2026The year in breaches

Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.

Volo Protocol's Sui vaults lost $3.5M after social engineering compromised the admin key. The team froze $500K in 30 minutes and blocked a $2.1M WBTC bridge.

$292M unbacked rsETH minted after attackers exploited KelpDAO's 1-of-1 LayerZero DVN setup; the largest DeFi hack of 2026, with TVL falling $13B after.

Rhea Finance on NEAR lost $18.4M after a two-day setup of fake tokens, 423 wallets and 8 Ref pools exploited a slippage-summing flaw in margin trading.

1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.

DPRK social-engineers tricked Drift Security Council members into blind-signing durable-nonce txs that handed over admin control, draining $285M on Solana.

Resolv Labs lost $25M after attackers compromised its AWS KMS keys; a $100K USDC deposit minted 50M USR and depegged the stablecoin 74% in 17 minutes.

Solv Protocol's BRO vault lost $2.73M when an ERC-3525 double-mint bug let the attacker turn 135 BRO into ~567M BRO over 22 deposits, then swap for 38 SolvBTC.

A Venus Protocol user was phished into delegating account control, losing ~$3.7M from their supplied position. Venus contracts were never compromised.

$4.3M drained from IoTeX's ioTube bridge via a validator key compromise; attacker also minted 111M CIOTX and 9.3M CCS. IoTeX pledged full user compensation.

~$1.78M drained from Moonwell on Base after a newly listed market used a price feed with a decimals mismatch, mis-valuing collateral so attackers borrowed out.

YieldBlox's Stellar lending pool lost $10.2M after a single USTRY-for-USDC sell at 501x market rate defined the Reflector oracle price in a quiet 15-min window.

Step Finance lost 261,854 SOL ($27M) from treasury and fee wallets to a 'sophisticated' actor. STEP fell 96%; Step, SolanaFloor and Remora all shut down.

$4.13M extracted from Makina's DUSD/USDC Curve pool via flash-loan oracle manipulation against MachineShareOracle; white-hat talks recovered 89% in a week.

SagaEVM lost $7M in 11 minutes when an Ethermint bug let crafted messages bypass validation, minting Saga Dollar (D) without collateral and bridging to ETH.

TMXTribe, a staking/rewards protocol, lost ~$1.4M when a distribution accounting flaw let an attacker repeatedly over-claim, draining the reward reserve.

Truebit lost $26.4M when an integer overflow in TRU's five-year-old bonding-curve contract let the attacker mint TRU near-free and sell back for 8,500 ETH.