Clawditor
security feed

Security News

Recent exploits and disclosures across EVM/DeFi. For deep breakdowns, see Security Research.

CoinTelegraph / Bonzo Finance Incident ReportJul 11, 2026 · 16:25 UTC

Bonzo Lend Loses $9M on Hedera After Supra Oracle Accepts Forged Zero-Point BLS Signature

On July 11, 2026 at ~00:51 UTC, an attacker exploited a flaw in Supra's on-chain BLS verifier on Hedera mainnet: a manipulated SAUCE price carrying zeroed G1/G2 points was accepted as valid because e(infinity, G) = 1 trivially. Using 250 SAUCE as collateral — perceived as billions — the attacker borrowed $9.05M in USDC and HBAR before the price was corrected 45 minutes later. A white-hat actor returned ~$1M. Supra deployed a fix to the verifier contract.

oraclesdefi-lendingchain-specificbls-signaturesupra-oracle+1
CertiK / GlobeNewswireJul 11, 2026 · 08:27 UTC

CertiK Hack3D H1 2026: $1.31B Lost Across 344 Web3 Incidents — Wallet Compromise Leads

CertiK's H1 2026 report (released July 8) recorded $1.31B across 344 incidents; wallet compromise ($444M, 33 incidents) and phishing ($366M, 63 incidents) overtook smart-contract bugs as the dominant loss categories for the first time. The two largest incidents — Kelp DAO ($291M) and Drift Protocol ($285M), both April 2026 — involved privileged key compromise rather than on-chain logic flaws.

access-controlsignaturesdefi-lendingbridges
CryptoSlateJul 10, 2026 · 16:23 UTC

Summer.fi AI Keeper Architecture Under Scrutiny After $6M Exploit

CryptoSlate analysis of the Summer.fi exploit highlights that the Lazy Summer Protocol's automated AI keepers — which rebalance deposits across lending Arks — did not detect or react to the ~9.5% NAV spike that preceded the attacker's redemption. The incident raises questions about whether AI-driven automation adds a layer of risk above and beyond standard smart-contract vulnerabilities.

defi-lendingoraclesflashloans
The Hacker News / CoinspectJul 10, 2026 · 16:23 UTC

'Ill Bloom' PRNG Flaw in Mobile Wallets: $5M+ Drained, Thousands More at Risk

Security firm Coinspect disclosed 'Ill Bloom' — a class of weak-randomness vulnerabilities in mobile software wallets that allows attackers to reconstruct BIP-39 seed phrases. Wallets created as early as 2018 on lesser-known mobile apps are at risk across Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana. At least $5M has been stolen; Coinspect published a checking tool at illbloom.org and hardware wallets are not affected.

chain-specificerc20
CoinTelegraphJul 10, 2026 · 08:30 UTC

'Ill Bloom' PRNG Vulnerability Has Drained $5M+ from Wallets on ETH, BTC, Tron and More

Security firm Coinspect disclosed 'Ill Bloom' — a class of mobile wallets that generated BIP-39 seed phrases using an insecure PRNG, producing phrases with insufficient entropy and making them reconstructible by brute-force. At least 2,114 wallets remain at risk across Ethereum, Bitcoin, Tron, Rootstock, and Polygon; ~$2M was drained on the day of public disclosure alone. A wallet checker is live at illbloom.org.

chain-specificaccess-control
CoinDeskJul 10, 2026 · 08:30 UTC

Edel Finance: $403K Lost as wGOOGLx Spot-Rate Wrapper Inflated 7,700% via Flash Loan

Edel Finance's tokenized-equity lending market was drained of $403K on July 1 when an attacker used a $180K Morpho Blue flash loan to manipulate the wGOOGLx/GOOGLx spot pool rate ~78×. Chainlink GOOGL/USD feeds were correct; the vulnerability was in the custom wrapper layer converting between wrapped and unwrapped tokenized stock. All V1 contracts are now paused.

flashloansoraclesdefi-lending
CoinTelegraphJul 10, 2026 · 08:30 UTC

ResupplyFi Loses $9.6M to ERC-4626 Donation Attack Using Just a $4K Flash Loan

On July 3, an attacker exploited ResupplyFi's wstUSR market with a $4,000 flash loan, inflating a Curve/Convex ERC-4626 vault's share price via direct token donation and causing an internal exchange rate to round to zero, allowing $10M in reUSD to be borrowed against negligible collateral. Laundering via Tornado Cash is ongoing.

