Beosin: 36 Major Security Incidents in May Resulting in Over $76 Million in Losses

Author: Beosin

According to monitoring data from the Beosin Alert platform, in May 2026, the total losses from various security incidents amounted to approximately $76.15 million. A total of "36" major hacking incidents occurred, primarily due to contract vulnerabilities and private key leaks. Among these, 17 security incidents were caused by contract/network vulnerabilities, and 10 involved losses due to private key leaks. The code security and operational security of the DeFi ecosystem face severe challenges.

Top 10 Loss-making Protocols in May

The cross-chain bridge connecting the Verus L1 chain and Ethereum, the Verus-Ethereum Bridge, suffered the largest loss of $11.58 million due to a contract vulnerability. Echo Protocol was attacked due to a private key leak, allowing the attacker to mint 1000 eBTC (with a nominal value of approximately $76.7 million). However, due to liquidity constraints, the actual profit was about $5.13 million.

Types of Attacked Projects and Losses by Chain

The targets of attacks encompassed various types such as cross-chain bridges, decentralized exchanges, lending protocols, prediction markets, stablecoins, and ordinary users. Among these, cross-chain bridges suffered the highest total losses, reaching $27.995 million. Projects related to DeFi were attacked the most frequently, with a total of 14 incidents.

In May, the chain with the highest loss amount was Ethereum, with losses exceeding $48.76 million. Security incidents involving some cross-chain bridges and most DeFi protocols still primarily occurred on Ethereum. This was followed by BNB Chain, Monad, and TON. Additionally, security incidents occurred on Monero and Bitcoin, indicating a multi-chain trend in on-chain attacks.

Analysis of Major Security Incidents

1. Verus: Cross-chain Message Verification Flaw

The operation of the Verus-Ethereum Bridge involves a submitter providing proof data to indicate that a notary-confirmed eligible output exists on the Verus chain. The bridge contract verifies this and releases assets on Ethereum. The vulnerability lies in the fact that the bridge contract on the Ethereum side verifies the proof from the Verus chain but does not check whether the data corresponds to a valid original output. This allows an attacker to construct a fraudulent output that passes verification, enabling them to extract funds far exceeding their deposit.

The vulnerable code section:

The vulnerability in this incident is of the same type as those that caused the $320 million loss for Wormhole and the $190 million loss for Nomad in 2022, where the bridge verifies the message itself but not the underlying asset value.

2. Trusted Volumes: Signature Parameter Flaw

In this attack, the perpetrator exploited a design flaw in the signature process of TrustedVolumes' Request for Quote (RFQ) mechanism. By customizing signature data during the actual transfer, they set the transferor as TrustedVolumes' Resolver contract, which successfully passed verification, allowing them to transfer assets out of the Resolver contract for profit.

The vulnerable code section:

The authorization check referenced `varg4`, while the execution of the fund transfer referenced other parameters. The lack of validation led to a mismatch between the authorized signer domain and the actual debit address.

Therefore, the attacker only needed to sign an order with a registered signer address, where `maker = Exploit` (passing signature verification), and other signature parameters (token, amount) could be set to arbitrary values, such as a fake 1:1 order, allowing it to pass the reasonable price check of the price oracle, and subsequently drain assets from the protocol contract:

3. Private Key Leak Incidents, exemplified by StablR

Multiple private key leak incidents occurred in May, resulting in total losses exceeding $25 million. Among them, StablR, as a compliant stablecoin issuer, became a typical lesson in security governance for the stablecoin and DeFi sectors.

StablR launched two compliant stablecoin products: EURR and USDR. The multi-signature wallet controlling EURR minting was `0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc`; the multi-signature wallet controlling USDR minting was `0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3`.

Since transactions from these two multi-signature wallets required only 1 signature, the attacker, by controlling the owner address `0xC73fD562de86d7860EE636C20813Bcb2cF4D550d`, added the address `0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1` to the aforementioned two multi-signature wallets, thereby gaining control over the project's minting authority:

Such incidents are not about code vulnerabilities but rather operational security issues for the project team: failure to securely store private keys for privileged addresses, not using high-threshold multi-signatures for high-value/high-risk operations, lacking timelocks for large minting operations, and the absence of rapid emergency response mechanisms.

Web3 Security Threat Trends

The deepest trend in Web3 security in 2026 is the systemic expansion of the attack surface. Vulnerabilities are emerging simultaneously in code, infrastructure, interoperability, and human processes. Relying solely on a few security audits or tools cannot cover areas like operational security, employee endpoints, cloud infrastructure, and software supply chains. This imposes higher requirements on the continuous operational security of Web3 projects.

Furthermore, attacks targeting old/abandoned contracts are frequent, as vulnerabilities or authorizations within them are easily exploited. Contract developers or operators should re-examine the security of past contracts. For abandoned contracts, funds remaining in them should be processed or transferred promptly, and users should be contacted to revoke unnecessary authorizations. Users should also regularly use blockchain explorers or authorization revocation tools to check and cancel unused contract authorizations.