June 2026 Protocol -
Engineering Recap

Table of Contents

June 2026 Protocol Engineering Recap

Coverage window: June 1 to June 30, 2026. This recap deliberately excludes market price commentary and financial speculation. Loss figures appear only where they are part of a technical security post-mortem.

TL;DR

  • Glamsterdam Integration Risk: Ethereum June core-dev work moved from feature selection toward multi-client integration: ACDE #238 reported Glamsterdam Devnet-5 launching with 2 execution-layer clients and 4 consensus-layer clients, while ACDE #239 reported 95% Devnet-5 participation and targeted Devnet-6 for June 24 -> treat Glamsterdam as an interop and testnet-risk program, not a single EIP upgrade.
  • ePBS API Surface Expansion: EIP-7732 enshrines proposer-builder separation and introduces Payload Timeliness Committee mechanics, while ACDC #181 discussed builder execution requests, validator API impacts, and Gloas payload-matching bugs -> validators, builders, relays, and proof systems should budget engineering time for API migration and fallback paths.
  • BAL Became Client Code: EIP-7928 remains a draft, but June client releases show it moving into execution-layer plumbing: Geth v1.17.4 implements EIP-7928 and snap/2 EIP-8189, while Nethermind v1.38.0 adds parallel transaction execution with block-level access lists -> execution teams should benchmark witness construction, block validation, and state-sync behavior now.
  • Client Performance Work Is Practical, Not Cosmetic: Geth optimized JUMPDEST bitmap caching, stack operations, blob Engine API paths, cgroup memory sizing, and GetBlobs latency; Prysm v7.1.5 avoided materializing 2.3M validators in validator-list endpoints and added Gloas support -> node operators should stage upgrades against RPC-heavy, blob-heavy, and validator-heavy profiles.
  • L2s Focused On Proof Reliability: OP Stack releases included a required kona-client update for a fault-proof soundness bug involving BLOBBASEFEE, Nitro v3.11.x shipped in June, and zkSync Era core v31.0.0 added airbender proof failure submission and bounded proving retries -> L2 teams should prioritize proof-program correctness and proving failure paths over feature velocity.
  • Solana Release Train Split Mainnet And RC Risk: Agave shipped stable v4.0.3 and testnet v4.1.0-rc.1 on June 16, while Jito-Solana shipped matching mainnet and testnet builds Agave v4.0.3 Agave v4.1.0-rc.1 Jito v4.0.3-jito -> operators should keep production upgrades and release-candidate testing as separate operational tracks.
  • Firedancer Metrics Need Caveats: Firedancer Testnet v1.0.0 shipped June 12, Frankendancer Mainnet v0.913.40003 shipped June 19, and public dashboards identify at least one Figment Firedancer validator, but the extracted official June sources did not publish a definitive Firedancer 1.0 mainnet validator count Firedancer v1.0.0 Frankendancer v0.913.40003 -> cite dashboard indicators as non-official telemetry, not official rollout metrics.
  • Alpenglow Is A Consensus Rewrite: Solana’s network-upgrades page describes Alpenglow as under development and expected by Agave 4.1, targeting 150 ms confirmation times and removing Proof of History plus onchain vote transactions; SIMD-0326 provides the proposal track -> downstream infra should model finality, vote accounting, and validator incentives as new assumptions.
  • Privacy Engineering Converged On Encrypted Mempools And TEEs: June Encrypt The Mempool meetings, Flashbots/ethresear.ch activity, Shutter research, and Oasis confidential-contract docs point to threshold encryption, attested networking, and TEE-backed execution as separate but converging privacy patterns -> privacy architects should threat-model key release, enclave trust, gas leakage, and censorship separately.
  • Security Failures Exposed Cross-Layer Invariant Gaps: Aztec Connect was exploited on June 14 after a deprecated rollup settlement path failed to align ZK proof processing with L1 settlement validation, with sources reporting roughly $2.15M to $2.28M drained -> audits should add explicit cross-domain set-equivalence, settlement-boundary, and deprecated-contract invariant tests.

Ethereum L1: Glamsterdam Moved From Roadmap To Interop Risk

Ethereum’s June L1 story was not a single EIP becoming final. It was the conversion of Glamsterdam from a roadmap theme into a set of multi-client integration risks. The official ethereum.org roadmap lists Glamsterdam as an upcoming upgrade planned for H2 2026. The June core-dev record shows the workstream becoming operational: ACDE #238 on June 4 reported Glamsterdam Devnet-5 launching one hour before the meeting with 2 EL clients and 4 CL clients, and the meeting decided to merge separate development networks into a unified track starting with Devnet-6, cancelling the separate BAL Devnet-8 path.

That consolidation matters because Glamsterdam combines consensus and execution changes that are coupled at block-production time. EIP-7732, enshrined proposer-builder separation, separates the Ethereum block into consensus and execution parts and adds a mechanism for the consensus proposer to choose the execution proposer. EIP-7928, block-level access lists, proposes enforced block access lists containing state locations and post-transaction state diffs, with a block_access_list_hash in the block header. These are not independent implementation chores: ePBS changes who produces and proves block payloads, while BAL changes how clients describe and verify state access.

ACDE #239 on June 18 showed the work shifting toward measurable interop: Devnet-5 participation reached 95%, Devnet-6 was targeted for June 24, EIP-8282 was slated for the Glamsterdam Meta EIP, and EIP-7904 was reclassified as informational because clients were already above the 100M gas per second anchor. The same call caveated EIP-7928 as only a soft commitment pending final feedback and asked client teams to review state-access restructuring options. ACDC #181 on June 25 added consensus-side caveats, including Devnet-5/Devnet-6 readiness, EIP-8045, EIP-8080, EIP-8282, validator API naming impacts, and a spec bug where Gloas attestations with specific indices failed payload matching.

Case study – Devnet unification as risk reduction. The decision at ACDE #238 to unify separate Glamsterdam and BAL devnet tracks is easy to miss, but it is the clearest June engineering signal. Running ePBS and BAL in isolated tracks would make local progress easier while deferring the harder question: can consensus clients, execution clients, builders, validators, and Engine API consumers survive the combined state transition? Devnet unification forces the system to discover cross-EIP failures earlier.

Decision-ready insight: teams building validator infrastructure, builder software, proof circuits, execution clients, or node observability should treat Devnet-6 and subsequent Glamsterdam devnets as API-breaking rehearsals. The high-risk interfaces are Engine API payload/witness methods, builder execution requests, validator API naming, Gloas attestation handling, QUIC transport assumptions, and BAL state-access validation.

Ethereum Clients: Performance Work Followed The Upgrade Surface

June client releases map directly onto Glamsterdam’s new hot paths. Geth v1.17.4, released June 22, continued Amsterdam/Glamsterdam work and implemented EIP-7928, EIP-8189 snap/2, EIP-8037, engine_newPayloadWithWitnessV5, Amsterdam-aware evm t8n tooling, BAL support, slot-number support, and binary-trie leaf export. The performance theme was concrete: cache sizing now respects cgroup memory caps, EVM execution gets a global cache for JUMPDEST bitmaps, stack operations avoid per-operand copies, large blob Engine API JSON encoding was optimized, gzip was disabled on the Engine API, and GetBlobs request caching reduces latency.

Nethermind’s June line also tied performance to upgrade readiness. Nethermind v1.38.0 on June 2 improved robustness, restart safety, RPC compatibility, and runtime performance for Flat DB users and RPC-heavy workloads, while adding Taiko Unzen, parallel transaction execution with EIP-7928 BAL, EIP-7981, EIP-7976, and EIP-4444 EraE history expiry. Nethermind v1.38.1 on June 15 focused on Optimism and OP Stack support, adding OP Karst, refreshing Superchain registry chains, and removing bundled Base mainnet and Sepolia configurations, meaning operators running Base through built-in configs must supply their own chainspec/config. On June 23, Nethermind also published a ZisK guest preview supporting standard chains and glamsterdam-devnet-5.

Prysm v7.1.5, released June 16, is the strongest consensus-client signal. It supports the Gloas/ePBS fork, including end-to-end stateful self-build, execution payload envelope production and processing over REST/SSZ, payload attestation duties, EIP-8045, and a Gloas-aware fork-choice dump endpoint. The same release reduces validator-list memory pressure by streaming endpoints rather than materializing 2.3M validators, adds O(1) pubkey-to-index maps for builder lookups, updates committee caches asynchronously, introduces Snappy-compressed hdiff state snapshots, and hardens exact gossip subnet-topic matching plus BLS signature verification on REST attestation paths. Erigon v3.4.4, released June 18, fixed an in-RAM overlay pruning issue after no-op execution unwinds and aligned Caplin uint64 beacon API JSON serialization with beacon-APIs expectations.

Client

June 2026 signal

Upgrade surface

Operator implication

Geth

v1.17.4 on June 22

EIP-7928, snap/2, witness payload APIs, EVM hot paths

Benchmark Engine API, blob, BAL, and memory-capped container behavior

Nethermind

v1.38.0 on June 2, v1.38.1 on June 15, ZisK guest preview on June 23

BAL parallel execution, OP Stack support, Glamsterdam devnet proof tooling

Re-test Flat DB, RPC-heavy workloads, OP configs, and proof-generation paths

Prysm

v7.1.5 on June 16

Gloas/ePBS, PTC duties, EIP-8045, fork-choice tooling

Stage validator and builder workflows against new ePBS duties

Erigon

v3.4.4 on June 18

Reorg/unwind correctness, beacon API compliance

Re-test reorg handling and Caplin API consumers

Decision-ready insight: the performance work is not general optimization. It is preparation for heavier witness handling, builder lookups, blob payloads, validator-set scale, and Engine API churn. Teams should benchmark mixed workloads rather than treating June releases as routine patches.

Ethereum L2s: Proof Correctness And Proving Reliability Dominated

L2 releases in June had a consistent engineering message: production risk is migrating from transaction throughput to proof correctness, proving reliability, and node support windows. The OP Stack release page includes a required kona-client release for the OP Stack fault-proof program that fixes a fault-proof soundness bug involving BLOBBASEFEE on post-Jovian blocks. That is exactly the class of bug L2 teams cannot paper over with monitoring: if the fault-proof program is wrong, the security boundary is wrong.

Arbitrum Nitro shipped v3.11.0 on June 22 and v3.11.1 on June 29 according to the extracted GitHub release page. Arbitrum’s support policy also shows Nitro 3.9.9 support ending June 11 and Nitro 3.10.x support lasting until 30 calendar days after 3.11.x is released. For operators, this makes support-policy tracking part of security operations: running a version outside the active support window can turn a non-critical bug into an unpatchable production risk.

zkSync Era core v31.0.0 was released June 18 and added airbender proof failure submission, bounded proving retries, pre-upgrade l2_da_commitment_scheme configuration, fee-history reward percentile fixes, and state-keeper mempool sync fixes. Earlier June zkSync releases included v29.20.0 on June 4 enabling airbender proof submission, v29.19.2 on June 3 fixing SNARK prover queries, and v29.19.1 on June 1 increasing proof body size limits and handling NULL protocol versions. The pattern is a proving pipeline being hardened around retries, failure submission, configuration ordering, and RPC correctness.

A note on Starknet: search results suggested a June v0.14.3 timeline, but the official Starknet version-release and version-notes pages extracted for this recap did not confirm a June 2026 version event. Therefore, this recap does not present a June Starknet mainnet date as verified.

Decision-ready insight: L2 operators should maintain a proof-risk checklist separate from normal node upgrade checklists. It should cover fault-proof program versions, proving retry limits, proof failure submission paths, DA commitment configuration, RPC compatibility, and support-window cutoffs.

Solana: Validator Releases, Firedancer Caveats, And Alpenglow

Solana’s June release train split into three tracks: production validator patches, testnet release candidates, and longer-horizon consensus replacement. Agave shipped v4.0.2 and v4.1.0-beta.3 on June 5, then shipped stable v4.0.3 and testnet v4.1.0-rc.1 on June 16 Agave v4.0.2 Agave v4.1.0-beta.3 Agave v4.0.3 Agave v4.1.0-rc.1. Jito-Solana mirrored the operational structure with mainnet v4.0.3-jito and testnet v4.1.0-rc.1-jito on June 16 Jito v4.0.3-jito Jito v4.1.0-rc.1-jito.

Firedancer activity was visible, but the metric story needs careful wording. Firedancer Testnet v1.0.0 shipped June 12 Firedancer v1.0.0. Frankendancer Mainnet v0.912.40003 shipped June 16 and Frankendancer Mainnet v0.913.40003 shipped June 19 Frankendancer v0.912.40003 Frankendancer v0.913.40003. StakeWiz identifies a Figment Firedancer validator and shows version 4.0.3 on the validator page. SolanaCompass provides a Firedancer project page and reported that the Mithril client produced blocks on the Alpenglow community test cluster on June 24, but that is a third-party project-page signal, not an official Firedancer 1.0 mainnet adoption count. I did not find an official June source publishing a definitive Firedancer 1.0 mainnet validator count.

Alpenglow is the bigger architectural shift. Solana’s network-upgrades page described Alpenglow as under development and expected by Agave 4.1, with a target of 150 ms confirmation times and removal of Proof of History plus onchain vote transactions. SIMD-0326 is the formal proposal, authored by Quentin Kniep, Kobi Sliwinski, and Roger Wattenhofer, and describes Alpenglow as a major overhaul of Solana’s consensus protocol replacing the existing Proof-of-History and TowerBFT mechanisms.



