The Great npm Heist That Wasn't


History’s largest npm supply chain attack - phishing gave attackers control over packages with 2 billion+ weekly downloads. They slipped in a polished crypto-stealer - only to drop it into server builds. The malware broke CI/CD, outed itself, and the epic heist netted just $1,050.

Swissborg - Rekt


Trusted partner Kiln got API-owned, letting hackers plant skeleton keys in SwissBorg 8 days early then drain 192.6K SOL. Eight days of patience, then $41.5 million gone in minutes through compromised withdrawal authority. Trusted partnerships can be expensive trust exercises.

Bunni - Rekt


Innovation meets reality check - fancy LDF curves and rehypothecation magic caught a hacker's attention. Bunni's basic rounding bug became an $8.4 million lesson in precision. TVL went up overnight in August, funds went down by September. Move fast, break things, get rekt.

Cutting Corners


Bug bounty economics can backfire across crypto. Platforms underfund security rewards, then scramble with recovery offers post-hack. When finding vulnerabilities pays less than exploiting them, researchers exit. Misaligned incentives create predictable outcomes.

BetterBank - Rekt


3 weeks from launch to exploit - $5 million drained from BetterBank, leaving users lighter while the protocol’s own reward logic printed the cash. A simple incentive flaw triggered catastrophic losses, exposing how quickly DeFi math can turn on you.

Fork in the Code


The Treasury wants DeFi identity checks. Some protocols may already have the infrastructure - admin keys, blacklist functions, compliance switches that could be repurposed. Who’s ready for KYC DeFi? October 17th comment deadline could decide the future of permissionless finance.

Invisible Prompts


We hardened smart contracts against every exploit, then got rekt by a fake Solidity extension. AI bots got gaslit into moving ETH, devs trusted poisoned IDEs. The blockchain is immutable, but some of the brains building on it are running on compromised autopilot.

Drained By Design


A $550K lesson - Coinbase lost funds after granting ERC-20 approvals to 0xProject's permissionless Settler contract - exactly what their docs warn against. An MEV bot exploited the permissions to drain hundreds of tokens, adding to ongoing security failures investigators have highlighted.

BTCTurk - Rekt


Crypto deposits and withdrawals frozen as BTCTurk faces Groundhog Day - $55 million lost in June 2024’s private key breach, now $51.7 million gone again, funds funneled into ETH, founder silent, and users are left watching the rerun.

Odin.Fun - Rekt


Odin.fun hemorrhaged $7 million on August 12th through basic AMM manipulation - their third breach in six months. PhD founder's credentials can't fix inadequate treasury or unclear compensation plans. The pattern feels disturbingly familiar.

Hashrate Heist or Hype?


A $300 million AI project claimed it conquered a $6 billion privacy giant with a 51% attack on Monero. Community sleuths called BS - actual hashrate closer to 30%. Meanwhile, QUBIC tokens burned by the billions. Market moved, story spread, receipts didn't add up.