profile

QuillAudits Web3 Security 🥷🛡️

Your official QuillAudits update stream, covering product launches, security insights, event announcements, reports, and key developments from across the organization.

Jul 08 • 4 min read

The Quill Sentinel June 2026


👋 Welcome to the June Edition

28 protocols. $75.9M lost. One laptop with seven backed-up signer keys did more damage than every bridge exploit and every logic bug combined. June isn't a story about new attack techniques. It's the same story, told with sharper details: attackers don't need a zero-day when an operator leaves master keys sitting in one place.

This month we also opened a new front. QuillAudits now audits on Canton Network, the $9 trillion-a-month institutional settlement layer. Our research desk went looking for the attack surfaces nobody scopes into a standard audit, neobank infrastructure, a four-year-old bug in Zcash's shielded pool, the security gaps hiding inside tokenized RWAs. And Hack Watch breaks down exactly how one compromised laptop became the year's second-biggest loss after April.

Let's get into it.

QuillAudits Now Supports Canton Network

Canton settles $9 trillion a month. Goldman Sachs, JPMorgan, DTCC, and 780+ validators are already live on it. Daml won't even compile a contract that doesn't declare who can see it and who can act on it, so front-running and reentrancy aren't mitigated here. They're structurally absent.

What isn't absent: workflow and authorization logic bugs, the one layer Canton's architecture doesn't cover on its own. That's the gap we now audit for.

The next $9 trillion doesn't run on Solidity. We're ready for it.

Read the full announcement here.

From the Quill Research Desk

June's research kept landing on the same conclusion: the audit boundary stops at the smart contract, but the money keeps moving through everything around it.

The Neobank Stack: 11 Attack Surfaces Card-Issuing Crypto Fintechs Ignore Crypto neobanks run six layers deep, user app, KYC, ledger, card issuing, custody, settlement. A smart contract audit only touches the last one. Infini lost $49.5M not to a zero-day but to an ex-developer who kept admin keys 100 days after leaving. The rest, BIN sponsor risk, deepfaked KYC, proxies with no timelock, never make it into scope. An audit isn't a safety certificate. It's page one.

Zcash Orchard Bug and Formal Verification Two missing lines of code let the same shielded Zcash note get spent infinitely for four years, without a trace. The bug lived in a Halo2 circuit gadget where a private witness was never anchored to the input, invisible to manual review, untouchable by fuzzing. An AI-assisted audit caught it in six hours, then missed it three out of four times elsewhere. Formal verification is the only tool that fails loudly when a proof can't close.

A Founder's Guide to Tokenizing Money Market Funds and Private Credit Tokenized RWAs went from $6B to $32B in sixteen months, and almost none of it runs on plain ERC-20. The instruments aren't new. What's new is a security stack most teams haven't priced in: custody, identity registries, oracles, redemption logic that's only tested when nothing's on fire. The bond isn't the risk. The wrapper is.

The Security Gaps Killing Tokenized Money Market Funds and Private Credit Part two shows where that wrapper breaks. ERC-3643 agent wallets are rarely time-locked, so one compromised key can silently rewrite who's eligible to hold the token. Storage-slot collisions in upgradeable fund contracts can redirect fees or compliance checks with zero suspicious transactions. Add rounding-direction attacks on yield and cross-chain signature replay, and you get bugs a standard audit never looks for.

Hack Watch

28 protocols hacked. $75.9M drained. One month. Pull out a single incident and June looks almost ordinary, a DPRK-linked operator found seven Gnosis Safe keys on one compromised laptop and turned them into 47% of everything the month lost. The rest was the usual mix: forged proofs, predictable mechanics, one MEV bot outplayed by its own bait. The lesson hasn't moved. Attackers don't need sophistication. They need one key with too much authority and too little protection.

Humanity Protocol, $36M

Seven Gnosis Safe signer keys, three of six on Ethereum and three of five on BSC, were all backed up to one director's laptop. A single phishing email handed an attacker enough signatures to cross both multisig thresholds at once. ProxyAdmin was seized on both chains, the Ethereum bridge drained for 141M H, and the BSC token upgraded to mint over 122 billion H against a real supply of roughly 141 million. Neither ProxyAdmin carried a timelock. The contracts were fine. The keys were not.

Taiko Bridge, $1.7M

The RSA key that signed every SGX enclave Taiko's rollup ever trusted sat exposed in a public GitHub repo, on a hotfix branch nobody scanned. An attacker pulled it, forged a matching enclave, and registered it as a legitimate prover with Intel's actual hardware never touched. The forged attestation flipped a bridge message to retriable, and the retry path executed it without checking the proof a second time. No cryptography broke. A secret did.

Private key concentration, not bridges, was June's most expensive problem. One signer key did more damage than every bridge exploit and every protocol logic bug combined. Bridges stayed the second costliest category for the second month running, eight incidents, $21.8M, the same cross-chain proof failures that defined May, just spread across twice as many bridges. Protocol logic bugs remained the most frequent class by count, thirteen incidents, but the cheapest per hit.

June proved nation-states don't need new techniques. They need one unprotected key with too much authority, and June handed them exactly that. Read the full June hack report, and track the live incident log on QuillMonitor.

QuillAudits Stats

A quick look at our June audit activity and how we helped secure the Web3 ecosystem.

June's losses didn't require sophistication. They required one laptop with seven backed-up keys, and an operator who knew exactly what to do with them. The same unprotected keys, the same forged bridge proofs, the same logic bugs that have appeared in every monthly report. $923.5M lost so far. The baseline isn't improving.

We'll see you in July. Stay paranoid. Audit everything.


Wanna partner up w/ us or want to get your project audited?

Have a great day,

Team QuillAudits

HOME
OUR AUDITS
BLOGS
SECURITY REPORTS
EVENTS

Unsubscribe

Update your profile

QuillAudits Office 104/105 Level 1, Emaar Square, Building 4 Sheikh Mohammed Bin Rashid Boulevard, Downtown Dubai, 416654


Copyright (C) 2026 QuillAudits. All rights reserved.


Your official QuillAudits update stream, covering product launches, security insights, event announcements, reports, and key developments from across the organization.


Read next ...