News linked to both this project and an event.
According to The Block, security researcher Florent successfully unlocked approximately 1,003 ETH (valued at roughly $2 million) that had been locked for nearly a decade in the 2016 HongCoin ICO smart contract, by exploiting a vulnerability as a white hat. The contract’s refund function had remained nonfunctional for years due to the absence of overflow protection in the legacy Solidity version used. Florent collaborated with the HongCoin team to reset token balances via an admin function, completing the process in about one week. Currently, 48 original investors are eligible to claim the unfrozen funds; two have already claimed a total of 96.5 ETH and voluntarily paid Florent a white-hat reward. Florent stated that this unlock was purely a technical exploration and that he charged no fees or commissions.
Aave has published a post-mortem of the April 18 rsETH incident, stating that the rsETH LayerZero V2 cross-chain bridge of liquid staking protocol Kelp accepted a forged message during a cross-chain transfer from Unichain to Ethereum. This caused the adapter on the Ethereum side to release 116,500 rsETH without a corresponding burn on the Unichain side. Aave stated that the attack occurred on a third-party cross-chain bridge infrastructure. However, the attacker deposited the stolen rsETH into 8 Aave V3 positions, borrowing 82,650 WETH and 821 wstETH, which impacted the Aave market. Aave stated that the attacker's rsETH on Arbitrum has now been burned. The LayerZero OFT adapter has replenished 116,131.72 rsETH in 5 batches, and the asset backing for rsETH has been fully restored. The affected WETH and rsETH markets have returned to normal.
Blockaid disclosed on X that the Alephium TokenBridge Ethereum cross-chain bridge was attacked. The attacker compromised three out of four Guardian private keys, forged a Verified Action Approval (VAA) message, and executed the attack within approximately seven minutes, stealing roughly $815,000 worth of assets. During the attack, the attacker minted 13.76 million Wrapped ALPH tokens out of thin air—exceeding the pre-attack circulating supply by over 100%—and simultaneously unlocked and withdrew assets including USDT, USDC, WBTC, and WETH from the custody pool. As of now, the attacker’s address still holds approximately $815,000 in stolen assets and 13.76 million uncollateralized Wrapped ALPH tokens; the largest anomalous transaction involved the out-of-thin-air minting of 13.76 million Wrapped ALPH tokens.
SUPERFORTUNE AI released a 24-hour investigation update stating that the May 27 GUA security incident was not, as previously suspected, address poisoning—but rather resulted from the leakage of private keys belonging to multi-signature signers. The attacker then forged valid signatures pointing to a malicious address and exploited the “premium address” feature—where the malicious address shared the same first four and last four characters as the legitimate address—to mislead the remaining signers into completing the signing process via the Safe interface.
According to on-chain analyst PeckShield (@PeckShieldAlert), StakeDAO (@StakeDAOHQ) on the Arbitrum network was exploited via an infinite minting vulnerability. The attacker minted a total of 5.4 trillion vsdCRV tokens, then swapped a portion of them for 43.781 ETH (approximately $91,200) and bridged the funds cross-chain to the Ethereum address 0xeF3C...aa25.
StakeDAO deployer's private key leaked on Arbitrum, attacker mints approximately 5.45 trillion vsdCRV and exchanges for ETH.
According to Cointelegraph, phishing ads impersonating the decentralized exchange protocol Uniswap have appeared in Google search results, enabling attackers to steal at least $400,000. On-chain analyst b-block stated that the associated counterfeit websites are draining funds from multiple wallets; the implicated addresses currently hold a combined total of 146 ETH—worth approximately $306,000 at press time. Security Alliance (SEAL) noted that such fraudulent Google ads are a common source of phishing attacks, with attackers either purchasing ad placements or compromising legitimate advertising accounts to impersonate popular crypto protocols in sponsored search results. SEAL also reported that between March 13 and March 30, these attacks resulted in total losses amounting to $1.27 million.
