
Beosin: 36 Major Security Incidents in May, Total Loss Exceeding $76 Million

The deepest trend in Web3 security in 2026 is the systemic expansion of the attack surface.
Author: Beosin
According to monitoring data from the Beosin Alert platform, security incidents in May 2026 resulted in total losses of approximately $76.15 million, with a total of 36 major hacking incidents. The primary causes were smart contract vulnerabilities and private key leaks. Of these, 17 incidents stemmed from contract or network vulnerabilities, while 10 resulted from private key leaks—highlighting severe challenges to both code and operational security across the DeFi ecosystem.
Top 10 Protocols by Losses in May
The Verus-Ethereum Bridge—a cross-chain bridge connecting the Verus L1 chain and Ethereum—suffered the largest loss due to a contract vulnerability, amounting to $11.58 million. Echo Protocol was compromised via a private key leak, enabling attackers to mint 1,000 eBTC tokens (with a nominal value of ~$76.7 million). However, due to liquidity constraints, the attackers’ actual realized profit was approximately $5.13 million.
Attacked Project Types and Loss Distribution Across Chains
Targets included cross-chain bridges, decentralized exchanges (DEXs), lending protocols, prediction markets, stablecoins, and ordinary users. Cross-chain bridges incurred the highest losses—$27.995 million—while DeFi-related projects suffered the most attacks, totaling 14 incidents.
Ethereum recorded the highest losses in May—over $48.76 million—with many cross-chain bridge and DeFi protocol incidents still predominantly occurring on Ethereum. BNB Chain, Monad, and TON followed, while Monero and Bitcoin also experienced security incidents—demonstrating a multi-chain attack landscape.
Analysis of Key Security Incidents
1. Verus: Flawed Cross-Chain Message Verification
The Verus-Ethereum Bridge operates by having submitters provide proof data indicating the existence of a notarized, valid output on the Verus chain; upon successful verification by the bridge contract, assets are released on Ethereum. The vulnerability lies in the Ethereum-side bridge contract, which verifies the proof received from Verus but fails to validate whether the referenced output is genuinely valid. This allowed attackers to construct fraudulent outputs that passed verification, thereby withdrawing funds far exceeding their deposits.
Vulnerable code segment:
This vulnerability belongs to the same class as those responsible for the $320 million Wormhole exploit and the $190 million Nomad breach in 2022—both cases involved bridge contracts verifying message authenticity without validating the underlying asset value.
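The flaw class described above (the bridge checks that a proof refers to notarized data but never ties the claimed output to that data) can be shown with a small model. The following Python is an added illustration written for this article, not Verus or Beosin code: notaries commit a Merkle root over the outputs that may be released, a submitter presents a claim plus an inclusion proof, and the two bridge variants differ only in whether the claimed recipient and amount are actually verified against the notarized root. All outputs, amounts and names are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of a lock-and-release bridge, not any real bridge's contract.
# Notaries publish a Merkle root over valid outputs; a claim carries an inclusion proof.

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(output_id: int, recipient: str, amount: int) -> bytes:
    return h(b"leaf|" + output_id.to_bytes(8, "big") + b"|"
             + recipient.encode() + b"|" + amount.to_bytes(16, "big"))

def _pad(level):
    return level + [level[-1]] if len(level) % 2 else level  # duplicate last node on odd levels

def _parents(level):
    level = _pad(level)
    return [h(b"node|" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _parents(level)
    return level[0]

def merkle_proof(leaves, index):
    """Sibling path for leaves[index] as (sibling_hash, sibling_is_right) pairs."""
    proof, level, idx = [], list(leaves), index
    while len(level) > 1:
        padded = _pad(level)
        sib = idx ^ 1
        proof.append((padded[sib], sib > idx))
        level, idx = _parents(level), idx // 2
    return tuple(proof)

def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_right in proof:
        node = h(b"node|" + node + sibling) if sibling_is_right else h(b"node|" + sibling + node)
    return node == root

@dataclass(frozen=True)
class Claim:
    root: bytes        # notarized root the submitter says the output belongs to
    output_id: int
    recipient: str
    amount: int
    proof: tuple

class VulnerableBridge:
    """Releases whenever the claim names a notarized root; the output itself is never checked."""
    def __init__(self, notarized_roots, locked):
        self.roots, self.locked = set(notarized_roots), locked
    def release(self, claim: Claim) -> bool:
        if claim.root not in self.roots or claim.amount > self.locked:
            return False
        self.locked -= claim.amount
        return True

class HardenedBridge:
    """Additionally requires the claimed output to be in the notarized set and unspent."""
    def __init__(self, notarized_roots, locked):
        self.roots, self.locked, self.spent = set(notarized_roots), locked, set()
    def release(self, claim: Claim) -> bool:
        if claim.root not in self.roots or claim.amount > self.locked:
            return False
        leaf = leaf_hash(claim.output_id, claim.recipient, claim.amount)
        if not verify_inclusion(leaf, claim.proof, claim.root):
            return False  # output not in the notarized set: forged or tampered
        if leaf in self.spent:
            return False  # replay of an already-released output
        self.spent.add(leaf)
        self.locked -= claim.amount
        return True

def run_demo():
    outputs = [(1, "alice", 100), (2, "bob", 50)]          # constructed notarized outputs
    leaves = [leaf_hash(*o) for o in outputs]
    root = merkle_root(leaves)
    forged = Claim(root, 99, "mallory", 900, proof=())      # authentic root, invented output
    legit = Claim(root, 1, "alice", 100, proof=merkle_proof(leaves, 0))
    vuln, hard = VulnerableBridge([root], 1000), HardenedBridge([root], 1000)
    return {
        "vuln_accepts_forged": vuln.release(forged),
        "hard_rejects_forged": not hard.release(forged),
        "hard_accepts_legit": hard.release(legit),
        "hard_rejects_replay": not hard.release(legit),
        "vuln_locked": vuln.locked,
        "hard_locked": hard.locked,
    }

if __name__ == "__main__":
    print(run_demo())
```

The hardened variant does two things the vulnerable one skips: it recomputes the leaf from the very fields it is about to act on (recipient, amount, output id) and walks the proof to the notarized root, and it records a nullifier so the same output cannot be released twice. Any release path that spends from data the proof did not cover is the pattern to look for in review.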
2. Trusted Volumes: Signature Parameter Flaw
Attackers exploited a flaw in TrustedVolumes’ Request-for-Quote (RFQ) signing mechanism: during actual fund transfers, they customized signature data to set the sender address as TrustedVolumes’ Resolver contract—which then passed validation, allowing them to withdraw assets from the Resolver contract.
Vulnerable code segment:
The authorization check is performed on varg4, while the fund transfer uses other parameters; because nothing validates that the two agree, the address whose signature authorizes the order and the address that is actually debited can differ.
An attacker therefore only needed to sign an order with a registered signer address and set maker = Exploit, which passes signature verification, while choosing the other signed parameters (token type, amount, and so on) freely, for example a fake 1:1 order that passes the price oracle's reasonableness check, and could then withdraw assets directly from the protocol's contracts:
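The mismatch between "who signed" and "who pays" can be modelled in a few dozen lines. The Python below is an added example for this article, not TrustedVolumes code: an HMAC over the order digest stands in for the on-chain signature so the example runs offline, the signer registry, addresses, token names and balances are all constructed, and the two settlement variants differ only in whether the debited maker is required to be the recovered signer.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of RFQ settlement, not TrustedVolumes' contract. HMAC stands in
# for ECDSA so it runs offline; registry, addresses and balances are made up.
RESOLVER = "0xRESOLVER"                       # protocol contract custodying assets
SIGNER_KEYS = {                               # registered RFQ signers -> secret key
    "0xMAKER": b"maker-secret",
    "0xATTACKER": b"attacker-secret",
}

@dataclass(frozen=True)
class Order:
    maker: str          # address debited of token_out when the order settles
    taker: str          # address that pays token_in and receives token_out
    token_in: str
    amount_in: int
    token_out: str
    amount_out: int

def order_digest(order: Order) -> bytes:
    fields = (order.maker, order.taker, order.token_in, order.amount_in,
              order.token_out, order.amount_out)
    return hashlib.sha256("|".join(map(str, fields)).encode()).digest()

def sign_order(signer: str, order: Order) -> bytes:
    return hmac.new(SIGNER_KEYS[signer], order_digest(order), hashlib.sha256).digest()

def recover_signer(order: Order, sig: bytes):
    """Return the registered signer whose key produced sig, or None."""
    for signer, key in SIGNER_KEYS.items():
        expected = hmac.new(key, order_digest(order), hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return signer
    return None

def price_is_reasonable(order: Order) -> bool:
    # Toy oracle check: only a 1:1 exchange is treated as within tolerance.
    return order.amount_in == order.amount_out

class Settlement:
    def __init__(self, balances, require_maker_is_signer: bool):
        self.balances = {acct: dict(tokens) for acct, tokens in balances.items()}
        self.require_maker_is_signer = require_maker_is_signer

    def _transfer(self, frm, to, token, amount) -> bool:
        if self.balances.get(frm, {}).get(token, 0) < amount:
            return False
        self.balances[frm][token] -= amount
        self.balances.setdefault(to, {})
        self.balances[to][token] = self.balances[to].get(token, 0) + amount
        return True

    def settle(self, order: Order, sig: bytes) -> bool:
        signer = recover_signer(order, sig)
        if signer is None or not price_is_reasonable(order):
            return False
        # Hardened variant: the party that authorised the order must be the party debited.
        if self.require_maker_is_signer and order.maker != signer:
            return False
        if not self._transfer(order.taker, order.maker, order.token_in, order.amount_in):
            return False
        return self._transfer(order.maker, order.taker, order.token_out, order.amount_out)

def run_demo():
    balances = {RESOLVER: {"USDC": 1_000_000},
                "0xATTACKER": {"FAKE": 1_000_000},
                "0xMAKER": {"USDC": 500}}
    # Signed by a registered signer, but the debited maker is the protocol's own contract.
    malicious = Order(RESOLVER, "0xATTACKER", "FAKE", 1_000_000, "USDC", 1_000_000)
    bad_sig = sign_order("0xATTACKER", malicious)
    legit = Order("0xMAKER", "0xATTACKER", "FAKE", 100, "USDC", 100)
    good_sig = sign_order("0xMAKER", legit)
    vuln = Settlement(balances, require_maker_is_signer=False)
    hard = Settlement(balances, require_maker_is_signer=True)
    return {
        "vuln_settled_malicious": vuln.settle(malicious, bad_sig),
        "vuln_resolver_usdc": vuln.balances[RESOLVER]["USDC"],
        "hard_settled_malicious": hard.settle(malicious, bad_sig),
        "hard_resolver_usdc": hard.balances[RESOLVER]["USDC"],
        "hard_settled_legit": hard.settle(legit, good_sig),
        "hard_maker_usdc": hard.balances["0xMAKER"]["USDC"],
    }

if __name__ == "__main__":
    print(run_demo())
```

The single added line `order.maker != signer` is what closes the gap: authorization and settlement are now bound to the same address, and the digest covers every field the transfer uses, so no signed parameter can be swapped after the fact.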
3. Private Key Leak Incident: StablR Case Study
Multiple private key leak incidents occurred in May, collectively causing over $25 million in losses. As a compliant stablecoin issuer, StablR serves as a representative case study illustrating critical security governance failures within the stablecoin and broader DeFi sectors.
StablR launched two regulated stablecoin products: EURR and USDR. The multisig wallet controlling EURR minting is 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc; the multisig wallet controlling USDR minting is 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3.
Since both multisig wallets required only one signature to initiate transactions, attackers gained control of owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d and added address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 to both multisig wallets—effectively seizing full minting authority:
This incident did not stem from code-level vulnerabilities but rather from operational security failures: failure to safeguard privileged addresses’ private keys; insufficient threshold requirements for high-value/high-risk operations; absence of timelocks for large-scale minting; and lack of rapid incident response mechanisms.
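The controls listed above (a signature threshold above one, a timelock on large mints) are easy to reason about in a small state machine. The Python below is an added model written for this article, not StablR's or any multisig wallet's code; owner addresses, limits and amounts are constructed. It contrasts a 1-of-2 wallet with no timelock against a 2-of-3 wallet with a 24-hour delay on mints above a limit, from the viewpoint of a single compromised owner key.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of multisig mint governance, not StablR's or any wallet's code.
# Addresses, limits and amounts are made up for the illustration.

@dataclass
class Proposal:
    op: str                 # "add_owner" or "mint"
    arg: object             # new owner address, or mint amount
    approvals: set = field(default_factory=set)
    queued_at: Optional[int] = None

class MintMultisig:
    def __init__(self, owners, threshold, large_mint_limit, timelock_seconds):
        assert 1 <= threshold <= len(owners)
        self.owners = set(owners)
        self.threshold = threshold
        self.large_mint_limit = large_mint_limit
        self.timelock = timelock_seconds
        self.total_minted = 0

    def propose(self, op, arg, proposer, now) -> Optional[Proposal]:
        if proposer not in self.owners:
            return None
        return Proposal(op, arg, {proposer}, queued_at=now)

    def approve(self, proposal: Proposal, owner: str) -> None:
        if owner in self.owners:
            proposal.approvals.add(owner)

    def execute(self, proposal: Proposal, now: int) -> bool:
        # Only distinct *current* owners count toward the threshold.
        if len(proposal.approvals & self.owners) < self.threshold:
            return False
        if (proposal.op == "mint" and proposal.arg > self.large_mint_limit
                and now - proposal.queued_at < self.timelock):
            return False  # large mint still inside the timelock window
        if proposal.op == "add_owner":
            self.owners.add(proposal.arg)
        elif proposal.op == "mint":
            self.total_minted += proposal.arg
        return True

def run_demo():
    now, day = 1_700_000_000, 86_400
    stolen, rogue = "0xOWNER_A", "0xROGUE"        # compromised owner key, attacker-added owner

    # Weak configuration: one signature suffices and nothing is delayed.
    weak = MintMultisig({"0xOWNER_A", "0xOWNER_B"}, threshold=1, large_mint_limit=100_000, timelock_seconds=0)
    p = weak.propose("add_owner", rogue, stolen, now)
    weak_added = weak.execute(p, now)
    weak_minted = weak.execute(weak.propose("mint", 1_000_000, rogue, now), now)

    # Hardened configuration: 2-of-3 plus a 24h timelock on large mints.
    hard = MintMultisig({"0xOWNER_A", "0xOWNER_B", "0xOWNER_C"}, threshold=2,
                        large_mint_limit=100_000, timelock_seconds=day)
    p = hard.propose("add_owner", rogue, stolen, now)
    hard_added = hard.execute(p, now)                       # one key: rejected
    p = hard.propose("mint", 1_000_000, stolen, now)
    hard_single_mint = hard.execute(p, now + day)           # still one key: rejected
    hard.approve(p, "0xOWNER_B")                            # a second, legitimate owner
    hard_early_mint = hard.execute(p, now)                  # threshold met, timelock not elapsed
    hard_late_mint = hard.execute(p, now + day)             # threshold met, timelock elapsed
    return {
        "weak_rogue_owner_added": weak_added,
        "weak_minted_by_rogue": weak_minted,
        "weak_total_minted": weak.total_minted,
        "hard_rogue_owner_added": hard_added,
        "hard_single_key_mint": hard_single_mint,
        "hard_early_mint": hard_early_mint,
        "hard_late_mint": hard_late_mint,
        "hard_total_minted": hard.total_minted,
    }

if __name__ == "__main__":
    print(run_demo())
```

Two details matter for the defender: approvals are intersected with the current owner set, so an address the attacker tries to smuggle in cannot vote for its own admission, and the timelock window gives monitoring and a response team time to act before a large mint settles.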
Web3 Security Threat Trends
The most profound Web3 security trend emerging in 2026 is the systemic expansion of the attack surface. Vulnerabilities now simultaneously appear across code, infrastructure, user interactions, and human processes—rendering traditional approaches like periodic audits or isolated tooling inadequate for addressing operational security, employee endpoints, cloud infrastructure, and software supply chains. This places heightened demands on Web3 projects’ continuous operational security practices.
Additionally, attacks targeting legacy or deprecated contracts are increasingly frequent, often exploiting authorization flaws easily weaponized by attackers. Contract developers and operators should re-audit previously deployed contracts’ security posture; deprecated contracts must be promptly decommissioned or have residual funds safely migrated, and unnecessary user authorizations should be revoked. Users, too, should regularly audit and revoke unused contract permissions via blockchain explorers or dedicated deauthorization tools.