Track

June source signal

Technical meaning

How to act

Agave

v4.0.3 stable and v4.1.0-rc.1 testnet on June 16

Separate production patch and RC validation lanes

Keep mainnet rollouts isolated from Agave 4.1 RC testing

Jito-Solana

v4.0.3-jito and v4.1.0-rc.1-jito on June 16

Jito maintained a matching mainnet/testnet cadence

Validate Jito-specific deployment assumptions separately

Firedancer/Frankendancer

Firedancer Testnet v1.0.0 on June 12, Frankendancer mainnet builds on June 16 and June 19

Alternative-client rollout continues across testnet and mainnet artifacts

Treat dashboard adoption as telemetry, not official rollout counts

Alpenglow/SIMD-0326

Under development, expected by Agave 4.1, 150 ms target

Consensus rewrite, not a performance flag

Re-model finality, voting, incentives, and monitoring assumptions

Decision-ready insight: Solana infra teams should not collapse Agave 4.0 production operations, Agave 4.1 RC testing, Firedancer/Frankendancer adoption, and Alpenglow into one upgrade bucket. They have different failure modes, rollback assumptions, and monitoring requirements.

Smart Contract Engineering: Tooling, TEEs, And Encrypted Mempools

The smart-contract tooling signal in June was mixed: Foundry and Hardhat had visible June activity, while Solidity’s official release blog did not show a June compiler release in the extracted release list. Foundry’s GitHub release page lists a Nightly pre-release for 2026-06-22, including a test change allowing vm.load on precompiles. Hardhat’s package and release surfaces show v3.9.0 in June, with npm listing June 8, 2026 for Hardhat version activity. Solidity’s official release blog showed Solidity 0.8.35 as an April 29, 2026 release and did not provide a June release entry in the extracted page. For Slither and OpenZeppelin Contracts, the extracted release pages did not provide a clearly verified June 2026 change suitable for a major claim.

Privacy engineering had more architectural substance. Ethereum’s Encrypt The Mempool #5 was scheduled for June 10 and #6 for June 24, with #6 listing use-case exploration and framed transactions/account abstraction for anonymous paymasters as agenda items. Shutter’s encrypted-mempool research frames threshold encryption as a way to reduce censorship, front-running, and builder centralization, and includes eth_sendEncryptedTransaction as an interface pattern for private transaction submission. The Ethereum Research index for June also surfaced discussion around LUCID and encryption-scheme-agnostic encrypted mempools, which is relevant because it questions whether encrypted-mempool designs can be made independent of a specific encryption construction.

TEE-based contract privacy is a separate mechanism from mempool encryption. Oasis documents confidential smart contracts as relying on trusted execution environments, encrypted blockchain storage, and end-to-end encrypted client queries. The same docs warn that events remain public, timing and gas-limit behavior can leak information, and developers should avoid secret-dependent branching that reveals confidential state. Flashbots’ public confidential-compute repository and Collective discussions around attested TLS point to a parallel track: attestation and confidential networking for MEV and transaction-supply-chain components.

Case study – Oasis confidential contracts versus encrypted mempools. Oasis-style confidential contracts protect execution state through TEE-backed computation and encrypted storage, but they do not hide everything: public events, gas use, execution timing, and developer branch structure remain leakage surfaces. Encrypted mempools, by contrast, focus on hiding transaction contents before ordering and inclusion, with threshold key release and PBS integration as the hard coordination problems.

Decision-ready insight: do not label all privacy work as one category. TEE confidentiality, encrypted mempools, attested networking, private token standards, and account-abstraction paymaster privacy each protect different phases of the transaction lifecycle and have different leakage surfaces.

Security Post-Mortems: Cross-Layer Invariants Failed Loudly

The most technically useful June post-mortem was Aztec Connect. SlowMist reported that on June 14, 2026 the deprecated Aztec Connect RollupProcessor contract was exploited for approximately $2.19M. Rekt reported $2.28M drained from a deprecated ZK-rollup contract over two consecutive days and emphasized that Aztec Labs had deprecated Aztec Connect in March 2023. BlockSec’s weekly report listed the Aztec incident at approximately $2.15M and described the root cause as a mismatch or input-validation failure across the rollup proof path and L1 settlement logic. The dollar amounts differ, but the technical pattern is consistent: a settlement boundary accepted a state transition that the proof/settlement interface should have rejected.

That distinction matters for auditors. In a ZK-rollup or hybrid proof system, verifying a proof is not enough if the public inputs, transaction set, settlement accounting, and withdrawal state are not all bound to the same semantic object. The Aztec failure mode is therefore not just “missing validation” in a generic sense. It is a cross-domain invariant failure: the off-chain/proof domain and the on-chain settlement domain processed different assumptions about what was being finalized.

BlockSec’s June weekly also grouped the Aztec case with a Raydium AMM v3 exploit and a Top Token governance attack, reporting approximate impacts of $1.34M and $1.59M respectively. The key engineering takeaway is not the aggregate loss number. It is that June incidents crossed architecture categories: ZK-rollup settlement validation, AMM logic, and governance authorization. CyberChainBench, published in June, reinforces this by classifying vulnerabilities by root cause in contract code rather than only by exploit technique.

Case study – Aztec Connect as a deprecated-system risk. Deprecated systems are dangerous because teams stop exercising integration tests while funds, approvals, and attack surfaces can remain live. Aztec Connect’s exploit shows why sunsetting must include executable kill switches, withdrawal-only invariants, and monitoring for stale settlement paths. Documentation that says a system is deprecated is not equivalent to an on-chain invariant that prevents value extraction.

Decision-ready insight: audits for rollups, bridges, AMMs, and governance systems should add an explicit “cross-boundary invariant” section. For rollups, test proof public inputs against settlement state. For bridges, test message identity and replay boundaries. For AMMs, test accounting invariants across hooks and fee paths. For governance, test trust-chain assumptions and privilege propagation.

Synthesis: Parallel Execution, Separated Roles, And Stronger Invariants Converge

June’s throughline is separation. Ethereum is separating proposer and builder roles through ePBS while trying to make state access explicit through BAL. Solana is separating validator-client risk by advancing Firedancer/Frankendancer alongside Agave and Jito-Solana, while Alpenglow proposes to replace the existing consensus machinery. Smart-contract privacy work separates transaction confidentiality, execution confidentiality, attested networking, and developer tooling into distinct layers. Security post-mortems show what happens when those separated layers fail to share the same invariant.



Vector

Mechanism

Scope

Trade-off

Evidence base

Time horizon

Ethereum L1

ePBS, Gloas, BAL, Engine API/witness changes

Base-layer block production and state access

More explicit roles and state data, but more interop and API risk

ACDC/ACDE calls, EIP-7732, EIP-7928, client releases

H2 2026 roadmap and active devnets

Ethereum clients

Cache, memory, blob, witness, validator-list, and fork-choice optimizations

Execution and consensus node operation

Better hot-path performance, but operators must retest workloads

Geth, Nethermind, Prysm, Erigon releases

Immediate staging and devnet use

Ethereum L2s

Fault-proof fixes, Nitro support windows, proving retries

Rollup correctness and node operations

Higher assurance, but proof pipelines and support windows become operational dependencies

OP, Nitro, zkSync release pages

Immediate production risk management

Solana

Agave/Jito RCs, Firedancer/Frankendancer, Alpenglow SIMD-0326

Validator software and consensus design

More client diversity and faster finality targets, but adoption metrics and consensus assumptions need caveats

GitHub releases, SIMD, Solana network-upgrades page, dashboards

RC testing now, consensus rewrite later

Smart-contract engineering

TEEs, encrypted mempools, attested TLS, dev tooling, root-cause taxonomies

Application privacy, transaction supply chain, audit workflows

Stronger confidentiality and testing, but new leakage and trust assumptions

Ethereum PM, Shutter, Oasis, Flashbots, BlockSec, SlowMist, Rekt, arXiv

Research to production varies by component

The non-obvious tension is that performance and security are both pushing systems toward more explicit structure. BAL makes state access explicit to enable parallel execution and better sync. ePBS makes builder/proposer roles explicit to reduce off-protocol relay dependence. Alpenglow aims to simplify Solana consensus by replacing legacy mechanisms. Encrypted mempools and TEEs make confidentiality boundaries explicit. Post-mortems show the cost when explicit boundaries are incomplete: the proof layer and settlement layer can disagree, a signer or approval path can be hijacked, or a deprecated component can remain economically live.

The practical recommendation is to update engineering checklists around boundaries, not components. For Ethereum L1, test Engine API and witness boundaries. For L2s, test proof-program and settlement boundaries. For Solana, test client-version and consensus-assumption boundaries. For privacy systems, test key-release, attestation, event, gas, and timing boundaries. For smart-contract audits, test cross-domain invariants before tuning for coverage metrics.

Decision-ready insight: June 2026 was not about one chain “winning” a performance race. It was about protocol teams making hidden dependencies explicit. The teams that benefit will be the ones that instrument and test those boundaries before mainnet traffic does it for them.

June 2026 Web3 Hacks: A Complete Incident Catalog

June 2026 was an unusually active month for on-chain security incidents. This catalog documents 33 distinct exploits confirmed between June 1 and June 30, 2026, with combined reported losses well over $74 million (per-incident figures vary by source and are shown as ranges where reporting disagrees). Each entry states the chain, the amount as reported, the specific technical root cause, and a concrete analysis of how it could have been avoided. Incidents were compiled and cross-checked across Rekt.news, SlowMist, BlockSec, PeckShield, CertiK, Halborn, Chainalysis, Blockaid, DefiLlama and primary protocol post-mortems; only incidents with a source explicitly dating them to June 2026 are included. The recurring lesson is that the largest losses came not from broken cryptography but from operational and access-control failures: centralized or leaked keys, deprecated-but-live contracts, unvalidated cross-chain proofs, and compromised front-ends. (Aztec Connect, Raydium and Top Token also appear in the post-mortem section above; they are repeated here with dedicated avoidance analysis so the catalog is self-contained.)

Major Incidents (Losses of $1M or More)

Humanity Protocol – ~$32M-$36M Bridge Multisig / Private-Key Compromise (June 8, 2026)

On June 8, 2026, Humanity Protocol lost roughly $32M-$36M worth of its $H token across Ethereum and BNB Smart Chain (BSC) in an operational-security failure rather than a smart-contract code bug (CoinDesk’s initial June 9 report cited “$32M+” with losses still climbing; Halborn, Decrypt and later coverage settled on ~$36M). Malware on a Humanity Foundation developer’s laptop gained root access and exfiltrated seven private keys: one hot-wallet key plus two full sets of Safe/Gnosis multisig owner keys — three owner keys for the Ethereum bridge Safe and three for the BSC bridge Safe. These keys had been accidentally backed up onto that single machine during the June 2025 mainnet launch, so the supposed 3-of-6 (Ethereum) and 3-of-5 (BSC) multisigs effectively lived on one device, meaning a single host compromise crossed the approval threshold on both chains. Using the stolen keys, the attacker drained the hot wallet (~6.05M H), then on Ethereum took over the bridge ProxyAdmin, transferred ownership, and pushed a malicious bridge-contract implementation upgrade that drained ~141M H in one transaction; on BSC the attacker seized ProxyAdmin control and deployed an unlimited-mint implementation, minting an estimated 200-300M unauthorized H. In total roughly 447M $H was stolen or fraudulently minted, and the proceeds were swapped to ETH and dumped on DEXs. Quantstamp responders linked the tooling to North Korea (DPRK)-associated groups, while ZachXBT publicly flagged the event as “possibly staged,” leaving attribution contested; the reported initial delivery vector was a spear-phishing lure impersonating exchange Bithumb.

How it could have been avoided: the core failure was co-locating every Safe owner key on one internet-connected laptop, so the primary fix is true multisig key segregation — each owner key must live on a separate person AND a separate hardware device (hardware wallet, HSM, or air-gapped signer), never exported to the filesystem, never backed up as plaintext or keystore files, and never generated on a networked machine. Signing keys for privileged bridge and ProxyAdmin operations should be hardware-bound (e.g., Ledger/Trezor, or MPC with per-participant TEEs) so root-level malware cannot exfiltrate raw private keys in the first place. Because the attacker’s payload was an instant, single-transaction ProxyAdmin upgrade, moving the upgrade/bridge-admin authority behind a timelock would have delayed the malicious implementation long enough to detect and pause it. Signers should also be geographically and organizationally distributed so no single compromised host can meet threshold on either chain, and any keys ever touched by an internet-connected machine — especially during a mainnet launch — must be rotated, destroyed, and explicitly audited for stray backups afterward. Finally, dedicated, monitored signing workstations with endpoint hardening and phishing-resistant FIDO2 authentication would blunt the spear-phishing entry vector. Any one of key segregation, hardware-bound signing, or a timelock on the upgrade path would have blocked this attack.

Sources: Humanity’s $36 million exploit happened because a ‘multisig’ lived on one laptop (CoinDesk), Explained: The Humanity Protocol Hack (June 2026) (Halborn), Humanity Protocol says compromised admin keys led to $36M exploit (crypto.news)

Syscoin Bridge – ~$8M-$10M Cross-Chain Proof-Validation Exploit (June 7, 2026)

On June 7, 2026, the Syscoin cross-chain bridge that connects the network’s UTXO layer to its NEVM (EVM) layer was exploited, allowing an attacker to mint roughly 5 billion unauthorized SYS on the UTXO side with no corresponding burn on the NEVM side. Estimates of the fiat value range from about $8M to $10M, since sources price the same ~5 billion SYS at different points: Rekt.news and Halborn anchor ~$8.56M using the June 7 close of $0.00171/SYS, while several outlets cite ~$10M at intraday value and DefiLlama-style trackers record ~$8M; the invariant across reports is ~5 billion SYS, or roughly 85% of circulating supply and about 568% inflation. The root cause was an implementation-level flaw, not a cryptographic break: the bridge mints SYS on the UTXO side only against a proof of a corresponding burn/lock on the NEVM side, and the attacker submitted a malformed SPV/transaction proof deliberately structured so the relay’s parser misread it as valid. The malformed payload exploited a cross-layer interpretation mismatch between Syscoin Core and the NEVM relay, involving ambiguous or duplicate asset commitments targeting the same output, so the parser inferred validity for a NEVM burn that never occurred. The relay accepted this invalid proof and authorized an unbacked mint, without any private-key compromise. This places the incident in the same vulnerability class as the 2022 Nomad bridge hack, where an invalid proof was accepted as valid.

