One skipped CLI step left FoomCash's zk verifier broken from day one. Someone read the Veil Cash post-mortem, scaled it up, and drained $2.26 million. $1.84 million rescued by Decurity. $320K kept under the protocol's own "code is law" bounty. Net loss of $420K.
Oracle manipulation drained $10.97 million from Script3's YieldBlox pool on Blend V2. Attacker pumped illiquid collateral USTRY 100x on the Stellar DEX. The oracle reported the fake price as real.
A private key compromise handed an attacker full admin control over IoTeX's ioTube bridge. $4.4 million drained. Two tokens were minted on top, most of which IoTeX claims are frozen or worthless. The key was the only lock on the door.
An oracle misconfiguration priced cbETH on Moonwell at $1.12 instead of $2,200. Liquidation bots seized 1,096 cbETH, leading to $1.78M in bad debt. The commit was co-authored by Claude Opus 4.6, possibly the first major exploit of vibe-coded smart contracts.
They're not stealing credentials anymore. They're stealing your AI's model of who you are. 20% of skills poisoned on OpenClaw. Now someone wants to give these AI agents access to bank accounts. The weaponization phase has begun.
Digital parasites aren’t smashing in, they’re clocking in - DPRK on your payroll, China in your routers, malware that plays dead and studies your mouse. The threat isn’t at the perimeter anymore, it’s on your org chart.
Credibility for sale. Scrutiny sold separately. Pay-to-play removes the friction. No pitch required. No editor to convince. According to recent findings, 62% of crypto press releases come from high-risk or scam projects. When credibility is for sale, who can afford honesty?
Audited contracts, bug bounties, and security reviews. None of it mattered when an executive's inbox at Step Finance became the attack vector. $27.3 million in SOL unstaked and gone. The smart contracts worked flawlessly. The humans didn't.
The lobster formerly known as Clawdbot and Moltbot, OpenClaw, has over 156k GitHub stars. Hundreds left credentials and shell access wide open on the internet, plus a $16 million scam token and infostealers adapting. More hyping than warning. If this is an IQ test, many are failing.
Pokémon cards and CS2 skins were supposed to be the product. Turns out, the investors were. Trove Markets raised $11.5 million for a Hyperliquid DEX, flipped chains before launch, sold partner tokens, kept $9.4 million “to keep building,” and spun excuses while wallets kept dumping.
Forged IBC messages, $7 million minted from thin air. Saga’s bridge swallowed the fiction whole. Cosmos Labs traced it to Ethermint's codebase; they're now reaching out to other affected Cosmos EVM chains with short-term fixes.
Flash loan goes in, pools get manipulated, permissionless oracle trusts the lie, $4.13 million walks out. Makina's code worked exactly as designed. MEV bots front-ran the attacker and kept most of the stolen funds.