News linked to both this project and an event.
Humanity released a post-mortem report on the H token security incident that occurred between June 8 and 9, stating that the incident was not caused by a smart contract vulnerability, but rather by a malware intrusion into a developer's device, which led to the leakage of private keys. Humanity stated that the attacker still holds the ProxyAdmin permissions for the ETH bridge and the BNB Chain token. Preliminary investigations confirmed that a colleague's device was infected with malware, which the attacker used to obtain the hot wallet private key of the administrator and the private keys for signing on 6 Gnosis Safe wallets. The team has hired an external security agency to conduct a forensic investigation and stated that they are formulating a recovery plan for affected users.
Humanity released an incident update stating that its H token was subject to a coordinated attack on Ethereum and BSC on the evening of June 8, resulting in approximately $36 million worth of tokens stolen and dumped across both chains. The project disclosed that the attack originated from a compromised employee laptop, which led to the leakage of multiple owner keys for the Gnosis Safe controlling the Hyperlane bridge ProxyAdmin. On Ethereum, the attacker seized ownership of the ProxyAdmin and upgraded the contract to a malicious implementation, transferring approximately 141.2 million H tokens in a single transaction. On BSC, after similarly gaining control of the ProxyAdmin, the attacker deployed a malicious implementation with infinite minting capabilities, minting 200 million H tokens in two transactions and continuously dumping them. Humanity has suspended deposits and withdrawals on the affected cross-chain bridge and is cooperating with exchanges and law enforcement to investigate the incident and seek partial recovery of the stolen funds.
Humility Protocol released a security incident update on the X platform, stating that its H token suffered a coordinated attack on the Ethereum and BSC chains yesterday, with confirmed losses exceeding $36 million in stolen and dumped assets.Preliminary investigations indicate the incident originated from a compromised employee computer, which led to the leakage of private keys for the multi-signature wallet controlling the Hyperlane Bridge ProxyAdmin. Specifically, the attacker obtained 3 out of 6 private keys of the Gnosis Safe wallet on the Ethereum chain, transferred ownership of the ProxyAdmin to a wallet under their control, upgraded the bridge contract to a malicious implementation, and subsequently transferred approximately 141.2 million H tokens in a single transaction.Simultaneously, the attacker also gained control of 3 out of 5 private keys of the Safe wallet on the BSC chain, took over the ProxyAdmin using the same method, deployed a malicious contract with unlimited minting functionality, and minted 200 million H tokens in two separate transactions to their own wallet.Humility stated that it has suspended all deposit and withdrawal operations on the affected bridge services and is collaborating with partners such as exchanges to mitigate losses. Meanwhile, it is cooperating with the police investigation and attempting to recover part of the stolen funds.
Ledger's Donjon security research team successfully bypassed the firmware verification system of the TROPIC01 chip inside the Trezor Safe 7 using laser attacks in a laboratory setting. Chip manufacturer Tropic Square subsequently discovered another attack path affecting the chip's MAC-and-Destroy security mechanism. This vulnerability currently impacts all TROPIC01 chips in production within the field. Trezor stated that the TROPIC01 chip is one of three independent security layers within the Trezor Safe 7, and user funds, wallet backups, and private keys are not stored on it.The chip's hardware encryption storage mechanism completely withstood Ledger's extraction attempts during initial testing. Tropic Square has delayed the release of technical details regarding the vulnerability until the launch of a reinforced silicon version of the TROPIC01 chip later in 2026, with full details expected to be disclosed in the spring of 2027.A firmware mitigation is currently available by disabling the chip's MAINTENANCE mode. Trezor CEO Matej Zak stated that PINs, wallet backups, and user fund keys have never been stored on a single chip. (The Block)
SUPERFORTUNE AI released a 24-hour investigation update stating that the May 27 GUA security incident was not, as previously suspected, address poisoning—but rather resulted from the leakage of private keys belonging to multi-signature signers. The attacker then forged valid signatures pointing to a malicious address and exploited the “premium address” feature—where the malicious address shared the same first four and last four characters as the legitimate address—to mislead the remaining signers into completing the signing process via the Safe interface.
