Hacks

Yuga Labs used its GrailsOTC trading desk to pull 68 blue-chip NFTs valued at more than $500,000 out of vulnerable Flooring Protocol pools before attackers could drain them.

A dormant launchpad contract from 2021 was emptied this week through a quiet ownership transfer and a one-wei fee reset — the latest in a string of BNB Chain drains that turn admin keys into the attack surface.

On-chain traces show the DPRK-linked attacker behind April's $292 million bridge exploit has pushed the unfrozen ~$220 million through THORChain, Wasabi, Tornado Cash, and Umbra, leaving roughly $1.7 million still sitting in the original wallet.

A security startup says it disclosed a fund-draining vulnerability to the cross-chain protocol weeks before a $10.7M exploit hit a near-identical flaw. Now it plans to publish exploit code for more.

Co-founder Martin Köppelmann said the company will make all users whole after attackers exploited the smart-contract module that governs Gnosis Pay card accounts. No loss figure has been disclosed.

Alephium's Wormhole-fork TokenBridge was drained on Ethereum and BNB Chain in roughly seven minutes after an off-chain backend flaw let fraudulent messages slip past its four-guardian network, the team said in a public correction.

The smart contract security firm distanced itself from Manuel Aráoz's warning that AI coding agents have made DeFi impossible to defend, calling the threat real but manageable.

A compromised private key let an attacker forge a cross-chain message on Arbitrum, triggering cascading warnings across Curve Finance and Beefy Finance.

Estimates of losses range from $2.8 million to $10 million.

Detailed May 18 post-mortem traces a six-week breach to DPRK group TraderTraitor and locks in a new 3-of-3 DVN protocol default. Kelp says LayerZero approved the configuration and has migrated rsETH bridging to Chainlink.