On 2026-02-04 13:46:59 UTC (block 24,383,881), tx `0xee2b216b7d649513dc8ba102e130d3d86d189b393a0d5f387e479be3dbda799d` on Ethereum deployed helper contracts and invoked `depositWithCalldataMultiToken` and `withdrawWithCalldataMultiToken` on SingleAdapterRouter (Vault_reUSD) at …
Exploit Analysis Reports
EYWA PortalV2 Axelar
On 2026-02-01 18:38:23 UTC (block 24,363,854), tx `0x37d9b911ef710be851a2e08e1cfc61c2544db0f208faeade29ee98cc7506ccc2` on Ethereum called `expressExecute` on ReceiverAxelar (`0xb2185950f5a0a46687ac331916508aada202e063`) with `sourceChain="berachain"` and …
Gyro Finance CCIP Escrow
On Ethereum mainnet, Gyro Finance's GYD bridge escrow was exploited on January 30, 2026. The attacker used a crafted CCIP message to make the escrow contract approve unlimited GYD allowance, then drained the escrow via `transferFrom`.
XPL
The transaction `0x9779341b2b80ba679c83423c93ecfc2ebcec82f9f94c02624f83d8a647ee2e49` on BNB Smart Chain exploited XPlayer's node distribution burn path to manipulate the XPL/USDT PancakeSwap pool and drain USDT. The attacker used a flash-loan style contract to burn XPL out of the …
Makina Oracle Manipulation
The attacker used flash-loaned USDC (Morpho + Aave) to temporarily skew spot-based on-chain state (Curve pools and oracle inputs, including the ERC4626 `convertToAssets` path used in pricing). In the same transaction, they invoked `accountForPosition` and `updateTotalAum`, locking an …
FutureSwap
On 2026-01-10 08:30:35 UTC (Arbitrum block 419,829,771), tx `0xe1e6aa5332deaf0fa0a3584113c17bedc906148730cbbc73efae16306121687b` deployed an attacker contract that drained approximately 394,743 USDC.e from FutureSwap's unverified perpetual exchange contract at …
TMX Tribe
The unverified contracts of TMXTribe were exploited through a series of attack transactions that abused a vulnerability in the accounting logic. The root cause is that the AUM calculation (used to price TLP) ignores USDG liabilities, so USDG minting inflates AUM and enables high-price …