News linked to both this project and an event.
Odaily Zcash founder Zooko Wilcox posted on X stating that a security audit conducted by Anthropic's Claude Mythos AI model did not find any "more severe vulnerabilities" in the Zcash protocol. The audit was commissioned by Shielded Labs, a Swiss non-profit organization supporting Zcash development. On June 3, Zcash developers temporarily paused Orchard transactions after discovering a vulnerability in the shielded pool, restoring functionality through an emergency upgrade the same day. The issue stemmed from a four-year-old forging vulnerability in the Orchard shielded pool, identified by security researcher Taylor Hornby with the assistance of Anthropic's Claude Opus 4.8 model. The Zcash Foundation stated there is no evidence that the vulnerability was exploited, nor was any unauthorized value creation detected, and user privacy remained unaffected.Anthropic released the first public version of the Claude Mythos model, Fable 5, on Tuesday, and stated on Friday that it has suspended access to the Fable 5 and Mythos 5 AI models due to export control directives issued by the U.S. government citing national security concerns. (Cointelegraph)
According to Cointelegraph, Zcash founder Zooko Wilcox stated that a security audit of the Zcash protocol—commissioned by Shielded Labs and conducted using Anthropic’s Mythos AI model—did not uncover any new critical vulnerabilities. Previously, security researcher Taylor Hornby discovered, using Claude Opus 4.8, a four-year-old forgery vulnerability in the Orchard shielded pool, prompting developers to urgently suspend Orchard transactions on June 3 and complete the fix the same day. The Zcash Foundation confirmed there is no evidence the vulnerability was ever exploited, and user privacy remained unaffected.
A cryptography expert advisory committee led by Coinbase released a report stating that Bitcoin should immediately begin preparing for potential quantum computing attacks. However, the committee did not take a clear stance on whether to freeze the millions of bitcoins potentially vulnerable to quantum-computing theft in the future. The committee includes several leading experts, such as Justin Drake, a researcher at the Ethereum Foundation. They argue that the current debate is not about *how* to introduce quantum-resistant signature schemes, but rather *how to handle* bitcoins held in long-dormant addresses that fail to migrate. One camp advocates setting a final deadline after which Bitcoin’s existing ECDSA and Schnorr signature schemes would no longer be supported, and unmigrated funds would be frozen—thereby preventing future quantum attackers from seizing large amounts of BTC and destabilizing markets. The other camp contends that freezing funds would effectively amount to asset confiscation, violating Bitcoin’s core principles of immutability and full user control over assets—and could set a precedent for future regulatory-driven freezes. The Coinbase advisory committee notes that these approaches are not mutually exclusive and could be combined. Yet it declines to state a position on whether “legacy BTC” should be frozen, asserting that the ultimate decision rests with Bitcoin’s community governance. It emphasizes two key points: first, technical development of quantum-resistant signature migration must begin immediately—not wait for governance debates to conclude; second, users must receive clear, timely risk communication to prevent prolonged uncertainty from harming the Bitcoin ecosystem.
The Zcash Foundation released Zebra versions 4.5.3 and 5.0.0 to address a critical soundness vulnerability in the Orchard zero-knowledge proof circuit. Version 4.5.3 temporarily disables Orchard operations via an emergency soft fork, while version 5.0.0 activates NU 6.2, re-enables Orchard using the patched circuit, and permanently closes the vulnerability.
Odaily news: The Zcash Foundation has announced the release of Zebra 4.5.1 version update to fix a consensus-critical security vulnerability and strongly recommends that all node operators upgrade immediately. The vulnerability, identified as GHSA-2prc-cj5x-4443, involves a sigops (signature operation count) counting error in P2SH transactions, which could lead to potential consensus fork risks. This fix corrects an incomplete patch in the previously released 4.5.0 version, which was just released yesterday.The Zcash development team stated that the issue stems from discrepancies in sigop counting logic between different implementations, which could cause nodes to produce different results when verifying transactions, thereby affecting consensus consistency on the chain. The fix resolves this by reverting and adjusting the Rust implementation logic to ensure alignment with the expected protocol behavior.The Zcash Foundation emphasized that there is currently no workaround for this issue, and upgrading to 4.5.1 is the only method to ensure nodes remain on the correct chain and avoid potential fork risks.
