Login
Sign Up
In May 2026, the Web3 ecosystem faced a severe security downturn with 36 major incidents generating approximately $76.15 million in total losses. Data compiled by Woofun AI indicates that contract vulnerabilities and private key leaks were the primary drivers, accounting for 17 and 10 incidents respectively. This surge in attacks underscores the fragility of code security and operational safety within the decentralized finance sector, challenging the resilience of established protocols.
The Verus-Etherum Bridge, connecting the Verus L1 chain to Ethereum, suffered the single largest breach with losses reaching $11.58 million due to a critical contract vulnerability. In a separate high-profile case involving the Echo Protocol, attackers exploited a private key leak to mint 1,000 eBTCs valued at roughly $76.7 million on paper.
However, liquidity constraints limited the actual realized profit for the attackers to approximately $5.13 million, highlighting the disparity between theoretical exploit value and market execution capabilities.
Attack vectors targeted a diverse range of entities including cross-chain bridges, decentralized exchanges, lending protocols, prediction markets, stablecoins, and individual users. Cross-chain bridges emerged as the most lucrative target, absorbing $27.995 million in losses, while DeFi-related projects were the most frequently attacked with 14 incidents. Ethereum remained the primary battlefield, incurring over $48.76 million in losses, followed by BNB Chain, Monad, TON, Monero, and Bitcoin, demonstrating that security threats are now pervasive across multiple blockchain networks.
The technical failure in the Verus-Etherum Bridge stemmed from a design flaw where the Ethereum-side contract verified data from the Verus chain without validating whether that data represented a legitimate original output. This allowed attackers to fabricate fake outputs that passed verification, enabling withdrawals far exceeding their initial deposits. Woofun AI notes that this vulnerability mirrors the logic errors responsible for the $320 million Wormhole and $190 million Nomad breaches in 2022, where bridge components verified message integrity but failed to validate associated fund values.
Further analysis reveals that attackers manipulated the TrustedVolumes Request for Quote process by customizing signature data to set the transfer origin as the Resolver contract. The authorization check referenced the varg4 parameter while the actual fund transfer utilized different parameters, creating a mismatch between the authorized signer's domain and the payment address. By setting the 'maker' parameter to 'Exploit', attackers bypassed signature verification and withdrew assets using arbitrary token and amount values, effectively draining protocol funds through fake 1:1 ratio orders.
Operational security failures also contributed significantly to the $25 million in losses from private key leaks. StablR, an issuer of compliant stablecoins EURR and USDR, exemplified these governance challenges when attackers compromised the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d. By adding a malicious address to the multi-signature wallets controlling 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc and 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3, attackers gained full control over coin issuance despite the multi-sig structure, as only a single signature was required to initiate transactions.
These incidents highlight a systematic expansion of the attack surface in 2026, extending beyond code into infrastructure, interaction processes, and human operations. Woofun AI analysis suggests that reliance on isolated security audits is insufficient against threats targeting employee practices, cloud infrastructure, and software supply chains. The frequency of attacks on outdated or abandoned contracts further necessitates a re-evaluation of existing security postures, urging developers to manage remaining funds and revoke unnecessary user authorizations to mitigate future risks.