BlockThreat - Week 20, 2026

$29M stolen across 13 incidents, multiple supply chain compromises, and three bridge hacks in a single week show what happens when attacker incentives keep rising while defenses fall behind.

More than $29M was stolen across 13 incidents, but the dollar figure is not the most alarming part. The real concern is the growing complexity and variety of the compromises. This week’s incidents ranged from advanced cryptographic flaws and broken signature verifications in bridges to subtle logic errors across not only EVM chains, but also TON, Adshares, and other ecosystems.

Attacker capabilities keep improving while the economic incentives for ethical hacking continue to shrink. That combination is pushing both the impact and frequency of incidents in the wrong direction.

Thank you to everyone who supported BlockThreat in the Ethereum Security QF Round! All funds raised will go directly toward providing free BlockThreat subscriptions to students, new security researchers, and small public goods projects that may not otherwise have access. Your generous contributions will help keep high quality threat intelligence sustainable and accessible to the people who need it most. More details soon.

ThorChain Bridge Hack

One of the major losses this week did not come from yet another smart contract exploit, but from an advanced cryptographic attack against ThorChain ($11M). The leading theory is a weakness in its GG20-based TSS implementation, where a cryptographic flaw allowed a malicious participant to extract enough ECDSA key share material to reconstruct a vault key. This class of vulnerability was not exactly unknown: Fireblocks previously documented GG18/GG20 Paillier key extraction issues, and Verichains' TSSHOCK research explicitly called out risks in BNB Chain's tss-lib, which was adopted by ThorChain and others.

What makes this incident even more concerning is the disclosure context around it. ThorChain had six prior incidents in the past five years with more than $16M in losses. Clearly this is a complex codebase and complex systems inevitably have vulnerabilities. But instead of expanding incentives to attract more serious review for roughly $100M in protected assets, ThorChain replaced its bug bounty program with unpaid responsible disclosure:

That decision looks especially dangerous as ThorChain received significant publicity last month as a preferred gateway for moving stolen assets by DPRK threat actors. It was almost inevitable that someone would take a closer look at the protocol. Unfortunately, it was also entirely predictable that someone finding a high-impact vulnerability would compare the non-existent reward from responsible disclosure against the reward from exploitation and choose the latter.

Adshares Bridge Hack

The Adshares protocol suffered a $628K hack last week due to a signature verification exploit. An attacker submitted multiple bridge calls referencing non-existent transaction IDs on the Adshares chain which were accepted without any verification. Not a complicated exploit, but just as effective.

Like other protocols compromised this week, Adshares had no active bug bounty program, only a planned $100K shared grant intended to cover developer tooling, infrastructure, end-user apps, integrations, and a bug bounty program.

Instead of a formal bug bounty program it opted for the usual post-hack negotiations:

Verus Bridge Hack

The Verus bridge exploit brought Nomad-style attacks back in style. The bridge correctly verified state roots, Merkle proofs, etc., but never checked the source-chain amounts. The attacker submitted a specially crafted transaction committing to empty totals, then claimed $11.58M on the Ethereum side. Kudos to Blockaid for figuring out the root cause and an amazing presentation:

Verus doesn't have a hint of an active bug bounty program. While we are waiting for the usual "whitehat" offer (it's been hours), an anonymous EOA posted an on-chain message venting the frustration felt across the security research community:

Three bridges, three hacks, all in one week. The lesson is that we now live in an age of advanced security operators uncovering increasingly complex vulnerabilities in increasingly unusual places. The ecosystem is still struggling to adapt and build stronger defenses, but this is precisely the wrong time to ignore one of the few controls that work: paid bug bounty programs.

This is the exact incentive failure I wrote about days prior to the exploit in The Breaking Point of Ethical Security Research. Once again, these hacks were not hard to predict. The technical bug may have lived in cryptography or signature verification logic, but the deeper root cause was a broken incentive structure that produced predictable outcomes. Every project has bugs and always will. The question is whether you make it rational for researchers to report them before attackers exploit them.
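The Adshares and Verus failures share one shape: the bridge either skipped verification of the referenced source transaction or verified the inclusion proof but never bound the amount it released to what the source chain had committed. The Python model below is an added example, not code from Adshares, Verus or any bridge; it assumes a simplified export commitment (hash of tx id, recipient, amount) and a plain SHA-256 Merkle tree, and puts the unchecked-amount release next to the hardened version.

```python
import hashlib

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def leaf_hash(tx: str, to: str, amount: int) -> bytes:
    # Commitment to one source-chain export (simplified model, not any real bridge's format).
    return h(f"{tx}|{to}|{amount}".encode())

def build_tree(leaves):
    """Return (root, proofs); proofs[i] is a list of (sibling_hash, sibling_is_left)."""
    level, owners = list(leaves), [[i] for i in range(len(leaves))]
    proofs = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:                       # odd level: duplicate the tail node
            level.append(level[-1]); owners.append([])
        nxt, nxt_owners = [], []
        for j in range(0, len(level), 2):
            left, right = level[j], level[j + 1]
            for i in owners[j]:     proofs[i].append((right, False))
            for i in owners[j + 1]: proofs[i].append((left, True))
            nxt.append(h(left + right)); nxt_owners.append(owners[j] + owners[j + 1])
        level, owners = nxt, nxt_owners
    return level[0], proofs

def verify_proof(leaf: bytes, proof, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(sibling + node) if sibling_is_left else h(node + sibling)
    return node == root

def vulnerable_release(claim: dict, root: bytes) -> int:
    leaf = leaf_hash(claim["tx"], claim["to"], claim["committed"])
    if not verify_proof(leaf, claim["proof"], root):
        raise ValueError("bad proof")
    return claim["claimed"]                      # BUG: never compared with the committed amount

def hardened_release(claim: dict, root: bytes) -> int:
    leaf = leaf_hash(claim["tx"], claim["to"], claim["committed"])
    if not verify_proof(leaf, claim["proof"], root):
        raise ValueError("bad proof")            # claim references an export that never happened
    if claim["committed"] <= 0:
        raise ValueError("empty totals")         # a zero-value export is not a credit
    if claim["claimed"] != claim["committed"]:
        raise ValueError("amount mismatch")      # release exactly what the source chain locked
    return claim["claimed"]

# Constructed sample: two honest exports plus an attacker's zero-value export, all in the root.
EXPORTS = [("tx1", "alice", 500), ("tx2", "bob", 250), ("tx3", "mallory", 0)]
ROOT, PROOFS = build_tree([leaf_hash(*e) for e in EXPORTS])
ATTACK = {"tx": "tx3", "to": "mallory", "committed": 0, "claimed": 11_580_000, "proof": PROOFS[2]}
```

With a valid proof for a zero-value export, `vulnerable_release(ATTACK, ROOT)` pays out the full claimed amount, while `hardened_release` rejects it on the empty totals before the amount comparison is even reached.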

This week’s edition features the latest batch of supply chain attacks, malware campaigns, and 0days that you need to patch immediately. It also includes writeups and postmortems for all 13 incidents tracked this week along with the usual bountiful selection of security research and tooling for bug bounty hunters, onchain sleuths, defenders, and AI cowboys. Keep reading and maybe you too will spot the next multimillion dollar hack hiding in the wealth of research, observations, and easy to miss small incidents before it is too late.

Let’s dive into the news!