INSIGHTS

Security4Web3 Blog

Expert analysis of the latest vulnerabilities, security news, threat intelligence, and the evolving attack surface.

May 2026 Regulatory Compliance

DASP Compliance: What El Salvador's CNAD Requires From Digital Asset Service Providers

El Salvador's CNAD has materially strengthened its supervisory posture. Applications that passed in 2023 would be returned today. Here is what the DASP licence requires across entity structure, AML/CFT, cybersecurity documentation, and ongoing obligations, and where most applicants fall short.

May 2026 Regulatory Compliance

MiCA Compliance: What Crypto-Asset Service Providers Must Demonstrate to Operate in the EU

MiCA has been fully applicable since December 2024. The grandfathering period ended July 2026. Firms without authorisation are now in breach. Here is what CASP authorisation requires, what the cybersecurity obligations are under MiCA and DORA, and where most applications fall short.

May 2026 Regulatory Compliance

DORA Compliance Requirements: What Financial Entities and Crypto-Asset Service Providers Must Demonstrate

DORA has been in force since January 2025, applying to over 22,000 financial entities, including crypto-asset service providers. Here is what the five pillars require, who must comply, what the penalties are, and where most organisations fall short on documented evidence.

May 2026 Regulatory Compliance

VARA Compliance: What the Updated Rulebooks Require From Dubai VASPs

VARA issued substantive rulebook updates in June 2025. Threat-led penetration testing is now mandatory. AML/CFT risk assessments are quarterly. The FATF Travel Rule is a hard requirement. Here is what VASPs must demonstrate, and where most programmes fall short.

24 May 2026 Stablecoin Exploit

StablR EURR/USDR Exploit: Early Analysis of Reported Unauthorised Minting

Reports indicate a multisig owner key was compromised, owners replaced, and EURR/USDR minted on Ethereum. Nominal mint ~$10.4M, realised loss reported at $2.8M+. Root cause pending official confirmation.

22 May 2026 Incident Response

Polymarket UMA CTF Adapter Incident on Polygon: Early Analysis

Polymarket investigated a Polygon incident affecting its UMA CTF Adapter admin wallet. Early reporting points to an internal operations private key compromise, with ~5,000 POL outflows every ~30 seconds and losses reported between ~$520K and ~$700K.

April 2025 Smart Contracts

Top 5 Smart Contract Vulnerabilities in 2025

Discover the most common smart contract vulnerabilities in 2025, from reentrancy to oracle manipulation. Learn how teams can mitigate risks and harden their smart contract security posture with proven practices.

February 2025 Threat Intelligence

Rug Pulls, MEV Bots & Darknet Threat Actors

Web3’s permissionless nature enables innovation, but also opens the door to complex security threats. We explore how on-chain forensics and investigation techniques trace rug pulls, MEV exploits, and actors lurking on the darknet.

February 2025 Case Study

Inside the Bybit Hack: What Really Happened in Crypto’s Largest Heist

How North Korea’s Lazarus Group pulled off the $1.5B Bybit attack, and what it means for the future of Web3 security.

18 April 2026 Bridge Security

KelpDAO rsETH Bridge Exploit: When “Verification” Becomes a 1-of-1 Trust Decision

On April 18, 2026, a forged LayerZero packet released 116,500 rsETH from Kelp’s Ethereum adapter, with no corresponding burn on the source chain. Postmortem vs on-chain evidence.

18 April 2026 Incident Report

LayerZero KelpDAO Postmortem: RPC Poisoning, DVN Failover, and the $292M rsETH Exploit

LayerZero Labs’ official report reveals the attack started on March 6 with social engineering and session-key harvesting, eventually producing a forged attestation that drained $292M.

7 May 2026 DeFi Exploit

TrustedVolumes Exploit: RFQ Authorisation Mismatch Drained ~$5.87M

The contract checked permissions against one address, then debited funds from a different one, bypassing the entire RFQ trust model in a single transaction on Ethereum.

May 2026 Bridge Security

MAP Protocol / Butter Bridge Exploit: Early Analysis of the ~1 Quadrillion MAPO Mint

Butter Bridge v3.1 appears to have been exploited via a message retry validation flaw, enabling an attacker to mint ~1 quadrillion MAPO and extract liquidity. Early analysis, root cause pending.

15 May 2026 DeFi Exploit

THORChain Exploit: Early Analysis of the $11M+ Multi-Chain Drain

On May 15, 2026, THORChain suffered a multi-chain exploit across at least nine chains, with TRM Labs reporting $11M+ drained. Breaking analysis, official postmortem still pending.

18 May 2026 Bridge Security

Verus Ethereum Bridge Exploit: Early Analysis of the $11.58M Drain

Reports cite 103.6 tBTC, 1,625 ETH, and ~147,000 USDC drained after the bridge accepted a forged import payload without validating equivalent source-side value.

18 May 2026 DeFi Exploit

Echo Protocol eBTC Exploit: How an Admin Key Compromise Turned into an $816K Loss

An attacker minted 1,000 unbacked eBTC on Monad after gaining privileged access. The nominal value was $76.7M; the realized loss was ~$816K. Liquidity depth was the only thing limiting the damage.
