BlockThreat - Week 17, 2026
Litecoin and the anatomy of a botched patch, multiple private key compromises, a surprise spike in oracle misconfiguration and signature validation exploits, latest in phishing and supply chain attacks, security research and tooling.
This is one of those bittersweet weeks where I'm overjoyed with pride and grieving over numerous mistakes in our ecosystem at the same time. For all of our sanity after last week's pillaging, let's start with the good news.
DeFi United
It's been genuinely inspiring to watch the ecosystem rally after the most damaging incident of 2026, the LayerZero/KelpDAO hack. Aave's Stani kicked it off with 5,000 ETH to the DeFi United initiative to help close the gap left by the rsETH depeg. Arbitrum, Consensys, Mantle, AAVE, EtherFi, and many others followed with thousands of ETH in donations and loans. But what's stayed with me most are the hundreds of $10 and $20 donations from regular folks across the ecosystem. People who just wanted to make history in community self-healing.
Ethereum Security QF Round
In the middle of all the hacks, Giveth and TheDAO went live with the Ethereum Security QF round to run a not so radical experiment: what if instead of spending millions on incident response and post-hack cleanup, we invested in the security ecosystem to prevent hacks from happening in the first place? More than 112 projects have collected a combined $38K at the time of writing, all supported by a massive 500 ETH matching pool:
https://qf.giveth.io/qf/ethereum-security
I'd highly encourage you to visit the Giveth project page and donate to a few projects. As a reminder, Quadratic Funding (QF) isn't the usual "donate what you can" model. The matching formula rewards the number of unique contributors, not the total dollars raised. Ten people giving $10 each pulls significantly more from the 500 ETH matching pool than one person giving $100.
There are numerous other projects that have helped advance the state of blockchain security. Here are just a few projects that you should explore:
The Red Guild is a premier ethical hacker collective that gifted the community projects like Damn Vulnerable DeFi, The Phishing Dojo, and many others.
SEAL911, SEAL Frameworks, SEAL Safe Harbor, SEAL Intel, SEAL Certifications are just some of the initiatives from the Security Alliance which is a true gift to the DeFi community.
Rekt is definitely my personal favorite. It has fantastic deep dives into the most dangerous exploits, authored documentaries, recently hosted a security summit, and many other initiatives to inform the community all with an unmistakable journalistic style.
ZachXBT is a master onchain investigator that I frequently mention in the newsletter. It's hard to count just how many bad guys he helped put behind bars while making our ecosystem safer.
tanuki42 a pseudonymous security researcher and a real DPRK slayer. Helped expose DPRK operatives like Nick L Franklin and many campaigns.
CypherTalk Podcast is a fantastic new podcast covering the blockchain security industry with highly organized and dedicated hosts.
Bitfinding is a fun crew that keeps on frontrunning attackers and helps recover stolen funds like $1M Intercepted from the Balancer Hack.
DeFiMon is another group that not only monitors onchain exploits, but actually steps in and recovers stolen funds such as $1.8 saved from the Foom Cash hack, $512K infinite approvals rescue from the SquidRouter incident, and many others.
Safe Multisig Hashes is pcaversaccio's project to fight back against Bybit-style attacks.
defihacklabs - Massive community dissecting past exploits with complete PoCs.
I could keep going until I've covered every single project and why it matters, but I'd rather you explore them yourself.
BlockThreat is also in the round. If you've benefited from reading BlockThreat and want to support its continued work, a $5 or $10 donation goes a long way. Your contributions will sponsor free annual subscriptions for students, independent researchers, and small projects who can't afford the paid tier.
https://qf.giveth.io/project/blockthreat
There are more things to celebrate, but unfortunately this week also had some dark moments. Almost $24M were stolen this week across 15 incidents with no signs of attackers slowing down after an already rough last week. In this edition we will the Litecoin infinite mint hack, multiple projects failing to verify signatures, and yet another costly "misconfiguration" by an AI-coded project on Base, and more.