How it could have been avoided: the mint path should have enforced strict, canonical, fail-closed validation of the SPV/burn proof before authorizing any UTXO-side mint. First, canonicalize and length/structure-check the proof payload and reject any ambiguous or duplicate asset commitments targeting the same output, so that Syscoin Core and the NEVM relay parse identical bytes to identical meaning and the cross-layer interpretation mismatch is eliminated at the source. Second, verify that the referenced NEVM burn actually exists and is finalized via Merkle inclusion against a confirmed block header, rather than trusting parser-inferred validity. Third, enforce a strict mint <= verified-burn accounting invariant, backed by a per-epoch mint rate-limit and supply-cap circuit breaker that would have halted an attempted mint of ~85% of circulating supply. Fourth, apply differential fuzzing and property-based testing across the two independent parser implementations (Core versus relay) to detect divergent interpretations of the same proof before deployment, reinforced by an independent audit of the proof-verification logic.

Sources: Syscoin – Rekt News, Explained: The Syscoin Bridge Hack (June 2026) – Halborn, SYS Drops 20% After 5B Unauthorized Tokens Minted in Syscoin Bridge Exploit – CryptoPotato

jaredFromSubway.eth MEV Bot – ~$7.5M (some estimates ~$15M) Counter-MEV Honeypot Drain (June 20, 2026)

On June 20, 2026, the well-known “jaredFromSubway.eth” sandwich/MEV bot on Ethereum was drained of an estimated ~$7.5 million (the most-cited figure from Blockaid, The Block, thirdweb, and others), with some on-chain analyses putting the total value touched closer to ~$15 million. This was not a private-key compromise, phishing, or a bug in the bot’s own contract, but a counter-MEV honeypot that weaponized the bot’s automated approve-per-route logic. Over several weeks the attacker deployed roughly 66 counterfeit token and wrapper contracts plus fabricated liquidity pools that mimicked WETH, USDC, and USDT and appeared as profitable MEV/sandwich routes. Early interactions behaved normally (approve, wrap, swap, unwrap, profit), building trust, but the malicious wrappers embedded a conditional toggle (reported as a getStatus()-style switch) that, on certain blocks, skipped the expected transferFrom and left the granted ERC-20 allowance unconsumed. Across roughly 600 blocks the bot repeatedly re-approved these contracts against its genuine WETH/USDC/USDT holdings (one example being an approval of about 92.16 WETH to an attacker helper contract), accumulating standing dangling allowances. Once enough unconsumed approvals had built up across all ~66 contracts, the attacker fired a single transaction invoking every backdoor at once, sweeping the bot’s real tokens via transferFrom; proceeds were consolidated into thousands of ETH and partly routed through Tornado Cash.

How it could have been avoided: the bot needed strict ERC-20 approval hygiene rather than blind approve-per-route execution. It should grant exact-amount allowances scoped to a single trade instead of unlimited or standing approvals, and immediately zero out each allowance after a route via approve(spender, 0) so no dangling permission can survive an unconsumed transferFrom. Its opportunity-detection logic should enforce counterparty allowlisting – interacting only with known, verified canonical token addresses (real WETH/USDC/USDT) and audited AMM pools/routers, rejecting any contract that merely emits legitimate-looking Transfer/Swap events, which would have excluded all ~66 counterfeit tokens and fake pools. Pre-execution simulation and invariant checks (Blockaid/Forta/OpenZeppelin Defender-style) should verify that each route actually consumes the allowance it was granted and flag routes leaving residual approvals or whose token/pool bytecode is unverified or contains conditional transferFrom-skipping logic. Finally, a residual-approval monitor that alarms on accumulating outstanding allowances would have surfaced the growing dangling-approval exposure well before the single sweep transaction executed.

Sources: The Block – Notorious ‘jaredfromsubway’ MEV bot drained for roughly $7.5 million in counter-MEV honeypot, thirdweb – Jaredfromsubway.eth MEV Bot Exploited for $7.5M: What Builders Need to Know, crypto.news – JaredFromSubway MEV bot gets drained in $7.5m approval trap

Secret Network / Axelar Bridge – ~$4.67M CW20-ICS20 Infinite-Mint Exploit (June 10, 2026)

On June 10, 2026, a modified CW20-ICS20 token contract on Secret Network (Cosmos/IBC) that backed Axelar-wrapped assets was drained for roughly $4.67 million (Cointelegraph rounds to $4.7M) in an infinite-mint exploit. The contract had been reworked from an escrow-based to a mint-based model for the Axelar integration, and in doing so two critical validation checks were commented out in do_ibc_packet_receive: parse_voucher_denom, which verifies a voucher denom’s port/channel trace against the packet’s actual source, and reduce_channel_balance, which caps redemptions at the amount genuinely escrowed on a given channel. As a result the contract minted saTokens based solely on allow-listed denomination names, without checking which IBC channel had actually carried the deposit. Because IBC channel opening is permissionless, the attacker stood up a single-validator counterfeit Cosmos chain (ibc-dev-allowlist-denom-1), opened channel-227 to the vulnerable contract, and self-relayed forged packets carrying approved denominations such as uusdt; a uusdt arriving on the attacker’s channel-227 was indistinguishable from one on Axelar’s legitimate channel-69, so the bridge minted genuine but unbacked saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB and sawstETH (per Common Prefix: saWETH ~$1.537M, saUSDT ~$1.121M, saWBTC ~$1.065M, saUSDC ~$638K, saDAI ~$174K, saWBNB ~$102K, sawstETH ~$38K). The unbacked tokens were then redeemed over the legitimate Axelar channel to release the real escrowed assets, which were bridged through Osmosis to Ethereum and converted to ETH. The attack ran across seven transactions between ~19:01 and 19:20 UTC and went unnoticed for roughly seven days, surfacing around June 17 only when an “insufficient funds” error on a cross-chain transfer exposed the drained account; no external audit had been requested for the integration.

How it could have been avoided: the ICS-20 denomination-trace validation (parse_voucher_denom) and per-channel escrow accounting (reduce_channel_balance) must never be removed or commented out when forking CW20-ICS20 — every inbound packet needs its source port/channel verified against the voucher denom path per the ICS-20 spec before any minting, so a token can only be minted from the exact channel on which it was escrowed. The minting contract should further restrict accepted transfers to a hardcoded allow-list of trusted counterparty channels (e.g. only Axelar’s channel-69) rather than any permissionlessly-opened channel, and cap redemptions at genuinely-escrowed per-channel balances, which alone would have made the attacker’s channel-227 deposits non-mintable. Any security-critical fork that removes core validation checks — especially a change from an escrow model to a mint model — must be re-audited by an external party before deployment. Finally, real-time supply/escrow-invariant monitoring should assert that total minted saTokens always equal total escrowed backing and alert immediately on any divergence, so an infinite-mint cannot sit undetected for a week until a downstream transfer happens to fail.

Sources: Common Prefix — Secret Network CW20-ICS20 Exploit: What Exactly Happened, Secret Network’s Axelar bridge drained for $4.67 million in infinite-mint exploit that went unnoticed for seven days | The Block, Axelar Reports $4.67M Bridge Exploit with Secret Network | ForkLog

Polymarket – ~$3M-$3.1M Frontend Supply-Chain Attack (June 25, 2026)

On June 25, 2026, prediction-market platform Polymarket lost roughly $3M to $3.1M in PUSD (its USDC-backed stablecoin) in a client-side supply-chain attack; early reports put the figure near $2.9M before it rose to around $3.1M, and the proceeds were bridged from Polygon to Ethereum and swapped into approximately 1,893 ETH into a single wallet. The root cause was a compromise of a third-party frontend vendor whose JavaScript dependency was loaded into Polymarket’s website: the attacker injected malicious script that was served to some users directly from the legitimate Polymarket domain. That script silently manipulated the wallet transaction-approval flow, presenting draining transactions as routine market actions so that fewer than roughly 15 users signed them, ultimately emptying PUSD from about 11 wallets on Polygon. Polymarket confirmed that its own servers, backend infrastructure, and smart contracts were not compromised, and the PUSD peg held throughout the incident. The event is distinct from a separate ~$700K Polymarket private-key incident on May 22, 2026, and the platform stated it would reimburse affected users.

How it could have been avoided: because the malicious code entered through a trusted third-party vendor bundle served from Polymarket’s own domain, the primary defenses are integrity controls on frontend assets. Subresource Integrity (SRI) hashes on every third-party / tag would cause the browser to refuse to execute any vendor bundle whose contents were tampered with, and a strict Content-Security-Policy whitelisting only trusted script origins while blocking inline and unexpected script execution would prevent injected code from running. Third-party frontend dependencies should be self-hosted and pinned (version-locked and hash-verified) rather than pulled dynamically from vendor CDNs, with any vendor update gated behind a build-time integrity check and code review. Finally, because the attack succeeded by disguising a fund-draining approval as a routine market action, client-side transaction simulation with human-readable “what will this transaction do” signing prompts would let users detect the drain before signing, and runtime frontend-integrity monitoring should alert on unexpected DOM or script modifications served from the production domain.

Sources: Polymarket customers lose $3 million in supply-chain attack (BleepingComputer), Explained: The Polymarket Hack (June 2026) (Halborn), $3 Million Reportedly Stolen in Polymarket Hack (SecurityWeek)

TesseraDAO (TSR) – ~$2.4M-$2.5M Infinite-Mint / Admin-Key Takeover (June 1, 2026)

On June 1, 2026, TesseraDAO (TSR) on BNB Chain was drained of roughly $2.4M-$2.5M through an infinite-mint and dump enabled by an access-control failure rather than a code bug (usethebitcoin and CryptoTimes cite ~$2.4M; PeckShield, Rekt, and Cryptopolitan cite ~$2.5M, with Rekt reporting $2.49M in stablecoins converted to 1,285.5 ETH plus an additional ~$16,224 swept later). The protocol retained a single privileged admin/owner role with total authority over minting, role assignment, ownership transfer, and the trade() and withdrawal() functions, and this role was never revoked nor gated behind a multisig or timelock. The attacker gained control of this privileged address (an ownership-takeover / compromised-deployer-key scenario) and, in roughly six transactions, reassigned the trader and withdrawer roles to their own wallet, transferred ownership, and called the mint function to create 99,000,000 TSR directly from the zero address into 0x6f2b45B950d1739EF67C76F4106df6d6E84904cB (mint tx at 2026-06-01 11:38:25 UTC). The minted supply was then routed through the protocol’s own trade() function to swap the tokens into ~$2.47M BSC-USD, which was withdrawn and bridged to Ethereum for laundering. On-chain analysts at Rekt and PeckShield emphasized that the exploiter did not find a bug in the code but instead used the protocol’s own privileged functions against it, pointing to an insider/backdoor or key-compromise root cause.

How it could have been avoided: because the root cause was an unrestricted, single-key admin role retaining infinite-mint and ownership-transfer authority, the fix is to eliminate that privileged path rather than patch code. After token distribution is finalized, unrestricted mint capability should be renounced entirely in favor of a fixed or capped supply with no live privileged mint path; where an admin role must persist, every privileged function (mint, role assignment, ownership transfer, trade, and withdraw) should be gated behind a multi-signature wallet plus a timelock so no single key can unilaterally mint or reassign ownership. The token contract should enforce per-transaction and cumulative mint caps, and deployment operations should monitor for owner-role reassignment and large mint events with automated circuit-breakers and pausable logic to halt a drain in progress. Deployer keys should be rotated to a hardware-backed multisig before mainnet launch, and independent audits should explicitly flag any live, non-multisig admin key with infinite-mint or ownership-transfer authority as a critical centralization risk rather than an accepted operational assumption.

Sources: TesseraDAO – Rekt News, PeckShield Says TesseraDAO Exploit Minted 99 Million TSR, Stole 2.5 Million USDT – Bloomingbit, TesseraDAO TSR Token Crashes 99% Following 99M Token Mint Exploit – Crypto Times

SecondFi – ~$2.4M (up to ~$20M at risk) Cardano Wallet Nonce-Derivation Exploit (June 21-23, 2026)

Between June 21 and 23, 2026, SecondFi, a Cardano wallet provider, suffered a cryptographic key-compromise exploit across three separate draining events, with public disclosure on June 23. Attackers drained roughly 16M ADA (approximately $2.4M) from 374 wallet addresses, while the total at-risk exposure was estimated as high as ~$20M / ~129M ADA (a SlowMist figure including NFTs and tokens); of that, ~129M ADA was proactively routed to an independent custodian and secured rather than lost, and the vulnerable-account footprint was reported as high as 3,072 accounts. The root cause was a deterministic nonce-derivation flaw in SecondFi’s proprietary Cardano software signer, which generated the per-signature secret value k with predictable or insufficient randomness. Because Cardano uses Ed25519/EdDSA signatures over the ed25519 curve, a faulty deterministic nonce means that once an affected address publishes even a single on-chain signature, an attacker can algebraically recover the long-term private key from public signature data alone. The defect was strictly in the signer’s nonce-generation code, not in the wallet UI, the seed phrase, or the Cardano protocol itself. Consequently, restoring the recovery phrase into a different wallet provides no mitigation, because it recreates identical addresses whose private keys are already recoverable by anyone observing the chain.