Cosine, founder of SlowMist, posted an analysis of the Squid security incident on X. He stated that sampling revealed all affected Safe wallets were single-signature, with different owners—but the issue was not related to private keys. Rather, the vulnerability lay in the module shown in the image (SquidRouterModule) used by these Safe addresses. Attackers could forge messages and easily bypass relevant validations to initiate subsequent swap operations, thereby draining funds from the targeted Safe wallets. Additionally, Cosine disclosed the attacker’s profit accumulation address. Earlier reports indicated that a third-party Gnosis Safe module was exploited on Base and Ethereum, causing approximately $3.2 million in losses. The victims were 86 Gnosis Safe wallets that had added this contract as a trusted Safe Module. The contract is named “SquidRouterModule” on Basescan. Subsequently, Squid clarified that it was not impacted by the Gnosis Safe-related vulnerability incident.
Odaily News: Squid posted on X, stating that this incident is unrelated to the Squid core protocol and contracts. All Squid users and integrators are unaffected and no action is required. Today, a third-party Gnosis Safe module on the Base and Ethereum networks was attacked, resulting in a loss of approximately $3.2 million. The vulnerable contract is verified on Basescan under the name "SquidRouterModule," but this contract was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate with Squid and other protocols, and has no connection with Squid. The attack principle is that this third-party module accepts a constant string provided by the caller as a message security proof. This string is publicly visible in the verified contract code. By inputting this string, the attacker could execute arbitrary calldata arrays and freely steal funds. The victim's Safe wallet had added this problematic contract as a trusted Safe Module, allowing the contract to control any tokens within the Safe without requiring a signature. Squid's own router contract (0xce16...D666) has a different architecture and was unaffected. Squid users' funds, authorizations, and integrations are completely safe. Early public reports may have mentioned "SquidRouter" due to the contract verification name on Basescan. The accurate description should be: a third-party SquidRouterModule was attacked, not Squid's Router contract. This contract shares the name with Squid, but it is not Squid's code. Squid is continuously monitoring the situation and will provide updates if there are any significant changes.
According to Blockaid's monitoring, an ongoing attack was detected targeting the SquidRouter module on the Ethereum and Base chains. Within approximately 2 hours, 86 Gnosis Safe wallets were drained of about $3 million in assets. All stolen tokens were swapped for DAI via a Uniswap V3 pool controlled by the attacker.
According to PeckShield’s monitoring, the WUSD/GLOVE pool on Ethereum was attacked, resulting in losses of approximately $207,000. The attacker has swapped the stolen assets for roughly 98 ETH and deposited them into Railgun.
Multiple blockchain and post-quantum cryptography researchers have warned that artificial intelligence (AI) is accelerating the development of quantum computing and could potentially impact the security systems of mainstream blockchains, including Bitcoin and Ethereum, earlier than anticipated. Alex Pruden, CEO of Project Eleven, a firm focused on quantum-resistant infrastructure, stated that the combination of AI and quantum computing is fundamentally reshaping the future security landscape. "People will no longer be able to rely on existing security assumptions as they have in the past," he said. Researchers point out that AI is already being used to optimize quantum error correction, which is one of the key technical bottlenecks in the development of quantum computing. Illia Polosukhin also noted that AI has been accelerating scientific breakthroughs for years, and in the future, there may even be a circular acceleration effect where "AI helps build the next generation of quantum computers." One of the industry's biggest current concerns is the "Harvest Now, Decrypt Later" strategy, where governments or advanced attackers begin mass-collecting encrypted data now, waiting to decrypt it all at once when quantum computing matures. Polosukhin warned that if quantum computers become viable within a few years, "most of today's important data on the internet could be decrypted in the future." Given that most blockchain networks and internet infrastructure currently rely on elliptic curve cryptography (ECC), a sufficiently powerful quantum computer could theoretically derive a private key from a public key, directly breaking wallets and on-chain systems. Simultaneously, AI itself is strengthening hacking capabilities.
