Greetings!
More than $60M was stolen this week across six incidents. Smart contract exploitation has returned with a vengeance. Attack vectors such as price oracle and reward manipulation, function parameter validation flaws, and others netted attackers millions of dollars. Let’s examine some of the most notable compromises.
As in previous weeks, one of the largest hacks involved private key theft, but this one had a twist. Dexx, a trading terminal for memecoins on Solana, stores its users' private keys on the platform's side. Custodial key storage concentrates risk: a single compromise of the platform exposes every user's keys at once. When Dexx was hacked, thousands of user wallets were drained, resulting in losses of at least $21M.
Now, onto smart contract hacks. A long-standing debate continues over which smart contract platform is safer. The massive $25.5M Thala compromise on the Aptos chain underscores a critical observation: Move's compiler-level safety guarantees won't protect against a rushed patch that breaks the protocol's LP pricing updates. Language-level safety covers memory and resource handling, not the economic logic layered on top of it.
Price oracle issues impacted three projects this week, with Polter Finance hit the hardest. A classic price oracle manipulation of an LP pool, in which the protocol read the pool's spot reserves as its price feed, led to a $7M theft on the Fantom chain. Meanwhile, ZK Finance took price oracle exploitation to a new level by hardcoding the WBTC price to $58K during a post-election rally. Oops.
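To make the "classic" LP oracle manipulation concrete, here is an added simulation written for this issue; it is not code from any of the protocols above and does not model Polter's actual contracts, flash-loan sizes or prices. All reserves, loan amounts and the 75% LTV are invented for the illustration. It shows why reading `reserve1 / reserve0` from a constant-product pool as the collateral price is fatal, why a multi-block TWAP is not moved by a single-block swap, and what a simple deviation guard (a check a practitioner would want in any lender that still consults spot) looks like:

```python
"""Constructed illustration of LP spot-price oracle manipulation.

Pool reserves, flash-loan size and LTV are invented for the demo; nothing
here models any specific protocol from this week's incidents.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y=k AMM. token0 is the collateral asset, token1 a stablecoin,
    so the pool's own spot price of token0 is reserve1 / reserve0."""
    reserve0: float
    reserve1: float
    fee_bps: int = 30

    def spot_price(self) -> float:
        return self.reserve1 / self.reserve0

    def swap1_for0(self, amount1_in: float) -> float:
        """Buy token0 with token1; returns token0 received. Buying pushes spot up."""
        net_in = amount1_in * (10_000 - self.fee_bps) / 10_000
        amount0_out = self.reserve0 * net_in / (self.reserve1 + net_in)
        self.reserve1 += amount1_in
        self.reserve0 -= amount0_out
        return amount0_out


class TwapOracle:
    """Arithmetic mean of the spot price over the last `window` completed blocks.
    A production cumulative-price TWAP is time-weighted, but the property that
    matters here is the same: one block's swap cannot move it much."""

    def __init__(self, window: int) -> None:
        self._obs: deque = deque(maxlen=window)

    def observe(self, price: float) -> None:
        self._obs.append(price)

    def price(self) -> float:
        return sum(self._obs) / len(self._obs)


def max_borrow(collateral_amount: float, price: float, ltv: float = 0.75) -> float:
    """Stablecoin a lender would extend against `collateral_amount` valued at `price`."""
    return collateral_amount * price * ltv


def price_is_sane(spot: float, reference: float, max_deviation_bps: int = 1_000) -> bool:
    """Deviation guard: refuse a spot price that strays more than
    max_deviation_bps (default 10%) from an independent reference price."""
    return abs(spot - reference) * 10_000 <= reference * max_deviation_bps


def run_scenario(flash_loan_usdc: float = 5_000_000.0) -> dict:
    # Hypothetical pool: 1,000 TOKEN against 1,000,000 USDC, i.e. 1 TOKEN = 1,000 USDC.
    pool = ConstantProductPool(reserve0=1_000.0, reserve1=1_000_000.0)
    twap = TwapOracle(window=30)
    for _ in range(30):                      # 30 quiet blocks of price history
        twap.observe(pool.spot_price())
    fair_price = pool.spot_price()

    # Attacker's single block: flash-borrow USDC and buy TOKEN to pump the spot price.
    token_bought = pool.swap1_for0(flash_loan_usdc)
    spot_after = pool.spot_price()
    # The swap has not completed a block yet, so the TWAP has not observed it.

    # Attacker posts the freshly bought TOKEN as collateral; each oracle values it.
    borrow_spot = max_borrow(token_bought, spot_after)   # lender trusting pool spot
    borrow_twap = max_borrow(token_bought, twap.price())  # lender trusting TWAP
    guard = price_is_sane(spot_after, twap.price())       # spot-vs-TWAP sanity check

    return {
        "fair_price": fair_price,
        "spot_after": spot_after,
        "twap": twap.price(),
        "flash_loan": flash_loan_usdc,
        "borrow_spot": borrow_spot,
        "borrow_twap": borrow_twap,
        "guard_allows_borrow": guard,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>20}: {value:,.2f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

With these invented numbers the 5M USDC flash loan pushes the pool's spot price from 1,000 to roughly 35,900 USDC per TOKEN, so a spot-fed lender would extend about 22M USDC against collateral that is worth well under 1M, which is the attacker's profit once the borrow is abandoned. The TWAP-fed lender offers about 625K, less than the flash loan, so the attack does not pay, and the deviation guard refuses the transaction outright. The same guard, pointed at a live reference, also fails closed when a feed is stale or hardcoded and has drifted away from the market.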
Detailed information about these incidents, along with insights into DeltaPrime, vETH, and other compromises, can be found in the premium section below.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!