DeFi
- State of DeFi: March 2026
A living snapshot of decentralised finance: Aave V4 deployment imminent, Lido Earn platform live with EarnUSD and EarnETH vaults, Solana Alpenglow consensus upgrade on testnet targeting mid-2026 mainnet, and Bitcoin DeFi led by Babylon at ~$5B TVL searching for a new catalyst. TVL recovering in the $95-130B range.
- Crypto Security: Exploits, Hacks, and the State of On-Chain Defence
Tracking the crypto security landscape: Q1 2026 DeFi losses confirmed above $142M across 15+ incidents; Balancer Labs winds down from hack fallout; Resolv Protocol loses $25M to an AWS KMS key compromise; and the first major US criminal prosecution for a DeFi smart contract hack charges the Uranium Finance attacker five years on.
- One Attack. $284M. CertiK's Q1 2026 Crypto Loss Data Puts It in Context.
CertiK has tracked 103 security incidents and 36 phishing scams since January 1, totalling roughly $480M in losses. The headline is alarming. The breakdown is more instructive.
- Solv Protocol's Third Incident in 14 Months: Unaudited Contract, $2.73M Gone
On March 5, 2026, an unaudited BitcoinReserveOffering contract on Solv Protocol was exploited via a reentrancy-style callback. 135 BRO tokens in, 567 million out. $2.73M drained in 22 loops. The third security incident in 14 months for the protocol calling itself the largest on-chain Bitcoin reserve.
- The ZK Math Was Fine. The Ceremony Was Never Finished.
Veil Cash and FoomCash became the first confirmed live exploits of deployed ZK cryptography in production. The flaw wasn't a broken proof -- it was a trusted setup ceremony that was never completed. FoomCash lost $2.26 million to an attacker who read a post-mortem and executed.
- Aave CAPO Oracle Misfired. $27.78M in Healthy Positions Were Liquidated.
On March 10, 2026, Aave's own anti-manipulation oracle system triggered $27.78 million in liquidations against 34 healthy wstETH positions. No hack. No market crash. One automated parameter update.
- BSC Stake Contract Drained $133K via TUR Token Price Manipulation
A BSC Stake contract lost $133K after an attacker manipulated spot prices in the low-liquidity TUR-NOBEL pool, inflated staking rewards, and drained the contract via referred accounts -- a textbook unprotected oracle vulnerability flagged by BlockSec Phalcon.
- Hardcoded at $1.13: How the Resolv Exploit Spread to 15 Morpho Vaults
When USR depegged to $0.05, 15 Morpho vaults kept valuing wstUSR collateral at a hardcoded $1.13. That gap was the attack.
- Audited Once Is No Longer a Security Model
AI has changed the economics of smart contract exploitation. Code you deployed in 2021 and haven't touched since is being scanned continuously. The one-time audit model is structurally broken.
- AI-Powered DeFi Hacking: Anthropic Research Shows Profitable Autonomous Exploitation Now Feasible
Anthropic AI agents autonomously scanned 2,849 deployed smart contracts, found 2 novel vulnerabilities, and produced $3,694 in exploits while spending only $3,476 in compute costs. The economics of DeFi hacking have permanently shifted.
- Moonwell Governance Attack: $1,808 Buys Control of $85M Protocol
An attacker spent $1,808 and 11 minutes to submit a malicious governance proposal that could hand them full control of Moonwell, a DeFi lending protocol with $85M TVL. Voting ends Friday. The outcome is still uncertain.
- cbETH Was Worth $1.12 on Moonwell. It Cost Them $1.78M.
Moonwell Finance's governance proposal MIP-X43 deployed a cbETH oracle that output $1.12 instead of $2,200. Liquidation bots moved within the same block. Four minutes later the damage was done. The commit was co-authored by Claude Opus 4.6.
- One Compromised Key: How the Resolv Hack Printed $23M
An attacker compromised an AWS KMS private key to bypass oracle controls and mint ~$80M in unbacked stablecoin, crashing the Resolv protocol and cascading into 15 Morpho vaults. The engineering lesson is about key management and oracle architecture, not cryptography.
- Price Impact Kills: $50M Aave Trade Routed Into $73K CoWSwap Pool
On March 12, a $50M collateral rotation through Aave's interface -- routed via CoW Protocol into a SushiSwap pool with $73K liquidity -- returned 327 AAVE worth $36,000. Every contract performed as designed. MEV bots extracted $12.5M on the next block. The missing safeguard was a slippage cap that didn't survive a frontend migration.
- Venus Protocol: The Audit Said So in 2023
Venus Protocol was exploited for the fourth time in five years. The attack vector was flagged in a 2023 audit. The team dismissed it. Nine months later, an attacker who had spent nine months setting it up walked out with $3.7 million.
- YieldBlox: When Your Oracle Trusts a $1 Market
An attacker pumped a thinly traded collateral asset 100x on the Stellar DEX and borrowed $10.97 million against the fake price. The oracle had no minimum liquidity threshold -- it just reported what it saw.
- Resolv Labs: The $25M Key
A compromised private key let an attacker mint 80 million uncollateralized USR tokens and extract $25 million. The smart contract had no on-chain cap -- the key was the only lock on the door.
- Moonwell Rekt: When the AI Writes the Oracle and Nobody Catches the Missing Multiplication
A missing ETH/USD multiplication in a Moonwell oracle priced cbETH at $1.12 instead of $2,200. Liquidation bots extracted 1,096 cbETH in four minutes, leaving $1.78M in bad debt. The commit was co-authored by Claude Opus 4.6. What that actually means for engineers shipping AI-assisted production code.
- Q1 2026 DeFi Losses Hit $137M -- And Vibe Coding May Be Making It Worse
Q1 2026 DeFi losses have hit $137M across 15 incidents, already outpacing Q1 2025. With Resolv Labs restoring redemptions after an $80M unauthorized mint and IoTeX opening its compensation portal, there's a harder question worth asking: is AI-assisted smart contract development making the security picture worse?
- The Scanner Got Scanned: How Trivy Became a Supply Chain Weapon
On March 19, 2026, attackers compromised Aqua Security's Trivy vulnerability scanner, force-pushing malicious code into 75 GitHub Actions tags and a trojanized v0.69.4 release. Stolen credentials from that breach then fuelled CanisterWorm, a self-propagating npm worm that hit 47 packages and used a decentralised ICP canister as its command server.
- IoTeX ioTube Bridge Drained $4.4M: When One Key Is the Only Lock
On February 21, 2026, a single compromised private key gave an attacker full administrative control over IoTeX's ioTube cross-chain bridge on Ethereum. The attacker drained $4.4M in real bridged assets and minted hundreds of millions of unbacked tokens on top. This is not a novel attack -- it is the same failure mode that has recurred across the most expensive bridge hacks in crypto history.
- YieldBlox Lost $10.97M Because Its Oracle Trusted a Price Nobody Was Watching
On February 22, 2026, a single 50-cent trade on a ghost-town DEX market was enough to drain $10.97M from YieldBlox's lending pool on Stellar. The oracle reported the manipulated price faithfully. Nobody had asked whether the market was worth trusting.