# Extropy Security Bytes: week 3, 2026
Welcome back to our weekly security bytes where we discuss the latest incidents shaping the web3 space.
This week we see incidents defined by structural vulnerabilities and high-speed "dark forest" responses. The grace period of the new year is officially over; the adversaries are moving faster than ever, and the lines between a "hack" and a "misclick" are beginning to blur.
# Makina Finance: The $4.13 Million Blindspot
On January 20, 2026, the institutional DeFi protocol Makina Finance bled approximately $4.13 million (1,299 ETH) in an oracle manipulation attack. Despite boasting six separate audits from top-tier firms including ChainSecurity and OtterSec, the protocol fell victim to a vulnerability that was explicitly documented in its own audit scope as "out of scope." The attack targeted the DUSD/USDC Curve pool, where the share price mechanism trusted spot prices without the protection of a Time-Weighted Average Price (TWAP) or any liquidity delay.
The technical execution was a textbook flash loan manipulation. The attacker borrowed $280 million in USDC from Morpho and Aave, using $170 million of it to hammer the Curve pool balances. This artificial skew tricked Makina’s updateTotalAum() function, which was permissionless and could be called mid-transaction into reporting an inflated share price for the DUSD token.
With the accounting "truth" now distorted, the attacker swapped their remaining capital for DUSD at the inflated rate and drained the pool. This highlights a critical failure in "composable" DeFi: the protocol's core logic was audited, but the specific integration with the Curve pool was deployed after the audits were finalized, introducing a spot-price dependency that none of the six audits were tasked to examine.
In a bizarre twist, the original hacker didn't even get to keep the loot. An MEV builder (0xa6c2) identified the exploit in the public mempool, decompiled the unverified contract, and front-ran the transaction by exactly one block. This "theft from the thief" resulted in the funds being split between two addresses, one of which is a Rocket Pool Node Distributor. Makina has since entered a surreal period of negotiation, sending polite on-chain messages offering a 10% whitehat bounty to the MEV bots. The incident raises a difficult question for the industry: when an anonymous builder becomes an "accidental custodian" of stolen funds, do they have a legal or ethical obligation to return them, or is this simply the new "Safe Harbor" of the dark forest?
Lessons Learned:
- "Out of Scope" is a Risk Warning: If an auditor excludes an attack vector like "oracle manipulation via spot prices," it is often because the design is fundamentally indefensible. "Out of scope" should be read as "Unacceptable Risk."
- The Integration Gap: Security is not a one-time event. Any new pool integration or strategy deployment requires a fresh delta-audit, as the most secure core can be compromised by a single faulty external price feed.
# ZeroLend: The Silent Insolvency
While the industry focuses on high-profile breaches, ZeroLend appears to have spent nearly a year operating under a veil of silent insolvency. On February 23, 2025, just eighteen days after a similar "fake collateral" attack on Ionic Money, ZeroLend’s LBTC market on Base was hit by a nearly identical playbook.
A single attacker used PT-LBTC (a Pendle Principal Token) as collateral to manipulate the protocol's lending parameters and extract roughly $371,000 in real assets. Despite the drainage being visible on-chain, ZeroLend never issued a post-mortem, choosing instead to reportedly blame "high utilization" and "UI issues" in their Discord to explain why withdrawals were frozen.
This silence allowed the protocol to continue collecting deposits from unsuspecting users long after the vault was effectively empty. The attacker's wallet (0x218C...7719) hit the protocol three times in 45 minutes, depositing illiquid derivatives to "borrow" liquid LBTC that was immediately bridged out via Across Protocol.
The team’s failure to acknowledge the hit resulted in a terminal decline: OKX delisted the ZERO token in June 2025, and the project's GitHub went cold by September. The lack of transparency turned a manageable exploit into a total collapse of community trust, as users spent months chasing moderators for "liquidity maintenance" updates that never materialized.
The most disturbing aspect of the ZeroLend "Zombie Market" is its ongoing automation. Even in January 2026, the protocol's deposit buttons remained active on the frontend, but any new liquidity was immediately siphoned by a Gnosis Safe multisig using Gelato automated triggers.
This address, which arrived months after the initial heist, has turned the broken pool into a personal ATM, extracting over $100k from new depositors who are essentially acting as exit liquidity for a parasite. By failing to pause the market or disclose the hack, ZeroLend created a permanent trap where the code continues to execute its logic faithfully, even when that logic only serves to distribute new deposits to an automated extractor.
Lessons Learned:
- Silence is an Operational Red Flag: In DeFi, "no news" is almost always bad news. If a protocol fails to provide a technical post-mortem for "maintenance" within 48 hours, users should assume insolvency.
- Broken Pools Feed Parasites: Unpatched exploits create permanent revenue streams for MEV bots. A protocol that refuses to "kill" a compromised pool is effectively an accomplice to the ongoing theft.
# YO Protocol: The $3.71 Million Misclick
Earlier this month, YO Protocol demonstrated that a single operational error can be just as devastating as an external exploit. During a routine rebalancing of the protocol’s stkGHO vault, an automated harvesting system initiated a swap of $3.71 million in stkGHO for USDC. However, due to "malformed output quote parameters," the transaction effectively disabled its own slippage protection.
The result was a catastrophic trade where 97% of the vault's value vanished, delivering only $112,036 in USDC back to the protocol. The swap technically "succeeded" because it did exactly what the broken parameters instructed: find liquidity at any cost.
