
Blockchain Security Brief
The weekly record of web3's darkest hours
Monday, March 9, 2026

Top Exploits
Zero-knowledge proofs promised a world where you don’t trust the team, you trust the math. This week showed what happens when the math ships unfinished and nobody checks the setup.
This week:
• FoomCash lost $2.26M because its zero-knowledge verifier was broken from deployment. The Groth16 verifier had γ and δ set to the same elliptic curve point, collapsing the proof system’s soundness so any withdrawal proof would verify as valid. Attackers simply forged proofs in a loop and drained the protocol across Ethereum and Base until whitehats intervened. (Read more)
• Veil Cash got drained after the exact same Groth16 misconfiguration left its verifier accepting any proof. The protocol shipped with default trusted-setup values still in place, allowing an attacker to fabricate nullifier hashes and withdraw funds without ever depositing. A single transaction looped withdrawals 29 times and emptied the pool before security researchers stepped in to rescue the remaining funds. (Read more)
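Both incidents above come down to a verifying key that should never have passed a pre-deployment sanity check. The following is an added example, not code from FoomCash, Veil Cash or any verifier library: a small Python check over a Groth16 verifying key in the snarkjs verification_key.json layout (field names vk_alpha_1, vk_beta_2, vk_gamma_2, vk_delta_2, IC, nPublic are assumed) that flags gamma == delta, points at infinity, out-of-field coordinates and a mismatched public-input count. Sample keys are constructed placeholders, not real curve points.

```python
import json

# BN254 base-field prime: every coordinate of a verifying-key point must lie in [0, P).
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583

def flatten(coords):
    """Yield every coordinate of a (possibly nested) snarkjs-style point as an int."""
    for c in coords:
        if isinstance(c, list):
            yield from flatten(c)
        else:
            yield int(c)

def is_identity(point):
    """Projective points store z last; z == 0 is the point at infinity."""
    z = point[2]
    return all(v == 0 for v in flatten(z if isinstance(z, list) else [z]))

def check_groth16_vk(vk):
    """Return a list of problems found in a Groth16 verifying key (empty means it passed).
    Structural checks only: on-curve and subgroup membership need Fp2 arithmetic and are
    not performed here, so a clean result is necessary, not sufficient."""
    problems = []
    if vk["vk_gamma_2"] == vk["vk_delta_2"]:
        problems.append("gamma == delta: the verifier accepts a proof for any statement")
    for name in ("vk_alpha_1", "vk_beta_2", "vk_gamma_2", "vk_delta_2"):
        if is_identity(vk[name]):
            problems.append(f"{name} is the point at infinity")
        if not all(0 <= v < P for v in flatten(vk[name])):
            problems.append(f"{name} has a coordinate outside the base field")
    if len(vk["IC"]) != vk["nPublic"] + 1:
        problems.append(f"IC has {len(vk['IC'])} entries, expected {vk['nPublic'] + 1}")
    return problems

# Constructed sample keys in the shape json.load() gives for a snarkjs verification_key.json
# (coordinates are placeholders, not real points). BAD_VK reproduces the gamma == delta
# misconfiguration described above by reusing the gamma point as delta.
GOOD_VK = {
    "nPublic": 2,
    "vk_alpha_1": ["11", "12", "1"],
    "vk_beta_2": [["21", "22"], ["23", "24"], ["1", "0"]],
    "vk_gamma_2": [["31", "32"], ["33", "34"], ["1", "0"]],
    "vk_delta_2": [["41", "42"], ["43", "44"], ["1", "0"]],
    "IC": [["51", "52", "1"], ["53", "54", "1"], ["55", "56", "1"]],
}
BAD_VK = json.loads(json.dumps(GOOD_VK))      # deep copy of the good key
BAD_VK["vk_delta_2"] = BAD_VK["vk_gamma_2"]    # same G2 point for gamma and delta

if __name__ == "__main__":
    for label, vk in (("good", GOOD_VK), ("bad", BAD_VK)):
        print(label, check_groth16_vk(vk) or "ok")
```

Run it against the verification_key.json that the on-chain verifier was generated from; any non-empty result should block deployment regardless of what the audit report says.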
Deep Dives
BlockSec Releases the 2025 Crypto Crime Report (58 min read)
BlockSec’s 2025 Crypto Crime Report shows how illicit activity is becoming more structured, concentrated, and professionalized. Sanctions-related flows surged by nearly $100B, Lazarus continued large-scale laundering after the $1.5B Bybit exploit, and stablecoins increasingly became both the tool for crime and the enforcement point for freezing funds.
LLMs in Smart Contract Audits Need Evidence (12 min read)
LLMs are useful in smart contract security, but only when they act like hypothesis engines - not oracles. They can quickly map unfamiliar code, spot suspicious logic, and suggest exploit paths, but none of that matters unless the claim comes with proof: a failing test, a concrete trace, or a verified invariant break.
Solv Protocol $2.5M Exploit: Double Mint Bug (Explained) (6 min read)
A small logic mistake in Solv’s minting process let an attacker create tokens twice in the same action. When an NFT transfer triggered a callback, the contract minted tokens there and then minted them again when the original function resumed. By repeating this loop 22 times in one transaction, the attacker inflated 135 BRO tokens into 567M and converted part of them into 1211 ETH.
Quantum Computing’s Threat to Blockchain: The Enduring Need for Secure Keys (20 min read)
Quantum computers could eventually break the cryptography that protects today’s wallets by deriving private keys from exposed public keys. Post-quantum signature schemes already exist, but they come with trade-offs like larger signatures, heavier computation, and difficult implementations inside constrained hardware wallets.
Month in Review: Top DeFi Hacks of February 2026 (4 min read)
February was quieter than January, but four major exploits still drained about $23.5M across CrossCurve, IoTeX, YieldBlox, and FoomCash. The attacks ranged from bridge validation flaws and compromised admin keys to oracle manipulation and cryptographic misconfiguration. The pattern remains the same: bridges and price feeds continue to be prime targets, and most failures still come from broken assumptions rather than complex code exploits.
Rekt Security Summit
We’re looking forward to welcoming you to the Rekt Security Summit - one day with the researchers, auditors, white hats, and exploit investigators who actually document where crypto breaks.
Use code REKTfrens20 for 20% off your ticket before spots fill up.
March 27, 2026
Cannes
Other Security Stories
ClickFix scams impersonate VCs to steal crypto wallets. Attackers pose as venture capital firms on LinkedIn, lure targets to fake meeting pages, and trick them into pasting a malicious command into their terminal.
Coruna iPhone exploit kit silently infects devices through malicious websites. Google researchers found a toolkit with 23 iOS vulnerabilities used by spies and crypto scammers that can compromise iPhones just by visiting a rigged webpage, delivering tailored exploits that bypass security protections without requiring the victim to click anything.
Authorities dismantle major cybercrime forum LeakBase. A coordinated operation across 14 countries seized accounts, messages, and IP logs from the marketplace where hackers traded stolen data and attack tools.
Fake Google security page installs malware through browser apps. The campaign tricks victims into installing a malicious web app that steals one-time passwords, wallet addresses, and even turns the victim’s browser into a proxy for attacker traffic.
Deepfakes Are Becoming Identity Access Attacks. Synthetic media is now targeting verification moments, bank onboarding, hiring, and account recovery, where convincing video or injected streams can trick systems into granting real access.
New Tools and Projects
EVMbench: A smart contract security benchmark introduced by OpenAI and Paradigm that evaluates AI agents across detect, patch, and exploit tasks using 117 curated high-severity vulnerabilities from 40 audits, with deterministic replay in local sandboxed environments to measure how useful AI is becoming in real blockchain security workflows.
Guardrail: A stablecoin-focused security platform that pushes a proactive defense model for issuers, combining real-time anomaly detection, configurable security modules, and automated response controls like circuit breakers and contract pausing to stop attacks before funds leave the system.
AgentGuard: An open-source AI agent security layer launched by GoPlus Security, built to protect OpenClaw-style agents at execution time through runtime interception and deep scanning before high-risk actions like file access, command execution, or on-chain signing are allowed.
PenTiDef: A defense framework for decentralized intrusion detection that uses blockchain coordination and privacy-preserving learning to block poisoning attacks without relying on a central server.
Rekt Flashback
Three years ago, Euler Finance proved that even battle-tested lending protocols can implode from one overlooked edge case. A little-used donateToReserves function ignored the health of a borrower’s debt, letting an attacker manufacture bad debt, liquidate themselves at a discount, and walk away with ~$197M in ETH, WBTC, USDC, and DAI. Same lending mechanics, same flash-loan amplification, same “audited by everyone” comfort blanket that didn’t matter once the accounting assumptions broke.
Memes and Videos
He Stole $40,000,000 From His Dad's Job
A teenager called Lick allegedly stole over $40M in seized government crypto and treated it like clout capital. Private jets, Lambos outside the FBI building, wallet flexes on Telegram, and a “ban for band” contest.
Want to partner with us?
Skip the bots, hit the brains.
Get your message in front of the sharpest, most battle-tested crowd in crypto.
If they notice you, the whole space will. [Partner with us]
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.