How it could have been avoided: the signer should never have used bespoke nonce-derivation logic; the per-signature value k for Ed25519/EdDSA must be derived exactly as specified, by hashing the private-key prefix concatenated with the message (analogous to RFC 6979 for deterministic ECDSA), so that distinct messages produce uncorrelated nonces and identical private keys are never leaked. In practice this means delegating signing to audited, constant-time cryptographic libraries such as libsodium’s ed25519 or cardano-crypto rather than reimplementing randomness or nonce generation in proprietary code. Before shipping, the signer should have been subjected to cryptographic review and validated against known-answer test vectors, plus duplicate/correlatable-nonce detection that confirms distinct messages never reuse or produce algebraically related k values. Because key rotation is impossible for addresses whose nonce scheme is already compromised, the only remediation once such a defect is deployed is immediate withdrawal of all funds to freshly generated addresses signed by a correct implementation, which is precisely why detection had to happen before, not after, on-chain signatures were published.

Sources: Cardano wallet exploit: SecondFi traces attack to private key flaw, warns users not to restore seed phrases – AMBCrypto, Security Incident Update – FAQ | SecondFi (official knowledge base), SecondFi maps recovery path after $2.4 million Cardano wallet exploit – The Block

Aztec Private Rollup Bridge – ~$2.15M-$2.21M Immutable Escape-Hatch Claim-Proof Drain (June 17, 2026)

On June 17, 2026, an attacker drained the deprecated Aztec Private Rollup Bridge on Ethereum L1 by abusing its emergency escapeHatch(bytes,bytes,bytes) withdrawal path. The on-chain drain (tx 0xab306cd2…, 18:34:47 UTC) removed 1,158 ETH (worth roughly $2.15M) from the bridge’s custody at 0x737901be…; broader reporting places the full loss at approximately $2.15M-$2.21M, with some sources including 150,000 DAI and 0.4696 renBTC and others citing ~$2.16M. The root cause was a claim-proof recipient-binding failure: the circuit and on-chain TurboVerifier did not constrain the withdrawal recipient (outputOwner) to the legitimate note owner, so a proof with an attacker-controlled outputOwner was accepted as valid. The attacker set rollupSize = 0, which the contract interpreted as a single escape-hatch transaction, routing attacker-supplied proof data through processRollupProof() and processDepositsAndWithdrawals() with no ownership check. Because the escape-hatch path treated verifier success alone as authorization and lacked rollup-provider auth, onlyOwner restriction, and recipient signature verification, a fresh EOA was able to specify a 1,158 ETH payout to itself. The contract, deployed as immutable in 2021 and deprecated in 2022, could not be paused or patched, so the residual custody balance was emptied from 1,158.76 ETH to 0.76 ETH. This was the second attack on Aztec infrastructure in three days, contributing to a combined loss of roughly $4M.

How it could have been avoided: the escape-hatch verifier circuit must cryptographically bind the withdrawal recipient to the claim/note owner as a constrained public input, committing to outputOwner and requiring the verifier or contract to enforce that it equals the recorded note owner, so a valid proof alone cannot authorize releasing funds to an arbitrary address. As defense-in-depth at the L1 bridge layer, the contract should perform independent entitlement checks (the withdrawal amount and recipient must match a recorded, un-spent user note) rather than trusting the proof’s embedded outputOwner field, and should reject degenerate inputs such as rollupSize == 0 that bypass rollup-state validation. The escape-hatch path itself needed explicit authorization gates, such as rollup-provider authorization, an onlyOwner restriction, or a user signature over the recipient, instead of treating TurboVerifier success as sufficient authorization to release custody. Finally, given that the contract was deployed immutable, its residual funds should have been fully migrated out and the bridge sunset when it was deprecated in 2022 rather than left live, and any immutable custody contract should have had a guardian pause or maximum-withdrawal rate-limit designed in before deployment.

Sources: Aztec Private Rollup Bridge Escape-Hatch Claim-Proof Drain — DARKNAVY, Aztec Network attacked twice in 3 days – Hacker drains $2.21M in digital assets — AMBCrypto, Aztec Network’s RollupProcessor Exploited for $2.21 Million — Crypto Times

Aztec Connect – ~$2.2M Deprecated ZK-Rollup Settlement-Boundary Exploit (June 14, 2026)

On June 14, 2026, an attacker drained roughly $2.1M-$2.19M (with some outlets reporting up to $2.21M as a cumulative figure) from the immutable, deprecated Aztec Connect RollupProcessorV3 contract (0xff1f2b4adb9df6fc8eafecdcbf96a2b351680455) on Ethereum L1. The root cause was a settlement-boundary bypass: a structural gap between the traversal range of the L1 settlement loop and the commitment range of the ZK proof’s SHA256 public-input hash. The attacker controlled the numRealTxs value directly from calldata (offset ~4516) with no on-chain constraint; while decoded_slots were rounded up to 32 slots for SHA256 precompile compatibility and thus all 32 slots were committed by the ZK proof to the L2 state root, the L1 settlement loop only iterated over the numRealTxs-declared slots (effectively 1), leaving slots 2-32 (31 slots) committed to L2 state but never subjected to L1 settlement verification. Forged deposit operations (proofId=1) were inserted into these unverified gap slots while the visible real slot held only no-ops. Across 14 processRollup() calls in two phases (7 calls minting ~217 unbacked forged deposit entries into L2 without decrementing the L1 pool, then 7 calls withdrawing the inflated L2 balances as legitimate L1 assets), the attacker drained ETH, DAI, wstETH, LUSD, yvDAI, yvWETH, and yvLUSD. Funds moved through intermediate contract 0x06f585…d0fcD to EOA 0x0F18D8b44a740272f0be4d08338d2b165b7EdD17.

How it could have been avoided: The L1 contract had to enforce that the set of transaction slots settled on L1 is identical to the set committed by the ZK proof’s public-input hash, rather than deriving the settlement loop bound from an attacker-supplied numRealTxs calldata field. Concretely: (1) never let a caller-supplied count (numRealTxs) determine the L1 settlement iteration range independently of the value bound inside the SNARK public inputs — derive the loop bound from the proof-committed value; (2) prove inside the circuit that the padding slots added purely for SHA256 precompile alignment (slots beyond real txs) are no-ops / zero-value deposit operations, so committed-but-unsettled gap slots cannot carry value-bearing deposits; and (3) add on-chain secondary verification asserting decoded_slots == numRealTxs (or that gap slots are empty) before minting any L2 balances. Because the RollupProcessor was immutable and deprecated, an additional mitigation would have been to withdraw or migrate the remaining L1 pool liquidity out of the abandoned contract after Aztec Connect’s shutdown, rather than leaving user funds in a frozen, unpatchable contract exposed to exactly this class of latent settlement flaw.

Sources: Analysis of the $2.19 Million Asset Theft from Aztec Connect: ZK-Rollup Settlement Boundary Bypass (SlowMist), Explained: The Aztec Connect Hack (June 2026) – Halborn, SlowMist Details Root Cause of $2.19M Aztec Connect Exploit – CryptoTimes

Taiko Bridge – ~$1.7M SGX Proof-Forgery Exploit via Leaked Raiko Signing Key (June 21, 2026)

On June 21, 2026, an attacker drained approximately $1.7 million from Taiko’s Ethereum Layer 2 bridge by forging cryptographic proofs that the L1 verifier accepted as valid L2 state transitions. The root cause was an RSA-3072 Intel SGX enclave signing key for Raiko, Taiko’s multi-prover/SGX proving stack, that had been committed as a file (reported as enclave-key.pem) to the public taikoxyz/raiko GitHub repository. Raiko’s SGX enclaves normally produce attestations that Taiko’s L1 bridge/verifier contracts trust as proof of valid L2 execution; with the private key public, the attacker enrolled their own SGX prover and signed fraudulent state attestations and withdrawal proofs. This let them register fake cross-chain bridge messages and submit L1 withdrawal requests that had no matching MessageSent events or deposits on Taiko L2, draining the L1 Bridge (ETH) and the ERC20Vault (stablecoins, WETH, WBTC, and other assets); roughly $170,000 of the total was around 2 million TAIKO tokens the attacker moved, some to MEXC, before the freeze. Blockaid flagged the attack in real time and BlockSec traced the root cause to the leaked Raiko signing key. Taiko activated its Security Council multisig to pause withdrawals and halt block production on June 21-22 and pledged to reimburse affected users from the treasury. Reported figures cluster at roughly $1.7 million, with some headlines characterizing it as “nearly $2M.”

How it could have been avoided: The private enclave signing key should never have been in source control. Concretely: (1) keep enclave signing keys out of git entirely, storing them in an HSM or secrets manager (AWS KMS/CloudHSM, HashiCorp Vault) and injecting them into the enclave at runtime; (2) enforce pre-commit and CI secret scanning (gitleaks, trufflehog, GitHub secret scanning with push protection) to block *.pem and private-key patterns from ever being pushed; (3) design the on-chain verifier to trust a specific measured enclave identity (MRENCLAVE/MRSIGNER) plus an on-chain allowlist of registered provers behind governance-gated enrollment, and require an M-of-N quorum from the multi-prover set rather than accepting any single SGX attestation, so one leaked key cannot unilaterally forge accepted proofs; (4) rotate and revoke the compromised key immediately and require fresh Intel remote attestation for prover enrollment; and (5) add L1-side sanity checks such as per-epoch withdrawal caps, deposit/withdrawal reconciliation, and circuit-breaker rate limits so forged withdrawals with no matching deposits are throttled and flagged before a large drain completes.

Sources: Taiko Bridge Exploit: How a Leaked Key Drained $1.7M from an Ethereum L2 (thirdweb), Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives 10% (CoinDesk), Taiko Bridge Drained $1.7M After SGX Signing Key Left Exposed on GitHub (The Defiant)

Top Token (TOP) – ~$1.58M Aragon DAO Governance Takeover (June 9, 2026)

On June 9, 2026, an attacker seized control of the Token of Power (TOP) Aragon DAO on Ethereum and drained 944.2 WETH (~$1.58M-$1.59M gross; some outlets round to $1.6M) from the TOP/WETH Balancer V1 BPool. The root cause was a governance misconfiguration rather than any contract-code bug: TOP was an Aragon MiniMeToken with an extremely small total supply of only 16,384 tokens and no timelock or execution delay between proposal approval and execution. Using funds sourced from Tornado Cash, the attacker acquired 8,192.000001 TOP, just over 50% of supply and enough to clear the DAO’s majority-voting threshold. Because there was no execution delay, the attacker created, voted on, and executed a malicious proposal in a single atomic transaction, calling the Aragon TokenManager mint function to issue roughly 10 billion new, unbacked TOP directly to an attacker-controlled contract. Those tokens were then swapped into the Balancer pool to extract the 944.2 WETH, after which proceeds were laundered back through Tornado Cash. Balancer itself was not at fault; the pool simply priced and honored the flood of newly minted governance tokens. BlockSec estimates net attacker profit at ~282 WETH after the ~662 WETH spent acquiring majority control, while the headline gross drain remains ~$1.58M.

How it could have been avoided: The decisive fix is a governance timelock or execution delay enforced between proposal approval and execution, so a proposal cannot be created, voted, and executed in one transaction and honest holders or guardians have a window to detect and veto a malicious mint. Beyond the delay, the token economics that made the attack cheap should be addressed: avoid a tiny fixed supply (here just 16,384 tokens) that makes a >50% stake trivially purchasable, and instead use a larger, more distributed supply or delegated/quorum governance with a high approval threshold plus a mandatory voting period so a flash acquisition of majority stake cannot instantly seize control. The TokenManager mint permission should be removed from ordinary governance proposals or gated behind a separate multisig/guardian, and any mint that remains reachable should be capped or rate-limited so unbounded issuance of ~10 billion tokens is impossible. Finally, monitoring pool liquidity ratios and voting-supply concentration (especially mixer-origin holdings accumulating against total voting power) can trigger circuit breakers or alerts before an unbacked-token dump reaches the Balancer pool.

Sources: Governance takeover lets attacker mint 10B TOP tokens in $1.5m exploit – AMBCrypto, The TOP Takeover: Tornado Cash’s Latest Chapter – TRM Labs, One Vote, $1.58M Gone: TOP Token Hit by Alleged Governance Attack – Crypto Times

Raydium (Legacy AMM V3) – ~$1.3M-$1.34M Fake LP Mint Exploit (June 10, 2026)

On June 10, 2026, an attacker drained roughly $1.3M-$1.34M (sources agree on ~$1.34M; crypto.news and CCN round to ~$1.3M) from five dormant legacy pools on Raydium’s deprecated AMM V3 program on Solana, with proceeds later bridged from Solana to Ethereum. The affected pools were Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL, and the drained assets totaled roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC. The root cause was missing account validation in the legacy remove-liquidity (withdraw) instruction: it did not assert that the caller-supplied LP mint matched the pool’s canonical LP mint (no require_keys_eq!(accounts.lp_mint.key(), amm.lp_mint)) nor that the user’s LP token account belonged to the legitimate pool mint. Because the withdrawal payout was computed as coin_amount = (vault_balance x withdraw_amount) / lp_mint.supply, the attacker-controlled fake mint’s supply became the denominator. The attacker created a fake SPL mint with zero decimals and a total supply of exactly 1, then called withdraw with withdraw_amount = 1, which made the calculation resolve to vault_balance / 1 and treated them as a ~100% LP shareholder, releasing nearly the entire vault while burning only the single fake token. The attack was repeated across the five dormant pools; no live pools or admin keys were compromised.