Odaily news Squid posted on X platform, stating that this incident is unrelated to the Squid core protocol and contracts. All Squid users and integrators are unaffected and no action is required.Today, a third-party Gnosis Safe module on the Base and Ethereum networks was attacked, resulting in a loss of approximately $3.2 million. The vulnerable contract is verified on Basescan under the name "SquidRouterModule," but this contract was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate with Squid and other protocols, and has no connection with Squid.The attack principle is that this third-party module accepts a constant string provided by the caller as a message security proof. This string is publicly visible in the verified contract code. By inputting this string, the attacker could execute arbitrary calldata arrays and freely steal funds. The victim's Safe wallet had added this problematic contract as a trusted Safe Module, allowing the contract to control any tokens within the Safe without requiring a signature. Squid's own router contract (0xce16...D666) has a different architecture and was unaffected. Squid users' funds, authorizations, and integrations are completely safe.Early public reports may have mentioned "SquidRouter" due to the contract verification name on Basescan. The accurate description should be: a third-party SquidRouterModule was attacked, not Squid's Router contract. This contract shares the name with Squid, but it is not Squid's code. Squid is continuously monitoring the situation and will provide updates if there are any significant changes.
Odaily Planet Daily reported that Iran has launched a state-backed digital marine insurance platform, Hormuz Safe, which provides maritime insurance for vessels transiting the Persian Gulf and the Strait of Hormuz, settled in Bitcoin and other cryptocurrencies. The Iranian government believes that if the platform captures a significant share of the Persian Gulf shipping insurance market, it could generate over $10 billion in revenue. Hormuz Safe aims to bypass the SWIFT network and Western intermediaries, reducing reliance on traditional financial infrastructure. The platform faces challenges related to international recognition, and ship owners, trading companies, or port authorities interacting with it may risk triggering secondary sanctions. (Cryptobriefing)
According to an official announcement, Consensys submitted a comment letter to the U.S. Securities and Exchange Commission (SEC) on May 11, stating that the SEC’s latest interpretive framework for digital assets may leave regulatory gaps, creating compliance uncertainty for self-custodial wallet providers such as MetaMask. Consensys requested that the SEC clarify—through a targeted safe harbor or other exemption—that self-custodial, user-directed interfaces need not register as broker-dealers solely because they facilitate transactions involving non-security digital assets that may be associated with investment contracts. Consensys stated that this measure aims to ensure U.S. users can continue using open, neutral peer-to-peer blockchain tools.
According to Reuters, Greek maritime risk management company MARISKS has warned that some shipping companies stranded west of the Strait of Hormuz have received fraudulent messages impersonating Iranian authorities, demanding payment of a “transit permit fee” in Bitcoin or Tether (USDT). These messages are scams and not issued by official Iranian authorities. MARISKS stated that the scam messages claim documents must first be submitted and assessed by the “Iranian Security Department” before the cryptocurrency fee is determined. Currently, approximately hundreds of vessels and around 20,000 seafarers are stranded in the Gulf. During Iran’s brief opening of the Strait on April 18, at least two vessels—including one oil tanker—were forced to turn back after Iranian vessels opened fire on them.
According to The Block, Avihu Levy, a researcher at StarkWare, published a paper proposing the Quantum Safe Bitcoin (QSB) scheme, claiming it enables quantum-resistant transactions under Bitcoin’s existing script rules—without requiring a soft fork. This scheme replaces elliptic-curve cryptography with the RIPEMD-160 hash function via a “hash-to-signature” puzzle, thereby enhancing resilience against quantum attacks. The paper notes that QSB’s current per-transaction cost ranges from $75 to $150—significantly higher than today’s average transaction fee—and involves complex user experience; thus, it is recommended only as a “last resort.” The scheme remains constrained by script opcodes and size limits, and does not yet support all use cases—such as the Lightning Network. Compared to BIP-360—which requires protocol-level changes—QSB needs no modifications to the Bitcoin protocol, but remains experimental.