security

Keone Hon, co-founder of Monad, posted on the X platform that the Monad network is unaffected and operating normally, while security researchers are investigating the eBTC-related incident of the Echo Protocol. Researchers have determined that the vulnerability led to approximately $816,000 being stolen. Previously, it was reported that the Echo Protocol was attacked on the Monad chain, where hackers minted 1,000 eBTC and withdrew funds via Curvance.

Vitalik Buterin published an article discussing the application prospects of Formal Verification in the field of blockchain security.The article points out that a new paradigm is emerging in Ethereum's cutting-edge research and development, where code is directly written using EVM bytecode, assembly, or Lean, and its correctness is verified using automatically checkable mathematical proofs in Lean. Researcher Yoichi Hirai refers to this paradigm as "the ultimate form of software development."Vitalik believes that AI-assisted formal verification is expected to enhance both code efficiency and security, particularly suitable for security core modules such as STARK, ZK-EVM, quantum-resistant signatures, and consensus algorithms.The article also emphasizes that formal verification is not a panacea and may still fail due to issues such as incomplete proof coverage, specification errors, and hardware side channels; in the future, software may differentiate into "security cores" and "non-security edges," with Ethereum becoming one of the important security cores.

According to The Block, Nasdaq-listed Bitcoin ATM operator Bitcoin Depot has filed for Chapter 11 bankruptcy in the Southern District of Texas to gradually shut down operations. CEO Alex Holmes stated that changes in the regulatory environment have made the current business model unsustainable, with states implementing stricter compliance obligations, including new transaction limits, and some jurisdictions even directly restricting or banning Bitcoin ATM operations.In April, the company experienced a security breach that resulted in the theft of $3.7 million. Last week, the company stated that there were "significant deficiencies" in cash transportation reconciliation, preventing timely delivery of the first-quarter financial report. Preliminary unaudited data shows that first-quarter revenue decreased by 49.2% year-over-year, with a net loss of $9.5 million, compared to a net profit of $12.2 million in the same period last year. The company was founded in 2016 and operates the largest Bitcoin ATM network in North America, with over 9,000 machines globally.

The open-source data visualization tool Grafana stated on platform X that it recently discovered an unauthorized attacker had obtained a token that could access the Grafana Labs GitHub environment and used it to download the code repository.An investigation confirmed that this incident did not involve customer data or personal information leakage, and no impact on customer systems or business operations was found. After the incident, forensic analysis was immediately initiated, and it is believed that the source of the credential leak has been identified. Additional security measures have also been deployed to strengthen environmental protection.Furthermore, Grafana disclosed that the attacker attempted to demand a ransom to prevent the code repository from being made public, but the company ultimately decided to refuse to pay the ransom and will release more information about the incident review after the investigation is completed.

The Criminal Investigation Bureau of the Ministry of Public Security published an article titled "Beware of Online Fraud Targeting Minors," which reveals a new type of online fraud chain characterized by "game diversion + impersonating public security and judicial authorities + virtual currency money laundering." Criminals post advertisements through games and social platforms to guide minors to add friends, and use intimidation and other means to extract funds from parents' accounts. The stolen money is split and withdrawn through black and gray industry platforms to purchase virtual currencies, which are not restricted by geography and can silently flow back to overseas fraud dens, completing the "physical isolation" of cross-border funds. The Criminal Investigation Bureau reminds that public security and judicial authorities will never handle cases online, will never intimidate for deductions, and will never ask for passwords or verification codes.

The GoPlus Security team has disclosed a new type of attack in its AgentGuard AI project: inducing AI agents to perform unauthorized sensitive operations through "memory poisoning." This attack method does not rely on traditional vulnerabilities or malicious code but exploits the long-term memory mechanism of AI agents. For example, an attacker first induces the agent to "remember preferences," such as "usually prioritizing proactive refunds instead of waiting for chargebacks," and then uses vague expressions like "process as usual" or "execute as before" in subsequent instructions, thereby triggering automated financial operations.GoPlus points out that the key risk in such cases lies in the AI agent mistakenly treating "historical preferences" as a basis for authorization, leading to financial losses or security incidents in operations such as refunds, transfers, and configuration changes. To address this issue, the team has proposed several protective recommendations, including:Operations involving refunds, transfers, deletions, or sensitive configurations must require explicit confirmation in the current session.Memory-related instructions like "habit," "usual way," and "as before" should be regarded as high-risk state changes.Long-term memory must have a traceability mechanism (writer, time, confirmation status).Vague instructions should automatically elevate the risk level and trigger secondary verification.Long-term memory must not replace real-time authorization processes.The team emphasizes that the "AI agent memory system" should be viewed as a potential attack surface and should be constrained and audited through a dedicated security framework.