The technical "anatomy" of the swap reveals a desperate journey through the darkest corners of the Ethereum ecosystem. The Odos aggregator, bound by the 17-million-unit slippage parameter, routed the position through 102 token transfers. The transaction touched Uniswap V4 hooks and Bancor converters that had not seen volume in months, with some hops taking an 88% fee.
Because the protocol's harvester was designed to claim small rewards, it lacked the rigorous "sanity checks" that YO applied to its primary trading desk. This allowed a massive institutional rotation to be executed with the guardrails of a micro-transaction, proving that the biggest risk in automated yield is often the automation itself.
The aftermath was a masterclass in private damage control. The team quietly backstopped the loss using multisig funds likely from their recent $10 million Series A, to make users whole before the Pendle yoUSD market resumed. They also issued a professional on-chain plea to the LPs who caught the windfall, asking for a 90% return.
While user balances remained intact, the 48-hour delay in the public post-mortem highlights a persistent transparency gap: YO Protocol was able to "paper over" an eight-figure mistake only because they had the venture capital to do so. For protocols without such deep pockets, this "misclick" would have been a day-zero event.
Lessons Learned:
- Automation Requires Human-Scale Guardrails: A system that claims rewards is not the same as a system that rotates millions. Protocols must implement tiered security checks based on transaction value, not just function type.
- The "Series A" Security Model: Relying on VC backstops to fix operational errors is not a security strategy; it is a temporary mask for systemic risk. Transparency should precede the fix, not follow it.
# The $282M "Value Wallet" Support Scam
The crypto industry just witnessed one of the largest social engineering heists in history. A single Trezor hardware wallet user was targeted and drained of a staggering $282 million, consisting of roughly $139M in BTC and $153M in LTC. The attack, dubbed the "Value Wallet" support scam, did not exploit a single technical weakness in the hardware. Instead, it weaponized corporate branding and manufactured urgency to trick the victim into a "manual firmware update" that ended in the disclosure of their 24-word recovery seed to a scammer impersonating Trezor support.
The scammers operated with industrialized polish, using AI-enhanced voice and text to mirror official support channels. They convinced the victim that their assets were at risk due to a fabricated "Value Wallet" security flaw, pressuring them to "verify" the wallet to prevent a permanent lock. Once the victim revealed their seed phrase, the attackers gained total control.
New forensics from CertiK show the attacker immediately fragmented the loot, bridging 686 BTC to Ethereum via THORChain and splitting the resulting 19,600 ETH across a network of roughly 40-ETH "smurf" wallets. This fragmentation is a "textbook" laundering playbook designed to reduce the profile of each transaction before hitting mixers.
The response highlighted a new "speed-over-paperwork" era in crypto security. The firm zeroShadow, working with BitcoinVN, managed to track the movement so quickly that they froze $700,000 within just 20 minutes of the theft all without needing a court order or months of legal delay. However, once the funds entered Tornado Cash in 400-ETH chunks, investigators noted that recovery chances dropped to "near zero." The incident serves as a grim reminder: hardware wallets protect your keys from malware, but they cannot protect your seed phrase from a "support agent" who sounds exactly like the brand you trust.
Lessons Learned:
- Trust Nothing, Verify Out-of-Band: No legitimate support team will ever ask for your 24 words. If an "official" message creates extreme urgency, it is a signal to slow down and verify through a completely different channel.
- The "Kill Switch" of Mixers: The industry's ability to freeze funds is a race against the mixer. Once assets hit a privacy protocol, the game of "real-time intelligence sharing" effectively ends.
# Saga: Chainlet Paused After $7M Exploit
Layer-1 protocol Saga was forced to pause its SagaEVM chainlet at block 6,593,800 this week following a $7 million exploit that caused its primary stablecoin, Saga Dollar ($D), to de-peg to $0.75. The Saga team confirmed that the incident involved a "coordinated sequence of contract deployments" and cross-chain activity, but notably, there was no consensus failure or validator compromise. Instead, the attacker utilized a helper contract to "abuse IBC mechanisms with custom messages," effectively bypassing the validation logic in the precompile bridge.
This "infinite mint" attack allowed the exploiter to generate $D tokens out of thin air without the required collateral, which they then bridged out and converted to Ether. The platform's Total Value Locked (TVL) collapsed by over 50% in 24 hours as users scrambled to exit the de-pegged ecosystem. Security researchers suspect that the bridge's precompile logic, the code that handles cross-chain transfers at a low level failed to properly sanitize custom payloads, allowing a malicious actor to "tell" the bridge they had deposited collateral that didn't exist.
While the broader Saga network remains structurally sound, the chainlet will remain paused until a full post-mortem and patch audit are completed. The team is currently working with exchanges and bridge operators to blacklist the attacker's wallet (0x2044...), but the damage to the stablecoin's peg and the protocol's TVL will take much longer to repair. This incident reinforces a hard truth for the Cosmos ecosystem: as chains become more customizable through IBC and "chainlets," the attack surface for complex, cross-chain logic errors expands exponentially.
Lessons Learned:
- Precompile Risks: Low-level bridge logic and precompiles are high-efficiency targets. These "shortcuts" in code often bypass the standard safety checks found in higher-level smart contracts.
- De-pegs as a Protocol Signal: A stablecoin de-peg is often the first visible symptom of a deep logic exploit. Monitoring peg health is as critical as monitoring transaction traces for early threat detection.
**********
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits.
Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
Website: security.extropy.io
Email: info@extropy.io
Sign in with Wallet
Connect another wallet