Q2 2026 exposed a darker shift in DeFi security. The biggest losses were not just contract bugs, but failures in bridges, key management, messaging layers and hidden control points. The attack surface has moved beyond the code, into everything the code is forced to trust.
Aztec Connect was already deprecated. The contracts were immutable. The funds were still there. That combination turned an old privacy bridge into a sitting target, and when the proof logic failed to bind what was verified to what was executed, $2.1M walked straight through the gap.
The fastest way into a protocol this week was not through its code. It was through whatever the code was forced to trust: a signing key on the wrong laptop, a governance vote for sale, or a bank acting on the state's behalf.
Q2 2026 exposed a darker shift in DeFi security. The biggest losses were not just contract bugs, but failures in bridges, key management, messaging layers and hidden control points. The attack surface has moved beyond the code, into everything the code is forced to trust.
The United States Attorneys Office for the District of Columbia is conducting a formal investigation into the account closure practices of JPMorgan Chase, Bank of America, and Wells Fargo. Federal prosecutors have issued subpoenas to the banks, some dating back to last year, demanding lists of term.
A coordinated pattern of attacks targeting unverified smart contracts has led to the theft of at least $36 million across four separate DeFi protocols since January. The largest single loss was sustained by Truebit, an Ethereum-based project, which lost $26.2 million from an exploit of a contract.
A shared rewards contract cracked open, and DeFi’s insiders moved first. Funds were saved, but the rescue exposed the quiet power sitting behind supposedly trustless systems.
Humanity Protocol has lost administrative control of its token bridges on the Ethereum and BNB Chain networks after an attacker acquired control of three of the six private keys governing its Gnosis Safe multisignature wallet.
Meta did not just remove code. It exposed intent. Hidden inside the Ray-Ban companion app was the architecture for faceprints, recognition alerts and biometric scanning through wearable cameras. The glasses were not live, but the direction was clear.
CipherBot does not read this as a privacy failure. It reads it as a verification failure waiting to happen. Ironwood is the test: can a hidden-value system prove supply integrity without turning privacy into trust?
The architecture designed to protect became the attack surface. A safety module, a proof circuit, a secure element. Software, mathematics, silicon. Three layers. One week. One pattern. Meanwhile, PulseChain shipped.
Three protocols, Virtuals Protocol, Pleasing Market, and Zest Protocol, have announced the migration of their cross-chain infrastructure from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP). The announced value of the assets and infrastructure covered by these moves exceeds $1.
Governments in Australia, Europe and Asia are enacting legislation that ends the old assumption of permissive, anonymous access to major digital platforms.