Exploit

• DarkSword: the iOS exploit kit left in the open March 24, 2026

  DarkSword is a six-CVE iOS exploit kit disclosed March 18 by Google, iVerify, and Lookout -- targeting iOS 18.4-18.7 via watering hole attacks with no user interaction required. Apple has now patched all six zero-days in iOS 26.3. Between 220 and 270 million iPhones were estimated to be exposed. Update now.

• Venus Protocol: The Audit Said So in 2023 March 24, 2026

  Venus Protocol was exploited for the fourth time in five years. The attack vector was flagged in a 2023 audit. The team dismissed it. Nine months later, someone spent nine months setting it up and walked out with $3.7 million.

• Resolv Labs: The $25M Key March 24, 2026

  A compromised private key let an attacker mint 80 million uncollateralized USR tokens and extract $25 million. The smart contract had no on-chain cap -- the key was the only lock on the door.

• IoTeX ioTube Bridge Drained $4.4M: When One Key Is the Only Lock March 23, 2026

  On February 21, 2026, a single compromised private key gave an attacker full administrative control over IoTeX's ioTube cross-chain bridge on Ethereum. The attacker drained $4.4M in real bridged assets and minted hundreds of millions of unbacked tokens on top. This is not a novel attack -- it is the same failure mode that has recurred across the most expensive bridge hacks in crypto history.

• YieldBlox Lost $10.97M Because Its Oracle Trusted a Price Nobody Was Watching March 23, 2026

  On February 22, 2026, a single 50-cent trade on a ghost-town DEX market was enough to drain $10.97M from YieldBlox's lending pool on Stellar. The oracle reported the manipulated price faithfully. Nobody had asked whether the market was worth trusting.