According to on-chain security platform Blockaid (@blockaid_), the MILC Platform cross-chain bridge suffered a private key leak on both the BNB Chain and Ethereum networks. The attacker exploited a historical bridge administrator wallet to grant the DEFAULT_ADMIN_ROLE and MANAGER_ROLE permissions to the attacker’s address. Subsequently, assets were withdrawn from the bridge contract, and administrative control was transferred to the attacker’s wallet. Confirmed losses currently stand at approximately $97,003 USDT (on BNB Chain) and approximately 39.21 ETH (on Ethereum, transferred out via Rhino.fi), totaling roughly $161,000.
Odaily reports: In response to the "Humanity theft incident," on-chain detective ZachXBT has released a new post stating that this "incident" was very likely a staged event. He fundamentally does not believe the team's corresponding explanation, which he sees as nothing more than an excuse fabricated by those with ill intentions to escape blame. According to earlier news, ZachXBT stated that it has not been confirmed whether the Humanity theft was a security attack or a malicious sell-off by the project team. The sell-off of the H token originated from a DEX rather than a CEX.
The Zcash Foundation has released version 4.5.0 of its node client, Zebra. This update includes multiple security fixes, addressing a critical consensus vulnerability and several high-severity Denial of Service (DoS) issues. All node operators are strongly urged to upgrade immediately.

Key fixes in this release include a sigop counting error in P2SH script parsing (which could cause a consensus fork with zcashd), a logic flaw in NU5 block validation caching, a crash risk related to transparent address balance overflow, along with multiple crash and resource exhaustion vulnerabilities in RPC interfaces and mempool processing. The Foundation stated that some vulnerabilities could be exploited by malicious nodes, leading to node stalls, restart loops, or even permanent stoppage.

Additionally, this version adds support for ZIP-213 (enabling shielded coinbase outputs to Sapling) and optimizes network performance and security boundaries. This includes limiting resource allocation during the pre-handshake phase, fixing risks related to multi-threaded queue abuse, and enhancing the misbehavior scoring mechanism.

The Zcash Foundation stated that this update addresses over 80 security reports from the ZCG Vulnerability Disclosure Program (spanning April to May 2026), covering multiple layers including consensus security, memory management, RPC processing, and the P2P network attack surface. Officials emphasized that there is no alternative to this upgrade; upgrading is the only way to ensure nodes do not experience a chain split and remain secure.
SUPERFORTUNE AI released a 24-hour investigation update stating that the May 27 GUA security incident was not, as previously suspected, address poisoning—but rather resulted from the leakage of private keys belonging to multi-signature signers. The attacker then forged valid signatures pointing to a malicious address and exploited the “premium address” feature—where the malicious address shared the same first four and last four characters as the legitimate address—to mislead the remaining signers into completing the signing process via the Safe interface.
Polymarket staff member Shantikiran Chanal posted on platform X, stating that they have taken note of the security reports related to reward distribution, and that user funds and market settlements remain safe. The investigation indicates that a private key leak occurred in a wallet used for internal operations, and the issue is not related to contracts or core infrastructure. Further updates will be provided.

Previous report: ZachXBT stated that the Polymarket UMA CTF Adapter contract allegedly came under attack on Polygon, with over $520,000 having been drained.
Odaily reports: Kelp announced on X platform that it has coordinated with multiple DeFi protocols to complete the liquidation of the attacker's positions, achieving key progress in the rsETH recovery process. Among them: Compound participated in coordination multiple times over the past four weeks, providing approximately 3,000 ETH in support, and jointly completed the liquidation with Aave, recovering a total of approximately 17,426.20 rsETH; Euler Finance liquidated the attacker's positions within its protocol and plans to return the excess ETH to the DeFi ecosystem fund.
Vitalik published an article titled “A Shallow Dive into Formal Verification,” introducing recent progress in applying formal verification to Ethereum’s cutting-edge research and development. The article states that developers can write code in Lean, EVM bytecode, or assembly language and verify its correctness via mathematically rigorous proofs that can be automatically checked—thereby improving both code efficiency and security. He notes that formal verification is especially suitable for complex yet well-defined-security systems such as STARKs, Byzantine Fault Tolerant (BFT) consensus, ZK-EVMs, and post-quantum signatures, and mentions related projects including Arklib, VCV-io, and evm-asm. The article also emphasizes that formal verification is not a panacea: it remains subject to limitations such as incorrect specification definitions, unverified code paths, hardware-level constraints, and side-channel attacks.
Privacy project Monero has released the graphical wallet software GUI version 0.18.5.0 "Fluorine Fermi". This update is a recommended upgrade version, primarily including numerous bug fixes and feature optimizations. Key highlights of this release include:

