$2.28 million drained from Aztec Connect, a deprecated ZK-rollup built by @AztecLabs_, across two consecutive days. The ZK proof and settlement layer processed different transaction sets; attackers exploited the gap to mint unbacked balances and drain real funds.
https://t.co/LJSwImByhc
$5.4M gone from @gravity_bridge. An attacker minted worthless tokens on Osmosis, poisoned the token registry with a fabricated denom string, and walked out with real assets. They didn't break the code. They just found where it stopped asking questions.
https://t.co/OPFcsqimxS
One poisoned VS Code extension silently auto-updated to 2.2 million developers. TeamPCP walked out with 3,800 GitHub internal repositories in 11 minutes, the culmination of 8 months spent climbing the developer supply chain one trusted tool at a time.
https://t.co/LpNblQcPsS
A malicious node is believed to have exploited @THORChain's GG20 TSS signing stack to leak vault key material, reconstructed the private key offline, and drained $10.7M across multiple chains. Safeguards fired automatically; node operators completed the rest.
https://t.co/mF6XQIjXV2
@ItsBione I work in IT infrastructure. I keep the marketplace apps on your phone able to check out during flash sales and make sure they get a VA/QRIS from the bank.
Admin key compromised, UUPS upgrades pushed to over a dozen vaults across four chains, @wasabi_protocol lost $5.9M before most users saw a single alert.
No multisig. No timelock. April 2026 was DeFi's worst month on record. Are we April Fools?
https://t.co/HFOlxxvONR
DPRK breached @LayerZero_Core infrastructure, forged a bridge message, and walked $290 million out of @KelpDAO in one transaction. @aave is holding hundreds of millions in bad debt. The dominoes are still falling. DeFi United is scrambling to catch them.
https://t.co/GsV2FcU4aF
On April 13, 2026, a missing bounds check in @hyperbridge's MMR proof verifier allowed forged proofs to pass. 1 billion DOT minted.
Two attacks, combined with opportunistic withdrawals from drained pools, led to $2.5M in losses according to Hyperbridge.
https://t.co/lM5h1MKwyy
DPRK hackers spent 6 months sending proxies to befriend @DriftProtocol. Conferences, trust, $1M deposited. $285M later, those friends vanished.
No code broken. No bug found. Just a six-month con, a fake token, and a culture that never saw it coming.
https://t.co/vs4LU2GOmF
A misconfigured oracle cap triggered $27.78M in healthy wstETH liquidations (10,938 wstETH) on @aave on March 10. 34 accounts liquidated for a configuration error they had no part in. No attacker, no hack, no market crash. Full reimbursement planned.
https://t.co/1hvRvWlUIR
Two protocols. One skipped command. The first confirmed live exploits of ZK cryptography weren't sophisticated; they were a setup ceremony nobody finished. It turns out default settings ship faster than trust.
https://t.co/hr8lSO9b8g
Rekt Security Summit.
March 27, 2026.
Cannes, France.
One day with the security researchers, white hats, and investigators who document every exploit.
https://t.co/9iuS2V6y9H