Category Archive

Cases

The Drift Exploit: When the Admin Key Is the Vulnerability
News Security Cases

$280 million was drained from Drift Protocol on April 1 — not through a smart contract bug, not through a compromised seed phrase, but through a weeks-long operation that obtained two signatures from a five-member admin council and used them to seize complete protocol control. This is the admin key problem, executed at its logical extreme.

Apr 3, 2026
When the Corporate Entity Becomes the Liability: The Balancer Labs Shutdown
News Security Cases

On March 24, Balancer co-founder Fernando Martinelli announced that Balancer Labs — the corporate entity that built and funded one of DeFi's foundational DEX protocols — will shut down. The direct cause was a $110 million exploit in November 2025. The actual cause was the legal architecture that made the company inseparable from the damage.

Mar 27, 2026
$1,808 to Hold a Protocol Hostage: The Governance Attack as Security Failure
News Security Cases

On March 24, an attacker spent $1,808 on MFAM tokens, submitted a malicious governance proposal titled 'MIP-R39: Protocol Recovery – Admin Migration', cleared quorum in 11 minutes, and put $1.08 million in user funds at risk. Moonwell is now scrambling to vote it down before the March 27 deadline. The attack is not unusual. Governance tokens are not just voting shares — they are access credentials.

Mar 27, 2026
USR Stablecoin Depegs in $24 Million Exploit
News Security Cases

On March 22, an attacker minted 80 million unbacked USR tokens using roughly $200,000 in USDC and a single unguarded minting role. Resolv's website listed 14 audit engagements from five firms. The service role controlling the mint had no oracle check, no maximum limit, and no multisig. The collateral pool is fine. USR holders are not.

Mar 23, 2026
Venus Protocol's $2.15M Bad Debt: When You Dismiss the Audit Finding, the Attacker Reads It Too
News Security Cases

On March 15, Venus Protocol was left with $2.15M in bad debt after a nine-month oracle manipulation campaign against the THE token. The donation attack vector had been flagged in Venus's own security audit. The team disputed the finding. The attacker did not.

Mar 18, 2026
Oracle Misconfiguration at Curve: Why Pool Creators Are the New Attack Surface
News Security Cases

The Curve LlamaLend sDOLA exploit wasn't a bug in the core protocol. It was a configuration error made at deployment. When a protocol lets anyone configure oracle parameters at pool creation, the attack surface is every pool creator who ever gets it wrong.

Mar 16, 2026
$328 Million Reasons to Verify Your Liquidity Lock
News Security Cases

For three years, Goliath Ventures told investors their capital was in crypto liquidity pools. Blockchain analysis later confirmed only $1.5 million ever reached one. On-chain verification exists. Most investors never asked for it.

Mar 9, 2026
A Government Published a Seed Phrase. $4.8M Was Gone in Hours.
News Security Cases

On February 26, South Korea's National Tax Service published an unredacted photo of a seized Ledger wallet and its handwritten recovery mnemonic. An attacker drained 4 million PRTG tokens within hours. The incident is not a crypto failure — it is a custody failure. And it has direct implications for how any institution handles digital asset keys.

Mar 5, 2026
Why Upgradeability Is a Liability: The Moonwell Oracle Lesson
News Security Cases

On February 15, a governance proposal misconfigured a Chainlink oracle and left Moonwell with $1.78M in bad debt in minutes. It was the protocol's third oracle incident in six months. The common thread isn't AI code or auditor failure — it's that the contract could be changed at all.

Mar 5, 2026
Crypto Hacks Hit a 12-Month Low in February. Here's What the Data Actually Says.
News Security Cases

PeckShield recorded $26.5M in crypto losses across 15 incidents in February 2026 — the lowest monthly figure since March 2025. The numbers reflect real progress. They also reveal where the residual risk still lives.

Mar 3, 2026
Seven Hacks. One Month. The Common Thread Is Not the Code.
News Cases Security

Seven DeFi hacks over $1M each in January 2026 alone. Step Finance ($30M) and a major social engineering attack both traced to compromised private keys — not smart contract flaws. Halborn's monthly roundup makes the case that admin key architecture is the real vulnerability.

Jan 30, 2026
Pool Reserve Manipulation via Burn: What the PancakeSwap V2 Exploits Reveal About LP Mechanics
News Security Cases

Two PancakeSwap V2 pools on BNB Smart Chain — XPL/USDT ($717K) and PGNLZ/USDT ($100K) — were exploited in late January via flawed token burn mechanisms that allowed direct pool reserve manipulation. A technical breakdown for developers on what deterministic pool mechanics require.

Jan 23, 2026
The Truebit Exploit: What a Single Integer Overflow in a Legacy Contract Costs
News Security Cases

A legacy Truebit smart contract with an integer overflow flaw allowed attackers to mint TRU tokens for free and drain $26.4M from the protocol. A clinical post-mortem on what aging code costs — and why immutable, minimal contracts do not accumulate this category of risk.

Jan 21, 2026
What Is a Liquidity Lock and Why Does It Exist
Security Cases

A technical primer on liquidity pool mechanics, the conditions that make rug pulls possible, and the on-chain infrastructure built to prevent them.

Jan 20, 2026