How it could have been avoided: the remove-liquidity instruction should have derived the canonical LP mint and vault accounts directly from on-chain pool state and rejected any caller-supplied substitutes, asserting require_keys_eq!(accounts.lp_mint.key(), amm.lp_mint) and verifying that the user’s LP token account mint equals the pool’s LP mint before any vault transfer occurs. Since the payout denominator was the LP mint supply, binding the mint to the pool’s authentic mint would have prevented an attacker-controlled fake mint (supply = 1) from ever being used as the divisor. The program should additionally validate vault ownership, vault mints, PDA/authority derivations, and token-program identity, and ship regression tests asserting that withdrawal fails when a fake mint with supply = 1 is supplied. Most fundamentally, deprecated and retired program IDs like this legacy AMM V3 should have been formally closed, upgrade-frozen, or had their instructions disabled so dormant legacy code paths could not be invoked at all.

Sources: Raydium Legacy Remove-Liquidity LP Mint Validation Bypass (DARKNAVY technical writeup), Raydium Suffers $1.34M Exploit via Fake LP Tokens (CryptoNews), Raydium promises full refund after $1.3M Solana pool exploit (crypto.news)

LABUBI / OLPC – ~$1.1M PancakeSwap Reserve-Desync Exploit (June 20, 2026)

On June 20, 2026, the PancakeSwap V2 OLPC/LABUBU pool on BNB Chain (BSC) was drained for roughly $1.1M (reported as ~1,115,903 USDT, with the attacker’s net profit cited at ~$960K). The exploit was a pre-armed malicious-tokenomics time bomb rather than a spontaneous coding error: approximately 46 days earlier, the OLPC token owner had set an internal parameter (reported as decimalsValue) from its normal value of 1 to an enormous 7326680472586200649, then renounced ownership to a dead address so the change could never be undone. That value silently amplified the burn logic inside OLPC’s _update() transfer hook, so when the attacker pushed a tiny OLPC transfer (~10 OLPC) through a malicious contract, it triggered an abnormal burn of ~51.9M OLPC and ~124,000 LABUBU directly out of the PancakeSwap pair’s balance. Because those tokens left the pair without a corresponding reserve update, the pair’s cached reserve0/reserve1 no longer matched its actual on-chain balances, leaving LABUBU severely mispriced. The attacker then swapped against the stale reserves to extract LABUBU cheaply, routing proceeds through LABUBU/WBNB and WBNB/USDT pairs; per PeckShield, AMBCrypto, and KuCoin the funds were subsequently bridged to Ethereum and ~633.4 ETH deposited into Tornado Cash (Crypto Times reported no laundering observed as of its initial writing, a reporting-timing difference rather than a disagreement on the amount).

How it could have been avoided: The core failure is that a fee-on-transfer / burn-on-transfer token with a mutable, owner-controlled multiplier was paired against a PancakeSwap-style constant-product pool, which assumes token balances only change through mint/burn/swap/skim/sync and therefore desyncs by design when a transfer hook silently removes tokens from the pair. First, the OLPC contract should never have exposed an owner-settable decimalsValue with an effectively unbounded range feeding directly into _update() burn math; a bounded/immutable parameter with strict input validation and sane upper limits would have made it impossible for a renounce to permanently arm a burn multiplier. Second, LPs, routers, and listing integrators should refuse liquidity for tokens whose transfer hooks can mutate balances, and specifically treat “ownership renounced immediately after a suspicious privileged parameter write” as a red flag rather than the trust signal renouncement is usually taken to be. Third, pre-listing static analysis should flag privileged setters and transfer-hook burn logic so latent time bombs surface before a pool accumulates meaningful TVL. Finally, runtime monitoring should continuously compare each pair’s cached reserves against its real token balances and automatically halt routing or delist when they diverge, which would have caught this pool the moment the 51.9M-OLPC burn broke the invariant, before the drain swap could execute.

Sources: BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch – AMBCrypto, PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong – Crypto Times, PeckShield: PancakeSwap OLPC/LABUBU Pool on BNB Chain Hacked, ~$1.1M taken and ETH sent to Tornado Cash – BingX

Mid-Sized Incidents ($100K to $1M)

Flooring Protocol – ~$900K Exposure / ~$500K-$570K NFT Whitehat Rescue via BT404/DN404 Ghost-Ownership Flaw (June 8, 2026)

On June 8, 2026, Flooring Protocol, an Ethereum fractionalized-NFT liquidity platform, was exploited through an accounting flaw in its fpTokens, the ERC-20 representations meant to stay 1:1 pegged to locked NFTs. The fpToken contract was built on a DN404/BT404-derived hybrid fungible/non-fungible design whose packed-storage token-indexing logic contained an ownership-validation flaw: a maliciously crafted token ID produced a “ghost ownership” state in which the contract’s local bookkeeping recorded the attacker as the legitimate owner of assets they did not hold, so the ownership check passed under one reading while internal accounting diverged. Combined with an integer underflow in the accounting, a dust amount of WETH was turned into a near-infinite fpToken balance, which was then used to drain the fractionalized NFT liquidity pools. Initial pre-rescue exposure was reported at above $900K; a Yuga Labs-led whitehat operation coordinated by VP of Blockchain 0xQuit rescued 68 NFTs, valued at more than $500,000 by BeInCrypto/NFTevening and at $570,000 by crypto.news/Edgen, leaving Flooring’s net financial loss near zero. The identical vulnerability class, sharing the same DN404/BT404 code lineage from developer FreeLunchCapital, propagated to the forks BitmapPunks (loss undisclosed) and Asterix (roughly $40K lost).

How it could have been avoided: The core defect was two competing sources of truth for NFT ownership, so fpToken/ERC-20 balances should be derived directly from the canonical NFT ownership ledger rather than from separately-maintained packed-storage indices, eliminating the divergence between the “ownership check” reading and the “internal bookkeeping” reading that enabled the ghost-ownership state. A supply-conservation invariant, asserting that the sum of all fpToken balances always equals the count of locked NFTs, with a revert on any mint that would break the 1:1 peg, would have caught the near-infinite balance at mint time. Token IDs should be validated and sanitized against the packed-storage index bounds, and the token-indexing math should use checked arithmetic or explicit underflow guards so a crafted ID cannot desynchronize the index. Finally, because DN404/BT404 is a young and subtle hybrid standard, forks such as BitmapPunks and Asterix should have undergone independent audits and property-based/invariant fuzzing (for example, Echidna or Foundry invariant tests targeting the ownership-accounting invariant) before deploying the shared code, rather than inheriting an unaudited accounting flaw.

Sources: Yuga Labs Executes White-Hat Rescue of 68 NFTs After Flooring Protocol Exploit — The Defiant, Yuga Labs Rescues 68 Blue-Chip NFTs From Flooring Protocol Exploit — CryptoTimes, Asterix hit as Flooring Protocol vulnerability spreads across forks — CryptoNews

Namada MASP – ~$600K Shielded-Pool IBC Transfer Logic Exploit (June 19, 2026)

On June 19, 2026, Namada, a privacy-focused chain in the Cosmos IBC ecosystem, was drained of roughly $600,000 through a flaw in the interaction between its IBC transfer logic and its Multi-Asset Shielded Pool (MASP). The attacker exploited the cross-chain transfer path to sweep shielded, liquid IBC-bridged assets, including ATOM, USDC, OSMO, TIA, and NYM, out of the pool and into the wider Cosmos ecosystem, with the recipient moving approximately 228,517 ATOM over IBC to a Cosmos Hub address and rapidly forwarding it through multiple transactions. The attacker deliberately targeted liquid, transferable holdings while leaving staked and less-liquid assets untouched. The drain went unnoticed because a stale MASP indexer continued serving cached balances that still showed the funds as available, while live RPC queries against on-chain state returned zero; the discrepancy only surfaced when researchers cross-checked explorer/indexer data against live network records. Sources including DefiLlama’s hacks database, Crypto Times, and BingX consistently cite the loss at about $600K, though Namada’s own June 20 confirmation on X did not initially disclose an exact figure. Namada has not publicly disclosed the precise low-level vulnerability in the IBC-to-MASP transfer path.

How it could have been avoided: enforce strict conservation-of-value invariants at the IBC-to-MASP boundary, so that any shielded withdrawal over IBC must be backed by a verified spent-note nullifier and a matching escrowed IBC balance, rejecting any transfer where the net asset flow out of the shielded pool is not exactly offset by a valid burned/committed note; this balance-preservation check on the cross-chain transfer handler should ideally be formally verified. Independent audit and fuzzing focused specifically on the code path that bridges IBC packets to MASP note commitments, prior to holding significant TVL, would have surfaced the logic flaw before it could be exploited. Separately, the loss should never have been able to hide behind a stale indexer: indexers should treat any divergence between cached indexer balances and live RPC/on-chain queries as a critical alerting condition, with automated reconciliation and monitoring, rather than silently serving stale state, so that a drain surfaces immediately instead of being masked until manual cross-checking catches it.

Sources: Namada’s $600K MASP Drain Goes Unnoticed as Stale Indexer Masks the Loss – Crypto Times, Namada exploit drains about $600,000, deepening security concerns across Cosmos-linked chains – BingX News, Namada Investigates Protocol Exploit Amid Security Review – Cointrust

Edel Finance – ~$403K Flash-Loan ERC-4626 Oracle Exploit (June 30, 2026)

On June 30, 2026, Edel Finance’s xStock lending market on Ethereum was drained for approximately $403,000 (~$0.4M) in a flash-loan oracle-manipulation attack. The market priced wrapped tokenized-equity collateral (wGOOGLx against its underlying GOOGLx) using the raw exchange rate of an ERC-4626 vault, computing the share price directly as totalAssets / totalSupply with no rate limits and no donation protection. Because unsolicited transfers into the vault increase totalAssets without minting new shares, the attacker combined a flash loan with a direct asset donation into the vault to inflate the wGOOGLx-versus-GOOGLx exchange rate roughly 78x within a single transaction. Using the artificially over-valued collateral, the attacker borrowed about $350K against it and then drained additional protocol reserves, leaving the lending market with roughly $403K in bad debt. The exploit was executed in transaction 0xe232…2612, and per SlowMist’s analysis the proceeds were routed to Tornado Cash. Edel subsequently paused its lending platform.

How it could have been avoided: the core mistake was using a raw, spot-manipulable ERC-4626 vault share price (totalAssets / totalSupply) directly as a lending oracle, so the fixes must target that valuation path specifically. First, price the underlying xStock collateral from a manipulation-resistant source such as a Chainlink or redemption-based feed rather than the on-chain vault exchange rate. Second, add donation protection to the vault accounting itself using virtual shares/assets and/or internal balance tracking, so that unsolicited transfers into the vault cannot move the share price. Third, impose per-block or per-time rate limits and bounded price-change caps on the oracle so that exchange-rate moves are clamped within a single transaction, which alone would have defeated the ~78x jump. Fourth, use time-weighted average prices (TWAP) instead of instantaneous rates so single-transaction flash-loan manipulation cannot set the borrowing price. Finally, enforce conservative LTV and borrow caps together with oracle sanity bounds that reject collateral valuations deviating far from an external reference, capping the damage even if a price does drift.

Sources: Edel Finance loses $403K as flash-loan oracle exploit hits xStock lending reserves – AMBCrypto, Edel Pauses Lending Platform after Exploit Leaves Protocol with $403,000 Loss (SlowMist analysis: ERC4626 price feed lacked rate limits and donation protection) – DeFi Planet, Edel Finance Hacked: $403K Stolen as Attacker Moves Funds to Tornado Cash (Ethereum tx 0xe232…2612) – CryptoTimes

Little Boy Plus (LBP) – ~$377K Reward-Minting / Reserve-Manipulation Exploit (June 17, 2026)

On June 17, 2026, Little Boy Plus (LBP), a hashrate-token project on BNB Chain (BSC), was drained of roughly $377,000 (about 377,642 USDT, with the attacker retaining ~610.555 WBNB); reporting clusters tightly, with SlowMist/PANews citing ~$378K and CryptoTimes ~$377,000. The root cause was reward-minting logic wired into an ERC20 transfer hook: the LBPHashrate token’s _update() hook fired harvest/reward logic on transfers, and because OpenZeppelin’s ERC20 allowance check is skipped for zero-value transferFrom calls, the attacker was able to invoke LBPHashrate.transferFrom(pair, DEAD, 0) without ever holding the pair’s approval. That call reached _harvest(pair), which used mintReward to mint LBP directly to the PancakeSwap LBP/USDT pair. The mint raised the pair’s actual LBP balance without updating its cached reserves, opening a balance-vs-reserve gap that the attacker then extracted as USDT through PancakePair.swap(). DARKNAVY frames the same flaw from the emission side: the notifyCredit calculation trusted post-mint, same-transaction pair reserves, so flash-borrowed and vault-sourced liquidity (~41.86M USDT assembled from a Moolah flash loan plus a PancakeSwap Infinity Vault withdrawal) inflated the reserve figure that drove an oversized hashrate mint before the position was unwound.

How it could have been avoided: the reward/harvest minting path should never have been reachable through an ERC20 transfer hook that unauthorized callers can trigger. The _harvest/mintReward path needs its own explicit access control rather than relying on allowance checks, which OpenZeppelin deliberately bypasses for zero-value transferFrom, meaning transferFrom(pair, DEAD, 0) sails through with no approval. Minting directly to an AMM pair should be avoided entirely; if unavoidable, every mint to the pair must be immediately followed by pair.sync() or skim() so cached reserves are reconciled with real balances and no balance-vs-reserve gap remains for a swap to arbitrage. The emission/credit math in notifyCredit should derive value from a TWAP or delayed/checkpointed reserve snapshot rather than instantaneous same-transaction pair state, so flash-loaned or vault-withdrawn liquidity injected within one transaction cannot inflate the reserves that price the mint. Finally, invariant tests should assert that flash-borrowed liquidity cannot inflate LP-backed rewards beyond deposited value, catching both the zero-value transferFrom entry point and the reserve-manipulation amplification before deployment.

