Crypto
- State of DeFi: March 2026
A living snapshot of decentralised finance: Aave V4 deployment imminent, Lido Earn platform live with EarnUSD and EarnETH vaults, Solana Alpenglow consensus upgrade on testnet targeting mid-2026 mainnet, and Bitcoin DeFi led by Babylon at ~$5B TVL searching for a new catalyst. TVL recovering in the $95-130B range.
- Crypto Security: Exploits, Hacks, and the State of On-Chain Defence
Tracking the crypto security landscape: Q1 2026 DeFi losses confirmed above $142M across 15+ incidents; Balancer Labs winds down from hack fallout; Resolv Protocol loses $25M to an AWS KMS key compromise; and the first major US criminal prosecution for a DeFi smart contract hack charges the Uranium Finance attacker five years on.
- Trustless Systems: ZK, DAOs, and the Architecture of Unstoppable Code
Tracking the development of trustless infrastructure: zero-knowledge proofs, zkEVM scaling, DAO governance experiments, smart contracts as programmable law, and the convergence of AI and cryptographic verification. This week: Drift Protocol lost $285M to an admin key compromise combined with oracle manipulation -- the largest DeFi exploit of 2026, and a clear demonstration of how trustless code fails when the control layer isn't trustless.
- One Attack. $284M. CertiK's Q1 2026 Crypto Loss Data Puts It in Context.
CertiK has tracked 103 security incidents and 36 phishing scams since January 1, totalling roughly $480M in losses. The headline is alarming. The breakdown is more instructive.
- Solv Protocol's Third Incident in 14 Months: Unaudited Contract, $2.73M Gone
On March 5, 2026, an unaudited BitcoinReserveOffering contract on Solv Protocol was exploited via a reentrancy-style callback. 135 BRO tokens in, 567 million out. $2.73M drained in 22 loops. The third security incident in 14 months for the protocol calling itself the largest on-chain Bitcoin reserve.
- The ZK Math Was Fine. The Ceremony Was Never Finished.
Veil Cash and FoomCash became the first confirmed live exploits of deployed ZK cryptography in production. The flaw wasn't a broken proof -- it was a trusted setup ceremony that was never completed. FoomCash lost $2.26 million to an attacker who read a post-mortem and executed.
- Aave CAPO Oracle Misfired. $27.78M in Healthy Positions Were Liquidated.
On March 10, 2026, Aave's own anti-manipulation oracle system triggered $27.78 million in liquidations against 34 healthy wstETH positions. No hack. No market crash. One automated parameter update.
- BSC Stake Contract Drained $133K via TUR Token Price Manipulation
A BSC Stake contract lost $133K after an attacker manipulated spot prices in the low-liquidity TUR-NOBEL pool, inflated staking rewards, and drained the contract via referred accounts -- a textbook unprotected oracle vulnerability flagged by BlockSec Phalcon.
- Crypto Regulation: MiCA, SEC, and the Global Patchwork
Tether hires KPMG for its first-ever full audit of $185B in USDT reserves as GENIUS Act compliance looms; CLARITY Act markup postponed after Coinbase rejects yield ban; SEC's March 27 statutory deadline on 91 ETF applications passes with no confirmed outcome by market close.
- Hardcoded at $1.13: How the Resolv Exploit Spread to 15 Morpho Vaults
When USR depegged to $0.05, 15 Morpho vaults kept valuing wstUSR collateral at a hardcoded $1.13. That gap was the attack.
- Audited Once Is No Longer a Security Model
AI has changed the economics of smart contract exploitation. Code you deployed in 2021 and haven't touched since is being scanned continuously. The one-time audit model is structurally broken.
- AI-Powered DeFi Hacking: Anthropic Research Shows Profitable Autonomous Exploitation Now Feasible
Anthropic AI agents autonomously scanned 2,849 deployed smart contracts, found 2 novel vulnerabilities, and produced $3,694 in exploits while spending only $3,476 in compute costs. The economics of DeFi hacking have permanently shifted.
- Moonwell Governance Attack: $1,808 Buys Control of $85M Protocol
An attacker spent $1,808 and 11 minutes to submit a malicious governance proposal that could hand them full control of Moonwell, a DeFi lending protocol with $85M TVL. Voting ends Friday. The outcome is still uncertain.
- cbETH Was Worth $1.12 on Moonwell. It Cost Them $1.78M.
Moonwell Finance's governance proposal MIP-X43 deployed a cbETH oracle that output $1.12 instead of $2,200. Liquidation bots moved within the same block. Four minutes later the damage was done. The commit was co-authored by Claude Opus 4.6.
- Q1 2026 DeFi Losses Hit $137M -- And Vibe Coding May Be Making It Worse
Q1 2026 DeFi losses have hit $137M across 15 incidents, already outpacing Q1 2025. With Resolv Labs restoring redemptions after an $80M unauthorized mint and IoTeX opening its compensation portal, there's a harder question worth asking: is AI-assisted smart contract development making the security picture worse?
- IoTeX ioTube Bridge Drained $4.4M: When One Key Is the Only Lock
On February 21, 2026, a single compromised private key gave an attacker full administrative control over IoTeX's ioTube cross-chain bridge on Ethereum. The attacker drained $4.4M in real bridged assets and minted hundreds of millions of unbacked tokens on top. This is not a novel attack -- it is the same failure mode that has recurred across the most expensive bridge hacks in crypto history.
- YieldBlox Lost $10.97M Because Its Oracle Trusted a Price Nobody Was Watching
On February 22, 2026, a single 50-cent trade on a ghost-town DEX market was enough to drain $10.97M from YieldBlox's lending pool on Stellar. The oracle reported the manipulated price faithfully. Nobody had asked whether the market was worth trusting.
- The AppsFlyer SDK Hijack: Registrar Attack, Crypto Stealer, and the SRI Gap
On March 9, 2026, attackers hijacked the AppsFlyer Web SDK via a domain registrar incident and served a professional-grade crypto-stealing payload to every site loading the SDK. The defence existed. Almost nobody had deployed it.