News linked to this event type.
According to Cointelegraph, Tezos ecosystem developers have launched the quantum-resistant privacy payment prototype TzEL on the testnet. TzEL employs post-quantum cryptography and zk-STARK proofs to defend against “harvest now, decrypt later” attacks, safeguarding transaction data and encrypted payment metadata. The prototype also integrates Tezos’ data availability layer to handle the relatively large size of post-quantum proofs. According to the whitepaper, the quantum-resistant zk-STARK proofs used by TzEL are approximately 300 KB in size. TzEL is currently running on the Tezos testnet, and the Tezos ecosystem’s transition to post-quantum cryptography remains in its early stages.
Ranger Finance co-founder cobra stated that Ranger Finance is winding down operations. Some personnel and vendors who collaborated with, built, and supported the project have not received full payment. He explained that during periods of cash shortage, the founders personally injected funds to keep operations running and advanced fundraising efforts within MetaDAO; however, the delayed fundraising led to an accumulation of unpaid bills. After the fundraising was completed, the project only secured approximately two months of runway before the funds were returned. Ranger Finance noted that treasury liquidation exceeded expectations, negatively impacting employees, vendors, and growth budgets. Subsequently, the Drift vulnerability further hampered project progress. Vault users affected by the Drift vulnerability will receive recovered tokens when distributed by the Drift team.
Ronghui Gu, co-founder and CEO of CertiK, stated that AI tools are exacerbating the imbalance between attack and defense in DeFi security, making it easier for attackers to discover vulnerabilities and replicate attack paths across different protocols.He pointed out that the DeFi security situation was particularly severe in April of this year, with only 3 days that month free from hacker attacks, resulting in cumulative losses exceeding $690 million for DeFi protocols. Excluding the Bybit attack in February 2025, April has become the month with the highest losses from DeFi hacks since March 2022.Ronghui Gu believes that attackers can concentrate significant computing power to repeatedly test a single protocol, whereas security companies need to serve multiple clients simultaneously with dispersed resources, putting the defense side at a natural disadvantage. Meanwhile, the focus of recent attacks is also shifting from smart contract vulnerabilities to operational security and weak points in the supply chain.He emphasized that even if AI fails to find vulnerabilities over an extended period, it does not prove the code is completely secure; under current technical conditions, formal verification remains a more reliable method for ensuring security.
that, according to official sources, AaveLabs has proposed restructuring the Aave DAO bug bounty framework into multiple specific subsystem programs, operating on the Immunefi, Sherlock, and Cantina platforms respectively. Core Aave V3, Core Aave V2, GHO, and non-liquidity protocol infrastructure will be covered by Immunefi; Aave V4 and the Aave App Stack will be covered by Sherlock; and Aave V3 on Aptos will be covered by Cantina.The proposal suggests adjusting the bounty scale for each system. The maximum reward for critical vulnerabilities in Core Aave V3 is $5 million, while the maximum reward for critical vulnerabilities in Aave V4 is $2.5 million. Additionally, the funding source for the Aave V3 bug bounty on Aptos will be transferred from Aave Labs to the Aave DAO. This ARFC proposal has currently been passed.
Aave announced that its bug bounty program has been updated to better align rewards with the risk profile of each component within the ecosystem and to streamline the review process. The reward cap for critical vulnerability fixes in Aave V4 and Core Aave V3 has now been increased fivefold.
the deliberation of the "Cryptocurrency Market Structure Act" (i.e., the CLARITY Act) has commenced in the U.S. Senate Banking Committee. As of now:1. An amendment proposed by Senator Mike Rounds to create an AI regulatory sandbox was passed with 15 votes in favor and 9 against, indicating some bipartisan support, despite Senator Elizabeth Warren urging Democratic members to vote against it.2. An amendment proposed by Elizabeth Warren, aimed at "preventing high-risk assets from entering retirement accounts," was rejected with 11 votes in favor and 13 against.3. An amendment previously proposed by Senator Katie Britt of Alabama, which would have allowed certain retirement accounts to invest in pooled investment vehicles, was withdrawn before the vote.It is reported that one of the most contentious amendments comes from Elizabeth Warren, concerning the strengthening of sanctions authority over cryptocurrency mixers. In her remarks, she referenced the U.S.-sanctioned mixing protocol Tornado Cash, stating it has been used to launder over $7 billion for criminal organizations and North Korean hacker groups, including over $450 million in related funds. Warren argued that the current bill does not grant the U.S. Treasury Department sufficient legal authority to isolate or restrict mixer services, potentially creating loopholes in anti-money laundering oversight. In response, Cynthia Lummis countered that the illegal financial activities are already covered in Parts Two and Three of the bill.