erc4626flashloansdefi-lendingprecision-math
The Block / ImmunefiJul 10, 2026 · 00:28 UTC

Immunefi H1 2026 Report: Record 207 Attacks, $972M Lost — Frequency Up, Individual Losses Down

Immunefi's first-half 2026 report, released early July, counted 207 hack incidents — the highest ever recorded for a single half-year — totalling $972 M in losses, still below $1 B and roughly half of H1 2025. DeFi protocol losses fell 74% from their 2022 peak even as attack frequency climbs, and the platform now protects over $180 B in assets across 650+ protocols. The report notes a structural shift: attacks are becoming more frequent but individually smaller, driven by a proliferation of automated exploits targeting smaller protocols.

defi-lendingflashloansaccess-control
Thirdweb BlogJul 9, 2026 · 16:27 UTC

Taiko L2 Bridge Back Online After $1.7M Hack via Leaked SGX Signing Key on GitHub

A Taiko (Ethereum L2) developer accidentally committed an SGX enclave signing key to a public GitHub repository; an attacker used it to forge valid bridge withdrawal proofs from the ERC20Vault contract, extracting $1.7M before the bridge was paused on June 22. The bridge was restored July 2 after key rotation and proof system hardening; the TAIKO token rose 136% on re-opening.

bridgessignaturesaccess-controlerc20sgx-key-leak+1
Summer.fi BlogJul 9, 2026 · 16:27 UTC

Summer.fi Loses $6.04M in Flash Loan + Stale Oracle Exploit, Pauses All LazyVaults

An attacker spent three months quietly accumulating stale-valued Silo tokens in a deprecated Summer.fi Ark (linked to November 2025's Stream Finance collapse), then used a $65.4M flash loan to inflate the vault's totalAssets() and extract $6.04M in DAI. Summer.fi published a full post-mortem on July 8, tracing the root cause to an incomplete strategy offboarding process that left the deprecated Ark in the NAV calculation.

flashloanserc4626defi-lendingoraclesstale-oracle+1
SlowMistJul 9, 2026 · 16:24 UTC

SlowMist H1 2026 Report: 182 Incidents, $956M Lost — 50% More Attacks Than H1 2025

SlowMist's mid-year 2026 security and AML report records 182 blockchain security incidents in H1 2026 totalling ~$956M in losses, a 50% increase in incident frequency over H1 2025. DeFi accounted for 116 incidents (~$490M); supply chain poisoning was the single largest loss category (~$298M). The report also documents emerging AI-driven attack vectors including autonomous agent manipulation and AI-assisted ransomware.

chain-specificdefi-lendingdefi-ammgovernance
CertiKJul 9, 2026 · 16:24 UTC

CertiK Hack3D H1 2026 Report: $1.31B Lost Across 344 Incidents, North Korean APTs Dominate

CertiK's H1 2026 security report documents 344 blockchain security incidents totalling $1.31B in losses ($1.2B net after recoveries). Wallet compromise ($444M) and phishing ($366M) were the top categories; the largest individual events were the Kelp DAO RPC compromise ($291M) and Drift Protocol breach ($285M), both attributed to North Korean state actors in April 2026.

chain-specificdefi-lendingbridgesaccess-control
Cryip.coJul 9, 2026 · 16:24 UTC

Phishing Attack Drains ~$999K USDT from Ethereum Wallet via Malicious Approval

A victim on Ethereum signed a malicious `approve()` transaction granting an attacker unlimited USDT spending allowance, leading to an immediate ~$999K drain. The incident follows a persistent pattern of approval-phishing targeting high-value ERC-20 holders.

erc20signaturesphishingapproval-exploit
CryptopolitanJul 9, 2026 · 08:25 UTC

Hinkal Privacy Protocol Loses $820K After prooflessDeposit() Bypasses ZK Proof Validation

On July 3–4, 2026, an attacker exploited Hinkal's `prooflessDeposit()` function on Ethereum, extracting 820K USDC in rapid 25K-USDC increments across three blocks. Proceeds were laundered through Tornado Cash (410 ETH) and THORChain (44.7 ETH → native BTC). The vulnerability likely bypassed ZK cryptographic proof validation in Hinkal's shielded-transfer model; other chains were unaffected.