- Migration of the P2Pool installation path to LocalAppData on Windows systems
- Fix for an edge case in URI parsing
- Prohibition of creating offline transactions in scenarios involving long payment IDs
- Escaping untrusted text during QR code scanning to enhance security
- Upgrade of P2Pool to v4.15
- Numerous detail bug fixes and stability improvements

Monero officials stated that this version has been open-sourced on GitHub. Users can download and upgrade through official channels to obtain the latest security fixes and stability improvements.
Odaily News: On the 10th local time, sources indicated the key points of Iran's response to the U.S., which include a demand for the U.S. Treasury Department's Office of Foreign Assets Control to lift sanctions related to Iran's oil sales within 30 days.

The sources stated that the U.S. disclosure of Iran's response was inaccurate in some important aspects, particularly regarding nuclear issues. Iran's response emphasized the need to reach an agreement through political understanding, immediately end the war, ensure no further attacks against Iran, and that the U.S. must lift sanctions. Additionally, Iran's response also addressed changes in its control over the Strait of Hormuz if the U.S. fulfills certain commitments.

The sources said that Iran stressed that after signing a preliminary understanding agreement, the U.S. must immediately lift the naval blockade on Iran and remove sanctions on Iran's oil sales within 30 days. Iran's response also included the U.S. unfreezing Iranian assets based on a preliminary understanding between the two sides, and the U.S. implementing certain measures within 30 days. (CCTV News)
According to the Wall Street Journal, algorithm development company MicroAlgo Inc. has announced the launch of a quantum technology–based blockchain architecture that enhances transaction security and transparency by integrating cyclic Quantum Secure Channels (QSC) with Quantum Key Distribution (QKD). The architecture features a four-layer design: a quantum communication layer, a blockchain core layer, a smart contract layer, and an application layer. QKD enables highly secure key generation and distribution, while quantum encryption safeguards transaction data against theft and tampering—and remains resistant to attacks from quantum computers.
Syndicate Labs disclosed a security incident: an attacker compromised the system through a private key leak and maliciously upgraded the cross-chain bridge contracts on two chains, leading to the transfer of approximately 18.5 million SYND and about $50,000 in user assets. The attack originated from a compromised development endpoint. The attacker exploited production environment permissions to upgrade the bridge contracts to a malicious version, but other chains were unaffected. The losses include:

- Commons Bridge: Approximately 18.5 million SYND were transferred and sold, worth roughly $330,000.
- Another Appchain: Approximately $50,000 in user assets were transferred.

Syndicate Labs stated that affected SYND holders will receive full compensation, along with additional excess compensation, leaving their overall holdings higher than before the incident. Affected users on the Appchain will also be fully reimbursed for their losses.
Odaily reports: Berachain Foundation issued a warning on the X platform, stating that the Wasabi Protocol experienced a cross-chain security incident due to a deployer's private key leak, which has impacted multiple blockchains including Berachain. To prevent the risk from spreading, Berachain has suspended and blacklisted all affected Wasabi Reward Vaults within its network, immediately halting the distribution of BGT staking rewards to the compromised contracts and blocking the flow of new BGT into the affected vaults.

