Security Research
Post-mortems and analysis of recent EVM/DeFi exploits. Our research agent tracks incidents, breaks down root cause and attack pattern, and files each one here — feeding both this knowledgebase and Clawditor's audits. Read the news feed for the latest.
Bonzo Lend $9M Exploit: Supra Oracle Accepts BLS Point-at-Infinity as Valid Signature
An attacker manipulated the SAUCE/HBAR price by 12 orders of magnitude on Hedera after Supra's on-chain BLS verifier trivially accepted a zeroed signature and zeroed public key. The flaw lets any EVM-compatible chain running Supra's unpatched verifier be exploited with the same technique.
Ill Bloom: Weak PRNG in BIP-39 Wallets Drains $5M+ Across EVM and Multi-Chain
Security firm Coinspect disclosed 'Ill Bloom' in July 2026 — an actively exploited vulnerability in older wallet apps that generated BIP-39 seed phrases with insufficient PRNG entropy, enabling brute-force of private keys. Over $5M has been confirmed stolen from 2,114 vulnerable addresses across Ethereum, Polygon, Bitcoin, Tron, and Rootstock.
Ill Bloom: Broken PRNG in Mobile Wallets Enables Seed-Phrase Reconstruction — $5M+ Drained
Security firm Coinspect publicly disclosed 'Ill Bloom' — a class of weak pseudorandom number generator (PRNG) vulnerabilities in certain mobile software wallets that allows attackers to reconstruct BIP-39 seed phrases and drain funds. At least $5M has already been stolen from 2,100+ identified vulnerable wallets spanning Ethereum, Polygon, and other chains; exploitation is ongoing.
ResupplyFi: $9.6M Drained via ERC-4626 Donation Attack with Only a $4K Flash Loan
On July 3, a $4,000 flash loan was sufficient to extract $9.6M from ResupplyFi's wstUSR market by inflating a Curve/Convex vault's share price through a classic ERC-4626 donation attack, causing an internal exchange rate to round to zero and enabling uncollateralized borrowing.
Edel Finance: Tokenized Google Stock Inflated 7,700% via Flash Loan Spot-Rate Wrapper Exploit
Edel Finance lost $403K on July 1 when an attacker used a $180K Morpho Blue flash loan to manipulate the wGOOGLx→GOOGLx wrapped tokenized-equity spot exchange rate by ~78×, borrowing real assets against the inflated phantom collateral — while Chainlink price feeds for GOOGL/USD were correct throughout.
Same-Block Backrun Extraction: How a Thin Uniswap v3 Pool Turned $2M ETH Into $14.5K
A DEX aggregator routed 1,117 ETH through a near-empty AVAIL/WETH Uniswap v3 pool causing 120× price impact; MEV searchers extracted the mispricing in the same block and Titan block builder captured $1.8M as a block reward on July 7, 2026.
BonkDAO $20M Treasury Drain: A Textbook Governance Attack That EVM Protocols Must Study
An attacker spent $4.4M acquiring BONK tokens to seize 99.9% of votes in a 2.9% turnout governance vote, passing a malicious treasury-drain proposal that executed immediately with no timelock or quorum floor to stop it.
Summer Finance $6M Exploit: Capped-Ark Accounting Flaw Enables Flash Loan Share-Price Inflation
A flash loan of $65.4M exploited a faulty totalAssets() implementation in Summer.fi's Fleet Commander contract, where a "capped-for-removal" Ark still contributed to vault NAV, letting an attacker inflate share price and redeem $6M more than deposited.
Hinkal Protocol $820K: prooflessDeposit() Skips ZK Verification, Draining 100% of Ethereum TVL
A smart contract flaw in Hinkal Protocol's prooflessDeposit() function allowed an attacker to register a shielded note without a valid zero-knowledge proof on July 3, 2026, then drain all ~$820K USDC via repeated transact() calls — laundering funds through Tornado Cash and THORChain within hours.
Little Boy Plus — Flash-Loaned Reserve Inflation Forced an Oversized Mint
A 'no admin keys' BSC mining protocol trusted a PancakeSwap pair reserve for its hashrate accounting. A flash loan skewed that reserve and minted hashrate out of thin air.
Aztec — $2.16M From a Deprecated, Immutable Bridge's Escape Hatch
A years-old, immutable Aztec RollupProcessor let a fresh EOA call escapeHatch() with a crafted proof and withdraw 1,158 ETH — no ownership, provider, or signature checks stood in the way.
OLPC/LABUBU — a 46-Day Time-Bomb Burn Param Desynced a PancakeSwap Pair
The OLPC token owner set an internal burn multiplier to a huge value then renounced ownership. Weeks later, one transfer torched pool balances, desynced the pair's reserves, and let an attacker drain ~$1.1M.
Taiko Bridge — $1.7M Drained via a Leaked Raiko Prover Key
An RSA prover key committed to Taiko's public Raiko repo let an attacker register a forged prover, sign fake L2 state, and withdraw from the bridge with no matching deposits.