News linked to this event type.
Following the Kelp security incident, Tether's asset interoperability protocol USDT0 has disclosed details of its protocol security architecture. It stated that the system currently utilizes a proprietary DVN (Decentralized Verification Network) with message veto authority, and requires 3 independent validators, operating on different codebases, to reach a 3/3 consensus before cross-chain messages can be settled. The current verification nodes include the USDT0 proprietary DVN, LayerZero, and Canary, with future plans to expand to 4/4 and 5/5 verification mechanisms. USDT0 also stated that all multi-signature transactions must undergo multiple reviews by internal teams, external security teams, and auditing firms before signatures are submitted. The relevant contracts have been audited by firms such as Guardian and OpenZeppelin, and a $6 million bug bounty program has been launched on Immunefi.
Wasabi Protocol released a security incident update, stating that the attacker exploited a Spring Boot Actuator configuration vulnerability in its AWS infrastructure to steal private keys controlling EVM smart contracts, and subsequently drained approximately $4.8 million in user funds and $900,000 from the protocol’s treasury—totaling roughly $5.7 million in losses. The attack chain originated from a public-facing analysis server whose Actuator heap dump was not properly password-protected, enabling the attacker to obtain credentials for another server and ultimately gain control of the smart contract private keys. This incident affected only EVM deployments—including certain treasuries on Ethereum, Base, Blast, and Berachain—while Solana deployments and the Prop AMM remained unaffected. No final user compensation plan has been announced yet; however, “ensuring all affected users are compensated” remains the team’s top priority. Updates on the investigation will be shared with the community via Discord.
Odaily News: Margaret Garnett, a U.S. District Judge in Manhattan, has approved Aave's asset recovery proposal, allowing the transfer of approximately $71 million in ETH, previously frozen on Arbitrum and tied to North Korean-linked attacks, to a wallet controlled by Aave LLC, while preserving the legal claims of terrorism victim plaintiffs over the funds. The ruling also amended the earlier freeze notice against the Arbitrum DAO, permitting the transfer to be executed through an on-chain governance vote and exempting those who propose, vote on, or participate in the transfer from liability under the freeze order. The transfer is still subject to an official vote by Arbitrum's on-chain governance. (CoinDesk)
According to BusinessMirror, the Bangko Sentral ng Pilipinas (BSP) issued a warning on May 8 urging the public—especially cryptocurrency users—not to transact with unauthorized Virtual Asset Service Providers (VASPs). The BSP noted that such activities carry operational risks including fraud, cyberattacks, and insolvency, as well as a lack of legal recourse. The BSP stated it will collaborate with regulatory bodies such as the Securities and Exchange Commission (SEC) and the National Telecommunications Commission (NTC) to strengthen market oversight, restrict Filipino access to unauthorized platforms, and call on consumers to protect their personal information, practice good cybersecurity hygiene, and transact only with licensed entities.
Odaily: Aave posted on the X platform stating that the second phase of the technical solution for the rsETH incident recovery has progressed. On May 6, eight positions of the hacker on Aave V3 were liquidated, and the recovered rsETH collateral has been transferred to the recovery guardian. The Arbitrum DAO has passed a proposal to return the previously recovered $71 million in ETH. Regarding the application for asset freezing filed by the plaintiff, the judge has approved Aave LLC's proposal, allowing the transfer of the $71 million in ETH to Aave LLC through an on-chain vote by the Arbitrum DAO. Subsequent plans include burning rsETH on Arbitrum and restoring the rsETH reserve. After the reserve is restored, withdrawals will be reopened, and the WETH Loan-to-Value (LTV) ratio on the Aave V3 Ethereum mainnet will be restored.
