
Blockchain Security Brief
The weekly record of web3's darkest hours
Monday, March 23, 2026

Top Exploits
One system didn’t stop it. The other never fixed it. Both ended in losses.
This week:
• A $50M Aave position got wiped because a collateral swap routed through a pool with ~$74K in liquidity. A CoW Protocol solver converted USDT → WETH correctly, then pushed 17,957 WETH into a SushiSwap AAVE pool holding just 17.65 WETH. The AMM did its job, pricing along the curve, and returned 327 AAVE (~$36K). No hack, no failure, just catastrophic price impact baked into the route before execution. (Read more)
• Venus Protocol lost $3.7M after a nine-month setup exploited a known “donation attack” vector to bypass supply caps. The attacker accumulated 84% of the supply, then inflated collateral by directly transferring tokens to the contract, manipulating the exchange rate and recursively borrowing against it. The exact vulnerability had been flagged in a 2023 audit and exploited once before in 2025, but was dismissed as “no negative side effects.” (Read more)
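Two of the mechanics above come down to arithmetic a route planner or a lending market can check before execution. The following is an added example, not code from Aave, CoW Protocol, SushiSwap or Venus: a constant-product (x*y = k) swap model that reproduces the AAVE pool outcome and shows what a price-impact guard would have returned, followed by a simplified Compound-style market that contrasts an exchange rate derived from the contract's raw token balance with one derived from internally tracked cash. The AAVE reserve (327.3) is back-solved from the 327 AAVE the page says was received and is a constructed value; the market sizes, 84% holding and supply cap in the second scenario are constructed too.

```python
"""Added example: price-impact guard for a constant-product pool, and
donation-resistant exchange-rate accounting for a lending market."""
from dataclasses import dataclass


# ---- Part 1: constant-product swap and price impact -----------------------

def cpmm_amount_out(reserve_in: float, reserve_out: float,
                    amount_in: float, fee_bps: int = 30) -> float:
    """Uniswap-v2/SushiSwap style output: x*y = k, fee taken from the input."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("reserves and amount_in must be positive")
    amount_in_after_fee = amount_in * (10_000 - fee_bps) / 10_000
    return reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)


def price_impact(reserve_in: float, reserve_out: float,
                 amount_in: float, fee_bps: int = 30) -> float:
    """Fraction of value lost against the pre-trade spot price (0 = none, 1 = all)."""
    spot = reserve_out / reserve_in                       # out-per-in before the trade
    executed = cpmm_amount_out(reserve_in, reserve_out, amount_in, fee_bps) / amount_in
    return 1.0 - executed / spot


def route_is_acceptable(reserve_in: float, reserve_out: float, amount_in: float,
                        max_impact_bps: int = 100, fee_bps: int = 30) -> bool:
    """The pre-execution check a solver or router should run on every hop."""
    return price_impact(reserve_in, reserve_out, amount_in, fee_bps) * 10_000 <= max_impact_bps


# Constructed reserves: 17.65 WETH is from the page; 327.3 AAVE is back-solved
# from the ~327 AAVE received and is an assumption.
POOL_WETH = 17.65
POOL_AAVE = 327.3
SWAP_WETH_IN = 17_957.0


# ---- Part 2: exchange-rate accounting in a lending market ------------------

@dataclass
class Market:
    """Simplified vToken-style market; not any real protocol's code."""
    token_balance: float          # what ERC-20 balanceOf(market) would return
    internal_cash: float          # cash credited only by mint/redeem/borrow/repay
    total_borrows: float
    reserves: float
    total_supply: float           # vTokens outstanding
    supply_cap: float             # max underlying accepted through mint()
    use_internal_accounting: bool = False

    def cash(self) -> float:
        return self.internal_cash if self.use_internal_accounting else self.token_balance

    def exchange_rate(self) -> float:
        return (self.cash() + self.total_borrows - self.reserves) / self.total_supply

    def total_supplied(self) -> float:
        return self.total_supply * self.exchange_rate()

    def mint(self, amount: float) -> float:
        """The only path that enforces the supply cap."""
        if self.total_supplied() + amount > self.supply_cap:
            raise ValueError("supply cap reached")
        minted = amount / self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.total_supply += minted
        return minted

    def donate(self, amount: float):
        """A plain ERC-20 transfer to the contract: no mint, no cap check."""
        self.token_balance += amount

    def collateral_value(self, vtokens: float) -> float:
        return vtokens * self.exchange_rate()


def run_donation_scenario(use_internal_accounting: bool) -> dict:
    """Constructed scenario: a supplier holding 84% of vTokens donates 500k underlying."""
    m = Market(token_balance=900_000, internal_cash=900_000, total_borrows=0,
               reserves=0, total_supply=900_000, supply_cap=1_000_000,
               use_internal_accounting=use_internal_accounting)
    holder_vtokens = 0.84 * m.total_supply
    before = m.collateral_value(holder_vtokens)
    m.donate(500_000)               # bypasses mint() and therefore the cap check
    after = m.collateral_value(holder_vtokens)
    return {"supply_cap": m.supply_cap, "collateral_before": before,
            "collateral_after": after, "rate_after": m.exchange_rate()}


if __name__ == "__main__":
    print("AAVE out:", round(cpmm_amount_out(POOL_WETH, POOL_AAVE, SWAP_WETH_IN), 2))
    print("impact:", f"{price_impact(POOL_WETH, POOL_AAVE, SWAP_WETH_IN):.2%}")
    print("route ok:", route_is_acceptable(POOL_WETH, POOL_AAVE, SWAP_WETH_IN))
    print("balanceOf-based:", run_donation_scenario(False))
    print("internal cash:  ", run_donation_scenario(True))
```

With the constructed reserves the model returns about 327 AAVE for the 17,957 WETH input and a price impact above 99%, so a per-hop impact ceiling of even a few percent rejects the route; a 0.01 WETH sale into the same pool passes. In the market model, the balanceOf-based exchange rate lets a donation lift the holder's collateral value past the supply cap without ever calling mint(), while the internally accounted rate is unchanged by the same transfer.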
Deep Dives
Threat Modeling for Canton-based Applications (28 min read)
Canton flips the blockchain model into a private, multi-party system where no one sees the full state, but everyone depends on it. That breaks traditional threat modeling. Security shifts from protecting a single system to securing relationships between institutions, data visibility boundaries, and cross-domain workflows.
Hiding in Plain Sight: zERC20 and zk-Proof-of-Burn (21 min read)
Most privacy tools force you to announce that you’re using them. zERC20 flips that model by making private transfers indistinguishable from ordinary token sends, routing funds through stealth addresses that look like dead wallets and proving ownership later with zero-knowledge proofs.
Securing AI Agents: 5 Rules to Stop Autonomous Takeovers (7 min read)
AI agents don’t just generate code anymore; they execute it. The real risk isn’t what they can do, but what they’re allowed to do when something goes wrong.
Security Theater vs Real Detection: The Biggest Mistake in Evaluating Monitoring Solutions (12 min read)
Most security platforms look impressive in demos because they show what already happened. The real test is whether they detect attacks before funds move. The difference between a logged alert and a real-time signal is the difference between preventing a hack and writing a post-mortem.
x402 Explained: Security Risks & Controls for HTTP 402 Micropayments (8 min read)
The long-abandoned HTTP 402 status code is finally being used to turn web requests into on-demand payments. Instead of subscriptions or API keys, servers can require stablecoin payments before serving content, unlocking agent-to-agent commerce at machine speed. But once every request can trigger a payment, risks like replay attacks, prompt injection, and wallet draining become part of the web stack.
Rekt Security Summit
We’re looking forward to welcoming you to the Rekt Security Summit - one day with the researchers, auditors, white hats, and exploit investigators who actually document where crypto breaks.
Use code REKTfrens20 for 20% off your ticket before spots fill up.
March 27, 2026
Cannes
Other Security Stories
Invisible Unicode code is being used to hide malware in supply-chain attacks. Researchers found over 150 packages where malicious payloads are invisible to humans but executed by machines, bypassing traditional code review defenses.
Crypto wrench attacks escalate in France. Police arrested suspects after a crypto entrepreneur’s father was kidnapped and assaulted, part of a growing trend of physical attacks targeting crypto holders for ransom.
North Korea’s fake IT worker scheme infiltrates companies using stolen identities and AI-generated personas. Operatives secure remote jobs, steal sensitive data, and funnel salaries and extorted funds into the regime’s weapons programs.
Forensics link Milei to payments from a $LIBRA lobbyist. The financial relationship dates back to 2021 and intensified after he took office, raising new concerns over his links to the token’s collapse.
Nordstrom emails were hijacked to push crypto scams. Attackers sent messages from a legitimate company address promising to double deposits, tricking customers into sending funds before the breach was flagged.
Security Jobs
Lead Security Engineer, Solana Foundation, Remote
Security Governance Engineer, OKX, Hong Kong
Senior Product Security Engineer, Zinnia, Noida, Uttar Pradesh, India
Security Engineer, Exodus, Remote (EMEA)
DevOps Security Engineer, Blockdaemon, United Kingdom
Rekt Flashback
Three years ago, Safemoon showed how a single upgrade can turn “locked liquidity” into an illusion. A contract update exposed a publicly callable burn() function, letting anyone destroy tokens from the SFM/BNB pool, inflate the price, and drain ~$8.9M in BNB. Same upgradeable contract risk, same missing safeguards on critical functions, same reminder that in DeFi, the biggest exploits don’t always come from attackers - but from the code you just shipped.
Memes and Videos
The Math Genius Who Hacked Sports Betting Legally
He turned gambling into code and broke the sportsbooks with it. Built a model that saw the game before it happened and printed millions until they banned him everywhere.
Want to partner with us?
Skip the bots, hit the brains.
Get your message in front of the sharpest, most battle-tested crowd in crypto.
If they notice you, the whole space will. [Partner with us]
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.