ln

According to the Associated Press, Anthropic's Mythos model has discovered vulnerabilities in the U.S. government's classified systems.

The blockchain research organization Common Prefix disclosed that on June 10, hackers exploited a vulnerability in the Secret Network and Axelar cross-chain bridge contract to forge deposits and mint uncollateralized tokens, subsequently cashing out approximately $4.67 million.The attack went undetected for seven days until a normal cross-chain transfer failed due to insufficient funds in the escrow account on June 17, revealing the anomaly. The root of the vulnerability lies in the fact that when the contract changed from an escrow model to a minting model, it deleted two key functions responsible for verifying the source of transfers, and it had never undergone an external audit since its deployment in early 2023. Secret Network pointed out that the Axelar bridging infrastructure failed to trigger any effective anomaly monitoring or emergency pause mechanism before the assets were stolen on a large scale.The stolen funds were routed through Osmosis to Ethereum and exchanged for ETH on CoW Protocol, then dispersed into exchanges such as KuCoin, ChangeNow, and HitBTC. Currently, approximately $672,000 remains in the attackers' Axelar wallet. Secret Network has requested Axelar to freeze that address, but the request was denied. Axelar emphasized that its core protocol was never affected, and the exploited contract was not developed or maintained by Axelar. Currently, Axelar has disabled the related cross-chain connections and stated that it is coordinating follow-up actions with exchanges and law enforcement agencies.

The cross-chain protocol Axelar Network released a statement regarding the recent security incident related to Secret Network, stating that there is a misunderstanding within the community about the event. Both Axelar and the Inter-Blockchain Communication Protocol (IBC) were not attacked or compromised. The affected token smart contracts were neither developed, deployed, nor maintained by Axelar, and Axelar's firewall mechanism also prevented the impact from spreading to other chains.It is reported that the exploited contract is a forked version based on CW20-ICS20, but the developers removed two core security checks, resulting in an "infinite minting" vulnerability. By deleting the verification mechanisms originally used to prevent such issues, this fork altered the original trust model of the contract and did not undergo a new security audit.Axelar Network explained that anyone can deploy contracts for cross-chain asset wrapping through IBC, and similar contracts have also been used to wrap tokens from other chains into Secret Network. However, the Secret side fork version in this incident has vulnerabilities due to the removal of key security checks. This incident is not a unique logical flaw, nor is it an issue with the IBC protocol itself, but rather a security risk introduced by modifications to third-party contracts.

In response to rumors regarding the attack on the BNB Chain OLPC/LABUBU liquidity pool, PancakeSwap's official announcement stated that the platform has noted the news related to this security incident. After preliminary verification, PancakeSwap's own smart contracts do not have security vulnerabilities. The project team is still continuously investigating the complete causes of the incident and will promptly share the latest investigation progress once more clues are obtained. Meanwhile, the official reminds users that all relevant event information should be based on content released through PancakeSwap's official channels.

Regarding the suspected attack on the Aztec Router contract on the Ethereum chain, Aztec Labs has officially launched an investigation and clarified that Aztec Connect was deprecated three years ago. Aztec Labs does not hold any administrator keys or control over the system, and currently cannot pause or upgrade it. Therefore, the community is reminded to be vigilant against false "support" accounts and private messages.

David Sacks, the head of AI and crypto affairs at the White House, stated that although the commercial version of the Mythos series model Fable released by Anthropic this week includes safety barriers, once those barriers are bypassed, users will be able to access Mythos's advanced cyber attack capabilities. Sacks pointed out that Anthropic had previously described Mythos as a "cyber weapon" that requires regulation, so fixing the related vulnerabilities should have been its responsibility.Sacks mentioned that a partner trusted by both Anthropic and the U.S. government discovered a jailbreak method to bypass the safety barriers while testing Fable. The U.S. government subsequently requested Anthropic CEO Dario Amodei to fix the vulnerabilities or take the model offline, but this request was refused. Anthropic stated in a declaration that the vulnerability is "not serious," a claim that contradicts the judgment of the U.S. government and relevant partners.Sacks stated that Anthropic has always emphasized that safety should be prioritized, but this time it prioritized maintaining consumer-grade model services. In response, the U.S. government reluctantly imposed export control measures on Anthropic and hopes that Anthropic will resolve the safety issues as soon as possible to lift the related restrictions and restore the full release of Fable.Sacks also denied that this action is related to previous disputes between the U.S. Department of Defense and Anthropic, stating that the government recognizes Anthropic's technological capabilities and believes that the current issues can be resolved relatively easily, with the initiative currently in Anthropic's hands.

Zcash founder Zooko Wilcox posted to express gratitude to Anthropic for helping to protect Zcash users.At the request of Shielded Labs, they conducted a security audit of Zcash using Mythos, and no other serious vulnerabilities were found in the Zcash protocol. Shielded Labs and other teams are continuing to advance security reinforcement work, and updates will be released later.

The Bitcoin Core team posted on the X platform that the new -privatebroadcast feature introduced in Bitcoin Core version 31 has a privacy vulnerability that may expose the sender's IP address to the receiving node under certain network conditions. A fix will be released with version 31.1.

According to Arkham monitoring, a certain address has just withdrawn approximately 1% of the total amount from the Zcash privacy pool Orchard Pool. Currently, Orchard Pool theoretically still holds about 3.88 million ZEC, valued at approximately 1.65 billion dollars at the current price.

According to Bits.media, the reward pool of the NovaBox platform was hacked on June 9 on Ethereum, resulting in a loss of approximately 56.73 ETH, affecting over 130 deposit users. The attacker drained the pool's funds from 65.11 ETH to 0.09 ETH in a single transaction, accounting for about 99.86%.Security company F12 stated that the incident was not due to a smart contract vulnerability, but rather a flaw in the reward distribution mechanism. The attacker borrowed 427.5 WETH through an Aave V3 flash loan, exploiting a loophole in NovaBox's mechanism of distributing dividends before updating balances when users deposit or withdraw. The hacker first deposited a small amount of NOVA tokens to trigger the dividend calculation, then deposited a large amount of ETH, significantly increasing the actual share. However, since the system did not update the balance in time, dividends were still calculated based on the previous small share, while payments were made based on the new large share, resulting in approximately 145.82 ETH of "phantom dividends," which drained the reward pool.

The founder of Slow Fog, Yu Xian, stated that the attack Asterix encountered is similar to that of Flooring Protocol and BMP yesterday (the underlying protocols are DN404 and BT404), with high-level NFT ID displacement operations overflowing and being reused. It seems the attackers are looking for common vulnerabilities.It is reported that Asterix disclosed an attack incident affecting the ASTX token contract yesterday, stating that its Uniswap v4 liquidity pool was attacked on June 8, with attackers stealing approximately 30 ETH through 242 transactions. The vulnerability originated from a lack of token ID restriction checks on approval operations in an early version of DN404. Attackers exploited the outdated token approval to repeatedly sell tokens in the pool to obtain ETH, and then extracted equivalent tokens through forged IDs, leading to a cycle that drained the funds.Smart contracts are immutable and cannot be patched. The team advises users to stop interacting with the current pool and tokens and is planning to migrate to deploy secure tokens. The team suspects that the attackers used a jailbroken AI tool for fuzz testing to discover unconventional logic paths.

According to CoinDesk, security engineer Taylor Hornby, who discovered a serious vulnerability in Zcash using the Anthropic Opus 4.8 AI model, stated that Monero (XMR) has been added to the audit queue, and more privacy coin projects will undergo security reviews in the future.Hornby previously discovered a critical vulnerability in the Zcash Orchard privacy pool on May 29, which had gone unnoticed since May 2022 and could theoretically allow attackers to create unlimited undetectable fake ZEC. The development team at Shielded Labs completed an emergency fix before June 1 and subsequently disclosed the details of the vulnerability. As a result of the incident, ZEC dropped by as much as 38% within 24 hours after the news broke, with the market concerned that attackers may have exploited the vulnerability to steal funds from the privacy pool without leaving on-chain traces.Hornby stated that he was commissioned by the nonprofit organization Shielded Labs in April of this year to identify protocol vulnerabilities before attackers could exploit them. Although he had the means to profit from the vulnerability, he chose to report the issue to the development team, stating that "such betrayal is unacceptable." Additionally, Hornby plans to apply for funding from the Zcash community to support subsequent security research efforts.

