Back to Blog

Newsletter - May 2026

Code Auditing
June 3, 2026
3 min read
Key Insights

Top 3 Security Incidents in May

May's most significant losses stemmed not from smart contract vulnerabilities but from failures at trust boundaries, including private key compromises, cross-chain validation flaws, and lapses in operational security around mint authority and bridge semantics.

This pattern is a reminder that Web3 security extends well beyond smart-contract code. Every system embeds trust assumptions across its full lifecycle. When any one of those assumptions breaks, it becomes the weakest link, and often the only one an attacker needs.

Echo Protocol: ~$76.7M

On May 19, 2026, Echo Protocol’s eBTC deployment on Monad suffered a major security incident. Based on the pegged value of minted eBTC at the time of the exploit, the loss was estimated at approximately $76.7 million.

The root cause was an administrator key compromise, rather than a conventional smart contract logic vulnerability. After obtaining privileged control, the attacker minted roughly 1,000 unbacked eBTC without depositing corresponding collateral. Because eBTC was intended to track BTC value, the unauthorized minting immediately created a massive notional exposure. The attacker then moved part of the forged supply into downstream protocols, turning the incident into a cross-protocol risk event.

This case highlights that for synthetic or wrapped asset systems, the key security boundary is not only contract correctness, but also whether mint authority is overly concentrated in a single privileged key. Once that trust anchor is compromised, the attacker can circumvent the intended collateralization model entirely.

Read the official announcement

StablR: ~$12.8M

On May 24, 2026, StablR’s stablecoin system suffered a secuirty breach involving approximately $12.8 million in unauthorized token issuance.

Based on public reports, this appeared to be primarily an infrastructure or key-management compromise rather than a conventional smart-contract exploit. The attacker gained control over the multisig-based minting authority and was then able to replace or seize ownership roles, enabling unauthorized minting of USDR and EURR. Although the attacker’s realized on-chain proceeds were lower than the full notional value of the illicitly minted tokens, the incident still triggered depegging and exposed weaknesses in mint authority isolation, signer security, and multisig governance design.

For stablecoin protocols, this class of incident is especially severe because the attacker does not need to directly drain treasury reserves. If unauthorized minting is possible, market confidence in redeemability can collapse immediately, causing the peg to fail and liquidity to deteriorate rapidly.

Verus: ~$11.7M

On May 18, 2026, the Verus-Ethereum Bridge was exploited for approximately $11.7 million, affecting ETH, tBTC, and USDC. As of May 23, 2026, around 75% of the stolen funds had been returned.

The root cause was a type-validation failure in the Ethereum-side import path. The Verus-Ethereum Bridge is designed to release assets on Ethereum after proving that a qualifying export object exists on Verus under a notarized state. However, the vulnerable logic only verified that some Verus-side object existed, and failed to ensure that the proven object was actually a valid primary export intended for payout processing. As a result, the attacker was able to craft a blank export on Verus containing a handcrafted supplemental export output, then prove that object on Ethereum and have the bridge misclassify it as a normal value-carrying export.

The attacker then supplied serializedTransfers matching the embedded transfer-hash commitment, allowing the fraudulent import to pass Ethereum-side checks and trigger asset releases from the bridge. This incident shows that bridge security depends not only on cryptographic proof verification, but also on strict validation of object type, state, flags, encoding boundaries, and execution semantics. If a protocol proves only that an object exists, but not that it is the correct object for the intended action, even a valid proof can be abused to authorize invalid payouts.

Read the official post-mortem

The information above is based on data as of 00:00 UTC, June 1, 2026.

This concludes the April security incidents brief. For more in-depth analysis of blockchain security incidents and Web3 security trends, you can explore our resources.

You can learn more in our Security Incidents Library.

Stay informed and stay secure!

Sign up for the latest updates
Web3 Companion: The Open-Source Secure Agentic Wallet

Web3 Companion: The Open-Source Secure Agentic Wallet

BlockSec open-sources Web3 Companion, a security-first agentic wallet that treats its own AI agent as untrusted and uses key isolation, hard policies, and Passkey to protect on-chain assets.

~$5.98M Lost: Aztec, Raydium & More | BlockSec Weekly
Security Insights

~$5.98M Lost: Aztec, Raydium & More | BlockSec Weekly

This weekly blockchain security report covers the period of June 8 to June 14, 2026, analyzing 4 notable incidents across Ethereum and Solana with total losses of approximately $5.98M. The highlighted events include Aztec Connect, where a missing input validation allowed the rollup's proof path and L1 settlement to reach inconsistent states, and Raydium, where a missing validation check on the legacy AMM v3 program allowed an attacker to manipulate the LP token redemption calculation and drain four pools. Both vulnerabilities had been live for years before exploitation. The report examines attack types including lack of input validation, integer overflow, and governance capture.

Zcash Orchard Soundness Bug Analysis | BlockSec Weekly
Security Insights

Zcash Orchard Soundness Bug Analysis | BlockSec Weekly

During the week of June 1, 2026, a critical soundness vulnerability was publicly disclosed in Zcash's Orchard shielded pool circuit, caused by a missing equality constraint in the halo2 ECC scalar multiplication gadget that could have enabled undetectable counterfeiting of ZEC within the Orchard pool through double-spending. The vulnerability, which existed for over four years since Orchard's activation in May 2022, was discovered by an AI-assisted security audit and patched through an emergency network upgrade (NU6.2). This single-event report covers the technical root cause (under-constrained ZK circuit relation), the AI-assisted discovery by researcher Taylor Hornby using Anthropic's Opus 4.8 model, the emergency response timeline, and the broader implications for the ZKP ecosystem.

Best Security Auditor for Web3

Validate design, code, and business logic before launch. Aligned with the highest industry security standards.

BlockSec Audit