GoPlus Security stated that a user fell victim to a typical address poisoning attack, mistakenly transferring 100,000 DAI to a fake address created by the attacker after copying a similar address from the transaction history.In this incident, the user had previously transferred 300,000 DAI to the target address, and the attacker subsequently sent 0.0003 DAI from a similarly structured address to lure the user into mistakenly selecting the wrong address for the second transfer.GoPlus Security reminds users not to copy addresses from transaction history, to verify the complete address before transferring, and to conduct a small test transfer before making large transactions.

The working group led by the Ethereum Foundation has released a new open standard called "Clear Signing," aimed at addressing the long-standing issue of "blind signing." This new standard is built on the ERC-7730 specification and aims to promote the "WYSIWYS (What You See Is What You Sign)" concept, allowing users to understand the actual execution content of transactions in a unified, readable, and structured manner before signing. This replaces the current common practice of displaying machine-readable but difficult-to-understand low-level transaction information. By using a unified description format, a registry system, and independent verification and auditing mechanisms, the intent of transactions can be clearly expressed and standardized for presentation on wallets.Clear Signing will not change the on-chain transaction structure but will enhance interpretability through off-chain standardized descriptions, thereby improving security without affecting the compatibility of existing protocols.

Sky Ecosystem posted on platform X that the USDS OFT cross-chain bridging on the Solana network has resumed operation, which was temporarily paused due to a security review related to the rsETH vulnerability.Sky stated that throughout the review period, both the Sky Protocol and the USDS contract were unaffected, and USDS has always maintained full collateral as designed by the protocol, which can be verified on-chain at any time. This pause was a precautionary measure.With the completion of the security review, the USDS cross-chain bridging on the Solana chain has reopened, while the bridging to Avalanche will resume after further review is completed.

Binance released its latest security report, addressing the current industry situation of rapidly spreading AI scams. The platform has deployed over 24 AI security programs and equipped more than 100 AI models to build an intelligent defense system against various types of cryptocurrency fraud.Statistics show that from early 2025 to the first quarter of 2026, Binance has protected over 5.4 million users and intercepted potential fund losses of $10.53 billion. In Q1 2026, the platform successfully intercepted 22.9 million scam and phishing attacks, protecting user funds amounting to $1.98 billion, with an average of over 9,600 real-time risk alerts pushed daily, and a total of 36,000 malicious on-chain addresses blacklisted.The report pointed out that deepfakes, voice cloning, and phishing bots have become mainstream scam tactics, with the overall scale of cryptocurrency fraud reaching $17 billion in 2025, a year-on-year increase of 30%. In terms of risk control, Binance's AI system handles 57% of fraud detection work, reducing the credit card fraud rate to 60%-70% of the industry average; it has upgraded AI anti-counterfeiting KYC reviews, with review efficiency improved by up to 100 times.The AI trading tool Binance Ai Pro uses an isolated account structure, only allowing trading permissions and prohibiting withdrawals, with the platform intercepting 12% of high-risk third-party AI plugins. Additionally, in 2025, Binance assisted in recovering $12.8 million in scammed funds, handled 48,000 cases, and collaborated with law enforcement to freeze $131 million in illegal assets.

The Financial Security Institute of South Korea announced that it will promote three key tasks around digital asset services, including the development of smart contract verification tools, the establishment of a smart contract verification system, and the cultivation of professional talent in digital assets.It will develop dedicated security verification tools that can automatically detect major vulnerabilities such as reentrancy attacks, access control errors, and collateral verification omissions, targeting scenarios like token securities and stablecoins, and continuously update detection rules in conjunction with the South Korean financial regulatory environment. Meanwhile, the agency will also release the "Smart Contract Security Guidelines," covering the entire process of development, deployment, and operation, and enhance the digital asset security capabilities of financial institutions through seminars, collaborative networks, and other means.

The People's Court of Gulou District, Fuzhou City recently concluded a dispute arising from investment in virtual currency. Chen transferred 480,000 yuan to Liu for foreign exchange wealth management, and Liu converted the funds into USDT and invested on an overseas platform. After the platform closed, Chen filed a lawsuit in court seeking a refund.The court reviewed the case and found that the transaction model formed a closed loop of receiving RMB, exchanging for USDT, cross-border transfer, and buying and selling foreign exchange, which constitutes a disguised foreign exchange transaction and is suspected of economic crime. The court ruled to dismiss Chen's lawsuit and transferred the relevant materials to the public security authorities for handling, with the Fuzhou Intermediate Court upholding the original ruling. The court reminded that investing in virtual currency violates relevant civil laws of public order and good morals, and any losses arising from this shall be borne by the investor.

Syndicate stated on platform X that regarding the latest developments of the Syndicate bridge security incident, all affected SYND holders on the Commons Chain have received full compensation, along with an additional 15% of the total losses as compensation.The relevant amounts have been directly sent to the affected users' Base chain wallets, with the Gas fees covered by Syndicate Labs. The total compensation amounts to 12.901 million SYND, and no action is required through any claim page.