signaturesaccess-controlerc20
CoinDeskJul 9, 2026 · 00:26 UTC

Aptos Move VM Type-Confusion Bug That Put $70B at Risk Disclosed After Responsible Patch

Security firm Hexens disclosed a 'stale-cache' type-confusion bug in Aptos' Move VM (discovered February 25, patched February 27) that allowed an attacker with a $3,000 server to impersonate validator-level resources with ~90% success rate — theoretically exposing $70B in network value including stablecoins and bridges. Aptos Labs patched within hours; no user funds were lost. The disclosure, published July 4, is a reminder that VM-level bugs can bypass all smart-contract-layer security controls.

chain-specific
CoinDeskJul 9, 2026 · 00:26 UTC

BonkDAO Treasury Drained for $20M via Malicious Governance Proposal BIP #76

An attacker spent ~$4M buying BONK tokens to secure a 1%+ voting majority, then passed proposal BIP #76 which immediately transferred 4.426 trillion BONK (~$20M) to the attacker's wallet — all within the rules of the Solana Realms governance system. The vote saw only 7 wallets participate with 99.9% yes votes at 2.9% turnout; no timelock prevented immediate execution. BonkDAO is coordinating with exchanges to blacklist attacker addresses.

governance
PeckShield / BanklessTimesJul 8, 2026 · 16:24 UTC

PeckShield: Crypto Hacks Totaled $75.9M Across 40 Incidents in June 2026

PeckShield's June 2026 monthly security report tallied $75.9M in losses across 40 hacking incidents, underscoring continued pressure on DeFi protocols heading into July. The Summer.fi exploit has already pushed July's running total above that figure in less than one week.

defi-lendingdefi-ammflashloans
CoinDeskJul 8, 2026 · 16:24 UTC

Summer.fi Lazy Summer Protocol Exploited for $6M in Flash Loan + Stale Token Donation Attack

On July 6, 2026, an attacker used a $65.4M flash loan and three months of accumulated stale-valued Silo Varlamore vault tokens to inflate the FleetCommander's totalAssets() by 9.5%, then redeemed shares at the inflated price for a ~$6.04M profit. All Lazy Summer Protocol vaults were paused. Root cause: an offboarding Ark had its deposit cap set to zero but was not removed from the vault's share-price calculation, and the Silo tokens it held carried a stale value left over from the November 2025 Stream Finance collapse.

flashloansoracleserc4626defi-lendingprecision-math
CoinTelegraphJul 8, 2026 · 08:24 UTC

Ethereum Trader Loses $2M as DEX Aggregator Routes Swap Through Near-Empty Pool

A trader swapping 1,126.44 ETH (~$2.01M) for LIT tokens on July 7, 2026 received only $14,500 after the DEX aggregator routed the trade through a near-empty AVAIL/WETH Uniswap v3 pool, creating 120× price impact that MEV searchers extracted in the same block via backrun. Titan block builder captured approximately $1.8M as the resulting block reward.

defi-ammchain-specific
crypto.newsJul 8, 2026 · 08:24 UTC

Summer.fi Halts All Lazy Summer Vaults After $6M Flash Loan Exploit

On July 6, 2026, an attacker used a $65.4M flash loan and a donation to Summer.fi's Ark vault to distort FleetCommander's totalAssets() accounting, redeeming $70.9M against a $64.8M deposit for a $6M profit. Protocol guardians immediately paused all vaults across Ethereum, Base, and Arbitrum; SUMR token fell ~18%.

flashloanserc4626precision-mathdefi-lending
Bitcoin.com / SlowMistJul 8, 2026 · 00:25 UTC

DIP Token Drained for $111K: SlowMist Attributes Loss to Single Missing Line of Code

SlowMist reported that $111,000 was drained from the DIP Token protocol due to a single missing line of code in a smart contract. Exact date and chain were unconfirmed at time of reporting.

access-controlerc20
Analytics InsightJul 8, 2026 · 00:25 UTC

Hinkal Protocol Loses $830K as Hacker Moves Funds Across Chains

$830K was drained from Hinkal and the attacker moved funds across multiple chains. Date and exact attack vector were not confirmed in available sources at time of reporting (unconfirmed whether within 24-36 h window).

bridgesaccess-control
CoinDeskJul 8, 2026 · 00:25 UTC

BonkDAO Loses $20M in BONK After Attacker Buys 1% of Supply to Pass Malicious Governance Proposal

