Ethereum hacks in 2026

Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.

$292M unbacked rsETH minted after attackers exploited KelpDAO's 1-of-1 LayerZero DVN setup; the largest DeFi hack of 2026, with TVL falling $13B after.

1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.

Resolv Labs lost $25M after attackers compromised its AWS KMS keys; a $100K USDC deposit minted 50M USR and depegged the stablecoin 74% in 17 minutes.

Solv Protocol's BRO vault lost $2.73M when an ERC-3525 double-mint bug let the attacker turn 135 BRO into ~567M BRO over 22 deposits, then swap for 38 SolvBTC.

$4.3M drained from IoTeX's ioTube bridge via a validator key compromise; attacker also minted 111M CIOTX and 9.3M CCS. IoTeX pledged full user compensation.

$4.13M extracted from Makina's DUSD/USDC Curve pool via flash-loan oracle manipulation against MachineShareOracle; white-hat talks recovered 89% in a week.

SagaEVM lost $7M in 11 minutes when an Ethermint bug let crafted messages bypass validation, minting Saga Dollar (D) without collateral and bridging to ETH.

Truebit lost $26.4M when an integer overflow in TRU's five-year-old bonding-curve contract let the attacker mint TRU near-free and sell back for 8,500 ETH.