Humanity Protocol - Rekt


Seven keys on one laptop handed an attacker $36.4 million from Humanity Protocol across Ethereum and BSC. Unusually for an incident of this kind, the owner of the compromised device was publicly named. The code wasn't broken. The key management was, and nobody has been held accountable for either.

PLUS

Syscoin - Rekt


5 billion SYS minted from a malformed SPV proof that slipped past Syscoin’s bridge relay parser. The team published the receipts, coordinated a whitehat recovery, and the funds came back. No public audit record for the relay path that failed.

PLUS

TesseraDAO - Rekt


One key held everything. TesseraDAO lost $2.49 million - minted from nothing, dumped, and gone through Tornado Cash. No multisig, no real audit, not even an acknowledgment that they were exploited. Just hollow men, straw governance, and a Telegram full of bots.

PLUS

Gravity Bridge - Rekt


$5.4 million gone from Gravity Bridge after an attacker minted worthless tokens on Osmosis, poisoned the token registry with a fabricated denom string, and walked out with real assets. The attacker didn't break the code. They just found where it stopped asking questions.

PLUS

DxSale - Rekt


A 2021 DxSale locker, an unprotected admin key, $7.3 million gone. Decurity flagged the risk in 2023 for $500. Two more compromised contracts holding $15.5 million remain untouched, for now.

PLUS

Poisoned Pipeline


One poisoned VS Code extension silently auto-updated to 2.2 million developers, and TeamPCP walked out with 3,800 GitHub internal repositories in eleven minutes, the culmination of eight months spent climbing the developer supply chain one trusted tool at a time.

PLUS

THORChain - Rekt III


A malicious node is believed to have exploited THORChain’s GG20 TSS signing stack to leak vault key material, reconstructed the private key offline, and drained $10.7 million across multiple chains. The network halted itself. The attacker was already gone.

PLUS

Paranoid By Default


They told you to connect everything. You wrote the explainer. They sent you to a conference. On May 11, someone else did the checking - 170 packages, 518 million downloads, OpenAI's signing certificates. The unaudited stack is the attack surface. Be paranoid by default.

PLUS

TrustedVolumes - Rekt


$5.87 million gone in one transaction. A permissionless signer function, a broken authorization check, and unlimited approvals did the rest. TrustedVolumes' contract was never open-sourced. The team hadn't posted in over a year. The bug bounty line is open.
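The pattern described above, as an added illustration and not TrustedVolumes' own code (the page notes the contract was never open-sourced, so every name, function and role here is a hypothetical reconstruction of the bug class): a signer role anyone can grant themselves, a settlement function whose authorization check tests a caller-supplied address rather than msg.sender, and `transferFrom` against whatever approvals users left open. The hardened contract beside it shows the three fixes a reviewer would ask for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the bug class only. The real TrustedVolumes
// contract was never open-sourced; nothing here is its code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: a "signer" role with no access control on who can
// obtain it, and a settlement function whose check can never stop an attacker.
contract VulnerableSettlement {
    mapping(address => bool) public isSigner;

    // Meant to be restricted; in practice anyone can call it.
    function addSigner(address who) external {
        isSigner[who] = true;
    }

    // Broken authorization: the check is against a parameter the caller
    // chooses, not against msg.sender, so it proves nothing about the caller.
    function settle(IERC20 token, address from, address to, uint256 amount, address signer) external {
        require(isSigner[signer], "not a signer"); // attacker passes any known signer, or adds themselves
        token.transferFrom(from, to, amount);      // pulls from any user who granted an unlimited approval
    }
}

// Hardened pattern: owner-only role management, msg.sender is what gets
// checked, return values are verified, and users cap what one call can move.
contract HardenedSettlement {
    address public immutable owner;
    mapping(address => bool) public isSigner;
    mapping(address => uint256) public maxPerTx; // each user sets their own per-call ceiling

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlySigner() {
        require(isSigner[msg.sender], "not signer");
        _;
    }

    function setSigner(address who, bool allowed) external onlyOwner {
        isSigner[who] = allowed;
    }

    // Users bound their own exposure even if they did grant a large approval.
    function setMaxPerTx(uint256 cap) external {
        maxPerTx[msg.sender] = cap;
    }

    function settle(IERC20 token, address from, address to, uint256 amount) external onlySigner {
        require(amount <= maxPerTx[from], "over per-tx cap");
        require(token.transferFrom(from, to, amount), "transfer failed");
    }
}
```

The per-transaction cap is the user-side defence: a contract that holds an unlimited approval can only be as safe as its weakest privileged path, so granting exact-amount approvals (or revoking after use) limits the blast radius when that path turns out to be open to everyone.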

PLUS