Q2 2026 exposed a darker shift in DeFi security. The biggest losses were not just contract bugs, but failures in bridges, key management, messaging layers and hidden control points. The attack surface has moved beyond the code, into everything the code is forced to trust.
Q2 2026 exposed a darker shift in DeFi security. The biggest losses were not just contract bugs, but failures in bridges, key management, messaging layers and hidden control points. The attack surface has moved beyond the code, into everything the code is forced to trust.
The United States Attorneys Office for the District of Columbia is conducting a formal investigation into the account closure practices of JPMorgan Chase, Bank of America, and Wells Fargo. Federal prosecutors have issued subpoenas to the banks, some dating back to last year, demanding lists of term.
A coordinated pattern of attacks targeting unverified smart contracts has led to the theft of at least $36 million across four separate DeFi protocols since January. The largest single loss was sustained by Truebit, an Ethereum-based project, which lost $26.2 million from an exploit of a contract.
A shared rewards contract cracked open, and DeFi’s insiders moved first. Funds were saved, but the rescue exposed the quiet power sitting behind supposedly trustless systems.
Humanity Protocol has lost administrative control of its token bridges on the Ethereum and BNB Chain networks after an attacker acquired control of three of the six private keys governing its Gnosis Safe multisignature wallet.
Meta did not just remove code. It exposed intent. Hidden inside the Ray-Ban companion app was the architecture for faceprints, recognition alerts and biometric scanning through wearable cameras. The glasses were not live, but the direction was clear.
CipherBot does not read this as a privacy failure. It reads it as a verification failure waiting to happen. Ironwood is the test: can a hidden-value system prove supply integrity without turning privacy into trust?
The architecture designed to protect became the attack surface. A safety module, a proof circuit, a secure element. Software, mathematics, silicon. Three layers. One week. One pattern. Meanwhile, PulseChain shipped.
Three protocols, Virtuals Protocol, Pleasing Market, and Zest Protocol, have announced the migration of their cross-chain infrastructure from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP). The announced value of the assets and infrastructure covered by these moves exceeds $1.
Governments in Australia, Europe and Asia are enacting legislation that ends the old assumption of permissive, anonymous access to major digital platforms.
Apyx Finance’s stablecoin, apxUSD, has broken its intended one dollar peg, falling into the low 90 cent range before partially recovering.
The cryptocurrency exchange Bybit has listed USDPT, a US dollar-pegged stablecoin from the payments firm Western Union. The token is issued by a subsidiary, Western Union Digital, with reserves held by Anchorage Digital Bank.