According to The Block, the Sui Foundation released an incident report on May 31, disclosing three consecutive outages on its mainnet from May 29 to 30—each traced back to two independent bugs introduced in the v1.72 upgrade. The first two outages were caused by a gas fee calculation error stemming from the newly launched “address balance” feature: funds were deducted even when transactions were canceled, resulting in negative account balances and subsequent validator node crashes. The third outage was triggered by a latent vulnerability in the random number generator during node restarts, preventing the network’s epoch from closing normally. The Sui Foundation stated that all known issues have now been resolved; user funds remained unaffected throughout the incidents, and no settled transactions were rolled back. The Foundation plans to further enhance its fault-tolerance mechanisms to ensure future similar bugs impact only individual transactions—not the entire network.
: The Zcash Foundation has released version 4.5.0 of its node client, Zebra. This update includes multiple security fixes, addressing a critical consensus vulnerability and several high-severity Denial of Service (DoS) issues. All node operators are strongly urged to upgrade immediately.Key fixes in this release include a sigop counting error in P2SH script parsing (which could cause a consensus fork with zcashd), a logic flaw in NU5 block validation caching, a crash risk related to transparent address balance overflow, along with multiple crash and resource exhaustion vulnerabilities in RPC interfaces and mempool processing. The Foundation stated that some vulnerabilities could be exploited by malicious nodes, leading to node stalls, restart loops, or even permanent stoppage.Additionally, this version adds support for ZIP-213 (enabling shielded coinbase outputs to Sapling) and optimizes network performance and security boundaries. This includes limiting resource allocation during the pre-handshake phase, fixing risks related to multi-threaded queue abuse, and enhancing the misbehavior scoring mechanism.The Zcash Foundation stated that this update addresses over 80 security reports from the ZCG Vulnerability Disclosure Program (spanning April to May 2026), covering multiple layers including consensus security, memory management, RPC processing, and the P2P network attack surface. Officials emphasized that there is no alternative to this upgrade; upgrading is the only way to ensure nodes do not experience a chain split and remain secure.
The Resolv Foundation has announced its recovery plan following the protocol security incident. USR/wstUSR tokens held and snapshot-recorded prior to the incident will be redeemed for USDC at a 1:1 ratio, while USR/wstUSR acquired after the incident will be redeemed at a 1:0.5 ratio. RLP holdings will be restored at a core redemption rate of 0.71 USDC per token, with additional RESOLV token allocations based on a reference price of $0.03. The Foundation stated that eligible users may claim their recovery funds between May 26, 2026, and August 26, 2026.
the Saturn Foundation officially posted on X, stating that it has blacklisted addresses related to the Squid hacker incident and frozen the stolen funds. Affected users can submit tickets on Saturn's official Discord server.None of Saturn's contracts or infrastructure were affected by this incident.
the Compound Foundation stated on X platform that, in coordination with the Kelp and Aave teams, and to avoid disrupting broader DeFi recovery efforts, the Comet markets for WETH and wstETH on Ethereum have resumed trading. It also noted that depending on the specific timing of Kelp's thawing of rsETH, temporary suspensions may still occur in relevant markets during the liquidation window for vulnerability-related positions. Specific arrangements have yet to be determined.
The Zcash Foundation officially announced the release of Zebra 4.4.0, which addresses multiple critical consensus-level security vulnerabilities. All node operators are strongly advised to upgrade immediately. The vulnerabilities include a denial-of-service (DoS) flaw that could permanently halt the discovery of new blocks; a signature operation (sigop) counting error in block validation that may cause consensus divergence; abnormal handling of transparent transaction signature hashes; and a memory allocation amplification attack risk. The Zcash Foundation stated that some of these vulnerabilities could cause Zebra nodes to accept blocks rejected by zcashd, potentially triggering a chain fork. Without timely upgrades, nodes risk interruption of block discovery, consensus forks, and amplified resource consumption. No alternative mitigations are currently available.