Kraken announced on X platform that Chainlink CCIP will become the sole cross-chain infrastructure for kBTC and future wrapped assets, replacing the original LayerZero protocol. This decision followed last month's $292 million LayerZero cross-chain bridge exploit incident at Kelp.Currently, a total of over $3 billion in total value locked has migrated from LayerZero. The migration covers blockchains including Ethereum, Ink, Unichain, and Optimism. The current market cap of kBTC is approximately $260 million. Kraken stated that it will continue to be responsible for the issuance and custody of assets, while Chainlink CCIP will handle cross-chain asset transfers. (coindesk)
Odaily Odaily News Gate Research recently released its "April 2026 Cryptocurrency Market Review" report, indicating that the overall cryptocurrency market saw a volatile upward trend in April, with total market capitalization significantly higher than in March. BTC and ETH ETF trading volumes maintained high volatility overall. The report shows continued divergence in activity across major public chain ecosystems. Solana's daily transaction volume remained in the range of approximately 90 million to 110 million transactions, maintaining its leading position.Regarding trending sectors, the report notes that Pokemon TCG RWA has become one of the fastest-growing on-chain RWA sub-sectors, entering a second explosive growth phase in April. Major trading platforms saw monthly trading volumes exceed $220 million, with weekly revenue briefly approaching $6 million, setting new historical records. Meanwhile, Aave experienced its most severe liquidity crisis ever in April, with TVL outflows reaching tens of billions of dollars within a few days and net outflows exceeding $9 billion for the entire month.In terms of fundraising and security incidents, the Web3 industry completed 51 financing rounds in April, totaling approximately $834 million, with capital further concentrating on leading financial and infrastructure tracks. Among these, Payward ranked first for the month with a $200 million financing round. On the security front, Web3 security incidents in April resulted in losses of approximately $306 million, a month-over-month increase of about 858%, primarily driven by a single cross-chain infrastructure attack on Kelp DAO worth approximately $293 million. The report suggests that against the backdrop of a recovering market, on-chain activity and capital liquidity are both increasing simultaneously. However, the security risks associated with cross-chain infrastructure and high-leverage protocols remain worthy of continued attention.
According to The Block, the T3 Financial Crime Unit (T3 FCU), jointly established by Tether, TRON, and TRM Labs, announced that since its founding in 2024, it has frozen over $450 million worth of illicit crypto assets globally. In 2025, the unit’s interception of illicit proceeds increased by 43.9% year-on-year, covering 23 jurisdictions including the United States, Spain, and Germany, and has been recognized by the Financial Action Task Force (FATF) as “a critical resource for global law enforcement agencies.” The T3 FCU has participated in investigations across multiple crime categories, including exchange hacks, North Korea–related activities, terrorist financing, and violent crimes, and assisted Brazil’s Federal Police in freezing over $5.989 billion in assets—including 4.3 million USDT.
According to Cointelegraph, a New York judge has postponed the hearing on Aave’s emergency motion to unfreeze approximately $71 million worth of ETH and ordered Aave and Gerstein Harrow LLP to submit additional case briefs. A new hearing is scheduled for June 5. The court noted that Aave previously failed to adequately explain why users’ funds would suffer “derivative losses” if the restraining order remained in effect. The assets in question are linked to the Kelp DAO hack, which involved approximately $293 million and was previously frozen by Arbitrum. The judge also directed both parties to further clarify several legal issues, including the applicable law governing the hacker’s transactions, the legal distinction between fraud and theft, the priority ranking of creditors’ claims, the applicability of constructive trust, and whether assets can be proportionally returned to victims.
GoPlus Security reported that a user fell victim to a typical address poisoning attack: the user mistakenly sent 100,000 DAI to a spoofed address after copying a visually similar address from their transaction history. In this incident, the user had previously sent 300,000 DAI to the legitimate target address; the attacker then sent 0.0003 DAI to the user from a malicious address with characters nearly identical to the legitimate one—before and after the address—thereby tricking the user into selecting the wrong address during their subsequent transfer. GoPlus Security advises users not to copy wallet addresses from transaction history, always verify the full address before sending funds, and conduct a small test transaction prior to any large transfer.
the L1 blockchain TAC team stated they have confirmed a security incident on the cross-chain layer resulted in approximately $2.8 million in assets being transferred, involving assets such as USDT, BLUM, and tsTON.TAC stated that if the attacker returns the relevant funds to the designated multi-signature address, the team will consider this incident a "white hat rescue" and will not take legal action against the operator of the involved ETH/BSC, ZEC, and TON addresses.As a reward, the attacker can receive an approximately 10% bounty, equivalent to about 13 ETH and 300 ZEC.