According to The Block, blockchain security firm CertiK released a report on May 8 stating that 34 confirmed “wrench attacks” (i.e., offline physical assaults and extortion targeting cryptocurrency holders) occurred globally in the first four months of 2026—an increase of 41% compared to the same period in 2025. Victims’ total losses amounted to approximately $101 million. If this trend continues, the annual number of incidents is projected to reach around 130, with losses potentially totaling hundreds of millions of dollars. Geographically, 28 of the 34 incidents (82%) occurred in Europe, with France standing out particularly: 24 cases were recorded there in the first four months of 2026 alone—exceeding the full-year total of 20 incidents in 2025. CertiK attributes this surge to France’s hosting of flagship crypto firms such as Ledger and Binance, frequent data breaches, and a community culture of conspicuous wealth display and proactive doxxing. In contrast, reported incidents in the U.S. dropped from nine in Q1 2025 to three in Q1 2026, while Asia saw a decline from 25 to two. Regarding attack patterns, CertiK notes that criminal groups have shifted toward a “data-driven targeting” model—purchasing victims’ names, addresses, and asset information from data brokers, thereby reducing the need for physical reconnaissance. Over half of this year’s incidents involved threats against or direct harm to victims’ family members (spouses, children, elderly parents) as a coercive tactic. Operationally, small gangs of three to five individuals typically carry out these attacks via
LayerZero’s official tweet: LayerZero Labs has formally apologized for the security incident that occurred over the past three weeks and for insufficient communication. Regarding the incident, an internal RPC of LayerZero Labs was compromised by the North Korean hacking group Lazarus Group, contaminating the data sources for its Decentralized Verifier Nodes (DVNs). Concurrently, external RPC providers also suffered DDoS attacks. This incident affected a single application—0.14% of all applications—and involved assets valued at approximately 0.36% of LayerZero’s total assets. The LayerZero protocol itself remained unaffected; over $9 billion in assets continued to flow across chains normally following the incident. LayerZero Labs acknowledged that it previously permitted its DVNs to operate under a “1/1” single-node configuration to secure high-value transactions—a setup inherently vulnerable to single-point failure. LayerZero Labs accepts managerial oversight responsibility for this decision. Additionally, LayerZero disclosed that, three and a half years ago, one of its multi-signature signers had mistakenly used a multi-sig hardware wallet for personal transactions. That signer has since been removed, and the associated wallet has been rotated. As corrective measures, LayerZero Labs announced:
- It has discontinued support for “1/1” DVN configurations;
- It is migrating all paths to a default 5/5 multi-signature configuration, with a minimum threshold of 3/3;
- It has developed a second DVN client written in Rust to ensure client diversity.
LayerZero Labs posted on platform X, stating that the internal RPC used by LayerZero Labs had been attacked by the Lazarus Group over the past three weeks, compromising the true source of its DVN (Decentralized Verifier Network). Meanwhile, external RPC providers experienced DDoS attacks. The incident affected 0.14% of applications and approximately 0.36% of asset value. LayerZero Labs stated that assets are currently secure, and over $9 billion in funds have been bridged through the protocol since April 19. In response to the security risk, LayerZero Labs has ceased providing services for its DVN in a 1/1 configuration. Default configurations for all pathways will migrate to a multi-DVN model of at least 3/3 or 5/5 signatures. Additionally, regarding an incident from three years ago where a multi-sig holder mistakenly used a hardware wallet for personal transactions, LayerZero Labs has removed that signer and replaced the wallet, while developing a custom OneSig multi-sig system. LayerZero Labs advises developers to lock configurations to avoid reliance on default settings and plans to launch an asset management platform, Console, to enhance security monitoring.
A report from CertiK shows that in the first four months of 2026, 34 "wrench attacks" (offline violence or coercion to obtain crypto assets) have occurred globally, a 41% increase year-over-year, with cumulative losses of approximately $101 million. The report indicates that attack patterns are shifting towards being "data-driven," involving prior collection of victim information and incorporating "proxy targets," such as family members, into the threat scope to apply pressure. Regionally, Europe accounts for 82% of incidents, with France being the most concentrated. Industry insiders believe that such attacks have become a significant security risk for crypto asset holders.
