Back to Blog

Newsletter - May 2026

Code Auditing
June 3, 2026
3 min read
Key Insights

Top 3 Security Incidents in May

May's most significant losses stemmed not from smart contract vulnerabilities but from failures at trust boundaries, including private key compromises, cross-chain validation flaws, and lapses in operational security around mint authority and bridge semantics.

This pattern is a reminder that Web3 security extends well beyond smart-contract code. Every system embeds trust assumptions across its full lifecycle. When any one of those assumptions breaks, it becomes the weakest link, and often the only one an attacker needs.

Echo Protocol: ~$76.7M

On May 19, 2026, Echo Protocol’s eBTC deployment on Monad suffered a major security incident. Based on the pegged value of minted eBTC at the time of the exploit, the loss was estimated at approximately $76.7 million.

The root cause was an administrator key compromise, rather than a conventional smart contract logic vulnerability. After obtaining privileged control, the attacker minted roughly 1,000 unbacked eBTC without depositing corresponding collateral. Because eBTC was intended to track BTC value, the unauthorized minting immediately created a massive notional exposure. The attacker then moved part of the forged supply into downstream protocols, turning the incident into a cross-protocol risk event.

This case highlights that for synthetic or wrapped asset systems, the key security boundary is not only contract correctness, but also whether mint authority is overly concentrated in a single privileged key. Once that trust anchor is compromised, the attacker can circumvent the intended collateralization model entirely.

Read the official announcement

StablR: ~$12.8M

On May 24, 2026, StablR’s stablecoin system suffered a secuirty breach involving approximately $12.8 million in unauthorized token issuance.

Based on public reports, this appeared to be primarily an infrastructure or key-management compromise rather than a conventional smart-contract exploit. The attacker gained control over the multisig-based minting authority and was then able to replace or seize ownership roles, enabling unauthorized minting of USDR and EURR. Although the attacker’s realized on-chain proceeds were lower than the full notional value of the illicitly minted tokens, the incident still triggered depegging and exposed weaknesses in mint authority isolation, signer security, and multisig governance design.

For stablecoin protocols, this class of incident is especially severe because the attacker does not need to directly drain treasury reserves. If unauthorized minting is possible, market confidence in redeemability can collapse immediately, causing the peg to fail and liquidity to deteriorate rapidly.

Verus: ~$11.7M

On May 18, 2026, the Verus-Ethereum Bridge was exploited for approximately $11.7 million, affecting ETH, tBTC, and USDC. As of May 23, 2026, around 75% of the stolen funds had been returned.

The root cause was a type-validation failure in the Ethereum-side import path. The Verus-Ethereum Bridge is designed to release assets on Ethereum after proving that a qualifying export object exists on Verus under a notarized state. However, the vulnerable logic only verified that some Verus-side object existed, and failed to ensure that the proven object was actually a valid primary export intended for payout processing. As a result, the attacker was able to craft a blank export on Verus containing a handcrafted supplemental export output, then prove that object on Ethereum and have the bridge misclassify it as a normal value-carrying export.

The attacker then supplied serializedTransfers matching the embedded transfer-hash commitment, allowing the fraudulent import to pass Ethereum-side checks and trigger asset releases from the bridge. This incident shows that bridge security depends not only on cryptographic proof verification, but also on strict validation of object type, state, flags, encoding boundaries, and execution semantics. If a protocol proves only that an object exists, but not that it is the correct object for the intended action, even a valid proof can be abused to authorize invalid payouts.

Read the official post-mortem

The information above is based on data as of 00:00 UTC, June 1, 2026.

This concludes the May security incidents brief.

You can learn more in our Security Incidents Library.

Stay informed and stay secure!

Sign up for the latest updates
~$800K Lost: Hinkal Double-Spend | BlockSec Weekly
Security Insights

~$800K Lost: Hinkal Double-Spend | BlockSec Weekly

This weekly security report covers 1 notable incident from June 29 to July 5, 2026, with approximately $800K in total losses on Ethereum. The Hinkal shielded-pool protocol was drained through a double-spend attack that likely exploited a flaw in the legacy note format, allowing the attacker to derive multiple nullifiers from a single deposit. The report analyzes the probable circuit-level vulnerability, the attack flow, and broader implications for nullifier-based privacy protocols.

Newsletter - June 2026
Security Insights

Newsletter - June 2026

This monthly report covers the three largest security incidents in June 2026, totaling approximately $22M in confirmed losses. A sophisticated honeypot attack drained ~$15M from JaredFromSubway's MEV bot by exploiting unchecked token allowances. Two legacy Aztec rollup deployments lost ~$4.35M through proof-settlement boundary gaps. SecondFi's Ed25519 implementation flaw exposed wallet private keys, resulting in ~$2.4M drained from 374 wallets. All three incidents share a common pattern: security guarantees that appeared intact on the surface but were never actually enforced.

~$4.1M Lost: Taiko, SecondFi Exploits | BlockSec Weekly
Security Insights

~$4.1M Lost: Taiko, SecondFi Exploits | BlockSec Weekly

This weekly blockchain security report covers two notable incidents from June 22-28, 2026, with approximately $4.1M in confirmed losses across Ethereum and Cardano. The Taiko bridge exploit combined an exposed SGX enclave signing key with an incomplete attestation policy that failed to reject debug enclaves, allowing the attacker to register a malicious prover and forge L2 state proofs on Ethereum. The SecondFi wallet vulnerability stemmed from a cryptographic implementation flaw in Ed25519 nonce derivation that removed the secret input, enabling offline private key recovery from public Cardano transaction data.

Best Security Auditor for Web3

Validate design, code, and business logic before launch. Aligned with the highest industry security standards.

BlockSec Audit