintenance Function Exploit: BY/WBNB Liquidity Drained for 146.6 BNB
• June 7 - Ambient Finance CrocSwapDex Exploit: $110K Lost to Surplus-Collateral Accounting Bug
• June 8 - Syscoin Bridge Exploit: 5B Unauthorized SYS Minted via Transaction-Proof Validation Flaw
• June 9 - Humanity Protocol H Token Exploit: Foundation Key Compromise Triggers $32M Drain and 90% Crash
• June 10 - Token of Power TOP Governance Attack: 10B Mint Drains 944.2 WETH from Balancer V1
• June 10 - Raydium Exploit: $1.34M Drained via Legacy AMM V3 LP Mint Validation Flaw
• June 14 - Aztec Connect Exploit: $2.19M Drained via Legacy Proof-Validation Bypass