Sources: SlowMist: Little Boy Plus attacked, losing approximately $378,000 (PANews), Little Boy Plus LP-Share Hashrate Reserve Manipulation (DARKNAVY Blog), Little Boy Plus Loses $377K After Exploit Targets Minting Bug (Crypto Times)

mySwap CL – ~$300K-$305K Starknet Fake-Token CL Accounting Exploit (June 19, 2026)

On June 19, 2026, mySwap’s concentrated-liquidity (CL) system on Starknet was drained of roughly $300,000-$305,000, itemized across sources as 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK (Phemex rounds to ~$300K; CryptoAdventure’s asset total is ~$305K; DefiLlama classifies it at roughly $0.3M). The attacker deployed a fraudulent ERC-20-style token called “EVIL” and used it to interact with mySwap CL’s permissionless pool logic. Because the CL system trusted arbitrary token contracts and commingled liquidity from many pools inside a single shared vault, the malicious token’s interaction distorted how the protocol accounted for balances during swap and settlement, causing the shared vault to release far more real assets than were legitimately owed. This was a flaw in the protocol’s core accounting and state-update layer, not a private-key compromise. The impact was amplified by the fact that mySwap CL’s front end had been closed to new deposits for roughly six months, so the drained funds were residual LP positions spread across 100,000+ positions. After the drain, the attacker bridged funds out and routed them through Railgun to obfuscate the flows.

How it could have been avoided: The core failure was a missing validation boundary between arbitrary token interactions and asset outflows from a shared vault. Enforcing a token allowlist or vetted registry so CL pools can only be created with or interact with approved token contracts would have prevented a fake token like EVIL from touching shared-vault accounting in the first place. Isolating per-pool balances instead of commingling assets in a single shared vault would have contained any single malicious interaction to that pool’s own liquidity rather than exposing unrelated pools’ funds. The settlement path should also carry invariant and conservation checks on every swap and settlement – asserting that vault outflows never exceed the pool’s tracked reserves plus fees and that post-swap balances reconcile with recorded pool state – combined with safe balance-delta measurement that reads actual token balance changes rather than trusting token-reported amounts, which defeats accounting distortion from non-standard or malicious tokens. Finally, because the loss sat in a deprecated code path, a pre-deprecation audit of the residual-liquidity path plus a formal invariant test suite over the CL accounting logic would have surfaced the gap before the funds were reachable.

Sources: mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting (CryptoAdventure), Starknet’s mySwap Protocol Exploited, $300,000 Drained (Phemex News), DeFi Hacks & Exploits Database (DefiLlama)

Gnosis Pay – ~$265K Zodiac Delay Module Signature-Bypass Exploit (June 1, 2026)

On June 1, 2026, an attacker drained roughly $265,000 in EURe and GNO from dozens of Gnosis Pay card-linked Safes on Gnosis Chain by defeating the signature verification in the Zodiac Delay Module those Safes relied on. The module’s moduleTxSignedBy() function parsed r, s, and v values directly out of attacker-controlled msg.data calldata without proper validation, and a static call in the verification path was missing a status/return check. The attacker exploited this by crafting nested signature data: the first layer routed EIP-1271 verification through a Biconomy Safe, whose logic extracted a second r value as the current owner and forwarded verification to an attacker-controlled contract that unconditionally returned the EIP-1271 magic value 0x1626ba7e. Because that contract always returned the magic value, the module accepted unauthorized transactions and the intended time-delay verification was bypassed. The attacker pre-staged 41 attacker contracts and transactions around May 29, waited out the module cooldown, then executed the queued transactions to sweep funds, with the primary exploit wallet reportedly bridging roughly $246K USDT to Hyperliquid; CertiK and multiple outlets settled on the ~$265K figure after Gnosis initially left the loss unquantified. Notably, the underlying bug had already been silently patched on February 27, 2026 in zodiac-core v4.0.0-alpha.0, but the production contracts still depended on the legacy @gnosis.pm/zodiac package; Gnosis paused its bridge and pledged to fully reimburse affected users.

How it could have been avoided: signature verification should read only from explicitly required, bounded parameters rather than parsing r, s, and v out of raw attacker-controlled msg.data, and any address or contract reached through those values must be checked against a known, trusted signer set instead of being treated as an arbitrary EIP-1271 verifier that can hardcode the 0x1626ba7e magic value. The missing status/return check on the static call in the verification path must be added so a failed or spoofed call cannot be silently accepted, closing the code path where the r address was invoked as a signer. Rejecting nested or recursively-routed signature blobs (the Biconomy-Safe-then-attacker-contract chain) would have prevented the second-layer redirection entirely. Operationally, the already-patched zodiac-core v4.0.0-alpha.0 fix existed since February 27, 2026, so production Safes and modules should have been migrated off the legacy @gnosis.pm/zodiac dependency promptly; pairing every silent fix with a security advisory would have signaled downstream deployers to upgrade before the cooldown-and-drain window opened.

Sources: GnosisPay Incident Analysis – CertiK, Gnosis Pay Exploit: The Devs Discovered the Bug, So Why Did the Attack Still Happen? – Verichains, Delay Module Trick Costs GnosisPay $265K, Reports CertiK – Crypto Times

Royal.io – ~$261K Legacy Royalties Contract Reward-Accounting Exploit (June 23, 2026)

On June 23, 2026, an attacker drained a deprecated (“old”) royalties-distribution contract used by Royal (Royal.io) for its tokenized music assets (Limited Digital Assets, or LDAs) on Polygon, taking roughly $261,200 net (about 263,809 USDC gross before the flash-loan repayment). Reported figures vary slightly: SlowMist and DefiLlama list the loss near $263K matching the gross USDC claimed, while CertiK’s analysis puts the attacker’s net profit at approximately $261,200 in USDC after repaying the loan. The root cause was flawed settlement and reward-accounting logic in the legacy contract (proxy 0xfE16Ee78828672e86cf8E42d8A5119AB79877EC7): the contract tracked reward records against instantaneous ownership balances without guarding against transient balance manipulation. The attacker (0xbd829aa63311bb1e3c0ea58a7193364de670bd56, with helper contract 0x7fd7be7bc8a26bd6a98b10683912c604af8bca52) took a flash loan of roughly 2,638 USDC, then executed a series of crafted zero-value token transfers of the same asset tier to repeatedly register and stack reward entitlements. This let the attacker inflate their recorded share and claim roughly 100x their legitimate royalties in a single large claim. DefiLlama’s “hook manipulation” tag is a coarse label; the concrete flaw was settlement/reward-record accounting that trusted manipulable, instantaneous balances.

How it could have been avoided: royalty and reward entitlements should be snapshotted at a fixed accounting checkpoint rather than read from an instantaneous balanceOf, for example a per-epoch Merkle snapshot or time-weighted ownership balance, so that transient flash-loan-inflated or zero-value-transfer-manipulated balances cannot register extra reward records. Checkpoint-based accounting in the style of Compound/OpenZeppelin ERC20Votes checkpoints would have anchored each holder’s share to a committed block, and marking every reward record as consumed on claim would make claims idempotent and prevent the stacking/double-registration the attacker relied on. The contract should also have enforced flash-loan resistance, such as requiring balances to be held across a block boundary or applying TWAP-style ownership weighting, and a reconciliation invariant guaranteeing that total distributable royalties can never exceed the pool’s actual USDC balance. Finally, because this was a deprecated legacy contract that had been superseded, it should have been fully drained or paused and its funds migrated off once retired, and re-audited before any continued use.

Sources: Old Royalties Contract on Polygon Attacked, $261,200 Lost (CertiK analysis), June 2026 Crypto Hack Report: 45 Blockchain Security Incidents, SlowMist Hacked Database

ATM Token – ~$243K Auto-Swap Transfer Logic Exploit (June 4, 2026)

On June 4, 2026, the ATM token on BNB Chain (BSC) was drained of roughly $243,000-$243,500 through an exploit of its non-standard transfer logic. The token’s custom transferFrom() embedded a side effect that automatically swapped 20% of the transferred ATM amount into BSC-USD via a DEX router on every transfer. That auto-swap had no cap, cooldown, or state guard tracking cumulative extraction, so it could be re-triggered repeatedly under attacker control. By looping transfers, the attacker forced the contract to dump 20% into BSC-USD from its own and liquidity reserves on each call, extracting extra BSC-USD value each iteration beyond legitimate transfer economics. As CertiK described it, the transferFrom() logic to swap 20% of the transfer amount for BSC-USD let the attacker repeatedly swap out extra after each transfer. No flash loan or classic reentrancy was required; the flaw was an unbounded, attacker-controllable external swap coupled directly into the transfer path.

How it could have been avoided: the core mistake was embedding an external DEX-router swap as an uncontrolled side effect inside transferFrom(), so the fix is to decouple the swap from the user-triggered transfer path. Rather than swapping on every transfer, the contract should accumulate the tax portion internally and convert it only through a separate, permissioned or threshold-gated swapBack() function. The mechanism needs per-transaction and cumulative caps plus a cooldown so the swap cannot be looped for value extraction, and the swap amount must be bounded by legitimately collected fees rather than attacker-supplied transfer volume. Reentrancy guards should protect the transfer path, and the contract, router, and pair addresses should be excluded from the tax logic to prevent recursive triggering. Rigorous auditing, formal verification, and edge-case testing of any transfer-with-external-call pattern would have surfaced the unbounded re-trigger before deployment.

Sources: ATM Token Exploit Drains $243K Through Hidden Swap Loophole – CryptoTimes, ATM Token Exploited on BNB Chain: $243,500 Drained via Hidden Swap Loophole – Cryip, DefiLlama Hacks (Tax Logic Exploit classification)

AIDC (AI Data Credit) – ~$121K Burn-Accounting Exploit on BNB Chain (June 28, 2026)

On June 28, 2026, the AIDC (AI Data Credit) token on BNB Chain (BSC) was drained of roughly 220.12 WBNB (~$121,000) through a logic flaw in its custom deflationary burn mechanism; security monitors SlowMist and TenArmorAlert flagged the loss, though DefiLlama’s near-zero entry appears to be a data-quality artifact rather than the real figure. The bug lived in the token’s fee-on-transfer accounting: the _sellTransfer() function recorded a 30% burn on sells but never actually debited those tokens from the seller’s balance, deferring the deduction to a later transfer. When a subsequent transfer triggered _executeAccumulatedBurn(), the contract burned the accumulated amount from the wrong account, pulling AIDC directly out of the PancakeSwap AMM pool’s reserves instead of from the seller. Because only the pool’s AIDC side shrank while its WBNB side was untouched, the constant-product (x*y=k) invariant was distorted, mispricing AIDC upward against WBNB. The attacker exploited this repeatedly, routing AIDC through more than 180 BEP-20 transfers across multiple freshly created wallets sequenced within a single atomic transaction to trigger the mis-targeted burn and swap AIDC for WBNB at artificially favorable rates, then moving the proceeds through secondary transit addresses.

How it could have been avoided: the burn should be accounted for atomically within the same transfer that charged it, calling _burn(from, amount) to debit the payer’s balance in the same _transfer call rather than accumulating a pending burn and later applying it to whatever address happens to trigger _executeAccumulatedBurn(). The token should never call _burn against a balance it did not first debit, and the burn target must always equal the account that incurred the fee. The PancakeSwap pair address should be explicitly excluded from all burn and fee-on-transfer logic so pool reserves can never be a burn source, and core supply invariants (sum of balances == totalSupply, and no burn ever touches the pair contract’s reserves) should be enforced in code. Invariant-based unit tests over the fee-on-transfer accounting, plus a targeted audit of the deferred/accumulated-burn path, would have surfaced that the pending burn could be applied to the pool’s balance and distort the AMM price.

Sources: AIDC Token Burn Bug Exploit Drains $121K From PancakeSwap — CryptoTimes (citing SlowMist & TenArmorAlert), SlowMist Hacked Zone, DeFi Hacks & Exploits Database — DefiLlama

DIP Token – ~$111K Double-Transfer AMM Reserve Manipulation (June 16, 2026)

On June 16, 2026, an attacker drained approximately $111,097.6 (111,097.596667856 USDC) from a PancakeSwap V2 pool on BNB Chain by exploiting a logic bug in the DIP token’s ERC20 _transfer() override. Inside the branch handling transfers to and from the PancakeSwap Router V2, the code called super._transfer(from, to, amount) but omitted a return statement, so control fell through and the identical super._transfer(from, to, amount) executed a second time unconditionally, causing every router-routed transfer to move funds twice. The attacker abused this by calling skim(router) on the AIC-DIP pair, which triggered the doubled DIP transfers, and then sync(), which reset the pair’s stored reserves to a manipulated, near-zero DIP value. That corrupted reserve state distorted the AMM spot price in the AIC-DIP pair, letting the attacker swap through the mispriced pool to drain nearly all of the AIC liquidity, which was ultimately converted to 111,097.6 USDC and sent to the attacker’s EOA. The exploit required no external flash-loan protocol, oracle manipulation, or stolen key; it relied entirely on the token’s own faulty transfer accounting combined with permissionless skim/sync calls. Multiple sources including SlowMist, Bitcoin.com, cryptotimes.io, and DarkNavy report the loss at roughly $111K, with some headlines rounding to $111,000 or $111,098.

