攻击交易:
0x26aa86261c834e837f6be93b2d589724ed5ae644bc8f4b8af2207e6bd70828f9
攻击智能合约是开源的。
第一步:0x054e 发送交易,将管理员角色授予钱包 (0x41b8) 的 0x0eba。
然后 0x0eba 将“DAO 合约”角色授予 0x1c93。
最后,0x1c93 (XXX) 调用 withdrawFromUser 函数将资金转移到 XXX 合约。
有趣的是,受害者 0x41b8 是由 0x054e 创建的。
总而言之,0x054e 创建了受害者 0x41b8 钱包。然后 0x054e 将管理员角色授予 0x0eba,后者又将“DAO 合约”角色授予 0x1c93。最后 0x1c93 从受害者那里提取了资金。
Weekly Web3 Security Incident Roundup | Feb 9 – Feb 15, 2026
During the week of February 9 to February 15, 2026, three blockchain security incidents were reported with total losses of ~$657K. All incidents occurred on the BNB Smart Chain and involved flawed business logic in DeFi token contracts. The primary causes included an unchecked balance withdrawal from an intermediary contract that allowed donation-based inflation of a liquidity addition targeted by a sandwich attack, a post-swap deflationary clawback that returned sold tokens to the caller while draining pool reserves to create a repeatable price-manipulation primitive, and a token transfer override that burned tokens directly from a Uniswap V2 pair's balance and force-synced reserves within the same transaction to artificially inflate the token price.
Top 10 "Awesome" Security Incidents in 2025
To help the community learn from what happened, BlockSec selected ten incidents that stood out most this year. These cases were chosen not only for the scale of loss, but also for the distinct techniques involved, the unexpected twists in execution, and the new or underexplored attack surfaces they revealed.
#10 Panoptic Incident: XOR Linearity Breaks the Position Fingerprint Scheme
On August 29, 2025, Panoptic disclosed a Cantina bounty finding and confirmed that, with support from Cantina and Seal911, it executed a rescue operation on August 25 to secure roughly $400K in funds. The issue stemmed from a flaw in Panoptic’s position fingerprint calculation algorithm, which could have enabled incorrect position identification and downstream fund risk.