The Mantle community has approved proposal MIP-34, authorizing the Mantle Treasury to extend a loan of up to 30,000 ETH to the Aave DAO to address the non-performing loan impact on Aave V3 resulting from the rsETH cross-chain bridge security incident on April 18, 2026. Per the proposal, the loan term is up to 36 months, with an annual interest rate of LIDO + 1%; the borrower may repay early without penalty. Regarding risk control, Mantle will hold a first-priority security interest in the relevant collateral assets. Additionally, Aave will provide supplementary collateral comprising no less than $11 million worth of AAVE tokens and protocol revenue, and delegate 130,000 AAVE tokens to Mantle for governance participation.
According to The Block, the Arbitrum DAO voted to release 30,765.6 ETH (approximately $70 million), previously frozen, to support the DeFi United initiative—aimed at offsetting Kelp DAO’s $292 million exploit loss last month. The vote passed with 90.96% support (182.2 million votes). The attack was allegedly carried out by the North Korean Lazarus hacking group, which exploited a vulnerability in LayerZero’s OFT cross-chain bridge—a single-validator configuration—which allowed attackers to steal 116,500 rsETH and pledge most of the stolen assets as collateral on Aave, resulting in roughly $190 million in bad debt. DeFi United has secured contributions from multiple parties, including 30,000 ETH from Consensys and Joseph Lubin, a 30,000-ETH loan from Mantle, and 5,000 ETH from LayerZero.
According to CoinDesk, at the “Perp DEX Explosion: Bullish Volumes and Bear Market Resilience” panel at Consensus Miami, several industry insiders stated that institutional investors are still largely avoiding decentralized exchanges offering perpetual futures (Perp DEXs). Veteran trader Wizard of SoHo pointed out that Drift’s recent multi-million-dollar hack highlights security vulnerabilities in the DeFi ecosystem, making secure onboarding of institutional capital a core competitive focus for major Perp DEXs. Anderson of Canary Labs expressed concern about DeFi’s current security posture, noting that large institutions face significantly greater challenges adopting decentralized exchanges compared to centralized platforms. Additionally, the structural tension between DeFi’s permissionless, open design and institutions’ stringent KYC compliance requirements is seen as a key barrier to scaling adoption. Michaël van de Poppe, founder of MN Fund, shared his views on AI-powered trading tools, stating that AI agents represent an evolutionary extension of algorithmic trading—and that trading will increasingly become fully automated.
SlowMist Chief Information Security Officer 23pds posted on Platform X stating that a privilege escalation vulnerability named "Dirty Frag" has been exposed in the Linux system, with full details and exploit code now publicly available. This vulnerability allows any local low-privileged user to directly gain root privileges on virtually all mainstream Linux distributions. It is a deterministic logic vulnerability; the attack does not rely on complex race conditions, has an extremely high success rate, and does not cause kernel crashes, making it highly dangerous. It is recommended that Linux users update their systems promptly.
According to CoinDesk, Ethereum co-founder Vitalik Buterin was sandwiched by the well-known MEV bot jaredfromsubway.eth on April 30 during a small token swap. On-chain data shows that Buterin exchanged 26,544 XDB tokens—valued at approximately $3.86—for 0.00197 ETH (worth about $4.56) in block 24993038. The bot then deployed roughly $1.14 million worth of WETH to manipulate prices across SushiSwap and Uniswap V2 to execute the sandwich attack. After deducting $5.14 in gas fees, the bot incurred an actual loss on this operation.
