News linked to both this project and an event.
David Sacks, co-chair of the President's Council of Advisors on Science and Technology, responded to the regulatory implications of the Anthropic “security controversy,” stating that he has communicated with multiple parties regarding the current situation at Anthropic. He concluded that the core of the event lies in the security controversy sparked by its newly released model “Fable” (the commercial version of the Mythos-class models). Although Anthropic publicly stated the vulnerability was “not severe,” the U.S. government and testers disagreed with this assessment, believing it was significant enough to impact the model's security, even involving “cyber weapons operability” risks. David Sacks further criticized Anthropic, saying it has long emphasized “safety first,” yet in this instance was more inclined to keep the consumer version continuously online than to prioritize repairing the security issue. He stated this matter should not be conflated with previous defense or regulatory controversies and noted that the U.S. government still recognizes Anthropic's technical capabilities. The current problem “could have been resolved quickly, the ball is in Anthropic's court.”
The Bitcoin Core Project released a security advisory confirming a privacy vulnerability in the -privatebroadcast feature introduced in version 31.0.
Sui officially announced a network outage on its mainnet due to a vulnerability in the Gas billing logic of version 1.72, temporarily halting all transactions and on-chain activities. The Sui Core team has now completed emergency response, and the mainnet has resumed normal operations. The official statement indicated that a comprehensive post-mortem report will be released subsequently, detailing the cause of the incident and the fix.
Odaily News: Squid posted on X, stating that this incident is unrelated to the Squid core protocol and contracts. All Squid users and integrators are unaffected and no action is required. Today, a third-party Gnosis Safe module on the Base and Ethereum networks was attacked, resulting in a loss of approximately $3.2 million. The vulnerable contract is verified on Basescan under the name "SquidRouterModule," but this contract was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate with Squid and other protocols, and has no connection with Squid. The attack principle is that this third-party module accepts a constant string provided by the caller as a message security proof. This string is publicly visible in the verified contract code. By inputting this string, the attacker could execute arbitrary calldata arrays and freely steal funds. The victim's Safe wallet had added this problematic contract as a trusted Safe Module, allowing the contract to control any tokens within the Safe without requiring a signature. Squid's own router contract (0xce16...D666) has a different architecture and was unaffected. Squid users' funds, authorizations, and integrations are completely safe. Early public reports may have mentioned "SquidRouter" due to the contract verification name on Basescan. The accurate description should be: a third-party SquidRouterModule was attacked, not Squid's Router contract. This contract shares the name with Squid, but it is not Squid's code. Squid is continuously monitoring the situation and will provide updates if there are any significant changes.
According to official sources, Aave Labs has proposed restructuring the Aave DAO bug bounty framework into multiple specific subsystem programs, operating on the Immunefi, Sherlock, and Cantina platforms respectively. Core Aave V3, Core Aave V2, GHO, and non-liquidity protocol infrastructure will be covered by Immunefi; Aave V4 and the Aave App Stack will be covered by Sherlock; and Aave V3 on Aptos will be covered by Cantina. The proposal suggests adjusting the bounty scale for each system. The maximum reward for critical vulnerabilities in Core Aave V3 is $5 million, while the maximum reward for critical vulnerabilities in Aave V4 is $2.5 million. Additionally, the funding source for the Aave V3 bug bounty on Aptos will be transferred from Aave Labs to the Aave DAO. This ARFC proposal has currently been passed.
Aave announced that its bug bounty program has been updated to better align rewards with the risk profile of each component within the ecosystem and to streamline the review process. The reward cap for critical vulnerability fixes in Aave V4 and Core Aave V3 has now been increased fivefold.
According to CoinDesk, at the “Perp DEX Explosion: Bullish Volumes and Bear Market Resilience” panel at Consensus Miami, several industry insiders stated that institutional investors are still largely avoiding decentralized exchanges offering perpetual futures (Perp DEXs). Veteran trader Wizard of SoHo pointed out that Drift’s recent multi-million-dollar hack highlights security vulnerabilities in the DeFi ecosystem, making secure onboarding of institutional capital a core competitive focus for major Perp DEXs. Anderson of Canary Labs expressed concern about DeFi’s current security posture, noting that large institutions face significantly greater challenges adopting decentralized exchanges compared to centralized platforms. Additionally, the structural tension between DeFi’s permissionless, open design and institutions’ stringent KYC compliance requirements is seen as a key barrier to scaling adoption. Michaël van de Poppe, founder of MN Fund, shared his views on AI-powered trading tools, stating that AI agents represent an evolutionary extension of algorithmic trading—and that trading will increasingly become fully automated.
Bitcoin Core developers have disclosed a high-risk vulnerability numbered CVE-2024-52911, affecting versions 0.14.1 through 28.4. Attackers can exploit this vulnerability by constructing a special block to remotely crash other nodes and execute code. The vulnerability was discovered and privately reported by developer Cory Fields in November 2024. The fix was merged in December 2024 and officially launched in the v29 release in April 2025. Currently, support for the last vulnerable version in the 28.x series ended on April 19, 2026. However, since upgrading Bitcoin nodes is voluntary, it is estimated that approximately 43% of nodes are still running vulnerable old versions, posing a potential security risk.
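SlowMist founder Yu Xian (余弦) posted on X: "Ekubo-related contracts have been maliciously exploited. The cause is that a user had previously approved the relevant tokens to 0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd, as with user 0x765DEC's unlimited WBTC approval (made 158 days ago): the attacker can designate an approved user as the payer and, in payCallback, have that contract call WBTC transferFrom(victim, Ekubo Core, amount), then transfer the assets to the attacker through the withdraw/pay settlement flow of Ekubo Core (0xe0e0e08A6A4b9Dc7bD67BCB7aadE5cF48157d444). This operation was executed 85 times, 0.2 WBTC each time, and user 0x765DEC ultimately lost 17 WBTC. Users are advised to follow the official notice and check their approvals to the following contracts as soon as possible: 0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd (V2), 0x4f168f17923435c999f5c8565acab52c2218edf2 (V3), Arbitrum: 0xc93c4ad185ca48d66fefe80f906a67ef859fc47d (V3)."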
Aave risk service provider LlamaRisk has released an incident report: On April 18, 2026, the attacker exploited a vulnerability in Kelp’s LayerZero V2 Unichain-to-Ethereum rsETH routing (a 1-of-1 DVN configuration flaw), forged inbound packets, and illicitly released 116,500 rsETH from the Ethereum-side adapter. Of these, 89,567 rsETH were deposited as collateral into multiple Aave V3 markets—including Ethereum Core and Arbitrum—enabling the borrowing of approximately 82,650 WETH (valued at ~$191 million) and 821 wstETH. Currently, only 40,373 rsETH remain in the adapter, while the total claimable rsETH on the remote chain stands at 152,577—creating a substantial shortfall. Depending on the loss allocation methodology, Aave faces two potential bad-debt scenarios:
- Scenario 1 (global pro-rata allocation): Estimated bad debt of ~$123.7 million, with Ethereum Core bearing the greatest pressure;
- Scenario 2 (loss confined to L2s): Estimated bad debt of ~$230.1 million, with Mantle facing a WETH reserve shortfall of up to 71.45% and Arbitrum facing a 26.67% shortfall.
Following the incident, Aave Protocol Guardians and Risk Administrators immediately froze rsETH/wrsETH reserves across all 11 affected markets.
Odaily News: Bitcoin Core developer Jameson Lopp stated that compared to potential future quantum computing attacks, he would prefer to "freeze" approximately 5.6 million long-dormant BTC from the network rather than letting them be acquired by attackers. These bitcoins have not moved for over 10 years and may be permanently lost, valued at around $420 billion at current prices. If future breakthroughs in quantum computing lead to the private keys of old addresses being cracked, these assets could be transferred again, potentially triggering severe market volatility or even a crisis of confidence. Although the community recently proposed BIP-361, the proposal is still in its early stages and is not a formally promoted solution, but rather more like a contingency plan for an "extreme risk." (CoinDesk)