
Newsletter - May 2026

Code Auditing
June 3, 2026
Key Insights

Top 3 Security Incidents in May

May's most significant losses stemmed not from smart contract vulnerabilities but from failures at trust boundaries, including private key compromises, cross-chain validation flaws, and lapses in operational security around mint authority and bridge semantics.

This pattern is a reminder that Web3 security extends well beyond smart-contract code. Every system embeds trust assumptions across its full lifecycle. When any one of those assumptions breaks, it becomes the weakest link, and often the only one an attacker needs.

Echo Protocol: ~$76.7M

On May 19, 2026, Echo Protocol’s eBTC deployment on Monad suffered a major security incident. Based on the pegged value of minted eBTC at the time of the exploit, the loss was estimated at approximately $76.7 million.

The root cause was an administrator key compromise, rather than a conventional smart contract logic vulnerability. After obtaining privileged control, the attacker minted roughly 1,000 unbacked eBTC without depositing corresponding collateral. Because eBTC was intended to track BTC value, the unauthorized minting immediately created a massive notional exposure. The attacker then moved part of the forged supply into downstream protocols, turning the incident into a cross-protocol risk event.

This case highlights that for synthetic or wrapped asset systems, the key security boundary is not only contract correctness, but also whether mint authority is overly concentrated in a single privileged key. Once that trust anchor is compromised, the attacker can circumvent the intended collateralization model entirely.

Read the official announcement

StablR: ~$12.8M

On May 24, 2026, StablR’s stablecoin system suffered a security breach involving approximately $12.8 million in unauthorized token issuance.

Based on public reports, this appeared to be primarily an infrastructure or key-management compromise rather than a conventional smart-contract exploit. The attacker gained control over the multisig-based minting authority and was then able to replace or seize ownership roles, enabling unauthorized minting of USDR and EURR. Although the attacker’s realized on-chain proceeds were lower than the full notional value of the illicitly minted tokens, the incident still triggered depegging and exposed weaknesses in mint authority isolation, signer security, and multisig governance design.

For stablecoin protocols, this class of incident is especially severe because the attacker does not need to directly drain treasury reserves. If unauthorized minting is possible, market confidence in redeemability can collapse immediately, causing the peg to fail and liquidity to deteriorate rapidly.
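Both the Echo Protocol and StablR incidents above reduce to the same detectable condition: tokens were minted with no corresponding collateral inflow. The following is an added monitoring example, not code from either project or from any real bridge or stablecoin; the event schema, asset name, window cap and the sample event stream are all constructed for illustration. It replays a block-ordered stream of deposit, mint and redeem events, flags any mint that pushes outstanding supply above recorded collateral, and separately flags bursts of mint volume inside a trailing block window so a compromised minter trips an alert even before the collateral ledger is reconciled.

```python
"""
Added detection example for the mint-authority concern above. Not code from
Echo Protocol, StablR or any real project: the Event schema, the asset name,
the policy cap and the sample stream are constructed for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

SATS = 100_000_000  # assumed base-unit scale for the synthetic asset


@dataclass(frozen=True)
class Event:
    block: int
    kind: str    # "deposit" (collateral received), "mint", or "redeem"
    asset: str
    amount: int  # base units
    actor: str


def find_unbacked_mints(events, max_mint_per_window, window_blocks):
    """Replay events in block order and return a list of alert dicts.

    Two invariants are checked per asset:
      1. outstanding supply must never exceed collateral recorded so far;
      2. mint volume inside any trailing window of `window_blocks` must stay
         under `max_mint_per_window`, so a sudden burst is flagged on its own.
    """
    collateral = defaultdict(int)
    supply = defaultdict(int)
    recent_mints = defaultdict(list)  # asset -> [(block, amount)] inside the window
    alerts = []

    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "deposit":
            collateral[ev.asset] += ev.amount
        elif ev.kind == "redeem":
            # Redemption burns supply and releases the matching collateral.
            supply[ev.asset] -= ev.amount
            collateral[ev.asset] -= ev.amount
        elif ev.kind == "mint":
            supply[ev.asset] += ev.amount
            excess = supply[ev.asset] - collateral[ev.asset]
            if excess > 0:
                alerts.append({"block": ev.block, "asset": ev.asset, "actor": ev.actor,
                               "reason": "unbacked", "excess": excess})
            # Keep only mints still inside the trailing window, then add this one.
            window = [(b, a) for b, a in recent_mints[ev.asset]
                      if b > ev.block - window_blocks]
            window.append((ev.block, ev.amount))
            recent_mints[ev.asset] = window
            minted = sum(a for _, a in window)
            if minted > max_mint_per_window:
                alerts.append({"block": ev.block, "asset": ev.asset, "actor": ev.actor,
                               "reason": "rate_cap", "minted_in_window": minted})
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return alerts


# Constructed sample stream: two backed mints, one redemption, then a large mint
# with no deposit behind it (the condition described in the incidents above).
SAMPLE_EVENTS = [
    Event(100, "deposit", "synthBTC", 5 * SATS, "custody"),
    Event(101, "mint", "synthBTC", 5 * SATS, "minter"),
    Event(120, "deposit", "synthBTC", 3 * SATS, "custody"),
    Event(121, "mint", "synthBTC", 3 * SATS, "minter"),
    Event(150, "redeem", "synthBTC", 1 * SATS, "user"),
    Event(300, "mint", "synthBTC", 1000 * SATS, "minter"),  # constructed: unbacked
]


def run_sample():
    """Apply a policy of at most 50 units minted per 100 blocks to the sample."""
    return find_unbacked_mints(SAMPLE_EVENTS, max_mint_per_window=50 * SATS,
                               window_blocks=100)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The supply-versus-collateral invariant is the one that matters for notional exposure; the window cap is a cheaper signal that does not depend on the collateral feed being timely. In practice the deposit side would be fed from the custody or reserve attestation and the mint side from on-chain transfer events from the zero address, and an alert would gate a pause rather than only log.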

Verus: ~$11.7M

On May 18, 2026, the Verus-Ethereum Bridge was exploited for approximately $11.7 million, affecting ETH, tBTC, and USDC. As of May 23, 2026, around 75% of the stolen funds had been returned.

The root cause was a type-validation failure in the Ethereum-side import path. The Verus-Ethereum Bridge is designed to release assets on Ethereum after proving that a qualifying export object exists on Verus under a notarized state. However, the vulnerable logic only verified that some Verus-side object existed, and failed to ensure that the proven object was actually a valid primary export intended for payout processing. As a result, the attacker was able to craft a blank export on Verus containing a handcrafted supplemental export output, then prove that object on Ethereum and have the bridge misclassify it as a normal value-carrying export.

The attacker then supplied serializedTransfers matching the embedded transfer-hash commitment, allowing the fraudulent import to pass Ethereum-side checks and trigger asset releases from the bridge. This incident shows that bridge security depends not only on cryptographic proof verification, but also on strict validation of object type, state, flags, encoding boundaries, and execution semantics. If a protocol proves only that an object exists, but not that it is the correct object for the intended action, even a valid proof can be abused to authorize invalid payouts.
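To make the "proves existence, not correctness" distinction concrete, here is an added illustration in Python of the two validation styles contrasted above. It is not the Verus-Ethereum Bridge's code: the object kinds, flag bit, field names, commitment encoding and sample objects are assumptions constructed for this example. The existence-only check accepts any proven object whose embedded commitment matches the supplied transfers; the strict check additionally requires the object to be of the payout-authorizing kind, in a finalized state, and to carry a well-formed transfer list.

```python
"""
Added illustration of the import-validation point above. Not the Verus bridge's
code: object kinds, flag bits, field names and the commitment encoding are
assumptions constructed for this example.
"""
import hashlib
import json
from dataclasses import asdict, dataclass

# Assumed object kinds that can be proven against the source chain's notarized state.
PRIMARY_EXPORT = "primary_export"            # the object that should authorize a payout
SUPPLEMENTAL_OUTPUT = "supplemental_output"  # auxiliary data; must never release funds

FLAG_FINALIZED = 1 << 0  # assumed flag: export is complete and eligible for processing


@dataclass(frozen=True)
class Transfer:
    recipient: str
    token: str
    amount: int  # base units


@dataclass(frozen=True)
class ProvenObject:
    kind: str
    flags: int
    transfer_hash: str  # commitment to the transfer list embedded in the object
    proof_ok: bool      # outcome of the state proof against the notarized root


def commit_transfers(transfers):
    """Canonical commitment over a transfer list (constructed encoding)."""
    canonical = json.dumps([asdict(t) for t in transfers], sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def existence_only_check(obj, transfers):
    """Weak pattern: accept if *some* object was proven and the supplied
    transfers match its embedded commitment. Kind and state are never examined."""
    return obj.proof_ok and commit_transfers(transfers) == obj.transfer_hash


def strict_import_check(obj, transfers):
    """Check type, state, encoding boundaries and commitment before any payout.
    Returns (accepted, reason) so a rejection can be logged with its cause."""
    if not obj.proof_ok:
        return False, "state proof failed"
    if obj.kind != PRIMARY_EXPORT:
        return False, f"object kind {obj.kind!r} is not a payout-authorizing export"
    if not obj.flags & FLAG_FINALIZED:
        return False, "export is not finalized"
    if not transfers:
        return False, "empty transfer list"
    if any(t.amount <= 0 for t in transfers):
        return False, "non-positive transfer amount"
    if commit_transfers(transfers) != obj.transfer_hash:
        return False, "transfer list does not match the committed hash"
    return True, "ok"


# Constructed samples: one legitimate finalized export, and one supplemental
# output whose embedded commitment matches the same transfer list.
SAMPLE_TRANSFERS = [
    Transfer("0xRecipientA", "tBTC", 250_000),
    Transfer("0xRecipientB", "USDC", 1_000_000_000),
]
LEGIT_EXPORT = ProvenObject(PRIMARY_EXPORT, FLAG_FINALIZED,
                            commit_transfers(SAMPLE_TRANSFERS), True)
SUPPLEMENTAL = ProvenObject(SUPPLEMENTAL_OUTPUT, 0,
                            commit_transfers(SAMPLE_TRANSFERS), True)


def compare_checks():
    """Run both checks over the samples; returns {label: (weak, strict)}."""
    return {
        "legit": (existence_only_check(LEGIT_EXPORT, SAMPLE_TRANSFERS),
                  strict_import_check(LEGIT_EXPORT, SAMPLE_TRANSFERS)[0]),
        "supplemental": (existence_only_check(SUPPLEMENTAL, SAMPLE_TRANSFERS),
                         strict_import_check(SUPPLEMENTAL, SAMPLE_TRANSFERS)[0]),
    }


if __name__ == "__main__":
    for label, (weak, strict) in compare_checks().items():
        print(f"{label:12s} existence-only={weak!s:5s} strict={strict}")
```

The point of the comparison is that the proof and the hash commitment are identical in both paths; only the type and state checks separate the two outcomes. When reviewing a bridge's import path, the question to ask of every proven object is which field establishes that this object, and not merely an object, is the one the payout logic was written for.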

Read the official post-mortem

The information above is based on data as of 00:00 UTC, June 1, 2026.

This concludes the April security incidents brief. For more in-depth analysis of blockchain security incidents and Web3 security trends, you can explore our resources.

You can learn more in our Security Incidents Library.

Stay informed and stay secure!

~$16M Lost: DxSale, SquidRouterModule & More | BlockSec Weekly

This weekly security report covers 5 notable attack incidents between May 25 and May 31, 2026, with combined losses of approximately $16M across BNB Chain, Ethereum, Base, Arbitrum, and Cosmos. Key incidents include the DxSale token locker exploit ($7.3M) involving three missing state updates compounded by a deployer key compromise, the SquidRouterModule exploit ($3.2M) caused by improper input validation in an Axelar Bridge integration that allowed forged cross-chain messages to drain 86 Safe wallets, and the Gravity Bridge signing key compromise ($5.4M). Other incidents involve a compromised deployer key (Stake DAO, $91K) and a vulnerable off-chain bridge backend (Alephium, $300K).

~$104.6M Lost: Verus, RetoSwap & More | BlockSec Weekly

This BlockSec weekly security report covers 5 notable attack incidents identified between May 18 and May 24, 2026, with total estimated losses of approximately $104.6M. Two incidents are analyzed in detail: the highlighted $11.7M Verus-Ethereum Bridge exploit, where a type-validation failure allowed a handcrafted supplemental export output to be misclassified as a valid primary export; and the $2.7M RetoSwap exploit on Monero, where a protocol-level authentication flaw in the P2P trade flow allowed an attacker to hijack the arbitrator role via a forged ACK message. Three additional key compromise incidents (EchoProtocol, Polymarket, StablR) accounted for ~$90.2M.

~$4.72M Lost: TAC, Transit Finance & More | BlockSec Weekly

This BlockSec weekly security report covers 3 notable attack incidents identified between May 11 and May 17, 2026, across TRON, TON, and Ethereum, with total estimated losses of approximately $4.72M. Three incidents are analyzed in detail: the highlighted $1.88M Transit Finance exploit on TRON, where a deprecated swap bridge contract with lingering token approvals was exploited through arbitrary calldata forwarding; the $2.8M TAC TON-to-EVM bridge exploit caused by missing canonical wallet verification in the jetton deposit flow; and the $46.75K Boost Hook exploit on Ethereum, where spot price manipulation on a Uniswap V4 hook-based perpetual protocol forced the protocol to buy tokens at inflated prices using its own reserves.
