BlockThreat - Week 4, 2026
Makina | HypuurFi | SwapNet | Aperture | Cosmos | SagaEVM | USMS
Greetings!
More than $28M was stolen this week across eight incidents. From arbitrary call vulnerabilities to infinite mint bugs, it was a particularly rough week. Let’s break down a few of the most notable hacks.
HypuurFi, SwapNet, and Aperture Finance were hit by arbitrary external call exploits, draining users of roughly $17 million in a single day. Notably, the last two had no source code and were exploited shortly after deployment. We’ve long observed that attackers are becoming increasingly sophisticated with onchain vulnerability scanners. Now, we see they not only can detect bugs in raw EVM code but also wait patiently for the most opportune moment to strike exactly as I discussed in my recent DSS talk on watering hole contracts.
If you are not familiar with this attack vector, below is a snippet from the vulnerable HypuurFi contract:
function swapAndDeposit(
address swapRouter, // arbitrary call address
bytes calldata swapData, // malicious input
address vault,
address tokenIn,
uint256 amountIn,
address tokenOut,
address receiver
) public payable {
// Execute swap (tokens come to gateway)
if (!_isNativeToken(tokenIn)) {
IERC20(tokenIn).safeTransferFrom(msg.sender, address(this), amountIn);
IERC20(tokenIn).safeIncreaseAllowance(swapRouter, amountIn);
}
// VULNERABILITY: v----- Tainted user input ----v
(bool success,) = swapRouter.call{value: msg.value}(swapData);
require(success, "Swap failed");
// Deposit swapped tokens
uint256 balance = IERC20(tokenOut).balanceOf(address(this));
_deposit(vault, tokenOut, balance, receiver);
}The easiest way for developers to catch this bug class is to consider all user input malicious and never pass it along without any constraints to call() or equivalent.
It’s hard to blame users for this hack as they were using DeFi protocols exactly as we encourage them including infinite allowances without any mechanism to revoke them. Perhaps it should be up to wallets to step up and help users clean up these long-lasting approvals just like our password managers frequently remind us to change compromised or weak passwords. In the meantime, bookmark http://revoke.cash and try to visit it on a quarterly/monthly basis.
There’s some hope that the attackers behind these incidents will eventually slip up and face swift justice. It happens to all of them sooner or later. In the meantime, check out this week’s sponsor and the good guys behind Anchain.ai, who are working hard to track down bad actors and help make our ecosystem a bit safer for us all.
AI-native Crypto Intelligence Data
AnChain.AI Data delivers institution grade cryptocurrency data API and MCP for AML, fraud compliance, growth analytics and beyond.
$200 Promo Code (By 2/28): AINATIVECRYPTODATA
Cosmos ecosystem is know for some of the nastiest blockchain-level bugs including infinite minting, reentrancy, and others. This week, SagaEVM became the victim to one such critical vulnerability. Attackers exploited an infinite-mint bug to generate assets out of thin air, stealing over $7M. Although the chain was halted, the attackers had already bridged out the available liquidity.
In other news, son of a company owner tasked with managing US Marshal Service’s seized crypto assets (including from Bitfinex hack) managed to steal $40M. ZachXBT was able to pin down the perp after he leaked his wallets on Telegram.
Let’s dive into the news!
News
- ‘Bad actor’ Circle slammed for letting stolen $3M USDC sit unfrozen. Funds stolen in the SwapNet hack sat in attacker’s wallet for more than 8 hours.
- CertiK eyes IPO at $2 billion valuation as it targets ‘first public web3 cybersecurity’ listing. The IPO brought many shenanigans the company pulled in the past.
- Ethereum Foundation forms post-quantum security team, adds $1 million research prize.
- Max severity Ni8mare flaw impacts nearly 60,000 n8n instances.
- Starknet’s Paradex Rollback Raises Hard Questions After Pricing Glitch Triggers Liquidations.
- Starknet chain halted. Incident Report – January 5, 2026.
- The Bitrace 2026 Crypto Crime Report.
- Anchain Digital Asset Risk Annual Report 2025. The rise of AI-Driven Crypto Fraud.
Crime
- ZachXBT Uncovers Crypto Theft Network Linked to US Government Seizure Funds by TRM. More than $40M stolen from assets seized by US Marshals Service including funds recovered from the Bitfinex hack.
- Crypto sleuth links $500M in Iranian USDT to stolen Bybit funds. tanuki42 was able to confirm that $500M USDT moving through Nobitex were indeed North Korean.
- The Central Bank of Iran has acquired US dollar stablecoins worth at least half a billion dollars by Dr. Tom Robinson (Elliptic).
- Criminal ring nabbed for alleged laundering of 150 bln won of cryptocurrency.
- Illicit Crypto Economy Surges as Nation-States Join in the Fray.
- Former Olympian Snowboarder Ryan Wedding Arrested in Major Transnational Criminal Case Spanning Drugs, Violence, and Crypto Laundering by TRM.