How it could have been avoided: The direct fix is to add the missing return; after the super._transfer(from, to, amount) call in the router branch of _transfer(), or to restructure the logic as a mutually-exclusive if/else so that no execution path can reach a second, duplicate state-changing transfer. Beyond the single line, this class of bug should have been caught by unit and invariant tests asserting that a single transfer produces exactly one balance mutation and that balanceOf conservation (sum of balances) holds across router-routed transfers, including the tax/router path. An audit rule or linter that flags conditional branches which fall through into duplicate state-changing calls would have surfaced the fall-through statically. On the AMM side, critical logic should not be derived from spot reserves that any caller can perturb via skim/sync; making pair-dependent logic robust to permissionless reserve manipulation removes the amplification vector. Finally, a professional pre-deployment audit focused specifically on the custom _transfer tax and router-detection logic — a well-known high-risk area for BSC meme tokens — would have targeted exactly the code path that failed here.

Sources: DIP Token Double-Transfer Reserve Manipulation Exploit – DARKNAVY Blog (technical writeup, June 16 2026), SlowMist / Bitcoin.com: A Single Missing Line of Code Drained $111,000 From the DIP Token, DIP Token Bug Drains $111K From PancakeSwap Pool – Crypto Times (June 17 2026)

NovaBox – ~$107K Dividend-Snapshot Flash Loan Exploit (June 9, 2026)

On June 9, 2026, NovaBox, an Ethereum-based staking/reward protocol, lost approximately $107,000 when an attacker drained 99.86% of its ETH reward pool in a single transaction, cutting the pool from 65.11 ETH to 0.09 ETH and imposing a net loss of roughly 56.73 ETH on 133 depositors (DefiLlama lists the loss at ~$0.11M; F12 and CryptoTimes quantify it at ~$107K / ~56.73 ETH). The root cause was a business-logic flaw in the reward/dividend distribution accounting rather than a memory-safety or reentrancy bug: the contract paid out dividends before fully updating the depositor’s stake balance during deposit/withdraw, so rewards were computed against stale pre-update pool accounting but applied to a freshly inflated stake. To weaponize this, the attacker took a 427.5 WETH flash loan from Aave V3 to momentarily inflate their position and triggered a “phantom dividend” of roughly 145.82 ETH against the reward pool, of which ~56.73 ETH was realized and extracted before the loan was repaid within the same block. The attacker also leveraged the account-creation path—via a contract constructor—so that a newly registered account with no persisted balance could still claim against prior dividend allocations. As F12 characterized it, this was “no reentrancy, no overflow, pure economic design flaw”: the snapshot of pool and dividend state was taken at the wrong point relative to the balance update.

How it could have been avoided: the core fix is to settle and update accounting in the correct order—compute and credit the user’s owed rewards against their OLD balance first, then mutate the stake, doing both atomically before any dividend payout. This is exactly the checkpoint pattern used by MasterChef-style accRewardPerShare accounting and Synthetix StakingRewards: gate every deposit/withdraw/claim behind an updateReward/updatePool modifier so pending rewards are pinned to the pre-mutation position and cannot be paid against a freshly inflated stake. Dividend entitlement should further be derived from time-weighted or block-anchored balances rather than the instantaneous post-deposit balance, so a stake that exists for only part of a single transaction accrues nothing. A same-block / flash-loan guard—requiring a balance to persist beyond the deposit block before it becomes eligible for dividends—would directly neutralize the single-transaction amplification the 427.5 WETH Aave loan relied on. Finally, the account-creation path must be hardened so a newly registered (zero-balance) account, including one created via a contract constructor, cannot inherit or claim against prior dividend allocations; new accounts should start with a zeroed reward-debt checkpoint set to the current accumulator.

Sources: NovaBox Loses Nearly 99.86% ETH Reward Pool in Flash Loan Exploit (CryptoTimes, citing F12 & Defimon Alerts), DeFi Hacks & Exploits Database – DefiLlama

Ambient Finance – ~$110.6K DEX Accounting-Logic Exploit (June 8, 2026)

On June 8, 2026, Ambient Finance (formerly CrocSwap), an Ethereum-based AMM, was drained through a flash-loan-facilitated accounting-logic exploit. Ambient routes all trading, liquidity, and settlement through a single monolithic core contract (CrocSwapDex), and a weakness in how that core validated and settled position or callpath state let the attacker withdraw more ETH than was legitimately owed. The attacker seeded a newly created contract with 50 ETH (~$84K), invoked the exploit path, and pulled roughly 83.72 ETH back out of the pool. Reported net protocol loss is ~$110.6K (DefiLlama lists ~$0.11M); one source valued the 83.72 ETH extracted at ~$140.7K, but the widely cited figure is ~$110.6K. DefiLlama classifies the incident as a “Flashloan Accounting Logic Exploit” — a flash-loan-amplified inconsistency in the protocol’s internal reserve/collateral accounting rather than an oracle or access-control failure. The activity was detected and reported by TenArmor, after which the funds were converted to WETH and laundered across routes including Uniswap V4. The precise low-level invariant that was broken has not been fully disclosed in public post-mortems.

How it could have been avoided: enforce a global solvency/conservation invariant at the end of every settlement callpath in the monolithic core, asserting that net token deltas leaving the contract never exceed the swap’s or position’s legitimately reduced liquidity/reserves — using round-down semantics for user-favorable outputs and round-up for protocol-owed amounts — and reverting otherwise. Reentrancy and atomicity guards should wrap the multi-step callpath so a flash-loan-amplified single-transaction sequence cannot leave internal accounting inconsistent between sub-operations. Concretely, the CrocSwapDex accounting should be fuzz/invariant-tested (e.g., Foundry invariant tests or Echidna) so that, for all callpath orderings, sum(tokensOut) <= sum(liquidityRemoved priced at curve) holds, and the rounding direction in knockout/concentrated-liquidity settlement should be pinned down so residual dust can never be over-withdrawn. Because the flaw lives in a single contract that concentrates trading, liquidity, and settlement, these checks belong at the shared settlement boundary rather than in any individual callpath handler.

Sources: Ethereum DeFi Protocol Ambient Finance Suffers $110K Drain — CryptoTimes, DeFi Hacks & Exploits Database — DefiLlama, Crypto Hacks Hit $75.9M in June Across 40 Incidents, PeckShield Reports — BanklessTimes

Thetanuts Finance – ~$105K Net (Headlined ~$2.1M) Deprecated Index Vault Zero-Cost Remint Exploit (June 15, 2026)

On June 15, 2026, a deprecated Thetanuts Finance “Index Vault” (TN-IDX-USDC-PUT) on Ethereum was exploited through a rounding/accounting flaw in its mint and claim logic. The attacker flash-loaned ~153,054 TN-IDX-USDC-PUT tokens and made a single claim() call to redeem the underlying basket, draining the basket’s backing assets to near zero. With the basket effectively empty, each subsequent mint() computed the required per-component transferFrom amount as an integer division (backing * amount / totalSupply) that rounded down to zero, so the contract kept issuing new index shares while pulling in zero backing assets. Repeating mint() 37 times (with mint sizes doubling from 0.000002 up to 68,719.476736 tokens plus a final partial mint) re-created ~153,192 unbacked index tokens, breaking the vault’s solvency invariant. These unbacked shares were then redeemed for real value against the satellite vaults, and the attacker swept the residual basket tokens. Media headlined the event as a ~$2.1M exploit reflecting the deprecated vault’s gross exposure, but roughly $2M in option tokens was recovered by whitehats, leaving a net realized loss of ~$105.5K in USDC (converted to ~60 ETH); SlowMist and DefiLlama list the ~$105K figure.

How it could have been avoided: The mint path should have used ceiling (round-up) division when computing required deposits so that issuing any non-zero share amount can never demand zero units of a basket component; any mint/redeem operation that would pull in zero backing for a non-zero issuance must revert. The vault should also have enforced minimum-supply and minimum-backing floors so share pricing is never evaluated at a near-empty totalSupply, where the backing * amount / totalSupply term and its inverse mint math degenerate to zero. Detecting basket depletion or an insolvency condition should have automatically paused minting, and the contract should have rejected the flash-loan-shaped single-block claim()-then-mint() sequence via per-block or supply-delta invariant checks. These conditions should have been covered by invariant/property tests exercising near-zero totalSupply and single-block mint-plus-claim flows. Most directly, the deprecated legacy vault should have been paused or fully migrated (backing withdrawn) rather than left live and holding value, since abandoned code retained exploitable assets.

Sources: DARKNAVY Blog – Thetanuts Legacy Index Vault Zero-Cost Remint Exploit (technical analysis), Cryptopolitan – Hackers hit deprecated Thetanuts vault for $2.1M, BeInCrypto – Deprecated Thetanuts Vault Exploited for $2.1 Million

Mid-Sized Incidents ($100K to $1M)

The following lower-value or undisclosed-loss incidents were also confirmed in June 2026.

JB Token – ~$50K Flash-Loan Price Manipulation on BNB Chain (June 19, 2026)

On June 19, 2026, a token contract identified as “JB” on BNB Chain (BSC) was drained of approximately $50,000 in a single flash-loaned transaction. DefiLlama’s hacks dataset classifies the incident as Protocol Logic / Flashloan Price Manipulation against a Solidity token contract, and a SlowMist entry cited for the same date and figure is consistent with it, though the ~$50K figure rests primarily on DefiLlama. The root cause was the contract’s reliance on an instantaneous, on-chain price source—such as the spot reserve balances of an AMM pair or an internal token-balance-derived value—to drive pricing-sensitive logic like reward, sell/redemption, or tax accounting. Within one atomic transaction, the attacker borrowed large capital via a flash loan, skewed the pool reserves or balance used as the price input, executed the pricing-dependent operation at the distorted valuation to extract funds, then unwound the position and repaid the loan. Because the manipulated price and the settlement of the accounting logic occurred in the same block, the contract had no opportunity to observe a fair, un-skewed price. No detailed post-mortem has been published—DefiLlama’s source field for the entry is empty—so the precise manipulated function is not documented.

How it could have been avoided: the contract should never derive prices from instantaneous, flash-loan-manipulable on-chain state such as AMM spot reserves (getReserves) or raw token balances. Pricing-sensitive logic (reward, sell/redemption, and tax accounting) should read from a manipulation-resistant oracle—a time-weighted average price (TWAP) sampled across multiple blocks and/or a decentralized oracle such as Chainlink—so that a single-transaction reserve skew cannot move the effective price. That should be paired with same-block/same-transaction reentrancy and flash-loan guards to prevent the borrow-manipulate-settle-repay sequence from completing atomically, and with invariant/deviation checks that reject settlement whenever the price used diverges beyond a bounded threshold from a trusted reference within one transaction. Bounding per-transaction volume and validating that reserve or balance inputs fall within expected ranges before they feed accounting would further block the distorted-valuation extraction seen here.

Sources: DefiLlama Hacks database (JB entry: 2026-06-19, $50K, BSC, Flashloan Price Manipulation, Solidity) — via api.llama.fi/hacks, SlowMist Hacked incident database (candidate-cited source for JB, June 19 2026)

Asterix (ASTX) – ~$40K DN404 Forge-Loop Token-ID Reuse Exploit (June 8, 2026)

On June 8, 2026, the Asterix (ASTX) token on Ethereum was drained of roughly 30 ETH, worth approximately $40,000 (~$0.04M), across 242 attacker transactions; DefiLlama catalogs the incident under “DN404 Forge Loop.” Asterix was forked from the DN404/BT404 token standard, which pegs fungible tokens 1:1 to locked NFTs, and it inherited a flaw present in early DN404 versions: the NFT/ERC-721-side approval operations lacked restrictions and validation on token-ID reuse. The attacker exploited stale, outdated token-ID approvals against Asterix’s Uniswap v4 liquidity pool, repeatedly selling ASTX into the pool for ETH and then re-forging and reusing the same NFT IDs to mint or withdraw equivalent fungible tokens. Looping this sequence (the “forge loop”) broke the intended 1:1 accounting between fungible supply and locked NFT IDs, letting redeemable NFT IDs exceed the fungible-backed reserve until the pool was fully depleted. The Asterix team indicated the attacker likely used a modified AI-assisted fuzzing tool to surface the non-standard logical path. This is the same class of vulnerability seen in the Flooring Protocol and BMP incidents, as attackers probed shared DN404-fork weaknesses across multiple deployments.

How it could have been avoided: DN404/BT404 forks should not be deployed without an independent audit of their token-ID accounting. Specifically, the NFT-side approval state (getApproved / isApprovedForAll) must be cleared and re-validated on every transfer, burn, and skipNFT transition, so that a stale token-ID approval cannot be reused after the underlying fungible balance has changed. The contract must enforce that each NFT ID can only be minted or forged once per its backing balance, preserving a strict 1:1 invariant between fungible supply and locked NFT IDs. Teams should add invariant and fuzz tests asserting that the sum of redeemable NFT IDs never exceeds the fungible-backed reserve, directly targeting the forge-loop path. Finally, upgrading to the patched upstream DN404 that restricts token-ID approval reuse before deployment would have closed the exact hole exploited here.

Sources: SlowMist: The Asterix attack is similar to Flooring Protocol and BMP; the attacker is looking for common vulnerabilities (Bitget News), Asterix Attack shares similarities with Flooring Protocol and BMP vulnerabilities (KuCoin News), DeFi Hacks & Exploits Database (DefiLlama)

Lixir Finance – ~$12.3K Broken permit() Signature Verification Exploit (June 25, 2026)

On June 25, 2026, Lixir Finance’s vault-token contracts on Ethereum were exploited for approximately $12,300 (SlowMist’s Hacked database lists $12,300; DefiLlama records the same figure rounded to ~$0.01M). The root cause was a broken EIP-2612 permit() implementation in Lixir’s vault/token contract: the function did not properly validate the ECDSA-recovered signer against the stated owner, and did not correctly bind the signature to a per-owner nonce and deadline. Because the check could be satisfied without a genuine owner signature, the attacker reused a single dummy/forged signature to pass verification and set token allowances on dozens of holders’ vault-token balances (the lv_* wrappers) to an attacker-controlled contract. With those unauthorized approvals in place, the attacker called transferFrom-style functions (withdrawFrom / withdrawETHFrom) to move the holders’ positions and drain the underlying assets, including WETH, USDC, USDT, and LIX. The flaw allowed one crafted signature to authorize approvals across many unrelated accounts rather than being rejected on the first signer mismatch.

