Who Vets the Vetters?
KYC giant Sumsub verifies millions of users for over 4,000 clients, but who verified Sumsub? Opaque ownership, unnamed investors, 18 months of undetected breach. The questions nobody thought to ask are still unanswered.
DPRK hackers spent 6 months sending proxies to befriend Drift Protocol. Conferences, trust, $1 million deposited. $285 million later, those friends vanished. No code broken. No bug found. Just a six-month con, a fake token, and a culture that never saw it coming.
On March 22, Resolv Labs lost $25 million when a compromised private key handed an attacker unlimited USR minting power. No oracle check. No mint cap. 80 million tokens printed. Hardcoded oracles and automated liquidity kept feeding broken markets long after the damage was done.
An attacker spent 9 months building a position, bypassed Venus Protocol's supply cap via a known donation exploit, and extracted $3.7 million, leaving $2.15 million in bad debt on a protocol that has now been rekt four times in five years.
Price impact kills. $50 million in, 327 AAVE out. Aave's interface routed through CoWSwap, and a solver picked a $73K pool for a $50 million trade. Every warning fired. Every contract performed. The dark forest cleaned up the next block. Full fee refund planned.
A misconfigured oracle cap triggered $27.78 million in healthy wstETH liquidations on Aave on March 10. 34 accounts liquidated for a configuration error they had no part in. No attacker, no hack, no market crash. Full reimbursement planned.
$2.73 million drained from Solv's BRO vault, a callback fired before the books balanced, minting the same deposit twice across 22 loops and turning 135 BRO into 567 million, all inside a single transaction. An unaudited contract with no bug bounty coverage, losses covered by the team, attacker exited to Tornado Cash.
Two protocols. One skipped command. The first confirmed live exploits of ZK cryptography weren't sophisticated; they were a setup ceremony nobody finished. It turns out default settings ship faster than trust.
One skipped CLI step left FoomCash's zk verifier broken from day one. Someone read the Veil Cash post-mortem, scaled it up, and drained $2.26 million. $1.84 million rescued by Decurity. $320K kept under the protocol's own "code is law" bounty. Net loss of $420K.
Oracle manipulation drained $10.97 million from Script3's YieldBlox pool on Blend V2. Attacker pumped illiquid collateral USTRY 100x on the Stellar DEX. The oracle reported the fake price as real.
A private key compromise handed an attacker full admin control over IoTeX's ioTube bridge. $4.4 million drained. Two tokens minted on top, most of which IoTeX claims are frozen or worthless. The key was the only lock on the door.
An oracle misconfiguration priced cbETH on Moonwell at $1.12 instead of $2,200. Liquidation bots seized 1,096 cbETH, leading to $1.78M in bad debt. The commit was co-authored by Claude Opus 4.6, possibly the first major exploit of vibe-coded smart contracts.