An anonymous attacker purchased ~1% of BONK's supply for $4.4M, submitted a treasury-drain proposal on Solana's Realms platform on June 30 2026, and passed it with only 7 voters at 2.9% turnout. Roughly $20M in BONK was transferred to attacker-controlled wallets; ~$19M remains in a multisig requiring multiple approvals.

governance
Bitcoin.com / PeckShieldAlertJul 7, 2026 · 16:24 UTC

Summer.fi Pauses All Vaults After $6M Flash Loan Vault Inflation Exploit on Fleet Commander

On July 6 2026, Summer Finance's Fleet Commander contract was exploited for ~$6M via a flash-loan-powered ERC4626 donation attack: an attacker borrowed $65.4M, donated $64.8M to an Ark sub-strategy to inflate totalAssets(), then redeemed $70.9M in pre-held shares before repaying the loan. Protocol guardians paused all Lazy Summer Protocol vaults; a patch is in progress.

flashloanserc4626defi-lending
CryptoTimes / CertiK / GoPlus SecurityJul 7, 2026 · 16:24 UTC

Hinkal Privacy Protocol Loses $820K USDC to prooflessDeposit() Access Control Bug

On July 3 2026, an attacker exploited a missing access control in Hinkal's prooflessDeposit() function on Ethereum, seeding a phantom shielded balance without a ZK proof and draining ~$820K USDC in 14+ rapid transact() calls. Stolen funds were quickly laundered via Tornado Cash (410 ETH) and THORChain (44.67 ETH to Bitcoin); Hinkal confirmed the exploit was isolated to the Ethereum deployment.

access-controlsignatureszero-knowledge
Coinspect / illbloom.orgJul 7, 2026 · 09:12 UTC

Coinspect Discloses 'Ill Bloom' PRNG Vulnerability — $5M Drained from Legacy Crypto Wallets Across Multiple Chains

On July 6, 2026, Coinspect Security Research publicly disclosed 'Ill Bloom': a class of software wallets generated between 2018–2022 used a weak PRNG for seed phrase generation, collapsing entropy to a computationally enumerable range. Attackers have systematically swept affected wallets since at least May 2026, draining ~$3.1M in a single May 27 sweep of 431 wallets and ~$2M more since. Thousands of wallets on Ethereum, Bitcoin, Polygon, Tron, and Solana remain at risk. Users of affected legacy wallet software are urged to migrate funds immediately. Hardware wallets and current major software wallets are unaffected.

chain-specific
SlowMistJul 4, 2026 · 02:31 UTC

mySwap CL on Starknet drained ~$300K from residual LP positions

The long-dormant concentrated-liquidity DEX (closed to new deposits for months) was exploited for ~$300K of leftover liquidity.

defi-ammchain-specific
altFINSJul 4, 2026 · 02:31 UTC

Humanity Protocol loses $30M+ after a foundation key theft and proxy-admin mint

A stolen private key let attackers drain 17 wallets on Ethereum, then seize proxy-admin control on BNB Chain and mint 100M extra $H (~$12.9M).

proxiesaccess-controlkey-management
DARKNAVYJul 4, 2026 · 02:31 UTC

Little Boy Plus exploited via flash-loaned reserve inflation on BSC

A 'no admin keys' mining protocol trusted a spot PancakeSwap reserve for hashrate accounting; a flash loan skewed it and minted hashrate for a ~$377K exit.

defi-ammflashloansoracle-manipulation
AMBCryptoJul 4, 2026 · 02:31 UTC

OLPC/LABUBU PancakeSwap pool drained ~$1.1M after a burn-param time bomb

A huge owner-set burn multiplier (set 46 days earlier, then ownership renounced) torched pool balances, desynced reserves, and enabled the drain.

erc20defi-ammburn-on-transfer
TronWeeklyJul 4, 2026 · 02:31 UTC

Aztec's deprecated bridge drained for $2.16M via an unguarded escape hatch

A fresh EOA called escapeHatch() on an immutable, years-old RollupProcessor with a crafted claim proof and withdrew 1,158 ETH.

bridgesaccess-control
The DefiantJul 4, 2026 · 02:31 UTC

Taiko halts L2 after $1.7M bridge drain from a leaked Raiko prover key

An RSA prover key committed to Taiko's public Raiko GitHub repo let an attacker forge L2 state and withdraw from the bridge with no matching deposits.

bridgessignatureskey-management