Pruden stated that AI models are becoming increasingly adept at discovering software vulnerabilities and cryptography implementation flaws, and may even be able to crack some encryption algorithms directly in the future. However, AI is also being used by developers for code auditing, formal verification, and testing post-quantum security systems, creating a "long-term security arms race" with simultaneous upgrades on both the offensive and defensive sides. Researchers believe the most significant change brought by AI and quantum computing together is that the core assumption of "long-term cryptographic reliability" in the digital age is being challenged. Future security systems may shift from "static upgrades" to continuous dynamic evolution. (CoinDesk)
Stablecoin issuer StablR suffered a sustained attack, causing its euro stablecoin EURR and dollar stablecoin USDR to depeg. Blockchain security firm Blockaid stated that the attacker allegedly gained control by obtaining the private key of one of the owners of the minting multi-signature account. Exploiting the 1/3 signature threshold mechanism, the attacker replaced other administrators and minted an additional 8.35 million USDR and 4.5 million EURR. Subsequently, the attacker swapped tokens worth approximately $10.4 million for about 1,115 ETH on a DEX, yielding an actual profit of around $2.8 million. Following the incident, EURR fell to around $0.88, while USDR dropped to approximately $0.7. Blockaid noted that the incident was not caused by a smart contract vulnerability but rather by a failure in key management and governance mechanisms. (Cointelegraph)
According to on-chain analyst PeckShield (@PeckShieldAlert), the VerusCoin cross-chain bridge attacker has returned 4,052.4 ETH (approximately $8.5 million) to the project team’s address (0xF9AB...C1A74), representing 75% of the total stolen amount. The remaining 25% (1,350 ETH, approximately $2.8 million) is retained in the attacker’s wallet as a white-hat bounty.
According to monitoring by Specter Analyst, a high-net-worth investor holding significant assets on Kraken and Coinbase exchanges fell victim to an alleged personal intimidation attack, resulting in total losses of approximately $6.7 million across various assets. The attacker withdrew 1,554 ETH (approximately $3.3 million) and 10.5 BTC from the user's Kraken account. Simultaneously, the attacker also breached the user's Coinbase defenses, withdrawing 34.1 cbBTC. Subsequently, the attacker directly deposited over $5.3 million of the stolen funds into the privacy protocol Tornado Cash to obfuscate the transaction trail. (financefeeds)
Syndicate Labs stated that after five years of developing on-chain infrastructure for customizable Ethereum Rollups and sequencers, the company has decided to shut down due to a drastic contraction in the Rollup market. Syndicate Labs previously completed a $20 million Series A funding round led by Andreessen Horowitz in 2021. This decision caused the SYND token price to drop 21% in the past three hours, hitting an all-time low of $0.012, a 99.5% decline from its peak of $2.61 in September 2025. Additionally, Syndicate Labs stated that the Syndicate Network Collective operates independently of Syndicate Labs, so the governance of the SYND token will not be immediately affected. The decision to shut down was not influenced by the previous hacking incident involving bridged assets.
According to CertiK monitoring, the attacker of cross-chain aggregation protocol Transit Finance has deposited 832.9 ETH into Tornado Cash, valued at approximately $1.8 million.
Odaily: Kelp announced on X that it has coordinated with multiple DeFi protocols to complete the liquidation of the attacker's positions, achieving key progress in the rsETH recovery process. Among them: Compound participated in coordination multiple times over the past four weeks, providing approximately 3,000 ETH in support, and jointly completed the liquidation with Aave, recovering a total of approximately 17,426.20 rsETH; Euler Finance liquidated the attacker's positions within its protocol and plans to return the excess ETH to the DeFi ecosystem fund.
According to CoinDesk, the total value locked (TVL) in ETH lending protocols has declined from a year-to-date high of $32 billion to $23 billion—a drop of approximately 28%. The oracle vulnerability incident involving KelpDAO triggered a market confidence crisis, and combined with overall bearish market sentiment, led to roughly $9 billion in outflows from the DeFi lending sector.
According to on-chain analyst PeckShield (@PeckShieldAlert), Echo Protocol was hacked on Monad. The attacker minted 1,000 $eBTC out of thin air (valued at approximately $76.7 million), then deposited 45 $eBTC (approximately $3.45 million) into Curvance and used it as collateral to borrow roughly 11.29 $WBTC (approximately $867,700). The attacker subsequently bridged the $WBTC cross-chain to Ethereum, swapped it for $ETH, and laundered 384 ETH (approximately $821,700) via Tornado Cash.