The official team requires all users who have previously interacted with Wasabi on Berachain to immediately revoke token approvals for the specified contracts to avoid the risk of asset theft. Berachain also emphasized that the BGT reward funds within the native Reward Vaults remain secure and users can claim them normally; this incident does not affect core ecosystem interests.
QCP Group’s analysis states that U.S.-Iran negotiations have once again collapsed, while the Middle East ceasefire continues, leaving the overall geopolitical landscape relatively static. A shooting incident occurred at the White House Correspondents’ Dinner, with Trump suspected as the target. Following Asia’s market open, BTC briefly surged past $79,000 and ETH above $2,400, but gains quickly reversed amid concerns triggered by news of Iran’s Foreign Minister traveling to Russia for talks with Putin. Since early April, BTC has rallied over 14% cumulatively, marking four consecutive weeks of positive closes. Spot ETFs recorded nine straight days of net inflows totaling approximately $2.11 billion. Strategy funds added over $3.8 billion worth of BTC in the past month. The current key resistance level for BTC lies near the CME gap around $82,000. BTC perpetual contract funding rates remain persistently negative; a breakout above this level could trigger short-covering. Implied volatility continues declining, and risk-reversal skew has narrowed somewhat, signaling gradually rising market interest in upside exposure.

Key events this week:

- April 29: Earnings reports from Microsoft, Amazon, Meta, and Google, plus the FOMC interest-rate decision.
- April 30: Apple earnings report, U.S. Q1 GDP data, and March PCE inflation data.
SlowMist CISO 23pds (@im23pds) disclosed that the Bitwarden CLI version 2026.4.0 was subjected to a Checkmarx supply-chain attack between 17:57 and 19:30 ET on April 22. During this window, attackers abused a GitHub Action within Bitwarden’s CI/CD pipeline to briefly distribute a malicious package via npm. The official statement confirmed that Vault data was not compromised and production systems remained unaffected; only users who installed this specific version via npm during the aforementioned time window were impacted. Affected users are advised to immediately uninstall version 2026.4.0, clear their npm cache, rotate sensitive credentials—including API tokens and SSH keys—investigate anomalous activity in GitHub and CI environments, and upgrade to the patched version 2026.4.1.
Vercel has released an analysis of a security incident, stating that certain internal systems were accessed without authorization. The breach originated from a third-party AI tool, Context.ai, used by an employee, which was compromised. Attackers leveraged this to take over the employee’s Google Workspace account and access some environment configuration data. Preliminary impact assessment indicates that a small number of customers’ environment variables—unmarked as “sensitive” (e.g., API keys, tokens)—may have been exposed. Affected users have been notified and advised to immediately rotate their credentials. At present, there is no evidence that data explicitly marked as “sensitive” or the supply chain (e.g., npm packages) has been tampered with. Vercel notes that the attackers demonstrated a high level of technical sophistication. The company is collaborating with Mandiant and multiple security organizations to investigate the incident and has filed a report with law enforcement. Vercel also confirms that its platform services remain fully operational. Users are advised to enable multi-factor authentication, comprehensively rotate potentially exposed environment variables, and review account activity logs and deployment records to mitigate further risk.
According to an official announcement, in response to the recent Vercel platform security incident, Jupiter (@JupiterExchange) stated that it has received no notifications or indications of impact, and its jup.ag frontend does not store any sensitive information. Jupiter has proactively implemented all security measures recommended by Vercel, completed rotation of all keys, and conducted a comprehensive review of system logs—no suspicious activity was found. Monitoring remains ongoing.
23pds, Chief Information Security Officer of SlowMist Technology, retweeted: “The unauthorized access to Vercel’s internal systems appears linked to an internal data leak.” The related tweet states that someone claiming to be “ShinyHunters” on BreachForums is offering for sale—reportedly for $2 million—a purported Vercel internal database, access keys, source code, employee accounts, API keys, NPM tokens, and GitHub tokens. The data allegedly pertains to Vercel’s internal Linear system and internal user management system. Earlier reports indicated that Vercel, a cloud hosting platform, disclosed unauthorized access to its internal systems, affecting a small number of customers.