- Guernsey Authorities Seize $11.4M Tied to ‘Cryptoqueen’ OneCoin Fraud.
- Cambodian scam rings facing disruption since kingpin’s arrest. However, it is only the matter of time until same groups reemerge.
- French crypto tax firm targeted in ShinyHunters extortion attempt. Waltio compromise along with the rogue tax agent makes France even more dangerous for any crypto owners.
- I hacked a Bitcoin exchange for $10 billion. Here’s what happened by Ilya Lichtenstein (@cipherstein).
- Caroline Ellison, former Alameda and FTX executive, released after 14 months.
Policy
- Russia Bans WhiteBIT, Deeming Crypto Exchange ‘Undesirable’ Over Ukraine Support.
- Nomad hack: Crypto advocacy groups slam FTC ‘kill switch’ proposal.
Phishing
- Contagious Interview: Tracking the VS Code Tasks Infection Vector by Abstract Security.
- How to Get Scammed (by DPRK Hackers) by OZ.
- Threat Actors Expand Abuse of Microsoft Visual Studio Code by Jamf.
Malware
- Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers.
- A spreading infection in the wild, of what seems to be a DPRK-related module, in Switzerland and Belgium by Moonlock Lab.
- DeadLock Ransomware: Smart Contracts for Malicious Purposes by Group IB.
- PyPI Package Impersonates SymPy to Deliver Cryptomining Malware by Kirill Boychenko (Socket).
- From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers by Ahmed Mohamed Ibrahim (Trendmicro).
- SlowMist flags Linux Snap Store attack targeting crypto seed phrases.
Media
- Don’t Get Rekt - Ep05 With @nicksdjohnson (ENS) Outages, DNS attacks, quiet points of failure.
- bountyhunt3rz - Episode 33 - philbugcatcher.
- Inside a Teenage Crime Empire (This is a Billion Dollar Theft Ring).
- Stephen Sims - AI and its Impact on Offensive Security Roles in 2026.
Research
- Uncovering a Critical LLVM Compiler Bug in Aave V3 on ZKsync by John Toman (Certora).
- Minting Fees Out of Thin Air in zkSync Lite by Ehsan.
- A >$10M protocol drain missed in an audit contest - vulnerability write-up by samuraii77.
- Getting Rounding Right in DeFi by Josselin Feist
- How to go from 0 to a paid Web3 auditor in 1 year by CD Security.
- A Security-Centric Analysis of Perpetual DEX Evolution and a Blueprint for Resilience by Tanuj Soni (Hacken).
- Move Smart Contract Audit Checklist by Arda Usman (Hacken).
- Uniswap v4 Architecture & Security Analysis: Hooks, Singleton, Flash Accounting by M3D (Zealynx).
- We discovered a new CPIMP variant which tricks @etherscan proxy detection by Defimon Alerts.
- New evm bytecode anti analysis technique dropped by LCFR. Turns out AI magic strings could be useful. What about an injected prompt?
- Zero to Lend by Rekt. A dive into previously undisclosed ZeroLend exploit.
- Bug Bounty Masterclass by Wiz.
- Leveraging VSCode internals to escape containers by matta (The Red Guild).
- Reconstructing EVM Bytecode Part 1 and Part 2 by Fade.
- Certora Formal Verification Resources by alexzoid.
- On the Coming Industrialisation of Exploit Generation with LLMs by Sean Heelan.
- Awesome AI Security by ottosulin.
- From Transactions to Exploits: Automated PoC Synthesis for Real-World DeFi Attacks.
- Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis.
- Zer0n: An AI-Assisted Vulnerability Discovery and Blockchain-Backed Integrity Framework.
- Towards Compositional Generalization in LLMs for Smart Contract Security: A Case Study on Reentrancy Vulnerabilities.
- Examining the Effectiveness of Transformer-Based Smart Contract Vulnerability Scan.
- AI Agent Smart Contract Exploit Generation.
- NATLM: Detecting Defects in NFT Smart Contracts Leveraging LLM.
- UEChecker: Detecting Unchecked External Call Vulnerabilities in DApps via Graph Analysis.
- A Risk-Stratified Benchmark Dataset for Bad Randomness (SWC-120) Vulnerabilities in Ethereum Smart Contracts.
- Enforcing Control Flow Integrity on DeFi Smart Contracts.
- Security Vulnerabilities in Ethereum Smart Contracts: A Systematic Analysis.
- USCSA: Evolution-Aware Security Analysis for Proxy-Based Upgradeable Smart Contracts.
- AI-Based Vulnerability Analysis of NFT Smart Contracts.
- What You Trust Is Insecure: Demystifying How Developers (Mis)Use Trusted Execution Environments in Practice.
- On the Effectiveness of Mempool-based Transaction Auditing.
Tools
- ENS community dataset on Google Cloud BigQuery.