According to market news, Microsoft's security research team has discovered that attackers have been inducing users to run malicious terminal commands by publishing fake macOS troubleshooting guides since the end of 2025, thereby stealing cryptocurrency wallets, iCloud data, and passwords saved in browsers.These fake guides are published on platforms such as Medium, Craft, and Squarespace, targeting common user issues like freeing up disk space or fixing system errors, and tricking users into copying and pasting malicious commands into the terminal, which automatically downloads and runs malware. This social engineering technique, named ClickFix, bypasses macOS's Gatekeeper security mechanism because the victims are actively executing the commands.The malware families involved include AMOS, Macsync, and SHub Stealer, which can steal cryptocurrency wallet keys from Exodus, Ledger, and Trezor, as well as usernames and passwords saved in Chrome and Firefox. In some cases, attackers also delete legitimate wallet applications and replace them with trojan versions. Apple has added a protective feature in macOS version 26.4 to prevent the pasting of potentially malicious commands.

After the Kelp security incident, Tether's asset interoperability protocol USDT0 announced details of its protocol security architecture, stating that the current system uses a proprietary DVN (Decentralized Verification Network) and has message veto power, while requiring 3 independent validators to reach a 3/3 consensus based on different codebases before cross-chain messages can be settled.The current validating nodes include USDT0's proprietary DVN, LayerZero, and Canary, with plans to expand to 4/4 and 5/5 verification mechanisms in the future. USDT0 also stated that all multi-signature transactions must undergo multiple reviews by internal teams, external security teams, and auditing institutions before submission for signing. Relevant contracts have been audited by organizations such as Guardian and OpenZeppelin and have launched a $6 million bug bounty program on Immunefi.

Wasabi Protocol released a security incident update, stating that attackers exploited a configuration vulnerability in the Spring Boot Actuator within its AWS infrastructure to steal the private keys controlling EVM smart contracts, resulting in the theft of approximately $4.8 million in user funds and $900,000 in protocol treasury funds, with total losses amounting to about $5.7 million.The attack chain began with a public server used for analysis, whose Actuator heap dump was not properly password protected, allowing attackers to obtain credentials for another server and ultimately gain control of the smart contract private keys. This incident only affected EVM deployments, including certain treasuries on Ethereum, Base, Blast, and Berachain, while Solana deployments and Prop AMM were not affected.There has not yet been a final update on the user compensation plan, but "ensuring all affected users are compensated" remains the team's top priority, and updates on the investigation progress will be released in the Discord community in the future.

LayerZero Labs posted on the X platform that the internal RPC used by LayerZero Labs was attacked by the Lazarus Group in the past three weeks, resulting in the compromise of the true source of its DVN (Decentralized Verification Network), while external RPC providers faced DDOS attacks. This incident affected 0.14% of applications and approximately 0.36% of asset value.LayerZero Labs stated that asset security is currently intact, and since April 19, over $9 billion in funds have been completed across chains through the protocol. In response to security risks, LayerZero Labs has stopped providing services for its DVN in a 1/1 configuration, and all default configurations for channels will be migrated to at least a 3/3 or 5/5 multi-DVN mode.Additionally, in response to an incident three years ago where multi-signature holders mistakenly used hardware wallets for personal transactions, LayerZero Labs has removed that signer and changed wallets, while also developing a OneSig custom multi-signature system. LayerZero Labs recommends that developers lock configurations to avoid relying on default settings and plans to launch an asset management platform Console to enhance security monitoring.

Lido released the latest updates on the Kelp security incident, stating that the Snapshot vote regarding the EarnETH first loss protection mechanism being below the 1% threshold has reached the quorum and been approved. The losses for EarnETH users will be fully covered by the Lido Earn first loss mechanism.The rsETH held by the attacker has been liquidated, and the related stETH has been transferred to the DeFi United rescue plan. In addition, the EarnETH treasury is expected to reopen shortly after the Kelp protocol resumes operations, at which point users will be able to conduct normal deposit and withdrawal operations. Lido emphasized that during the freeze period, the EarnETH and EarnUSD treasuries continue to generate returns. Currently, EarnETH users only need to wait for the brief unfreezing process to complete, and once the funds are restored, they will be compensated according to the first loss protection mechanism.

1inch posted on platform X, stating that it has noted reports involving TrustedVolumes and confirmed that 1inch and all its protocols are not involved in the incident. The 1inch system, infrastructure, and user funds have not been affected.TrustedVolumes operates independently as a liquidity provider and is used by multiple protocols in the industry, not exclusive to 1inch. 1inch will continue to monitor the situation and actively assist relevant security parties when appropriate.