On April 13, 2026 at 03:55:23 UTC, a helper contract deployed by the attacker used Hyperbridge's Ethereum-side ISMP message path to deliver a forged governance-style `PostRequest` into `TokenGateway`. The exploit is best classified as an access-control failure at the …
Exploit Analysis Reports
SubQuery Settings Access Control Staking Drain
On April 12, 2026, SubQuery Network, a staking protocol on Base (block 44,590,469), suffered an access-control exploit that drained approximately **218.29M SQT** (about **$131.2K**) from the protocol's Staking contract. The attacker deployed two ephemeral contracts, abused the …
Denaria Finance Virtual AMM Manipulation
On April 5, 2026, Denaria Finance, a perpetual DEX on Linea (block 30,067,821), suffered a virtual AMM manipulation attack that drained approximately **165,618 USDC** from the protocol's Vault. The attacker flash-loaned 60,000 USDC from Aave V3, deployed pairs of ephemeral LP and …
InfinitySix TWAP Stale Price
Two compounding flaws in InfinitySix's (`$i6`) BSC staking contract were chained to extract **273,802 USDT** in block 89,703,286. The contract credits referral bonuses to a sponsor's withdrawable balance immediately upon the referral's `invest()` call; separately, its TWAP oracle …
LML APower Reward-Claim Price Manipulation
On March 31, 2026 at 20:39:02 UTC, the attacker used flash-loaned capital on BNB Chain to manipulate the LML/USDT market, then batch-triggered reward claims for pre-seeded accounts through APower and immediately sold the resulting LML back into the distorted pool. The primary …
WhaleBit CES/IGT Staking Oracle Manipulation
On March 31, 2026 at 22:56:21 UTC (Polygon block `84938872`), an attacker exploited WhaleBit's unverified staking system through a **same-transaction spot-oracle manipulation** funded by a flash loan. The attacker EOA `0xe66b37de57b65691b9f4ac48de2c2b7be53c5c6f` used helper …
VTSwapHook Pricing Error
On 2026-03-28, the VTSwapHook contract (`0xbf4b4a83708474528a93c123f817e7f2a0637a88`) deployed on Arbitrum was exploited through a **logic error** in its custom pricing formula. The hook implements a nonlinear (logarithm-based) price curve but approximates execution price using a …
EST BNBDeposit Claim Manipulation
On 2026-03-27, the EST / BNBDeposit system on BNB Smart Chain was exploited through a **flash-loan-assisted reward-accounting flaw** in `BNBDeposit`, amplified by **fee-exempt routing and pair-state manipulation** in EST. The attacker borrowed `250,000 WBNB`, built a temporary …
Cyrus Price Manipulation
On March 22, 2026, the CyrusTreasury protocol on BNB Chain was exploited through a price manipulation attack against its `withdrawUSDTFromAny` function, which is called internally by `exit()`. The vulnerable contract (`CyrusTreasury`, `0xb042ea7b35826e6e537a63bb9fc9fb06b50ae10b`) …
Escrow Overflow
An unverified escrow-like contract at `0xf0a105d93eec8781e15222ad754fcf1264568c97` on Ethereum Mainnet was fully drained in block 24,707,679 (timestamp 2026-03-22 UTC) through an **integer overflow** in its deposit function `0x317de4f6`. The deposit function accumulates entry …