An oracle misconfiguration priced cbETH on Moonwell at $1.12 instead of $2,200. Liquidation bots seized 1,096 cbETH, leading to $1.78M in bad debt. The commit was co-authored by Claude Opus 4.6, possibly the first major exploit of vibe-coded smart contracts.
They're not stealing credentials anymore. They're stealing your AI's model of who you are. 20% of skills poisoned on OpenClaw. Now someone wants to give these AI agents access to bank accounts. The weaponization phase has begun.
Digital parasites aren’t smashing in, they’re clocking in - DPRK on your payroll, China in your routers, malware that plays dead and studies your mouse. The threat isn’t at the perimeter anymore, it’s on your org chart.
Credibility for sale. Scrutiny sold separately. Pay-to-play removes the friction. No pitch required. No editor to convince. According to recent findings, 62% of crypto press releases come from high-risk or scam projects. When credibility is for sale, who can afford honesty?
Audited contracts, bug bounties, and security reviews. None of it mattered when an executive's inbox at Step Finance became the attack vector. $27.3 million in SOL unstaked and gone. The smart contracts worked flawlessly. The humans didn't.
The lobster formerly known as Clawdbot and Moltbot, OpenClaw, has over 156k GitHub stars. Hundreds left credentials and shell access wide open on the internet, plus a $16 million scam token and infostealers adapting. More hyping than warning. If this is an IQ test, many are failing.
Pokémon cards and CS2 skins were supposed to be the product. Turns out, the investors were. Trove Markets raised $11.5 million for a Hyperliquid DEX, flipped chains before launch, sold partner tokens, kept $9.4 million “to keep building,” and spun excuses while wallets kept dumping.
Forged IBC messages, $7 million minted from thin air. Saga’s bridge swallowed the fiction whole. Cosmos Labs traced it to Ethermint's codebase, they're now reaching out to other affected Cosmos EVM chains with short-term fixes.
Flash loan goes in, pools get manipulated, permissionless oracle trusts the lie, $4.13 million walks out. Makina's code worked exactly as designed. MEV bots front-ran the attacker and kept most of the stolen funds.
Over ten months ago, $371K in LBTC left ZeroLend's Base market and never came back. Neither did an explanation. The team blamed "high utilization." GitHub went quiet. Users still can't withdraw. But hey - the deposit button still works.
A vault operator on YO Protocol fat-fingered a $3.84 million swap with broken slippage params. $112K came out the other side - a $3.71 million loss. The team quietly backstopped it and waited 2 days to mention it publicly.
First major hack of 2026, as TrueBit was drained for $26.2 million through an overflow in unverified bytecode. The same attacker hit Sparkle weeks prior. Old code keeps bleeding - the archives have clearly become a shopping list.