Back to Blog

Newsletter - March 2026

Code AuditingPhalcon Security
April 1, 2026
3 min read
Key Insights

Top 3 DeFi Incidents in March

Resolv Protocol: ~$80M

On March 22, 2026, Resolv suffered a security breach, resulting in $80M* in losses.

The root cause was compromised privileged infrastructure keys. Using the stolen key, the attacker abused a privileged swap-finalization flow and minted over 80M USR without equivalent collateral across three exploit transactions. While the root cause was straightforward, this incident revealed a broader lack of security controls, both on-chain and off-chain. The project enforced no strict validation during the minting approval, nor did it have monitoring strategies in place to detect and respond to the breach in time.

Notably, the impact extended far beyond the 80M in unauthorized USR minting. Because Resolv assets were widely used as collateral across multiple lending protocols, the depeg triggered broader contagion. As reported by Chaos Labs, on-chain curators using automated yield-seeking allocation lacked real-time risk controls and continued directing fresh capital into already impaired markets. What began as a localized exploit quickly escalated into a cross-protocol contagion event, leaving lending protocols with millions in bad debt.

*The loss is estimated based on USR’s pegged value of $1.

BitcoinReserveOffering: ~$2.7M

On March 5, 2026, the BitcoinReserveOffering contract on Ethereum was exploited for approximately $2.7M.

The root cause was a flawed business logic in the mint() function, which executed the minting logic twice when processing a full ERC-3525 SFT deposit. Because ERC-3525 inherits from ERC-721, safe transfers trigger an onERC721Received() callback. Inside the callback, the BRO token amount was calculated and minted to the caller. However, after the callback returned, the outer mint() resumed and performed a second minting operation, doubling the BRO issued per deposit. This allowed the attacker to inflate their BRO balance through repeated burn-and-mint cycles in an attack transaction.

To prevent similar issues, protocols should ensure asset accounting occurs exactly once per deposit operation, with state updates committed before any external call capable of triggering a callback. Additionally, invariant checks should be added to guarantee that minted amounts never exceed the underlying deposited value.

Venus Protocol: ~$2.15M

On March 15, 2026, Venus’s THE (Thena) market on BNB Chain suffered a donation attack combined with market manipulation. This incident resulted in approximately $2.15M in protocol bad debt, while the exploiter incurred a net on-chain loss of ~$4.7M.

Venus is a Compound V2 fork lending protocol. The affected market uses THE as its underlying assets, which have shallow on-chain liquidity. The donation attack was made possible because the market contract derives totalCash from the contract’s raw balance. This allowed the attacker to donate THE directly to the market, which increased totalCash and inflated the exchangeRate. With this inflated collateral, the attacker borrowed liquid assets, swapped them for more THE and raised THE’s market price. These obtained THE tokens were further donated into the market, continuously escalating the attack's impact.

This incident serves as a warning to the lending protocols on two fronts: accounting logic and risk configuration. Protocols should implement manipulation-resistant accounting mechanisms that accurately reflect asset values and cannot be skewed by donation attacks. Additionally, critical risk parameters such as supply caps, borrow caps, and LTV (Loan-to-Value) ratios must be carefully configured to limit protocol exposure.

For a detailed analysis, read our deep-dive post:

https://blocksec.com/blog/venus-thena-donation-attack

The information above is based on data as of 00:00 UTC, March 31, 2026.

This concludes the March security incidents brief. For more in-depth analysis of blockchain security incidents and Web3 security trends, you can explore our resources.

You can learn more in our Security Incidents Library.

Stay informed and stay secure!

Sign up for the latest updates
~$800K Lost: Hinkal Double-Spend | BlockSec Weekly
Security Insights

~$800K Lost: Hinkal Double-Spend | BlockSec Weekly

This weekly security report covers 1 notable incident from June 29 to July 5, 2026, with approximately $800K in total losses on Ethereum. The Hinkal shielded-pool protocol was drained through a double-spend attack that likely exploited a flaw in the legacy note format, allowing the attacker to derive multiple nullifiers from a single deposit. The report analyzes the probable circuit-level vulnerability, the attack flow, and broader implications for nullifier-based privacy protocols.

Newsletter - June 2026
Security Insights

Newsletter - June 2026

This monthly report covers the three largest security incidents in June 2026, totaling approximately $22M in confirmed losses. A sophisticated honeypot attack drained ~$15M from JaredFromSubway's MEV bot by exploiting unchecked token allowances. Two legacy Aztec rollup deployments lost ~$4.35M through proof-settlement boundary gaps. SecondFi's Ed25519 implementation flaw exposed wallet private keys, resulting in ~$2.4M drained from 374 wallets. All three incidents share a common pattern: security guarantees that appeared intact on the surface but were never actually enforced.

~$4.1M Lost: Taiko, SecondFi Exploits | BlockSec Weekly
Security Insights

~$4.1M Lost: Taiko, SecondFi Exploits | BlockSec Weekly

This weekly blockchain security report covers two notable incidents from June 22-28, 2026, with approximately $4.1M in confirmed losses across Ethereum and Cardano. The Taiko bridge exploit combined an exposed SGX enclave signing key with an incomplete attestation policy that failed to reject debug enclaves, allowing the attacker to register a malicious prover and forge L2 state proofs on Ethereum. The SecondFi wallet vulnerability stemmed from a cryptographic implementation flaw in Ed25519 nonce derivation that removed the secret input, enabling offline private key recovery from public Cardano transaction data.

Best Security Auditor for Web3

Validate design, code, and business logic before launch. Aligned with the highest industry security standards.

BlockSec Audit

Get Real-Time Protection with Phalcon Security

Audits alone are not enough. Phalcon Security detects attacks in real time and blocks threats mid-flight.

phalcon security