How it could have been avoided: The permit() flow should be built on a vetted EIP-712/ERC20Permit implementation (e.g. OpenZeppelin’s ERC20Permit) rather than a hand-rolled check. Correct verification must compute the EIP-712 struct hash over owner, spender, value, nonce, and deadline using a properly constructed domain separator, call ECDSA.recover, and then revert unless the recovered address is non-zero and exactly equals the stated owner – a dummy or forged signature must fail this equality check instead of being silently accepted. It must also enforce a strictly-incrementing per-owner nonce (so a signature cannot be replayed) and a deadline check, and reject malleable/high-s signatures. Had the contract reverted on any owner/signature mismatch, a single reused signature could not have authorized approvals across dozens of accounts. A signature-verification-focused audit, plus fuzz or property tests asserting that permit() reverts for mismatched owner/signature pairs, reused nonces, and expired deadlines, would have surfaced this flaw before deployment.

Sources: SlowMist Hacked Database – Lixir Finance entry, DeFi Hacks & Exploits Database – DefiLlama

Quicksilver Zone – ~$3.5K Unchecked-Proof Unbacked Mint (June 21, 2026)

On June 21, 2026, Quicksilver, a Cosmos interchain liquid-staking zone, suffered a protocol-logic exploit in its interchain liquid-staking module. The module accepted ICA/ICQ-style delegation/receipt “proofs” without properly validating their authenticity or origin, and it derived qAsset issuance directly from those inputs. An attacker submitted forged proofs asserting delegations that were never made on the host chains, driving the mint path to issue large amounts of unbacked liquid-staking tokens with no corresponding real staked collateral on Cosmos Hub or Osmosis. Per SlowMist, roughly 505K qATOM and ~10M qOSMO were minted unbacked. The chain halted and the team coordinated with Cosmos Hub and Osmosis to burn the fraudulent tokens, so the realized loss stayed negligible. DefiLlama and SlowMist both record the recorded/drained figure at approximately $3,500, even though the notional value of the unbacked mint was far larger before recovery.

How it could have been avoided: The mint path should have been gated on cryptographic verification of host-chain state rather than on unverified receipts. Concretely, each mint should require a verified IBC/ICQ Merkle inclusion proof checked against a light-client-verified consensus header, proving that the asserted account/delegation actually exists on Cosmos Hub or Osmosis, and any proof not anchored to a validated block hash should be rejected. Every proof should be bound to a unique nonce/height so forged or replayed receipts cannot be reused. Beyond per-proof validation, the module should enforce a supply invariant that total minted qAssets never exceed verified aggregate delegations, reconciling qAsset supply against verified staked backing. Finally, a circuit-breaker or rate-limit on mint volume should halt anomalous unbacked minting before value can be extracted, which is what ultimately would have prevented the large unbacked issuance seen here.

Sources: DefiLlama DeFi Hacks Database (Quicksilver Zone, 2026-06-21, $3,500, ‘Unchecked Proof Minting’), DefiLlama Hacks, SlowMist Hacked Database (Quicksilver Zone, June 21 2026)

Gitcoin – files.gitcoin.co Frontend Wallet-Drainer Compromise (June 21, 2026)

On June 21, 2026, security firm Blockaid flagged a live front-end attack against files.gitcoin.co, a secondary subdomain of the Gitcoin project on Ethereum/EVM. Attackers compromised the subdomain’s served web assets and injected the “Eleven” wallet-drainer script into the site’s JavaScript. When visitors connected wallets, the malicious script prompted them to sign or approve hostile transactions – such as token approvals (setApprovalForAll) or transfer signatures – that hand control of assets to the attacker, draining connected wallets. This was a client-side supply-chain/hosting compromise of the subdomain’s frontend, not an on-chain smart-contract exploit. No source quantified user losses: Blockaid treated it as a detection-and-remediation alert rather than a confirmed drain, and other reports list the amount as not disclosed. The incident was part of a June 2026 wave of frontend drainer injections that also affected Yield Yak.

How it could have been avoided: Serve all frontend assets under a strict Content-Security-Policy that restricts script-src to hashed or nonce’d first-party bundles, and attach Subresource Integrity (SRI) hashes to every loaded script so injected or modified JavaScript fails to execute. Lock down and continuously monitor the hosting/CDN and DNS configuration for files.gitcoin.co specifically – decommission or isolate stale, low-attention subdomains rather than leaving them serving live assets, enforce MFA and least-privilege on the storage/CDN account, and enable file-integrity monitoring plus deploy-pipeline signing so unauthorized changes to served files are detected and blocked. As a user-side backstop, integrate a client-side transaction-simulation/security layer (e.g., Blockaid or wallet-side simulation) so drainer approval prompts like setApprovalForAll are surfaced to users before they sign.

Sources: Blockaid Security Alert on X: front-end attack on Gitcoin subdomain files(.)gitcoin(.)co (Eleven drainer), ChainCatcher: Gitcoin Subdomain Suffered Frontend Attack, Suspected Phishing Program Embedded (Blockaid), Phemex News: Gitcoin Subdomain Compromised by Malicious Code Attack (June 21, 2026)

Yield Yak – Frontend “Eleven” Wallet-Drainer Injection on vote.yieldyak.com (June 24, 2026)

On June 24, 2026, Yield Yak’s governance/voting subdomain, vote.yieldyak.com, was compromised on Avalanche and its served frontend was injected with the “Eleven” wallet-drainer script, which Blockaid detected. The malicious JavaScript intercepted wallet connections and crafted hostile transaction and token-approval requests, prompting users who connected to sign approvals or transfers that would drain their assets. The attack occurred entirely at the website/hosting layer and did not exploit or require breaking Yield Yak’s on-chain smart contracts, relying instead on the app’s familiar branding and routine interaction patterns to push users into approving hostile transactions. This was a preventive detection alert rather than a confirmed-drain report: neither Yield Yak nor Blockaid released loss figures at publication, and CryIP’s June 2026 report lists the incident among those with no disclosed financial loss, so no dollar figure exists. The exact intrusion vector (compromised hosting/DNS credentials, a poisoned dependency, or hijacked subdomain infrastructure) was not disclosed, but it matches the near-simultaneous files.gitcoin.co Eleven-drainer compromise days earlier, in which attackers likewise targeted a secondary subdomain rather than the main interface or the underlying protocol.

How it could have been avoided: harden the frontend delivery pipeline so injected or altered JavaScript cannot execute, by enforcing a strict Content-Security-Policy (a script-src allowlist with nonces or hashes) plus Subresource Integrity (SRI) on all served scripts. Serve the dapp from immutable, versioned, integrity-pinned builds (for example, IPFS with content hashes) rather than mutable hosting, so a swapped bundle fails verification. Lock down DNS and hosting with registrar and DNS-provider MFA plus registry/DNSSEC locks to prevent subdomain hijacking, and monitor DNS records for unauthorized changes. Because the abused surface was a stale governance page, decommission or isolate unused subdomains like vote.yieldyak.com and remove them from wallet-connect flows entirely. Finally, integrate wallet-side transaction-simulation and drainer-detection (e.g., Blockaid-style pre-sign screening) to warn on anomalous approvals, and users should verify the domain and reject unexpected approval or setApprovalForAll signature prompts.

Sources: Yield Yak Suffers Front-End Breach in Latest Wave of Wallet-Drainer Hacks – Crypto Economy, Yield Yak follows Gitcoin in latest wallet-drainer attack – CryptoRank, June 2026 Crypto Hack Report: 45 Blockchain Security Incidents – CryIP

RetoSwap / Haveno – Forced-Arbitration XMR Release Without BTC Settlement, Second Exploit (June 16, 2026)

On June 16, 2026, the RetoSwap DEX, built on the Haveno P2P atomic-swap protocol (Monero/Bitcoin trading over Tor), suffered a second exploit distinct from the May 20-21 arbitrator-hijack attack. Acting as a buyer, the attacker took buy offers and then forced arbitration on the resulting trades. Through the dispute-resolution path, the seller’s XMR was released after roughly 30 Bitcoin-side confirmations without the attacker ever broadcasting or settling the corresponding BTC leg, so the buyer received XMR while retaining the BTC. The root cause was that the multisig/arbitration settlement logic released XMR based on an unverified or premature BTC-confirmation condition rather than cryptographic proof that a matching BTC payment had actually reached the seller; unlike the May attack, this incident used what appeared to be legitimate arbitrator addresses. No cleanly separated loss figure exists for the June event: sources (Cryip, ChainCatcher) state the impact “appears limited so far” and was largely confined to large-order traders, and the widely-cited ~$2.7M / ~7,000 XMR figure belongs to the distinct May 20 first attack, not this one. In response, RetoSwap suspended trading by setting the minimum client version to 2.0.0 via its filter feature and banned the exploiter’s onion address.

How it could have been avoided: the XMR-release path in both the normal and forced-arbitration flows should require cryptographic proof that the counterparty’s BTC leg actually settled to the correct address and amount before authorizing release, verifying a confirmed on-chain BTC payment (an SPV proof binding a specific txid/output to the exact expected amount with sufficient confirmations) rather than trusting a bare confirmation-count trigger. Arbitration and settlement should be gated on both parties’ verifiable on-chain state, and forced arbitration in particular must never release funds absent proof of the disputing party’s own performance, closing the path that let a buyer extract XMR without ever settling BTC. Enforcing dual-leg atomicity so the two legs are cryptographically linked (HTLC-style or proof-linked release), combined with rate-limiting and anomaly detection on forced-arbitration flows to flag a single actor repeatedly forcing arbitration on large orders, would remove the ability to obtain XMR while retaining BTC.

Sources: RetoSwap Suspends Trading Following Second Exploit in Haveno Protocol — Cryip, RetoSwap: Haveno protocol attacked again, minimum client upgraded, trading suspended — ChainCatcher, ~$104.6M Lost: Verus, RetoSwap & More — BlockSec Weekly (confirms $2.7M belongs to the May 20 first attack)

Notable Non-Loss Disclosure: Zcash Orchard Soundness Bug

On June 5, 2026, Zcash disclosed a critical soundness bug in the Orchard shielded pool on the Zcash (ZEC) L1, roughly one week after its discovery on May 29 and following an emergency NU6.2 hard fork that shipped the fix on June 3. The root cause was a missing equality (copy) constraint in the halo2 variable-base scalar-multiplication gadget used by the Orchard circuit: inside the multiplication loop, the diversified base-point coordinates (x_p, y_p) were written with assign_advice() instead of copy_advice(), so the loop’s base point was never equality-constrained to the address’s actual diversified base point g_d. Because the base point was unanchored, a malicious prover could substitute an arbitrary base point across every iteration, breaking the pk_d = [ivk]·g_d binding chain and, by supplying forged ivk/nk values, derive multiple distinct valid nullifiers for the same note; since consensus only checks nullifier uniqueness, this enabled undetectable double-spending and minting of counterfeit shielded ZEC. The flaw had been present since Orchard activation around May 2022 and was found via an AI-assisted audit (Taylor Hornby / Shielded Labs using Anthropic Opus 4.8), who built a working proof-of-concept minting counterfeit ZEC on a local testnet. There was no confirmed direct loss, as no on-chain exploitation of the counterfeiting bug was detected, though the shielded nature of Orchard means pre-patch exploitation cannot be cryptographically ruled out. The NU6.2 upgrade fixed the issue by adding a copy_advice() call in the loop’s first iteration, anchoring the base point and restoring the binding chain.

How it could have been avoided: any advice cell that feeds a security-critical relation and must equal an external or witnessed input, such as the diversified base point g_d, should be written with copy_advice() (which emits an equality/permutation constraint) rather than assign_advice(), so that the scalar-multiplication loop provably operates on the protocol-specified base point rather than an attacker-chosen substitute. This class of under-constrained-circuit bug should be caught by targeted negative and property-based soundness tests that attempt to swap the loop’s base point or re-derive a note with a different ivk/nk and assert that the resulting proof is rejected, rather than only testing that honest witnesses verify. Constraint-completeness review should be enforced during audit, using under-constrained-circuit tooling (e.g. Picus/Ecne) and halo2 mock-prover fuzzing that mutates advice assignments, so that every advice cell participating in a binding relation like pk_d = [ivk]·g_d is verified to have a corresponding equality constraint, and formal-verification coverage of the scalar-mult gadget would have flagged the unanchored base point long before it was reached by manual review.

Sources: Zcash Orchard Soundness Bug Analysis | BlockSec Blog, AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability That Could Have Minted Unlimited Counterfeit ZEC | Unchained, Zcash founder discloses critical Orchard forgery flaw fixed by emergency hard fork | Blockhead

Notable Non-Loss Disclosure: Zcash Orchard Soundness Bug

Ethereum L1 and Glamsterdam

Ethereum clients

Ethereum L2s

Solana

Smart contract engineering and privacy

Security post-mortems and research

References

Softstack Case Studies

Click through our success stories and see how we have helped other companies
achieve their Web3 goals.

Ready to transform your business with Web3? Contact us today and let’s build the future together!

Explore Insights

Dive into our in-depth analyses and discover how Web3 technologies are transforming the digital landscape,
unlocking new avenues for decentralized innovation.