Blockchain Security Brief
The weekly record of web3's darkest hours

Monday, March 16, 2026

Top Exploits

Not every disaster starts with a brilliant exploit. Sometimes it starts with a contract nobody audited and an oracle that disagrees with reality.

This week:

Solv Protocol lost $2.73M because an unaudited reserve contract could credit the same position twice. A callback in the BitcoinReserveOffering flow minted BRO tokens once during the NFT transfer and then again when execution returned to the original function, letting an attacker turn 135 BRO into 567M BRO in a single looping transaction and cash out 38 SolvBTC. (Read more)
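The double-credit path behind the Solv incident, reduced to a minimal Solidity sketch. This is an added illustration, not Solv's code: the contract names, the faceValue accessor and the subscribe entry point are assumptions. The vulnerable contract shows only the shape of the bug (one deposit credited in the NFT receive callback and credited again when control returns to the caller); the hardened one credits through a single path, writes its bookkeeping before the external call, and guards against re-entry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Solv's code. IPositionNFT, IBroToken, faceValue and
// subscribe are assumed names for the sake of the example.

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

interface IPositionNFT {
    // safeTransferFrom calls onERC721Received on the recipient if it is a contract.
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
    function faceValue(uint256 tokenId) external view returns (uint256); // assumed accessor
}

interface IBroToken {
    function mint(address to, uint256 amount) external;
}

// VULNERABLE: two code paths credit the same deposit.
contract ReserveVulnerable is IERC721Receiver {
    IPositionNFT public immutable positions;
    IBroToken public immutable bro;

    constructor(IPositionNFT p, IBroToken b) { positions = p; bro = b; }

    // Path 1: the NFT calls back during safeTransferFrom and we mint for the depositor.
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata)
        external override returns (bytes4)
    {
        require(msg.sender == address(positions), "not position NFT");
        bro.mint(from, positions.faceValue(tokenId));
        return IERC721Receiver.onERC721Received.selector;
    }

    // Path 2: subscribe() pulls the NFT (which triggers Path 1) and then mints
    // again once control returns, so every call pays the position out twice.
    function subscribe(uint256 tokenId) external {
        positions.safeTransferFrom(msg.sender, address(this), tokenId);
        bro.mint(msg.sender, positions.faceValue(tokenId));
    }
}

// HARDENED: exactly one path credits a deposit, bookkeeping is written before
// the external call, and a reentrancy guard stops a malicious NFT or token
// from re-entering subscribe() mid-call.
contract ReserveHardened is IERC721Receiver {
    IPositionNFT public immutable positions;
    IBroToken public immutable bro;
    mapping(uint256 => bool) public credited;
    uint256 private _lock = 1;

    constructor(IPositionNFT p, IBroToken b) { positions = p; bro = b; }

    modifier nonReentrant() {
        require(_lock == 1, "reentrant");
        _lock = 2;
        _;
        _lock = 1;
    }

    // The callback only acknowledges receipt; it never mints.
    function onERC721Received(address, address, uint256, bytes calldata)
        external view override returns (bytes4)
    {
        require(msg.sender == address(positions), "not position NFT");
        return IERC721Receiver.onERC721Received.selector;
    }

    // Checks, then effects (credited flag), then the external call, then one mint.
    function subscribe(uint256 tokenId) external nonReentrant {
        require(!credited[tokenId], "already credited");
        credited[tokenId] = true;
        positions.safeTransferFrom(msg.sender, address(this), tokenId);
        bro.mint(msg.sender, positions.faceValue(tokenId));
    }
}
```

The test a reviewer would write against the vulnerable version is a single subscribe() call from an EOA: the BRO balance afterwards is twice the position's face value. Any time a contract both implements a receive hook and has an explicit deposit function that uses the hooked transfer, ask which of the two is the accounting path, because it must be exactly one.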

Aave liquidated $27.78M in healthy wstETH positions because its anti-manipulation oracle mispriced reality. A parameter update from Chaos Labs’ CAPO risk engine pushed wstETH to roughly 2.85% below market, and Aave’s liquidation engine wiped out 34 leveraged accounts in one block even though there was no hack, no bad debt, and no market crash. The safety layer built to stop manipulation became the trigger for the damage, proving once again that configuration errors can be just as destructive as exploits. (Read more)

Deep Dives

ERC-4337 Security: Bundlers, Paymasters, Signatures (7 min read)
Account abstraction turns a simple wallet signature into a distributed system of smart accounts, bundlers, paymasters, and off-chain infrastructure. That flexibility expands the attack surface where replay bugs, hashing mismatches, or weak signature binding can quietly authorize the wrong transaction.
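What "weak signature binding" means in account-abstraction terms, as an added Solidity example; this is not code from the linked article or from any ERC-4337 implementation. MinimalUserOp is a trimmed-down stand-in for the real UserOperation struct, and validateUserOp here is simplified (the reference EntryPoint passes the hash in and uses a different signature), so neither contract is interface-compatible with a real EntryPoint. The hardened hash wraps the inner digest with the EntryPoint address and chain id, the same shape the reference EntryPoint's getUserOpHash uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from any ERC-4337 implementation. The struct below
// is an assumed, reduced form of a UserOperation.
struct MinimalUserOp {
    address sender;
    uint256 nonce;
    bytes callData;
    bytes signature;
}

library SigUtil {
    // Standard 65-byte (r, s, v) split. No low-s malleability check is done
    // here; a production account should add one.
    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        return ecrecover(digest, v, r, s);
    }
}

// WEAK: the owner signs only the callData. Nothing ties the signature to this
// account, this nonce, this EntryPoint or this chain, so one captured signature
// can be replayed on every chain and through every EntryPoint where the
// account exists, and anyone may call validateUserOp.
contract AccountWeakBinding {
    address public immutable owner;
    constructor(address o) { owner = o; }

    function validateUserOp(MinimalUserOp calldata op) external view returns (uint256) {
        bytes32 digest = keccak256(op.callData);
        return SigUtil.recover(digest, op.signature) == owner ? 0 : 1; // 1 = SIG_VALIDATION_FAILED
    }
}

// HARDENED: the digest covers sender, nonce and callData, is wrapped with the
// EntryPoint address and chain id, and only the trusted EntryPoint may call in.
contract AccountBoundSignature {
    address public immutable owner;
    address public immutable entryPoint;
    constructor(address o, address ep) { owner = o; entryPoint = ep; }

    function userOpHash(MinimalUserOp calldata op) public view returns (bytes32) {
        bytes32 inner = keccak256(abi.encode(op.sender, op.nonce, keccak256(op.callData)));
        return keccak256(abi.encode(inner, entryPoint, block.chainid));
    }

    function validateUserOp(MinimalUserOp calldata op) external view returns (uint256) {
        require(msg.sender == entryPoint, "only EntryPoint");
        require(op.sender == address(this), "wrong sender");
        address signer = SigUtil.recover(userOpHash(op), op.signature);
        // ecrecover returns address(0) on failure; never let that match anything.
        return (signer != address(0) && signer == owner) ? 0 : 1;
    }
}
```

The "hashing mismatch" failure mode is the case where the account's userOpHash and the EntryPoint's (or the bundler's) do not agree on which fields are covered: a signature then validates against one view of the operation and a different operation executes. Keep one canonical hash and make every component compute it the same way.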

CrossCurve Bridge Hack: an integration blunder that cost millions of dollars (18 min read)
CrossCurve’s bridge exploit wasn’t a cryptographic failure but an integration mistake. A publicly callable expressExecute() function inherited from Axelar’s SDK allowed attackers to inject a spoofed cross-chain message and trigger token unlocks without proper gateway validation. Combined with a bridge “consensus” threshold effectively set to one, the attacker bypassed the entire security model and drained millions across Ethereum and Arbitrum.
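The integration mistake described above, sketched in Solidity as an added example; this is not CrossCurve's or Axelar's code. IGateway is a simplified stand-in for an approve-then-validate gateway and does not reproduce the real SDK's interface, the single-relayer express path is an assumption, and the payload layout (recipient, amount) is invented for the example. The validator threshold the summary mentions lives inside the gateway and is not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not CrossCurve's or Axelar's code. IGateway is a simplified
// stand-in; the real SDK's interface names and signatures are not reproduced.
interface IGateway {
    // Consumes a validator-approved message; returns false if no approval exists.
    function validateContractCall(bytes32 commandId, string calldata sourceChain,
        string calldata sourceAddress, bytes32 payloadHash) external returns (bool);
}

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: expressExecute is public and trusts its own arguments, so anyone
// can craft a payload naming themselves as recipient and unlock liquidity the
// gateway never approved.
contract BridgeReceiverVulnerable {
    IERC20Like public immutable token;
    constructor(IERC20Like t) { token = t; }

    function expressExecute(bytes32, string calldata, string calldata, bytes calldata payload) external {
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        require(token.transfer(to, amount), "transfer failed");
    }
}

// HARDENED: the express path is restricted to an allowlisted relayer that
// fronts its own funds, and bridge liquidity leaves only after the gateway has
// approved the message and the source chain/sender are the expected ones.
contract BridgeReceiverHardened {
    IGateway public immutable gateway;
    IERC20Like public immutable token;
    address public immutable expressRelayer;
    bytes32 public immutable trustedSourceChain;   // keccak256 of the chain name
    bytes32 public immutable trustedSourceAddress; // keccak256 of the remote sender string
    mapping(bytes32 => address) public frontedBy;  // message key => relayer that paid early
    mapping(bytes32 => bool) public executed;

    constructor(IGateway g, IERC20Like t, address relayer, string memory chain, string memory remote) {
        gateway = g;
        token = t;
        expressRelayer = relayer;
        trustedSourceChain = keccak256(bytes(chain));
        trustedSourceAddress = keccak256(bytes(remote));
    }

    function _checkSource(string calldata sourceChain, string calldata sourceAddress) internal view {
        require(keccak256(bytes(sourceChain)) == trustedSourceChain, "untrusted source chain");
        require(keccak256(bytes(sourceAddress)) == trustedSourceAddress, "untrusted source address");
    }

    // One key per (commandId, source, payload) so an express payment can only be
    // reimbursed by the exact message it fronted.
    function _messageKey(bytes32 commandId, string calldata sourceChain,
        string calldata sourceAddress, bytes calldata payload) internal pure returns (bytes32) {
        return keccak256(abi.encode(commandId, sourceChain, sourceAddress, keccak256(payload)));
    }

    // Express: the relayer pays the recipient from its own balance now and is
    // reimbursed in execute() once the gateway approves the same message.
    function expressExecute(bytes32 commandId, string calldata sourceChain,
        string calldata sourceAddress, bytes calldata payload) external {
        require(msg.sender == expressRelayer, "not the express relayer");
        _checkSource(sourceChain, sourceAddress);
        bytes32 key = _messageKey(commandId, sourceChain, sourceAddress, payload);
        require(!executed[key] && frontedBy[key] == address(0), "already handled");
        frontedBy[key] = msg.sender;
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        require(token.transferFrom(msg.sender, to, amount), "relayer transfer failed");
    }

    // Standard: bridge liquidity moves only for a message the gateway approved.
    function execute(bytes32 commandId, string calldata sourceChain,
        string calldata sourceAddress, bytes calldata payload) external {
        _checkSource(sourceChain, sourceAddress);
        bytes32 key = _messageKey(commandId, sourceChain, sourceAddress, payload);
        require(!executed[key], "replay");
        require(gateway.validateContractCall(commandId, sourceChain, sourceAddress, keccak256(payload)),
            "not approved by gateway");
        executed[key] = true;
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        address relayer = frontedBy[key];
        // If a relayer fronted this exact message, reimburse it instead of paying twice.
        require(token.transfer(relayer == address(0) ? to : relayer, amount), "transfer failed");
    }
}
```

The point to check in any gateway integration is which function actually moves bridge-owned funds and whether every route to it passes through the gateway's validation. An inherited express path that skips validation and is callable by anyone is exactly the route that must not exist.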

The Builders’ Security Playbook: A 3-Phase Framework for Protocol and Chain Security (7 min read)
Most Web3 security failures don’t come from a single bug. They happen when defenses stop evolving as a protocol moves from development to launch to live operation with real users and real capital. Securing onchain systems means treating security as a lifecycle problem where code, deployment controls, and continuous monitoring all matter as much as the initial audit.

Produced by SlowMist | OpenClaw Security Practice Guide - Minimalist Deployment (12 min read)
AI agents with terminal or root access can automate complex operations, but they also introduce a new class of security risk. SlowMist’s OpenClaw security guide proposes a layered defense model built around three phases of agent behavior: pre-action controls, in-action safeguards, and post-action auditing.

Autonomous AI in DeFi: The Security Framework We Need (22 min read)
AI agents are starting to manage wallets, execute trades, and interact with DeFi protocols autonomously. That automation introduces new risks where prompt injection, poisoned data, compromised dependencies, or excessive token approvals can push an agent to execute malicious transactions. Securing AI-driven DeFi systems means combining traditional smart contract safeguards with guard models, cryptographic verification, and strict execution controls around what agents are allowed to do.

Rekt Security Summit

We’re looking forward to welcoming you to the Rekt Security Summit - one day with the researchers, auditors, white hats, and exploit investigators who actually document where crypto breaks.

Use code REKTfrens20 for 20% off your ticket before spots fill up.

March 27, 2026

Cannes

Other Security Stories

Trust Wallet adds address-poisoning detection to stop copy-paste wallet scams. The new feature screens destination addresses against databases of known lookalike wallets to prevent users from accidentally sending funds to attacker-controlled addresses.

Scammers impersonate U.S. officials to steal permit payments. Victims receive phishing emails referencing real zoning applications and are pressured to pay fake fees via wire transfers, P2P apps and crypto.

Hackers are using AI to accelerate cyberattacks. Microsoft says threat actors now rely on generative AI to write phishing emails, build malware, create fake identities, and automate parts of the attack lifecycle.

Post-quantum cryptography could break how exchanges generate deposit addresses. Researchers warn that some quantum-resistant signature schemes would remove BIP32's non-hardened public derivation (deriving fresh child public keys from an extended public key alone), forcing custodial platforms to involve private keys whenever new deposit addresses are created.

Malicious npm package disguised as an OpenClaw installer deploys data-stealing RAT. The package used a fake CLI setup and password prompt to steal system credentials, crypto wallets, SSH keys, and browser sessions before installing persistent remote access malware.

Security Events

Rekt Security Summit
March 27, 2026 | Cannes, France
A security summit built around real exploits, not theory. One day with the researchers, auditors, and investigators who actually break, defend, and dissect protocols, covering exploit mechanics, audit blind spots, bounty economics, insider threats, and what security costs when billions are on the line.

BOTCONF 2026
April 14 - April 17, 2026 | Reims, France
Botnets, malware, threat intel, and incident response with a much more operator-heavy feel than expo-floor security conferences.

Black Hat Asia 2026
April 21 - April 24, 2026 | Singapore
Hands-on trainings plus briefings that skew technical, with real attacker tradecraft and defensive engineering instead of slideware.

OffensiveCon 2026
May 15 - May 16, 2026 | Berlin, Germany
A dense, highly technical offensive security conference focused on exploitation, vuln research, and reverse engineering.

Gartner Security & Risk Management Summit 2026
June 1 - June 3, 2026 | Maryland, United States
Executive-heavy, strategy-heavy, and built for CISOs, risk leads, and enterprise security managers.

Rekt Flashback

Two years ago, Unizen showed how a single upgrade can turn a routine optimization into an attack surface. A gas-saving update to the DEX aggregation contract introduced an unverified external call, letting attackers drain tokens from users who had previously granted spending approvals and walking away with about $2.1M across multiple transactions. Same upgradeable contract risk, same missing audit on the new code path, same reminder that the most dangerous bugs often arrive not with a launch, but with an update.
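The pattern behind the Unizen flashback, as an added Solidity example that is not Unizen's code: an aggregator that holds standing token approvals from its users and exposes an arbitrary external call. Contract and function names are assumptions, and the hardened version handles only the input side of a swap (output-token accounting is omitted); it bounds the damage an attacker-chosen calldata can do to the caller's own amountIn.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Unizen's code; names are assumptions.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE: the aggregator holds approvals from many users, and this function
// lets any caller make it execute arbitrary calldata against any address. With
// target = token and data = transferFrom(victim, attacker, amount), every
// outstanding approval becomes a free withdrawal.
contract AggregatorVulnerable {
    function swapVia(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// HARDENED: only allowlisted routers can be called, only the caller's own
// approval is consumed and only for the stated amount, and the router's
// allowance is granted per call and revoked afterwards.
contract AggregatorHardened {
    address public immutable admin;
    mapping(address => bool) public allowedRouter;

    constructor(address a) { admin = a; }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == admin, "not admin");
        allowedRouter[router] = allowed;
    }

    function swapVia(IERC20Like tokenIn, uint256 amountIn, address router, bytes calldata data) external {
        require(allowedRouter[router], "router not allowlisted");
        require(router != address(tokenIn), "router cannot be the token");
        // Pull exactly amountIn from msg.sender; no other user's allowance is touched.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(tokenIn.approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "router call failed");
        // Revoke so a later call cannot reuse this allowance.
        require(tokenIn.approve(router, 0), "revoke failed");
    }
}
```

When reviewing an upgrade to a contract like this, the question is not only whether the new code path was audited but whether it introduces a new caller-controlled call target or calldata. Anything that lets a user choose the target of a call made by a contract holding approvals is a drain waiting for an invocation.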

Memes and Videos

Inside the World of Cyber Mercenaries: Hacking for Profit

Spyware companies sold tools that turned journalists’ and dissidents’ devices into live surveillance feeds. When hacker Phineas Fisher breached Hacking Team, 400GB of leaked files exposed the global cyber-spyware market.

Source: Blueprint

Want to partner with us?

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.