Beosin: 36 major security incidents in May, with total losses exceeding $76 million
Written by: Beosin
According to data from the Beosin Alert platform, in May 2026, the total losses from various security incidents amounted to approximately $76.15 million, with a total of 36 major hacking events. The main causes were smart contract vulnerabilities and private key leaks. Among these, 17 security incidents were due to contract or network vulnerabilities, and 10 incidents resulted from private key leaks. The code security and operational security of the DeFi ecosystem face severe challenges.
Top 10 Protocols by Losses in May
The cross-chain bridge Verus-Ethereum Bridge, which connects the Verus L1 chain and Ethereum, was attacked due to a smart contract vulnerability, resulting in the largest loss of $11.58 million. Echo Protocol was attacked via private key leakage, allowing attackers to mint 1,000 eBTC (with a paper value of about $76.7 million), but due to liquidity limitations, the actual profit was approximately $5.13 million.
Types of Attacked Projects and Losses by Chain
The attacked targets included cross-chain bridges, decentralized exchanges, lending protocols, prediction markets, stablecoins, and ordinary users. Cross-chain bridges suffered the highest losses, totaling up to $28 million, while DeFi-related projects were attacked most frequently, with 14 incidents in total.
Ethereum was the chain with the highest losses in May, exceeding $48.76 million; the security incidents affecting some cross-chain bridges and most DeFi protocols still occurred mainly on Ethereum. It was followed by BNB Chain, Monad, and TON, and incidents also occurred on Monero and Bitcoin, indicating a multi-chain attack trend.
Main Security Incident Analysis
The Verus-Ethereum Bridge works as follows: a submitter provides proof data showing that a qualifying output exists on the Verus chain and has been confirmed by notarization; once the bridge contract has verified this proof, the corresponding assets are released on Ethereum. The vulnerability is that although the Ethereum-side bridge contract verifies the proof from the Verus chain, it does not verify that the submitted data is a valid original output. An attacker could therefore craft fake outputs that passed verification and extract far more funds than they had deposited.
Code section with the vulnerability:
This vulnerability is similar to the ones behind Wormhole's $320 million loss and Nomad's $190 million loss in 2022: in each case the bridge verified the message itself but did not validate the underlying value of the funds it released.
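The "proof is verified, output is not" pattern described above, as an added illustrative model that is not the Verus bridge's code: notarization is modeled as a Merkle root over source-chain outputs, and the vulnerable release function is assumed to pay out a submitter-declared amount that the proof never covers, while the fixed version pays only what the proven output itself says.

```python
import hashlib
import json

# Added model of a lock-and-release bridge check; not the Verus bridge's code.
# Notarization is modeled as a Merkle root over serialized source-chain outputs.
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(output: dict) -> bytes:
    return h(json.dumps(output, sort_keys=True).encode())

def merkle(leaves, index):
    """Return (root, inclusion proof for leaves[index]); odd layers repeat the last node."""
    proof, layer = [], list(leaves)
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        proof.append((layer[index ^ 1], index % 2 == 0))  # (sibling, sibling on the right)
        layer = [h(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
        index //= 2
    return layer[0], proof

def verify_inclusion(leaf, proof, root):
    node = leaf
    for sibling, on_right in proof:
        node = h(node + sibling) if on_right else h(sibling + node)
    return node == root

def release_vulnerable(claim, notarized_root):
    # Proves that *some* output is notarized, then pays whatever the submitter
    # declares: the payout fields are never bound to the proven output.
    if not verify_inclusion(leaf_hash(claim["proven_output"]), claim["proof"], notarized_root):
        return None
    return claim["declared"]["recipient"], claim["declared"]["amount"]

def release_fixed(claim, notarized_root):
    # Pays only from the proven output; a payout that differs from it is rejected.
    proven = claim["proven_output"]
    if not verify_inclusion(leaf_hash(proven), claim["proof"], notarized_root):
        return None
    if claim["declared"] != proven:
        return None
    return proven["recipient"], proven["amount"]

# Constructed sample: three locked outputs and the root a notary would attest to.
OUTPUTS = [{"txid": "tx1", "recipient": "0xAlice", "amount": 100},
           {"txid": "tx2", "recipient": "0xBob", "amount": 250},
           {"txid": "tx3", "recipient": "0xCarol", "amount": 40}]
NOTARIZED_ROOT, PROOF_0 = merkle([leaf_hash(o) for o in OUTPUTS], 0)
HONEST_CLAIM = {"proven_output": OUTPUTS[0], "proof": PROOF_0, "declared": OUTPUTS[0]}
INFLATED_CLAIM = {**HONEST_CLAIM, "declared": {**OUTPUTS[0], "amount": 100_000}}
```

Run against the constructed claims, the vulnerable path releases 100,000 on a proof that only covers a 100-unit output, while the fixed path rejects the inflated claim and still honours the honest one.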
In the TrustedVolumes incident, the attacker exploited a flaw in the signature design of the protocol's RFQ (Request for Quote) process. In the actual transfer, they supplied custom signature data that set the transferor to the TrustedVolumes Resolver contract, and this data passed verification. The attacker was thus able to transfer assets out of the Resolver contract and profit.
Code section with the vulnerability:
The authorization check references varg4, but the fund transfer is executed using other parameters. Because these values are never checked against each other, the authorized signer domain and the address that is actually debited can differ.
Thus, the attacker only needs to sign an order with a registered signer address (maker = Exploit, verified by signature), with other signature parameters (tokens, amounts) set arbitrarily, such as a fake 1:1 order, which passes the price oracle's reasonable price check. Then, they can withdraw assets from the protocol contract:
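The signer/deduction-address mismatch described above, as an added illustrative model that is not TrustedVolumes' code: a registered maker signs an order whose transferor field names the protocol's pooled-asset contract, and the vulnerable settlement debits that field after checking only that some registered signer authorized the order, while the fixed version debits the signer itself. On-chain ECDSA recovery is replaced by a MAC lookup over a constructed signer registry; all addresses, balances and secrets are constructed.

```python
import hashlib
import hmac
import json

# Added model of an RFQ settlement check; not TrustedVolumes' code. On-chain ECDSA
# recovery is replaced by a MAC lookup over a constructed registry of maker signers.
SIGNER_SECRETS = {"0xMakerA": b"constructed-secret-a", "0xMakerB": b"constructed-secret-b"}
RESOLVER = "0xResolver"  # constructed: the protocol contract that custodies pooled assets

def sign(order, secret):
    return hmac.new(secret, json.dumps(order, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def recover_signer(order, signature):
    """Stand-in for ecrecover: which registered signer produced this signature?"""
    for addr, secret in SIGNER_SECRETS.items():
        if hmac.compare_digest(sign(order, secret), signature):
            return addr
    return None

def new_balances():
    # Constructed ledger: the resolver holds pooled funds, MakerA holds a little.
    return {RESOLVER: {"USDC": 1_000_000}, "0xMakerA": {"USDC": 500}, "0xTaker": {"USDC": 0}}

def _move(bal, src, dst, token, amount):
    if bal.get(src, {}).get(token, 0) < amount:
        return False
    bal[src][token] -= amount
    bal.setdefault(dst, {})[token] = bal.get(dst, {}).get(token, 0) + amount
    return True

def settle_vulnerable(order, signature, bal):
    # Checks only that *a* registered signer authorized the order, then debits
    # order["transferor"], which the signer is free to point at another account.
    if recover_signer(order, signature) is None:
        return False
    return _move(bal, order["transferor"], order["receiver"], order["token"], order["amount"])

def settle_fixed(order, signature, bal):
    # The account debited must be the account that signed: the signer domain
    # and the deduction address are bound together.
    signer = recover_signer(order, signature)
    if signer is None or order["transferor"] != signer:
        return False
    return _move(bal, signer, order["receiver"], order["token"], order["amount"])

# Constructed orders: an honest quote from MakerA, and one whose transferor is the resolver.
HONEST_ORDER = {"transferor": "0xMakerA", "receiver": "0xTaker", "token": "USDC", "amount": 300}
MISBOUND_ORDER = {**HONEST_ORDER, "transferor": RESOLVER, "amount": 900_000}
HONEST_SIG = sign(HONEST_ORDER, SIGNER_SECRETS["0xMakerA"])
MISBOUND_SIG = sign(MISBOUND_ORDER, SIGNER_SECRETS["0xMakerA"])
```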
In May, multiple private key leak incidents occurred, totaling losses of over $25 million. StablR, as a compliant stablecoin issuer, became a typical lesson in security governance for stablecoins and DeFi.
StablR launched two compliant stablecoin products: EURR and USDR. The multi-signature wallet controlling EURR minting is 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc; the wallet controlling USDR minting is 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3.
Since transactions from these two multi-signature wallets only require one signature, an attacker who controls the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d can add address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 to both wallets, gaining control over the project's minting permissions:
Such incidents are not due to code vulnerabilities but are operational security issues: poor management of privileged private keys, lack of high-threshold multi-signature for high-value or high-risk operations, absence of time locks for large minting operations, and lack of rapid emergency response mechanisms.
Web3 Security Threat Trends
The deepest trend in Web3 security in 2026 is the systemic expansion of attack surfaces. Vulnerabilities are appearing simultaneously in code, infrastructure, interaction processes, and human workflows. Relying solely on a few security audits or tools cannot cover operational security, employee endpoints, cloud infrastructure, or software supply chains. This raises higher requirements for the ongoing operational security of Web3 projects.
Additionally, attacks on outdated or deprecated contracts are frequent, often exploiting vulnerabilities or overly permissive authorizations. Contract developers and operators should re-examine the security of previous contracts, promptly handle or securely transfer funds from deprecated contracts, and revoke unnecessary permissions. Users should also regularly check and revoke permissions of unused contracts via blockchain explorers or authorization revocation tools.