OpenAI has officially launched the GPT-5.5-Cyber model and the "Trusted Access for Cyber" (TAC) framework designed for cybersecurity defenders. Simultaneously, GPT-5.5-Cyber has been opened for a limited preview to defenders responsible for critical infrastructure, supporting specialized cybersecurity workflows. TAC is an identity and trust-based framework aimed at ensuring that enhanced AI capabilities are wielded by verified defenders. Defenders verified through this framework will encounter fewer instances of model refusal when performing tasks such as vulnerability identification, triage, malware analysis, binary reverse engineering, and patch verification. Starting from June 1, 2026, individual members accessing this capability will be required to enable advanced account security protection. OpenAI is currently collaborating with security vendors including Cisco, CrowdStrike, and Palo Alto Networks to accelerate the defense cycle of the security ecosystem through GPT-5.5, enhancing the efficiency of vulnerability research, patching, monitoring, and supply chain security.
Solv Protocol has announced the migration of over $700 million in tokenized Bitcoin assets to Chainlink's cross-chain protocol CCIP, and will gradually phase out LayerZero's bridging support across multiple chains. The migration involves core assets such as SolvBTC and xSolvBTC. Solv stated that the decision is based on the latest security reviews and recent cross-chain security incidents, and CCIP will become its standard cross-chain infrastructure. This move follows Kelp DAO's migration of approximately $290 million in assets to Chainlink, further strengthening the trend of "cross-chain infrastructure shifting toward security-first migration." (CoinDesk)
Linda Jeng, Chief Legal and Policy Officer at Aave Labs, stated during Consensus Miami 2026 that Aave's previous risk framework overly focused on financial risks and price volatility. Looking ahead, the protocol will incorporate assessments of cross-chain interoperability, cybersecurity vulnerabilities, and underlying asset architecture. This reform directly stems from the rsETH incident that occurred in April. At that time, an attacker exploited a vulnerability in the KelpDAO cross-chain bridge to mint approximately 116,500 unbacked rsETH (valued at around $293 million), deposited it as collateral into Aave, and borrowed real WETH, leading to significant bad debt risks for the protocol. Jeng revealed that Aave will also release a formal "listing standards handbook" for asset issuers in the future, and will begin evaluating the correlation between DeFi protocols from a systemic risk perspective, rather than analyzing individual pools in isolation. Additionally, a "DeFi United" bailout plan involving Lido Finance, EtherFi, Ethena, and others has been launched to cover collateral shortfalls and prevent further proliferation of bad debt. (CoinDesk)
Lido has provided the latest update on the Kelp security incident, stating that the Snapshot vote regarding the EarnETH first-loss protection mechanism falling below the 1% threshold has reached quorum and been approved. User losses from EarnETH will be fully covered by Lido Earn’s first-loss mechanism. The rsETH held by the attacker has been liquidated, and the related stETH has been transferred to the DeFi United rescue plan. Additionally, the EarnETH vault is expected to reopen shortly after the Kelp protocol resumes operation, at which point users will be able to deposit and withdraw funds normally. Lido emphasized that during the freeze period, both the EarnETH and EarnUSD vaults continued to generate yield. Currently, EarnETH users only need to wait for a brief unfreezing process to complete. Once funds are restored, compensation will be provided in accordance with the first-loss protection mechanism.
1inch market maker TrustedVolumes confirmed on the X platform that it had been attacked, disclosing that the stolen funds are currently held in three addresses, with a total amount of approximately $6.7 million. Two of the addresses each hold about $3 million in assets, while another address holds approximately $700,000 in assets. Meanwhile, TrustedVolumes expressed its willingness to engage in constructive communication with the attacker regarding a bug bounty and mutually acceptable solutions.
According to Cointelegraph, Marlon Ferro, a 20-year-old man from California known online as “GothFerrari,” was sentenced to 78 months in federal prison, three years of supervised release, and ordered to pay $2.5 million in restitution for his involvement in a cryptocurrency theft ring responsible for over $250 million in losses. Prosecutors stated that when co-conspirators were unable to remotely breach victims’ systems or trick them into surrendering their crypto assets, Ferro carried out physical break-ins to steal hardware wallets containing the funds. The group operated from late 2023 through early 2025 and its members were also involved in database intrusions, target identification, scam phone calls, and money laundering. The investigation was led by the FBI and the IRS Criminal Investigation Division.