Blockchain Security Brief
The weekly record of web3's darkest hours

Tuesday, March 31, 2026

Top Exploits

One parameter wasn’t checked. One backend got compromised. The mint never stood a chance.

This week:

Resolv Labs lost $25M after an unchecked mint parameter let a compromised SERVICE_ROLE backend decide how many tokens to print. The attacker deposited just $300K USDC but minted over 80M USR across three transactions, collapsing the peg and still walking away with ~$25M. No oracle manipulation, no complex exploit, just blind trust in off-chain logic controlling on-chain money printers.
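The pattern is easier to see in code. The following is an added illustration, not Resolv's contracts: the contract, role and function names (VulnerableMinter, HardenedMinter, SERVICE_ROLE, the USDC/USR interfaces, the cap values) are assumptions. The first contract lets a role-gated backend pick the mint amount freely; the second derives it from the collateral that actually arrived and caps it on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only. Not Resolv's code; all names and numbers are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IMintable {
    function mint(address to, uint256 amount) external;
}

// Pattern A: the backend supplies both the collateral it claims to collect and
// the amount of stablecoin to mint. Nothing on-chain ties the two together, so
// whoever holds the SERVICE_ROLE key holds the money printer.
contract VulnerableMinter {
    IERC20 public immutable usdc;
    IMintable public immutable usr;
    mapping(address => bool) public hasServiceRole; // SERVICE_ROLE (assumed name)

    constructor(IERC20 _usdc, IMintable _usr, address backend) {
        usdc = _usdc;
        usr = _usr;
        hasServiceRole[backend] = true;
    }

    // `usrAmount` is trusted as given: $300K in, 80M out is a valid call.
    function mint(address user, uint256 usdcAmount, uint256 usrAmount) external {
        require(hasServiceRole[msg.sender], "not service");
        require(usdc.transferFrom(user, address(this), usdcAmount), "transfer failed");
        usr.mint(user, usrAmount);
    }
}

// Pattern B: the backend may still trigger the mint, but it cannot choose the
// amount. The contract measures what arrived, converts at a fixed on-chain
// rate, and enforces per-transaction and per-day ceilings, so a stolen key is
// bounded by the caps instead of the total supply.
contract HardenedMinter {
    IERC20 public immutable usdc;
    IMintable public immutable usr;
    mapping(address => bool) public hasServiceRole;

    uint256 public constant PER_TX_CAP = 1_000_000e18;  // assumed ceiling
    uint256 public constant DAILY_CAP = 5_000_000e18;   // assumed ceiling
    mapping(uint256 => uint256) public mintedOnDay;     // day index => USR minted

    constructor(IERC20 _usdc, IMintable _usr, address backend) {
        usdc = _usdc;
        usr = _usr;
        hasServiceRole[backend] = true;
    }

    function mint(address user, uint256 usdcAmount) external {
        require(hasServiceRole[msg.sender], "not service");

        // Measure the deposit rather than trusting the caller's number. This also
        // survives fee-on-transfer tokens, which would make `usdcAmount` a lie.
        uint256 before = usdc.balanceOf(address(this));
        require(usdc.transferFrom(user, address(this), usdcAmount), "transfer failed");
        uint256 received = usdc.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");

        // Derive the mint amount on-chain: 1 USDC (6 decimals) => 1 USR (18 decimals).
        uint256 usrAmount = received * 1e12;
        require(usrAmount <= PER_TX_CAP, "per-tx cap");
        _consumeDailyCap(usrAmount);

        usr.mint(user, usrAmount);
    }

    function _consumeDailyCap(uint256 amount) internal {
        uint256 day = block.timestamp / 1 days;
        uint256 total = mintedOnDay[day] + amount;
        require(total <= DAILY_CAP, "daily cap");
        mintedOnDay[day] = total;
    }
}
```

The caps are a second line of defence, not a substitute for the first: the important change is that the minted quantity is a function of on-chain state, so compromising the backend buys an attacker a trigger, not a number.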

Rekt Security Summit

We’re grateful to everyone who showed up for the Rekt Security Summit - pulling together some of the sharpest builders and security minds in the space under one roof.

It was a privilege to have people like Patrick Collins, Emilio from Aave, and teams from Trail of Bits, Hacken, Immunefi, Certora, Cork Protocol, and many others in the room, sharing expert insights and pushing the conversation forward where it actually matters.

Deep Dives

Six mistakes in ERC-4337 smart accounts (16 min read)
Account abstraction makes wallets programmable, but it also turns every design mistake into a potential private-key leak in slow motion. After auditing dozens of ERC-4337 accounts, researchers keep finding the same failures: weak access control, incomplete signature checks, replay bugs, unsafe validation logic, and execution paths that still burn gas even when they revert.
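As an added example, not code from the linked article, here is a stripped-down ERC-4337 account that addresses the listed failure classes in the two functions where they usually appear. The PackedUserOperation layout follows ERC-4337 v0.7; the contract name, helper names and the owner/EntryPoint wiring are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only; not the article's code. Names other than the ERC-4337
// struct fields are assumptions.
struct PackedUserOperation {
    address sender;
    uint256 nonce;
    bytes initCode;
    bytes callData;
    bytes32 accountGasLimits;
    uint256 preVerificationGas;
    bytes32 gasFees;
    bytes paymasterAndData;
    bytes signature;
}

contract MinimalAccount {
    uint256 internal constant SIG_VALIDATION_FAILED = 1;
    // secp256k1 half-order: reject high-s signatures so one op has one signature.
    uint256 internal constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable entryPoint;
    address public immutable owner;

    constructor(address _entryPoint, address _owner) {
        entryPoint = _entryPoint;
        owner = _owner;
    }

    // Access control: only the EntryPoint may run validation. Without this,
    // anyone can call it directly and drain the account through missingAccountFunds.
    modifier onlyEntryPoint() {
        require(msg.sender == entryPoint, "not EntryPoint");
        _;
    }

    function validateUserOp(
        PackedUserOperation calldata userOp,
        bytes32 userOpHash,
        uint256 missingAccountFunds
    ) external onlyEntryPoint returns (uint256 validationData) {
        // Replay: the signature must cover userOpHash, which the EntryPoint
        // derives from the whole op plus its own address and the chain id.
        // Signing only callData lets the same op be resubmitted with a new
        // nonce, through another EntryPoint, or on another chain.
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash)
        );
        address signer = _recover(digest, userOp.signature);

        // Validation logic: report failure with the return code instead of
        // reverting, as the spec asks, so bundlers can simulate cleanly.
        validationData = signer == owner ? 0 : SIG_VALIDATION_FAILED;

        // Nonce uniqueness is enforced by the EntryPoint; the account only pays
        // its prefund. The EntryPoint checks the deposit, so the result is ignored.
        if (missingAccountFunds != 0) {
            (bool ok, ) = payable(msg.sender).call{value: missingAccountFunds}("");
            (ok);
        }
    }

    // Execution: reachable only via the EntryPoint (or the owner directly).
    // Note that a revert here does not undo validation: the op has already been
    // paid for, which is the "burns gas even when it reverts" failure mode.
    function execute(address target, uint256 value, bytes calldata data) external {
        require(msg.sender == entryPoint || msg.sender == owner, "not authorized");
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }

    // Incomplete signature checks: enforce length, v range and low-s before
    // ecrecover, and treat address(0) from ecrecover as a failed recovery.
    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (uint256(s) > HALF_N) return address(0);
        if (v != 27 && v != 28) return address(0);
        return ecrecover(digest, v, r, s);
    }

    receive() external payable {}
}
```

The comparison with the owner happens after recovery, so an address(0) result from a malformed signature can never match, and the failure is reported rather than thrown; both details are where real accounts most often go wrong.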

The Full Story of the LiteLLM Supply Chain Attack (7 min read)
A compromised CI/CD pipeline turned one of the most widely used AI libraries into a credential-stealing backdoor. Attackers poisoned LiteLLM via a tampered security tool, exfiltrating SSH keys, cloud creds, and wallet data at scale while planting persistent access across infected systems.

Explained: The Venus Protocol Hack (March 2026) (4 min read)
A known donation flaw let an attacker bypass Venus’s supply cap, inflate collateral 3.8×, and borrow against liquidity that never should’ve existed. The vulnerability had already been flagged in audits and exploited once before, but was left untouched, turning a nine-month setup into a $2M bad debt event.

Hardening OpenClaw on Aleph Cloud: Step by Step Defence for Frontier AI Agents (17 min read)
OpenClaw turns AI agents into systems that can read, act, and execute, which means every input becomes a potential attack surface. The real risk isn't the model but the pipeline: prompts, tools, files, and outbound access all create paths for prompt injection, data exfiltration, and code execution.

Movie Token Incident Analysis (3 min read)
A flawed sell function counted the same tokens twice, once for the swap and once for a pending burn, creating an artificial supply shock. The attacker used this to distort pool reserves, inflate price, and drain ~$242K via a flash loan loop.

Other Security Stories

“Wrong number” texts led to a $3.4M crypto scam. Victims were slowly groomed into a fake ETH investment tied to gold, buying assets themselves before sending funds to attacker wallets in a classic pig-butchering scheme.

Fake war posts fueled a crypto scam network on X. Attackers used AI-generated personas and viral geopolitical content to farm engagement before pivoting into fake giveaways and pump-and-dump schemes, netting six-figure profits.

GlassWorm malware hijacks dev tools to steal crypto and credentials. Attackers distribute poisoned packages that deploy multi-stage payloads, exfiltrate wallets and browser data, and even hide command-and-control instructions inside Solana transactions.

Fake resumes deliver malware to corporate targets. Victims open booby-trapped CVs that deploy credential stealers and crypto miners, using Dropbox, WordPress, and SMTP infrastructure to exfiltrate data in under 25 seconds.

Fraud is now a multi-stage pipeline, not a single attack. Attackers chain bots, proxies, stolen identities, and human sessions across the lifecycle, bypassing single-signal defenses that only see one step at a time.

Audited Last Month

Hacken audited Newrails’ upgradeable ERC-20 stablecoin, covering role-based minting quotas, blacklist/pausing enforcement, and EIP-712 authorization flows. The review reported 9 findings with no critical, high, or medium issues, identifying 4 low-severity risks around blacklist inconsistencies, improper allowance updates enabling excess minting, and privileged interaction gaps.

Cantina audited Clove’s spot settlement and vault system, covering order matching, replay protection, nonce handling, and collateral flows. The review reported 9 findings including 2 high issues, all resolved, primarily around replay attacks via non-canonical fill IDs, missing nonce enforcement, and insecure mock collateral deployment.

Halborn audited Temple’s DAML smart contract updates on Canton, focusing on settlement, delegation, and asset lifecycle logic between versions 4.0.1 and 4.1.1. The review reported 4 informational findings with no critical, high, or medium issues, highlighting minor concerns around allocation handling, role validation, and assertion messaging, all addressed in the final release.

Hacken audited Overlayer’s stablecoin and staking system, covering mint/redeem, vault mechanics, and cross-chain flows. The review reported 11 findings including 2 high and 2 medium issues, all resolved, primarily around blacklist bypass, supply inconsistencies causing potential DoS, cooldown manipulation, and admin control risks.

Nethermind reviewed Tori Finance’s synthetic stablecoin system (trUSD, staking vault, and cross-chain LayerZero setup), identifying 14 issues with no critical/high risks. The main concern allowed blacklisted users to withdraw funds via the cooldown silo, alongside design gaps in access control, nonce handling, and ERC-4626 compliance, with most issues fixed and the rest acknowledged as trade-offs or improvements.

Rekt Flashback

A year ago, Zoth showed how a single compromised admin key can turn protocol control into an attacker's kill switch. A stolen deployer wallet enabled a malicious proxy upgrade, letting the attacker drain ~$8.4M in USD0++ tokens, swap to DAI, and disappear within minutes. Same admin key risk, same overreliance on privileged access, same reminder that in DeFi, the biggest exploits don't always break the code - they take control of it.

Memes and Videos

How China Hacked a $1,700,000,000,000 Military Project

He didn’t hack the jet. He hacked the people. Years of social engineering and phishing turned insiders into access points, leaking F-35 secrets piece by piece. No single breach - just a slow, systematic theft of one of the world’s most advanced weapons.

Source: Cybernews

Source: 0xTenzai

Want to partner with us?

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.