Odaily, Berachain Foundation issued a warning on the X platform, stating that the Wasabi Protocol experienced a cross-chain security incident due to a deployer's private key leak, which has impacted multiple blockchains including Berachain. To prevent the risk from spreading, Berachain has suspended and blacklisted all affected Wasabi Reward Vaults within its network, immediately halting the distribution of BGT staking rewards to the compromised contracts and blocking the flow of new BGT into the affected vaults.The official team requires all users who have previously interacted with Wasabi on Berachain to immediately revoke token approvals for the specified contracts to avoid the risk of asset theft. Berachain also emphasized that the BGT reward funds within the native Reward Vaults remain secure and users can claim them normally; this incident does not affect core ecosystem interests.
According to an official disclosure by Aftermath Finance, the protocol expects to complete full compensation to users within the next 48–72 hours. The team is currently working at full capacity to return funds and expresses its gratitude for users’ patience. Earlier reports indicated that the perpetual contract protocol Aftermath Finance was exploited via a vulnerability yesterday, resulting in losses of approximately $1.14 million. The Sui Foundation, in collaboration with Mysten Labs, stated it will actively assist Aftermath Finance in recovering user funds and is committed to ensuring the continued operation of the Aftermath protocol.
According to an official announcement by Sui, Aftermath Finance’s perpetual contract protocol deployed on the Sui network was exploited due to a vulnerability, and the affected protocol has been immediately suspended. The Sui Foundation, in collaboration with Mysten Labs, stated that it will actively assist Aftermath Finance in recovering user funds and is committed to ensuring the continued operation of the Aftermath protocol. Aftermath Finance will provide further updates on the fund recovery progress in the near future.
According to on-chain analyst Ember (@EmberCN), the rsETH incident on April 18 resulted in a funding shortfall of approximately 68,900 ETH (around $160 million): the hacker collateralized rsETH to borrow 99,600 ETH; after Arbitrum recovered 30,700 ETH, the remaining funds were fully converted by the hacker into BTC. The incident has now entered the remediation phase. Aave is coordinating the establishment of a “DeFi United” relief fund, which has so far received cumulative donations totaling 13,500 ETH (approximately $31.45 million). Donors include Lido Finance (2,500 stETH), ether.fi Foundation (5,000 ETH), Aave founder Stani Kulechov (5,000 ETH), Golem Foundation (1,000 ETH), as well as LayerZero and Ink Foundation (amounts undisclosed).
According to an official announcement by Volo, a security vulnerability occurred today on the Sui network involving Volo—a BTCFi and LST protocol—resulting in the theft of approximately $3.5 million in assets (including WBTC, XAUm, and USDC) from three specific vaults. Immediately after the incident, the team notified the Sui Foundation and ecosystem partners and froze all vaults to prevent further losses. Volo stated that the vulnerability affected only these three vaults; the remaining vaults are not exposed to the same attack vector, and the other ~$28 million in TVL remains secure. The official announcement emphasized that Volo will bear the loss entirely and will not pass it on to users. A comprehensive post-mortem report and remediation plan will be released upon completion of the investigation.
Michael Egorov (@newmichwill), founder of Curve Finance, posted that recent security incidents in the DeFi space—triggered by centralized failure points—have occurred frequently and severely damaged the industry’s reputation. Citing examples such as Aave users being unable to withdraw funds following the rsETH exploit and the LayerZero cross-chain bridge hack, he emphasized that problems must be prevented *before* they occur—not addressed only after damage is done. He called on the industry to jointly establish DeFi security standards, proposing that the Ethereum Foundation and Solana Foundation take the lead in collaborating with projects across ecosystems, auditing firms, and risk-assessment teams to develop principles and specifications for secure system design—and suggesting that lessons could be drawn from traditional finance’s approaches to safeguarding centralized nodes.
The Ethereum Foundation announced that its jointly launched ETH Rangers program has completed its six-month run. The program aims to fund independent researchers who make public security contributions to the Ethereum ecosystem. Seventeen grantees achieved multiple accomplishments in areas including vulnerability research, security tool development, threat intelligence, and incident response—such as recovering or freezing over $5.8 million in funds, reporting or documenting 785+ vulnerabilities and client issues, identifying approximately 100 attackers, delivering security education content reaching over 209,000 users, and handling 36+ security incidents. Additionally, the program engaged over 800 teams in security challenges, produced over 80 technical talks and training sessions, and developed or improved seven or more open-source security tools. The Ethereum Foundation stated that these outcomes demonstrate that decentralized networks require “decentralized defense” to effectively enhance the overall security and resilience of the Ethereum ecosystem.