Dragonfly Managing Partner Haseeb published a statement regarding the recently patched Zcash vulnerability, indicating that there are many misunderstandings in the market about this event. He pointed out that even if the vulnerability had been exploited before it was fixed, attackers could only profit by faking ZEC in the privacy pool, and these tokens must first be converted from a privacy address to a transparent address to enter mainstream trading platforms.Since the supply of ZEC in transparent addresses can be publicly verified, any abnormal transfers exceeding the maximum supply will be detected and blocked, so the vast majority of investors holding transparent ZEC and exchange users will not be affected.Haseeb stated that the Zcash team plans to introduce a new "Turnstile" mechanism and a brand new privacy pool in future upgrades to verify that there is no inflation issue in the current privacy pool. He also mentioned that formally verified cryptographic systems can reduce implementation errors from a design perspective. Haseeb finally disclosed that Dragonfly still holds ZEC, and he is also a ZODL investor.

Dragonfly partner Haseeb tweeted to clarify the recently fixed vulnerability in Zcash. He stated that if the vulnerability had been exploited before the fix (although the probability is extremely low), it would manifest as the privacy pool minting false ZEC. Attackers would need to sell quickly, but since the market primarily trades transparent ZEC, they cannot directly sell the unmasked privacy ZEC on mainstream exchanges. Therefore, the losses would mainly be borne by users holding privacy ZEC, with almost no impact on holders of transparent ZEC and price discovery.Haseeb emphasized that the Zcash team will introduce a new turnstile mechanism and a brand new privacy pool in the next upgrade to verify that the privacy pool has not been inflated. He also has high hopes for formal verification technology, believing it is an important path for enhancing software security across the industry in the future, especially crucial for privacy protocols.

According to the THORChain blog, ZEC has been added to the THORChain launch queue, but due to a recently disclosed vulnerability in Zcash that affects the normal use of integrators, THORChain needs to complete a code modification in the Bifrost module before proceeding.The development team stated that the modification is very minor but must be completed before the launch of ZEC. Currently, Monero (XMR) is expected to launch at the end of this month, with ZEC following afterward.

The ZEC treasury company Cypherpunk posted on platform X in response to the market fluctuations of the ZEC token, stating that all software has vulnerabilities. Historically, Bitcoin has "over-minted" 18.4 billion BTC due to errors. However, this does not mean that blockchain technology should be abandoned; rather, security should be enhanced through formal verification and provable correctness.Cypherpunk emphasized that with the development of AI technology, vulnerability detection will become faster and broader, but the key lies in who can identify problems before malicious actors do. Zcash demonstrates its capability in this regard through an upcoming update.Previously, it was reported that the privacy coin ZEC faced market sell-offs due to the revelation of a security vulnerability that could potentially lead to unlimited issuance, causing the coin's price to drop over 50% in a single day.

Arthur Hayes (@CryptoHayes), co-founder of BitMEX and CIO of Maelstrom Fund, stated that he has liquidated all his $ZEC holdings due to a vulnerability attack on ZEC's Orchard Pool.Hayes pointed out that although the possibility of malicious minting is extremely low, it cannot be formally proven impossible at the cryptographic level; the privacy narrative demands "perfection" rather than "high probability safety." He also mentioned that if subsequent assumptions are falsified, he does not rule out the possibility of buying back at a lower price. Currently, his team still holds $WLD positions and maintains a bullish stance.

On May 29, 2026, Taylor Hornby discovered a critical forgery vulnerability in the Zcash Orchard funding pool. Taylor Hornby reported the vulnerability to the Zcash Open Development Lab, and all parties collaborated to complete the fix on June 2. This vulnerability could be exploited to secretly create an unlimited number of forged ZEC within Zcash Orchard. Due to the privacy features of Orchard, it is impossible to cryptographically prove whether the vulnerability was exploited before the fix was deployed. The vulnerability had existed since the activation of Orchard in May 2022, until an emergency fix was deployed on June 1, 2026.With the assistance of AI tools, Taylor Hornby wrote a complete exploit and generated unlimited and undetectable forged ZEC in a local testing environment. Currently, Shielded Labs is collaborating with other Zcash developers to explore network upgrade proposals that would allow anyone to verify the integrity of Zcash's supply.