Blockchain Security Brief
The weekly record of web3's darkest hours

Monday, January 26, 2026

Silence is now an attack vector, oracles still trust lies, and most of the real damage keeps happening far away from smart contracts.

This week:

• ZeroLend hid a $371K exploit for ten months, kept deposits open, and turned a drained market into a zombie liquidity trap, proving that not disclosing a hack can be more dangerous than the hack itself.

• Makina lost $4.13M because its oracle trusted momentary prices, showing that audits don’t protect you from designs that assume markets can’t be manipulated inside a single transaction.

• From social engineering heists to address poisoning spam, LinkedIn malware, and tax data leaks, the pattern is unchanged: keys are still lost through people, platforms, and pipelines, not just code.

Top Exploits

When protocols stop talking and oracles start trusting spot prices, DeFi doesn’t fail loudly. It fails quietly, then keeps charging admission.

ZeroLend buried a $371K LBTC drain for ten months and left the vault open. ZeroLend’s LBTC market on Base was emptied on February 23, 2025 using the same fake-collateral playbook that hit Ionic Money just eighteen days earlier. The attacker deposited PT-LBTC, borrowed ~3.92 LBTC in three transactions, bridged profits through Across, swapped out to ETH, and never repaid the loan. The variable debt token still sits on-chain like a receipt for an unpaid crime. ZeroLend never disclosed the exploit, blamed frozen withdrawals on “high utilization,” and kept the deposit button live. Over time, someone even built an automated extraction setup that siphons any new liquidity entering the pool. No code bug. No reentrancy. Just bad collateral risk, silence, and a zombie market still collecting victims. (Read more)

Makina Finance lost $4.13M to an oracle attack its audits never covered. Makina trusted live pool prices to decide what its tokens were worth. An attacker used a massive flash loan to temporarily distort those prices, locked in the fake valuation, and drained the pool in a single transaction. Before the original attacker could even collect, MEV bots copied the method and took most of the money for themselves. Six audits and a high-profile security competition had already happened, but this exact attack was explicitly labeled “out of scope.” The contracts worked as designed. The design itself was the problem. (Read more)
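The design flaw described above, as an added illustration that is not from the original post or from Makina's code: a constructed Python toy with an x*y=k pool, a spot oracle that reads live reserves, a TWAP oracle that only sees finished blocks, and a guarded oracle that refuses to price when spot and TWAP disagree. The pool reserves, the 10-block window and the 5% deviation threshold are assumptions chosen for the example.

```python
from collections import deque
# Constructed toy: x*y=k pool, spot oracle reading live reserves, TWAP oracle, guard.

class ConstantProductPool:
    def __init__(self, token_reserve, usd_reserve):
        self.x, self.y = token_reserve, usd_reserve
    def spot_price(self):               # USD per token, straight from reserves
        return self.y / self.x
    def swap(self, usd_in=0.0, tokens_in=0.0):
        """Fee-free swap keeping x*y constant; give exactly one side, get the other."""
        k = self.x * self.y
        if usd_in:
            self.y += usd_in
            out = self.x - k / self.y   # tokens out
            self.x -= out
        else:
            self.x += tokens_in
            out = self.y - k / self.x   # USD out
            self.y -= out
        return out

class SpotOracle:                       # Makina-style: trust live pool state
    def __init__(self, pool):
        self.pool = pool
    def price(self):
        return self.pool.spot_price()
class TwapOracle:                       # average of prices recorded at the end of
    def __init__(self, block_prices, window=10):   # earlier blocks; the current
        self.obs = deque(block_prices, maxlen=window)   # block is not in it yet
    def price(self):
        return sum(self.obs) / len(self.obs)
class GuardedOracle:                    # TWAP plus a live-spot deviation check
    def __init__(self, pool, twap, max_dev=0.05):
        self.pool, self.twap, self.max_dev = pool, twap, max_dev
    def price(self):
        spot, avg = self.pool.spot_price(), self.twap.price()
        if abs(spot - avg) / avg > self.max_dev:
            raise ValueError("spot deviates from TWAP; refusing to value collateral")
        return avg

def value_inside_manipulation(pool, oracle, collateral, flash_usd):
    """One atomic tx: pump with flash-loaned USD, read oracle, unwind, repay."""
    before = oracle.price() * collateral
    bought = pool.swap(usd_in=flash_usd)
    try:
        during = oracle.price() * collateral
    except ValueError:
        during = None                   # guarded oracle refused to price
    pool.swap(tokens_in=bought)         # unwind; reserves return to the start
    return before, during
```

With a 1,000-token / $1M pool and a $1M flash loan, the spot oracle values 10 tokens at $40,000 mid-transaction instead of $10,000, the TWAP still says $10,000, and the guarded oracle refuses to answer at all; the reserves are back where they started once the loan is repaid.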

Rekt Audit Broker

The big city sleeps, but the code never does. Neither do the crooks.

Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.

Audits are cheaper than funerals.

Deep Dives

Explained: The $282m Social Engineering Crypto Heist (3 min read)
An attacker impersonated Trezor support and convinced a user to reveal their seed phrase, instantly turning a hardware wallet from the strongest defense in crypto into a fully compromised signing machine and draining roughly $282M across Bitcoin and Litecoin. The lesson: key custody only works if the person holding the keys understands that no real support desk ever needs their recovery words.

Rust Security & Auditing Guide by Sherlock: 2026 (12 min read)
Rust removed entire classes of memory bugs, but most real failures now come from unsafe contracts that silently drift, boundary code that trusts attacker-shaped inputs, concurrency paths that deadlock under pressure, and release pipelines where the binary you ship isn’t the code you reviewed. Security in Rust today is less about pointers and more about proving invariants, enforcing determinism, and making sure your build, dependencies, and unsafe guarantees stay true long after the first audit.

Is Quantum Computing a Real Threat to Blockchain? (4 min read)
Quantum computing doesn’t break blockchains overnight, but it does put a timer on today’s cryptography. The real risk is not some sudden quantum takeover; it’s how slowly protocols and users move to post-quantum signatures while public keys are already exposed on-chain and quietly accumulating for future attacks.

Audit Readiness for MegaETH Projects | What Actually Goes Wrong on a Real-Time EVM (5 min read)
MegaETH changes audits from “is the contract safe” to “does your system survive real-time execution.” Parallel state, millisecond ordering, in-memory storage, and physical latency turn bad state design, timing assumptions, and infrastructure gaps into protocol-level risks.

Supply Chain Security and DevSecOps for Web3 (4 min read)
Smart contracts don’t fail in isolation; they fail through the software factories that build and deploy them. A single compromised dependency, CI runner, container image, or deployment script can silently rewrite what goes on-chain, turning “audited” code into attacker-controlled infrastructure and proving that Web3 security starts long before a transaction is ever signed.

Other Security Stories

Most hacked crypto projects never recover, and the damage is operational, not technical. Immunefi’s CEO says nearly 80% of protocols fail to regain trust after a breach because teams freeze, delay response, avoid pauses, and go silent, letting panic, liquidity flight, and reputational collapse finish what the exploit started.

Ethereum’s activity spike may be fueled by address poisoning spam. A researcher links the surge in new wallets and record transactions to dusting attacks made cheaper by lower gas fees, with poisoning wallets targeting hundreds of thousands of addresses and over $740K already stolen.

South Korea charges three Chinese nationals in a $101M crypto laundering case. Authorities say the group funneled funds through Korean exchanges and bank accounts while disguising transfers as tuition and medical payments.

Hackers are using LinkedIn DMs to deliver malware via DLL sideloading. Attackers are approaching targets through private messages, sending a fake WinRAR archive that drops a legitimate PDF reader and a malicious DLL, which then installs a Python-based payload that runs in memory, persists via registry keys, and gives full remote access to the victim’s system.

Waltio’s data breach turns tax records into phishing ammunition. Hackers who accessed emails and 2024 gains-and-loss reports can now craft highly targeted social engineering scams that reference real tax data to appear legitimate, increasing the risk of wallet compromise without ever touching passwords or private keys.

Security Jobs

Cyber Security Engineer, SecOps, Bitpanda, Vienna, Austria

Security Engineer, LayerZero Labs, Vancouver, Canada

Security Assurance Specialist, Chainlink Labs, Remote

Product Security Engineer - DeFi, FalconX, New York, US (Remote)

Senior Offensive Security Engineer, BitMEX, Asia (Remote)

Rekt Flashback

Three years ago, DeFi learned that adding new collateral types without understanding their edge cases is how “safe” lending protocols turn into ATMs. Midas Capital just proved the lesson didn’t stick. A Curve LP token with a known read-only reentrancy issue was rushed in as collateral, its price was manipulated inside a flash loan, and ~$660K in jFIAT assets were borrowed against value that never really existed. jEUR, jCHF, jGBP and agEUR were drained, swapped to MATIC, and sent to centralized exchanges. Different year, same failures: when collateral onboarding becomes a growth feature instead of a security decision, exploits stop being accidents and start being inevitabilities.

Memes and Videos

When Hackers Get Fedded

Teenagers turned phone numbers into skeleton keys, draining crypto accounts by lying to telecom support and reading SMS codes off burner phones. SIM swapping wasn’t hacking code; it was hacking people, and it paid millions before the FBI noticed. One group, one informant, one betrayal, and a reminder that the weakest link in crypto is still a phone call.

Source: ironic

Source: 0xleegenz

Want to partner with us?

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.
