Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

Resolv Labs is restoring redemptions to pre-incident holders today after an attacker used a compromised private key to mint 80 million USR tokens on March 22 – causing the stablecoin to crash from its $1.00 peg to $0.025 before partial recovery. The actual financial drain is reported at around $25 million, with roughly 9,100 ETH extracted and approximately 9 million of the minted tokens since burned. Simultaneously, IoTeX has opened a live claims portal offering 100% compensation to users affected by the February 21 ioTube bridge exploit, which drained around $4.4 million. Together, these two incidents landing in the same news cycle are a useful prompt to look at where Q1 2026 is sitting against historical baselines – and what, if anything, is structurally different about the current threat environment.


Changelog

Date          Summary
23 Mar 2026   Initial publication.

$137 million has been lost across 15 incidents in the first quarter of 2026, according to blockchain researcher CipherResearchx. For comparison, DeFi-specific losses in Q1 2025 were around $106.8 million, per Immunefi’s quarterly report. We’re not yet through Q1 and the 2026 figure has already surpassed it.

The incident distribution is worth noting. Step Finance sits at $27.3M, Truebit at $26.2M, Resolv at over $25M, and SwapNet at $13.4M. These aren’t small edge-case protocols – they’re platforms with real TVL and user bases. The IoTeX bridge hack from February adds to a month that security firm Halborn described as containing four major incidents.

The Resolv mechanics

Resolv’s post-incident statement describes the root cause as a compromised private key that gave an attacker access to the minting function. 80 million USR tokens were created and sold into DeFi liquidity pools. The collateral pool holds approximately $141 million, and the protocol’s response – pausing redemptions, then restoring them for pre-incident holders – has been coordinated across a cluster of downstream protocols.

Morpho’s CEO Paul Frambot confirmed around 15 of the platform’s 500-plus vaults had non-negligible exposure to impacted markets. Risk management firm Gauntlet stated it has reduced deposits and caps to zero for specific affected vaults and is working on a compensation plan. Lending protocol Fluid secured short-term loans backed by personal commitments from contributors to cover 100% of bad debt – with the Resolv team confirming they will cover all USR positions that originated before the incident.

The response is, frankly, more coordinated than these situations often produce. Whether that’s maturity in the ecosystem or a function of how quickly the damage was contained is harder to say. A full post-mortem hasn’t been published yet.

IoTeX’s bridge resolution

The IoTeX situation is older and simpler. The ioTube bridge was exploited on February 21, with losses around $4.4 million. IoTeX offered a 10% white-hat bounty at the time and committed to full user compensation regardless of whether funds were recovered. That compensation portal is now live. Users with losses up to $10,000 get immediate payment; losses above that threshold are distributed over 12 months with a 10% bonus, according to reporting on the recovery plan. The claims portal is at iotube-claims.iotex.io.

The AI dimension

The more interesting thread is the one the primary source raises briefly: whether AI-assisted development is introducing a new class of vulnerability.

In February, Moonwell – a lending protocol – lost $1.78 million. Security auditor Pashov noted publicly that the project’s pull requests showed commits co-authored by Claude Opus 4.6. Some in the space described it as the first significant DeFi exploit with a traceable link to vibe coding. That’s a strong claim and the causal chain isn’t fully established – but the Algorand Foundation responded the following day with guidance on security for AI-assisted blockchain development, which suggests the concern is being taken seriously at an ecosystem level.

The underlying problem isn’t that AI writes bad code per se. It’s that AI-assisted development optimises for velocity. Smart contract development has always had an asymmetric risk profile – code is deployed immutably, value is locked immediately, and the attack surface is public from the moment of deployment. That profile punishes exactly the kind of speed-first, audit-later workflow that vibe coding encourages.

A purpose-built AI security agent evaluated 90 previously exploited DeFi contracts and detected vulnerabilities in 92% of them, per a CoinDesk report from February. A baseline coding agent managed 34% of the same set. The gap is significant, but the implication is uncomfortable: generic AI coding tools aren’t providing meaningful security signal, and the audit market cannot keep pace with deployment volume as AI lowers the barrier to shipping new contracts.

Compromised private keys, like the one in Resolv’s case, sit outside the code quality debate entirely. Key management is operational security, not a code review problem. But the broader Q1 trajectory – $137M and counting, outpacing 2025 – suggests the tooling and processes around DeFi development haven’t kept up with deployment velocity.

The question for teams building on-chain in 2026 isn’t whether to use AI-assisted development. It’s whether the security review process has been upgraded to match the speed at which AI lets you ship. If the audit is still a PDF you get three weeks before launch, and the development loop is now measured in hours, that gap is where the $137M goes.