TAC stated that its cross-chain layer on the TON side was exploited by external attackers, resulting in approximately $2.8 million in losses involving USDT, BLUM, and tsTON. TAC confirmed that the TAC token, TON, and all ERC-20 tokens bridged from Ethereum remain unaffected. The bridge has been temporarily suspended, and the team is conducting forensic analysis and implementing fixes. Additionally, the team plans to legally structure a sale of the foundation’s TAC token treasury reserves to restore bridge liquidity and compensate affected users. A post-mortem report and further details will be released within the next 48 hours.
the smart contract auditing platform Code4rena has announced it will gradually cease operations. All ongoing audit contests and bug bounty programs will still be completed as normal.Web3 security platform Immunefi subsequently stated that it will collaborate with Code4rena to take over its bug bounty clients and security researchers, assisting in the migration of bounty scope, rules, and reward structures.Code4rena was known for its "competitive audit" model, allowing independent security researchers to earn rewards by discovering smart contract vulnerabilities. The platform secured $6 million in funding from Paradigm in 2023 and was acquired by blockchain security firm Zellic in 2024.
According to the official announcement by Transit Finance, an outdated smart contract—originally deployed on the TRON blockchain and deprecated in 2022—was recently exploited via a historical vulnerability, affecting a small number of users. The team completed its investigation, isolation, and remediation efforts on May 12, 2026; no action is required from users. The current version of the smart contract remains unaffected, has been operating securely for over four years, and continues to undergo regular security audits and monitoring. Affected users will receive full compensation; details of the compensation plan will be announced separately via official channels. The team also reminds users to remain vigilant against impersonator accounts and never disclose private keys or mnemonic phrases to anyone.
According to on-chain analyst PeckShield (@PeckShieldAlert), Transit Finance appears to have been hacked, resulting in losses of approximately $1.88 million. The stolen funds are currently held in DAI at the address 0x8a634DfA2609358849D7D65FFA270C8A57a8abA5.
Avant announced that, based on comprehensive market feedback and its own assessment, it has decided to postpone the Token Generation Event (TGE) to mid-September. Avant stated that the broader decentralized finance (DeFi) token market is currently under pressure, and multiple protocols have recently suffered security incidents—conditions unfavorable for launching a token sale. Avant Rewards points will cease accruing on May 15; however, users’ already-earned points will be preserved and remain eligible for participation in the upcoming TGE. During the postponement period, Avant will advance partnerships, expand total value locked (TVL), and enhance its product suite. It also plans to host a public Space this Thursday at 2:00 PM Eastern Time.
Aave posted on X, stating that the first phase of the rsETH technical recovery plan has been completed, including the burning of the attacker's rsETH on Arbitrum.In the coming days, funds will be gradually replenished for the LayerZero OFT adapter, and rsETH-related operations will be restored.
According to Decrypt, Microsoft’s Threat Intelligence team disclosed that attackers had injected malicious code into Mistral AI packages distributed via the PyPI platform. This malicious code automatically executes when developers use the packages on Linux systems, downloading and running a malicious file named <code>transformers.pyz</code> in the background—the filename deliberately mimics the widely used Hugging Face Transformers library to evade detection. Microsoft noted that the malware primarily steals developers’ login credentials and access tokens. It avoids execution on Russian-language systems and includes logic that can randomly delete files on devices located in Israel or Iran. This attack is linked to the “Shai-Hulud” supply-chain campaign launched in September. In response, Mistral stated that its investigation found the attack originated from compromised developer devices, and its corporate infrastructure was not breached.
Coinbase, a cryptocurrency trading platform, has disclosed in a technical sharing session that its internal multi-agent development tool "Mux" is reshaping software engineering workflows, transitioning the engineer's role from traditional code implementers to task orchestrators for AI agents.With the widespread internal adoption of AI programming tools such as Cursor, Copilot, OpenCode, and Claude Code, code generation efficiency has significantly improved. However, development workflows have long remained stuck in a traditional "single-task, single-branch, sequential execution" mode, creating a new collaboration bottleneck.Mux was born as an internal tool against this backdrop. By assigning each AI agent an independent git worktree, branch, and terminal environment, the system enables parallel multi-task development and conflict-free collaboration, allowing engineers to simultaneously direct multiple agents to handle tasks such as API development, test writing, vulnerability fixes, and code refactoring.Data shows that as of April 2026, Mux has covered over 600 users within Coinbase (including engineers, product managers, and designers), with 335 actively using it and 197 being high-frequency users. It has facilitated over 5,000 PR merges across 461 code repositories and 10 organizations. Engineers using Mux achieved an average of 39.6 PR merges, approximately 3.5 times the baseline of 11.4.Coinbase stated that Mux's success relies on its internal infrastructure capabilities, including an LLM Gateway, secure model access, and a code flow deployment system, enabling deep integration of multi-agent tools into real development workflows. This trend marks a structural shift in the software engineering paradigm: as AI reduces the cost of code generation, the core value of engineers is transitioning from "implementation capability" to "problem definition and agent orchestration capability."