- EVM Chronicle - EVM Storage Explorer. Introducing EVM Storage Chronicle: Rebuilding a Missing Piece of Ethereum Infrastructure.
- Fuzztools by nethoxa. Transaction fuzzer, Noir fuzzer, and Struct-aware fuzzing framework.
- Crossbow - World’s First AI Security Engineer. Finds and exploits vulnerabilities, performs SOC operations, forensics, and threat intelligence.
- An Introduction to Eloizer: A Static Analyzer for Solana programs by Inversive Labs.
Hacks
SynapLogic Compromise
Date: January 19, 2026
Attack Vector: Function Parameter Validation
Impact: $186,000
Chain: Base
References:
- https://x.com/CertiKAlert/status/2013440963851755610
- https://x.com/Phalcon_xyz/status/2013439544595562898
- https://x.com/SlowMist_Team/status/2013448818365473101
- https://x.com/hklst4r/status/2013440353844461979
Exploit:
Paradex Mithril Trading Bot Compromise
Date: January 20, 2026
Attack Vector: Stolen Private Keys
Chain: Ethereum
References:
Makina Gmak Compromise
Date: January 20, 2026
Attack Vector: Price Oracle Manipulation
Impact: $4,130,000
Chain: Ethereum
References:
- https://x.com/TenArmorAlert/status/2013460083078836342
- https://x.com/PeckShieldAlert/status/2013468943193645085
- https://x.com/CertiKAlert/status/2013473512116363734
- https://x.com/SlowMist_Team/status/2013506241776230897
- https://x.com/makinafi/status/2013502372505624608
- https://x.com/makinafi/status/2014079031423930710
Analysis:
- https://x.com/exvulsec/status/2013503874968232158
- https://x.com/Phalcon_xyz/status/2013502538239352970
- https://x.com/phalcon_xyz/status/2013506550493782222
- https://x.com/quillaudits_ai/status/2013527143662395622
- https://www.quillaudits.com/blog/hack-analysis/makina-4m-hack-explained
- https://www.certik.com/resources/blog/makina-incident-analysis
- https://rekt.news/makina-rekt
Recovery:
- https://x.com/PeckShieldAlert/status/2014517159226179901
- https://x.com/makinafi/status/2014349539847573565
Exploit:
SagaEVM Compromise
Date: January 21, 2026
Attack Vector: Infinite Minting
Impact: $7,000,000
Chain: Saga
References:
- https://x.com/kop0211/status/2013944298618990825
- https://x.com/cosmoslabs_io/status/2014428829423706156
- https://x.com/Sagaxyz__/status/2014426828207738920
- https://medium.com/sagaxyz/sagaevm-security-incident-investigation-update-29a1d2a6b0cd
Analysis:
- https://x.com/DefimonAlerts/status/2014005231311319154
- https://docs.google.com/document/d/1_kJDWMtXgm3bIZOxeHhb9TEOSfj84Ju4XVkeMPLom6o/edit?tab=t.0
- https://x.com/officer_secret/status/2014015959174963548
- https://x.com/hklst4r/status/2014016362054639943
- https://rekt.news/saga-rekt
Response:
Exploit:
- https://sagaevm.sagaexplorer.io/address/0x7D69E4376535cf8c1E367418919209f70358581E
- https://github.com/cometbft/cometbft/security/advisories/GHSA-c32p-wcqj-j677
AiPay Compromise
Date: January 23, 2026
Attack Vector: Price Oracle Manipulation
Impact: $30,100
Chain: BSC
References:
- https://x.com/TenArmorAlert/status/2014635710700019953
- https://x.com/nn0b0dyyy/status/2014664072713896359
Exploit:
HypuurFi Compromise
Date: January 25, 2026
Attack Vector: Arbitrary External Calls
Impact: $84,000
Chain: HyperEVM
References:
- https://x.com/defimonalerts/status/2015512978041549292
- https://x.com/androolloyd/status/2015436340117282949
Exploit:
Matcha Meta SwapNet Compromise
Date: January 25, 2026
Attack Vector: Arbitrary External Calls
Impact: $13,300,000
Chain: Base
Part of a series of attacks targeting whales with approvals to vulnerable contracts.
References:
- https://x.com/CertiKAlert/status/2015538759173919219
- https://x.com/matchametaxyz/status/2015542139791569260
- https://x.com/Phalcon_xyz/status/2015614087443697738
Exploit:
Aperture Finance Compromise
Date: January 25, 2026
Attack Vector: Arbitrary External Calls
Impact: $3,530,000
Chain: Base,Ethereum,Arbitrum,BSC
Part of a series of attacks targeting whales with approvals to vulnerable contracts.
References:
- https://x.com/ApertureFinance/status/2015565097884864850
- https://x.com/Phalcon_xyz/status/2015614087443697738
- https://x.com/blockaid_/status/2015490998248284463
- https://x.com/pashov/status/2015529126937977344
Exploit: