TesseraDao - Rekt


One key held everything. TesseraDAO lost $2.49 million - minted from nothing, dumped, and gone through Tornado Cash. No multisig, no real audit, not even an acknowledgment that they were exploited. Just hollow men, straw governance, and a Telegram full of bots.

Gravity Bridge - Rekt


$5.4 million gone from Gravity Bridge after an attacker minted worthless tokens on Osmosis, poisoned the token registry with a fabricated denom string, and walked out with real assets. The attacker didn't break the code. They just found where it stopped asking questions.

DxSale - Rekt


A 2021 DxSale locker, an unprotected admin key, $7.3 million gone. Decurity flagged the risk in 2023 for $500. Two compromised contracts holding $15.5 million remain untouched, for now.

THORChain - Rekt III


A malicious node is believed to have exploited THORChain’s GG20 TSS signing stack to leak vault key material, reconstructed the private key offline, and drained $10.7 million across multiple chains. The network halted itself. The attacker was already gone.

Paranoid By Default


They told you to connect everything. You wrote the explainer. They sent you to a conference. On May 11, someone else did the checking - 170 packages, 518 million downloads, OpenAI's signing certificates. The unaudited stack is the attack surface. Be paranoid by default.

TrustedVolumes - Rekt


$5.87 million gone in one transaction. A permissionless signer function, a broken authorization check, and unlimited approvals did the rest. TrustedVolumes' contract was never open-sourced. The team hadn't posted in over a year. The bug bounty line is open.

The Stack Nobody Checked


The AI protocol wired to your org has been exploited a dozen times since 2025. The creator called the flaw expected behavior. One hacker used Claude to breach nine Mexican agencies. Crypto firms on this stack could be exposing on-chain operations and internal comms.

Volo - Rekt


$3.5 million drained from Volo on Sui after an admin private key was compromised, likely via social engineering. Three vaults hit - WBTC, XAUm, USDC. Volo self-disclosed first, and recovered nearly all of it, with a net loss of just $60K.
