
Featured Post
BlockSec Releases the 2025 Crypto Crime Report
This 67-page report, based on data analysis and on-chain evidence, includes breakdowns of common real-world cases, showing the big picture of cryptocurrency crime in 2025. It also covers the main features, structure, and trends in this field.

Weekly Web3 Security Incident Roundup | Feb 23 – Mar 1, 2026
During the week of February 23 to March 1, 2026, seven blockchain security incidents were reported with total losses of ~$13M. The incidents affected multiple protocols, exposing critical weaknesses in oracle design/configuration, cryptographic verification, and core business logic. The primary drivers included oracle manipulation/misconfiguration that led to the largest loss at YieldBlox DAO (~$10M), a crypto-proof verification flaw that enabled the FOOMCASH (~$2.26M) exploit, and additional token design and logic errors impacting Ploutos, LAXO, STO, HedgePay, and an unknown contract, underscoring the need for rigorous audits and continuous monitoring across all protocol layers.

Newsletter - February 2026
February 2026 saw three major DeFi security incidents: YieldBlox DAO lost ~$10M due to oracle price manipulation, IoTeX’s ioTube bridge suffered ~$4.4M from a private key compromise, and CrossCurve incurred ~$2.8M after a cross-chain validation bypass.

YieldBlox DAO Incident on Stellar: Oracle Misconfiguration Enabled a $10M+ Drain
In-depth analysis of the YieldBlox DAO pool exploit on Blend V2 (Stellar), showing how USTRY/USDC price manipulation and oracle misconfiguration enabled a $10M+ drain.

Weekly Web3 Security Incident Roundup | Feb 16 – Feb 22, 2026
During the week of February 16 to February 22, 2026, three blockchain security incidents were reported with total losses of ~$6.22M. The incidents occurred across Base, BSC, and Ethereum, exposing critical vulnerabilities in oracle configuration, mathematical logic, and bridge access control. The primary causes included an oracle misconfiguration during a governance upgrade that incorrectly assigned a raw exchange rate feed instead of a composite price oracle to undervalue collateral, an unchecked arithmetic overflow in a bonding curve contract that allowed game tokens to be minted at near-zero cost due to integer wrapping, and a private key compromise of a bridge validator owner that enabled the attacker to transfer contract ownership and drain locked reserve assets.

Weekly Web3 Security Incident Roundup | Feb 9 – Feb 15, 2026
During the week of February 9 to February 15, 2026, three blockchain security incidents were reported with total losses of ~$657K. All incidents occurred on the BNB Smart Chain and involved flawed business logic in DeFi token contracts. The primary causes included an unchecked balance withdrawal from an intermediary contract that allowed donation-based inflation of a liquidity addition targeted by a sandwich attack, a post-swap deflationary clawback that returned sold tokens to the caller while draining pool reserves to create a repeatable price-manipulation primitive, and a token transfer override that burned tokens directly from a Uniswap V2 pair's balance and force-synced reserves within the same transaction to artificially inflate the token price.

Top 10 "Awesome" Security Incidents in 2025
To help the community learn from what happened, BlockSec selected ten incidents that stood out most this year. These cases were chosen not only for the scale of loss, but also for the distinct techniques involved, the unexpected twists in execution, and the new or underexplored attack surfaces they revealed.

#10 Panoptic Incident: XOR Linearity Breaks the Position Fingerprint Scheme
On August 29, 2025, Panoptic disclosed a Cantina bounty finding and confirmed that, with support from Cantina and Seal911, it executed a rescue operation on August 25 to secure roughly $400K in funds. The issue stemmed from a flaw in Panoptic’s position fingerprint calculation algorithm, which could have enabled incorrect position identification and downstream fund risk.

#9 1inch Incident: From Calldata Corruption to Forged Settlement: Binary Exploitation Goes On-Chain
On March 5, 2025, a third-party resolver integrated with 1inch Fusion V1 was exploited for over $5M after an unsafe calldata reconstruction in the settlement flow allowed attacker-controlled interaction lengths to trigger a pointer underflow and inject forged settlement data. The impact was amplified by a broken trust boundary, where resolver contracts treated forwarded calldata as authoritative based only on msg.sender, letting attacker-crafted payloads inherit settlement-level privileges while still passing access control.

#8 Bunni Incident: Repeated Small Withdrawals Compound a Rounding Error into an $8.4M Drain
On September 2, 2025, Bunni V2 was exploited for about $8.4M across the USDC/USDT pool on Ethereum and the weETH/ETH pool on Unichain after a rounding bug in liquidity removal misaccounted idle balances and undervalued total liquidity. The attacker then used a tightly timed sandwich strategy to arbitrage the gap between theoretical and actual pool liquidity, and the incident later contributed to Bunni’s bankruptcy filing on October 23, 2025.

#7 Trust Wallet Incident: A Stolen API Key Turns the Official Update Channel into a Backdoor
On December 25, 2025, Trust Wallet's Chrome extension (v2.68) was hit by a supply chain compromise that introduced a malicious backdoor, leading to the theft of about $8.5M in user funds. The injected code exfiltrated seed phrases to an attacker-controlled server, compromising wallets created or imported in that version, after which the attacker drained assets across multiple chains and laundered funds through non-KYC exchanges.

#6 Cork Protocol Incident: Two Independent Flaws Combine into One Devastating Exploit Chain
On May 28, 2025, Cork Protocol on Ethereum was exploited for about $12M after attackers manipulated HIYA pricing near maturity and abused a missing access control check in a Uniswap v4 hook callback. By combining expiry-driven premium inflation with arbitrary beforeSwap calls using crafted parameters, the attacker obtained underpriced Cover Tokens and DS, then swapped them back to wstETH to drain protocol reserves.