Polychain/Variant-backed neo-brokerage Cascade lost 1.34M USDC from pre-launch First Wave deposits on July 16; funds were bridged Arbitrum→Solana→Ethereum and swapped into unfreezable DAI.
An attacker with an authorized oracle-signer key and a registered PriceUpKeep forwarder booked twenty round-trip BTC/USD trades, draining ~28% of Ostium's OLP vault; trading paused.
EMURGO, one of Cardano's five Pentad governance entities, stepped down on July 8 to lead recovery for its SecondFi wallet, drained of 16M ADA (~$2.4M) via an Ed25519 signer flaw.
Bonzo Lend drained of ~$9.05M on July 11 after a Supra oracle verifier accepted a zeroed BLS signature. Attacker inflated SAUCE price 12 orders of magnitude, bridged $5.25M via LayerZero.
BonkDAO confirmed a ~$20M treasury drain on July 6, 2026 after malicious proposal BIP-76 'Sowellian BonkDAO' passed on its own governance platform. Upbit and Kraken paused BONK.
A flash-loaned donation to Summer.fi's Ark inflated FleetCommander.totalAssets() and let an attacker redeem $70.9M from a $64.8M deposit. Lazy Summer vaults paused; funds are moving to Tornado Cash.
Security firm Hexens disclosed a stale-cache type-confusion in the Aptos Move VM in late February. Aptos patched within days; no funds lost. Coverage went public on July 4.
An attacker skipped Hinkal's zk verification with a 'Proofless Deposit', drained ~$820K in USDC on Ethereum, and laundered 410 ETH via Tornado Cash plus 44.7 ETH bridged to Bitcoin over THORChain.
A flash-loan-assisted exchange-rate manipulation between GOOGLx and wGOOGLx on Edel's xStock lending market inflated collateral 78×, opening ~$403K of bad debt routed through Tornado Cash.
Researchers flagged a June 25 Tornado Cash governance proposal that swaps the DAO treasury address for a lookalike — ~$23M in TORN and relayer balances at risk.
A poisoned JS dependency on Polymarket's frontend drained ~$3.1M in PUSD from 11+ wallets on June 25, swapped into ~1,893 ETH. Contracts untouched; refunds promised.
SecondFi disclosed a key-generation bug in its web wallet on June 23, draining ~16M ADA from 178 users; SlowMist puts total exposure at up to 129M ADA.
Taiko's chain state verification was compromised on June 22; proposers stopped producing blocks, the ERC20 Vault on Ethereum was drained for an estimated $1.7M, and all bridges are flagged unsafe.
Attacker farmed approvals from Ethereum's largest sandwich bot using 66 fake WETH/USDC/USDT tokens, then swept ~1,474 WETH, 2.87M USDC and 2M USDT in a single sweep tx.
Attacker forged IBC transfers against Namada's shielded pool, swept liquid assets cross-chain and left staked holdings behind. A stale indexer kept showing balances while live RPC reported zero.
Forged-packet attack on Secret's ICS-20 contract minted unbacked wrapped tokens, then redeemed them via the legitimate Axelar IBC channel. Caught June 17 when an escrow accounting check failed.
On June 14, an attacker exploited a numRealTxs vs decoded_slots gap in Aztec Connect's immutable rollup contract and drained 909 ETH, 270,513 DAI and 167.89 wstETH.
An attacker minted a counterfeit LP token, called withdraw on Raydium's deprecated AMM V3 program, and drained 150,177 RAY, 5,603 SOL and 893,700 USDC from 5 Serum-era pools.
An attacker bought >50% of a 16,384-supply MiniMeToken, used a no-timelock Aragon Voting app to mint 10B TOP in a single tx, and swapped them for 944.2 WETH from a Balancer V1 pool.
Coordinated Ethereum + BSC attack on Humanity Protocol's Hyperlane bridge: 141.2M H drained, 200M minted on BSC, ~$36M stolen. Team blames a compromised employee laptop; H down ~86%.
Yuga's blockchain lead 0xQuit and researcher Coffee pulled 29 BAYC, 2 CryptoPunks and 37 other blue-chips out of Flooring before an attacker could redeem them through the fpToken bug.
Gnosis co-founder Martin Köppelmann confirms an active exploit on Gnosis Pay tied to Zodiac Delay Modifier v1.1.0 and Roles Modifier v2; Gnosis pledges to cover all user losses.
Cosmos-Ethereum Gravity Bridge lost ~$5.4M on May 30. Peckshield and on-chain analyst Specter call it a signing key compromise. Team halted validators; attacker holds ~2,102 ETH.
Bybit's primary ETH cold wallet lost about 401,000 ETH on Feb 21, 2025 via a Safe{Wallet} UI manipulation. Arkham and the FBI attribute the attack to Lazarus.