Beosin: In May, there were 36 major security incidents, with total losses exceeding 76 million USD.

The deepest trend in Web3 security in 2026 is the systematic expansion of attack surfaces.

Written by: Beosin

According to monitoring data from the Beosin Alert platform, total losses from security incidents in May 2026 were approximately 76.15 million USD across 36 major hacking incidents, driven mainly by contract vulnerabilities and private key leaks: 17 incidents stemmed from contract or network vulnerabilities and 10 from leaked private keys, showing that the DeFi ecosystem faces serious challenges in both code security and operational security.

Top 10 Losses in May

The Verus-Ethereum Bridge, a cross-chain bridge connecting the Verus L1 chain and Ethereum, suffered the month's largest loss, 11.58 million USD, through a contract vulnerability. Echo Protocol was attacked via a leaked private key: the attacker minted 1,000 eBTC (a paper value of about 76.7 million USD), but liquidity constraints limited the realised profit to about 5.13 million USD.

Types of Attacked Projects and Losses Across Chains

The attacked targets spanned cross-chain bridges, decentralized exchanges, lending protocols, prediction markets, stablecoins and individual users. Cross-chain bridges suffered the highest losses, 27.995 million USD, while DeFi projects were attacked most often, 14 times.

Ethereum was the chain with the largest losses in May, exceeding 48.76 million USD; some of the cross-chain bridge incidents and most of the DeFi protocol incidents still occurred there. BNB Chain, Monad and TON followed, and Monero and Bitcoin also saw incidents, underlining the multi-chain spread of on-chain attacks.

Analysis of Major Security Incidents

1. Verus: Cross-Chain Message Verification Flaw

The Verus-Ethereum Bridge works by having the sender submit proof data showing that a qualifying output, confirmed by notarization, exists on the Verus chain; once the bridge contract verifies that data, it releases assets on Ethereum. The flaw was that the Ethereum-side bridge contract verified the proof from the Verus chain but did not check that the proven data was a genuine original output. An attacker could therefore craft a fake output that passed verification and withdraw far more than they had deposited.

Vulnerable code section (shown as an image in the original):

This vulnerability is of the same class as those behind the 320 million USD Wormhole loss and the 190 million USD Nomad loss in 2022: in each case the bridge verified the message itself but did not validate that the message represented real, funded value.
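The pattern described above, verifying that data is included in a notarized state without checking that it is the kind of object the bridge is allowed to pay out on, can be shown with a toy bridge. The following is an added example, not Verus code and not a reconstruction of the real bridge contract: the leaf layout, the kind tag, the BRIDGE_ID destination marker and the Merkle notarization are all assumptions chosen to make the bug concrete. The vulnerable withdraw path trusts any notarized leaf that decodes to a recipient and an amount; the hardened path additionally requires the leaf to be a bridge export aimed at this bridge, and both paths refuse to pay the same leaf twice.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# Toy leaf layout (assumption, not Verus' real serialisation):
# kind(1) | dest(9, zero padded) | recipient(20) | amount(8, big-endian)
KIND_PLAIN_OUTPUT = 0x00   # ordinary output; the sender controls every byte after the kind tag
KIND_BRIDGE_EXPORT = 0x01  # export output produced by the chain's own bridge logic
BRIDGE_ID = b"ETHBRIDGE"   # destination system a genuine export must name (assumed marker)
LEAF_LEN = 38

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def encode_export(recipient: str, amount: int) -> bytes:
    """A genuine export leaf: the chain sets the kind tag and the destination."""
    return (bytes([KIND_BRIDGE_EXPORT]) + BRIDGE_ID.ljust(9, b"\x00")
            + bytes.fromhex(recipient[2:]) + struct.pack(">Q", amount))

def encode_plain_output(payload: bytes) -> bytes:
    """An ordinary output: the chain sets kind=0x00, the sender picks the 37-byte payload."""
    assert len(payload) == LEAF_LEN - 1
    return bytes([KIND_PLAIN_OUTPUT]) + payload

def decode_leaf(leaf: bytes):
    kind = leaf[0]
    dest = leaf[1:10].rstrip(b"\x00")
    recipient = "0x" + leaf[10:30].hex()
    amount = struct.unpack(">Q", leaf[30:38])[0]
    return kind, dest, recipient, amount

def _next_level(level):
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    level = [sha256(l) for l in leaves]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(leaves, index):
    """Inclusion proof for leaves[index] as a list of (sibling_hash, sibling_is_left)."""
    level = [sha256(l) for l in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        level = _next_level(level)
        index //= 2
    return proof

def verify_inclusion(leaf, proof, root) -> bool:
    node = sha256(leaf)
    for sib, sib_is_left in proof:
        node = sha256(sib + node) if sib_is_left else sha256(node + sib)
    return node == root

@dataclass
class Bridge:
    notarized_root: bytes          # root the notaries attested (their signature check is elided here)
    reserve: int
    spent: set = field(default_factory=set)

    def _release(self, leaf, recipient, amount):
        if sha256(leaf) in self.spent:
            raise ValueError("already claimed")
        if amount > self.reserve:
            raise ValueError("insufficient reserve")
        self.spent.add(sha256(leaf))
        self.reserve -= amount
        return recipient, amount

    def withdraw_vulnerable(self, leaf, proof):
        # Proves the leaf is in the notarized tree, then trusts whatever it decodes to.
        if not verify_inclusion(leaf, proof, self.notarized_root):
            raise ValueError("invalid proof")
        _kind, _dest, recipient, amount = decode_leaf(leaf)
        return self._release(leaf, recipient, amount)

    def withdraw_hardened(self, leaf, proof):
        # Same proof check, plus: the proven object must be an export aimed at this bridge.
        if not verify_inclusion(leaf, proof, self.notarized_root):
            raise ValueError("invalid proof")
        kind, dest, recipient, amount = decode_leaf(leaf)
        if kind != KIND_BRIDGE_EXPORT or dest != BRIDGE_ID:
            raise ValueError("proven data is not a bridge export")
        return self._release(leaf, recipient, amount)

def run_demo():
    honest = "0x" + "11" * 20
    attacker = "0x" + "aa" * 20
    # Constructed block: one genuine 10-unit export and one ordinary output whose
    # sender-chosen payload mimics an export of 1,000,000 units to the attacker.
    fake_payload = (BRIDGE_ID.ljust(9, b"\x00") + bytes.fromhex(attacker[2:])
                    + struct.pack(">Q", 1_000_000))
    leaves = [encode_export(honest, 10), encode_plain_output(fake_payload)]
    root = merkle_root(leaves)
    results = {}
    for name in ("vulnerable", "hardened"):
        bridge = Bridge(notarized_root=root, reserve=1_500_000)
        withdraw = getattr(bridge, "withdraw_" + name)
        results[name + "_honest"] = withdraw(leaves[0], merkle_proof(leaves, 0))
        try:
            results[name + "_attack"] = withdraw(leaves[1], merkle_proof(leaves, 1))
        except ValueError as e:
            results[name + "_attack"] = str(e)
        results[name + "_reserve"] = bridge.reserve
    return results

if __name__ == "__main__":
    print(run_demo())
```

Both versions accept the honest export. The vulnerable bridge also pays the attacker's ordinary output, because inclusion in a notarized tree says nothing about what the included bytes are; the hardened bridge rejects it on the kind and destination check before any funds move. The same question applies to any bridge design: after the proof verifies, what guarantees that the proven object was created by the logic you trust to authorize a release?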

2. Trusted Volumes: Signature Parameter Flaw

The attacker exploited a flaw in the design of the signature used in TrustedVolumes' request-for-quote (RFQ) flow. By customizing the signed data, they set the party whose funds are transferred to TrustedVolumes' own Resolver contract; the signature check passed and assets were transferred out of the Resolver contract for profit.

Vulnerable code section (shown as an image in the original):

The authorization check referenced varg4, while the fund transfer used other parameters. Because nothing tied the two together, the address whose signature authorized the order and the address actually debited could differ.

The attacker therefore only needed to sign an order from a registered signer address with maker = Exploit (the field the signature verification covers), while setting the other signed parameters (token, amount) to arbitrary values, for example a 1:1 fake order that passes the price oracle's reasonableness check, and then drain assets from the protocol contract:
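The signer/payer mismatch described above can be reproduced with a small settlement model. This is an added example, not TrustedVolumes code: the Order fields, the Resolver and signer addresses, the HMAC-based toy signature (a stand-in for ECDSA recovery over an EIP-712 digest, which the real contract would use) and the oracle price table are all assumptions. The vulnerable fill verifies the signature against order.maker but pulls the sold tokens from order.payer; the hardened fill refuses any order whose payer is not the signer.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Toy signing scheme (assumption): each registered signer shares an HMAC key with the
# settlement contract. Production code uses ECDSA recovery; the binding bug is the same.
RESOLVER = "0xResolver"      # protocol contract holding inventory (assumed name)
MAKER_A = "0xMakerA"
ATTACKER = "0xAttacker"
SIGNER_KEYS = {MAKER_A: b"key-maker-a", ATTACKER: b"key-attacker"}  # registered signers
ORACLE_PRICE = {("USDC", "USDT"): 1.0}                               # constructed oracle

@dataclass(frozen=True)
class Order:
    maker: str        # address whose signature authorises the order
    payer: str        # address the sold tokens are pulled from (the unbound extra field)
    sell_token: str
    sell_amount: int
    buy_token: str
    buy_amount: int

def digest(order: Order) -> bytes:
    return hashlib.sha256(json.dumps(asdict(order), sort_keys=True).encode()).digest()

def sign(order: Order, key: bytes) -> bytes:
    return hmac.new(key, digest(order), hashlib.sha256).digest()

def verify(order: Order, sig: bytes, signer: str) -> bool:
    key = SIGNER_KEYS.get(signer)
    return key is not None and hmac.compare_digest(sign(order, key), sig)

def price_ok(order: Order, tolerance: float = 0.02) -> bool:
    """Reject orders whose implied price deviates more than `tolerance` from the oracle."""
    ref = ORACLE_PRICE.get((order.sell_token, order.buy_token))
    if ref is None:
        return False
    implied = order.buy_amount / order.sell_amount
    return abs(implied - ref) / ref <= tolerance

class Settlement:
    def __init__(self, balances):
        self.balances = {addr: dict(bal) for addr, bal in balances.items()}

    def _move(self, src, dst, token, amount):
        if self.balances.get(src, {}).get(token, 0) < amount:
            raise ValueError(f"{src} lacks {amount} {token}")
        self.balances[src][token] -= amount
        self.balances.setdefault(dst, {})
        self.balances[dst][token] = self.balances[dst].get(token, 0) + amount

    def _authorise(self, order, sig):
        if not verify(order, sig, order.maker):
            raise ValueError("bad signature")
        if not price_ok(order):
            raise ValueError("price out of band")

    def fill_vulnerable(self, order, sig, taker):
        self._authorise(order, sig)
        # The signature proved order.maker agreed, but tokens are pulled from order.payer.
        self._move(order.payer, taker, order.sell_token, order.sell_amount)
        self._move(taker, order.maker, order.buy_token, order.buy_amount)

    def fill_hardened(self, order, sig, taker):
        self._authorise(order, sig)
        if order.payer != order.maker:
            raise ValueError("payer must be the signer")
        self._move(order.maker, taker, order.sell_token, order.sell_amount)
        self._move(taker, order.maker, order.buy_token, order.buy_amount)

def run_demo():
    start = {RESOLVER: {"USDC": 1_000_000}, ATTACKER: {"USDT": 1_000}}
    # Constructed attack order: 1:1 USDC/USDT so the oracle check passes; payer is the Resolver.
    # The attacker also acts as taker, so the buy leg just moves USDT between their own accounts.
    order = Order(maker=ATTACKER, payer=RESOLVER, sell_token="USDC", sell_amount=1_000,
                  buy_token="USDT", buy_amount=1_000)
    sig = sign(order, SIGNER_KEYS[ATTACKER])
    out = {}
    for name in ("vulnerable", "hardened"):
        s = Settlement(start)
        try:
            getattr(s, "fill_" + name)(order, sig, taker=ATTACKER)
            out[name] = "filled"
        except ValueError as e:
            out[name] = str(e)
        out[name + "_resolver_usdc"] = s.balances[RESOLVER]["USDC"]
        out[name + "_attacker"] = s.balances[ATTACKER]
    return out

if __name__ == "__main__":
    print(run_demo())
```

The signature, the signer registry and the price check all pass in both versions; only the binding between the authorised account and the debited account differs. A fill that can be repeated with fresh orders drains the Resolver one fair-priced order at a time, which is why "the price looked reasonable" is not a defence when the wrong party is paying.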


3. Private Key Leak Incident Example: StablR

In May, multiple private key leak incidents caused total losses of over 25 million USD. Among them, StablR, a compliant stablecoin issuer, became a cautionary example of security governance in the stablecoin and DeFi sectors.

StablR has launched two compliant stablecoin products, EURR and USDR. The multi-signature wallet controlling EURR minting is 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc, and the multi-signature wallet controlling USDR minting is 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3.

Because both multi-signature wallets required only one signature to execute a transaction, compromising a single owner key was enough. The attacker gained control of the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d and used it to add the address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 as an owner of both wallets, thereby taking control of the project's minting permissions:

This type of incident stems not from a code vulnerability but from the project's operational security: failing to properly secure the private keys of privileged addresses, not using a high-threshold multi-signature for high-value or high-risk operations, having no time lock on large minting operations, and lacking a rapid emergency response mechanism.
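The three governance controls named above (signing threshold, time lock, and the response window a time lock buys) can be compared directly in a small model. This is an added example, not StablR's deployment and not Safe's contract code: the owner keys K1 to K3, the 100,000-unit large-mint cap and the one-day delay are assumptions. The attacker scenario holds exactly one owner key, as in the incident, and tries to add its own address and then mint.

```python
from dataclasses import dataclass, field

@dataclass
class Proposal:
    action: str                          # "add_owner" or "mint"
    arg: object                          # address to add, or amount to mint
    proposed_at: int                     # unix-style timestamp (toy clock)
    confirmations: set = field(default_factory=set)
    executed: bool = False

class MintMultisig:
    """Toy owner-threshold multisig that governs a stablecoin minter (assumed design)."""

    def __init__(self, owners, threshold, large_mint_cap, delay):
        assert 1 <= threshold <= len(owners)
        self.owners = set(owners)
        self.threshold = threshold
        self.large_mint_cap = large_mint_cap   # mints above this must wait `delay`
        self.delay = delay                     # also applied to owner-set changes
        self.minted = 0
        self.proposals = []

    def _require_owner(self, who):
        if who not in self.owners:
            raise PermissionError(f"{who} is not an owner")

    def propose(self, who, action, arg, now):
        self._require_owner(who)
        self.proposals.append(Proposal(action, arg, now, {who}))
        return len(self.proposals) - 1

    def confirm(self, who, pid):
        self._require_owner(who)
        self.proposals[pid].confirmations.add(who)

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.executed:
            raise ValueError("already executed")
        have = len(p.confirmations & self.owners)
        if have < self.threshold:
            raise PermissionError(f"{have} of {self.threshold} confirmations")
        high_risk = p.action == "add_owner" or (p.action == "mint" and p.arg > self.large_mint_cap)
        if high_risk and now < p.proposed_at + self.delay:
            raise PermissionError("timelock not elapsed")
        if p.action == "add_owner":
            self.owners.add(p.arg)
        elif p.action == "mint":
            self.minted += p.arg
        else:
            raise ValueError("unknown action")
        p.executed = True
        return p.action

def attacker_with_one_key(threshold, delay):
    """Attacker holds only K1, tries to add ATTACKER as owner and then mint 10,000,000."""
    ms = MintMultisig(["K1", "K2", "K3"], threshold, large_mint_cap=100_000, delay=delay)
    steps = []
    try:
        pid = ms.propose("K1", "add_owner", "ATTACKER", now=0)
        ms.execute(pid, now=0)
        steps.append("owner added")
        pid = ms.propose("ATTACKER", "mint", 10_000_000, now=0)
        ms.execute(pid, now=0)
        steps.append("minted")
    except PermissionError as e:
        steps.append(f"blocked: {e}")
    return steps, ms.minted, "ATTACKER" in ms.owners

def legitimate_large_mint():
    """2-of-3 plus a one-day delay: a large mint goes through, but not immediately."""
    ms = MintMultisig(["K1", "K2", "K3"], 2, large_mint_cap=100_000, delay=86_400)
    pid = ms.propose("K1", "mint", 500_000, now=0)
    ms.confirm("K2", pid)
    try:
        ms.execute(pid, now=3_600)       # too early: the delay is the response window
    except PermissionError:
        pass
    ms.execute(pid, now=86_400)
    return ms.minted

if __name__ == "__main__":
    print(attacker_with_one_key(threshold=1, delay=0))
    print(attacker_with_one_key(threshold=2, delay=0))
    print(attacker_with_one_key(threshold=1, delay=86_400))
    print(legitimate_large_mint())
```

With threshold 1 and no delay, one leaked key adds the attacker and mints without resistance, which is the StablR sequence. Raising the threshold to 2 stops the owner addition outright, and even a 1-of-3 wallet with a one-day delay on owner changes and large mints leaves the legitimate owners a window to rotate the compromised key before anything executes. Checking the real threshold and owner list of a privileged multisig is a one-call read on chain and belongs in any review of a minter's governance.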

Trends in Web3 Security Threats

The deepest trend in Web3 security in 2026 is the systematic expansion of the attack surface. Vulnerabilities are emerging simultaneously in code, infrastructure, interactive operations and human processes. Relying solely on multiple security audits or tooling cannot cover operational security, employee endpoints, cloud infrastructure, the software supply chain and similar areas, which raises the bar for the continuous operational security of Web3 projects.

Attacks on old or abandoned contracts are also frequent, since vulnerabilities in them are easy for attackers to exploit. Contract developers and operators should re-examine the security of earlier contracts, promptly deal with or transfer any residual funds in abandoned contracts, and contact users to revoke unnecessary approvals. Users should likewise use block explorers or revocation tools regularly to check for and cancel approvals to contracts they no longer use.

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com and the platform's staff will investigate.
