
QuillAudits Web3 Security 🥷🛡️

Your official QuillAudits update stream, covering product launches, security insights, event announcements, reports, and key developments from across the organization.

Jun 10 • 4 min read

The Quill Sentinel May 2026


👋 Welcome to the May Edition

May didn't produce April's Lazarus-tier headlines. What it produced was quieter and in many ways more damning: the same preventable failure classes across 28 protocols, on 13 chains, by attackers who didn't need to be sophisticated. Bridges bled through unpatched cryptographic libraries and poisoned registries. Keys leaked with no multisig in sight. $51.9M gone in 31 days, with zero nation-state involvement.

On the research side, we published five pieces mapping the growing gap between where protocols get attacked and where the industry is actually looking, from unified Web2/Web3 infrastructure monitoring to the entirely new threat surface introduced by on-chain AI agents.

We also achieved ISO/IEC 27001:2022 certification, the global standard for information security management. Every client engagement, including your unreleased code, your architecture, and your business logic, now operates under a formally audited, externally verified security framework. The firm you trust to secure your protocol is itself secured to the highest standard.

Here's the full May roundup.

From the Quill Research Desk

May's research kept landing on the same conclusion: the attack surface has moved well beyond the smart contract, and most security models haven't followed.

You're Monitoring Your Contracts. But Who's Watching Your Servers?
Bybit, Kelp, and Drift were all attacked through infrastructure layers no audit covers. We mapped the five-layer operational stack DeFi protocols actually run on and argued for a dedicated internal function watching the Web2 and Web3 stacks together.

Security First: A Founder's Guide to Building Secure Crypto Protocols 2026
$635M was stolen in April across mostly-audited protocols. We published the complete 8-layer security stack, from threat modeling and formal verification to OPSEC, monitoring, and incident response. The missing layer is always where the attacker went.

Six Crypto Neobanks Raised $200M in 90 Days. None Have a CISO.
An audit ends when the engagement does. We laid out what a CISO actually covers that no audit touches: access governance, incident response, integration security, and why MiCA and the GENIUS Act make this gap a regulatory problem now, not a growth-stage one.

What I Would Build if I Were Launching a Stablecoin in the Next 60 Days
Stablecoins now settle tokenized equities and institutional assets, meaning a depeg propagates well outside DeFi. A sequenced 60-day security blueprint: collateral architecture, four-layer threat modeling, three-phase audits with formal verification, and a TVL-capped launch.

Auditing Software When the Software Has a Brain
250,000 on-chain AI agents manage roughly 30% of top DeFi pool TVL. Agents are probabilistic reasoners signing irreversible transactions, and every standard audit methodology was built for deterministic code. We mapped the new attack surfaces: prompt injection, malicious LLM routers, memory poisoning, and supply chain attacks on dynamically loaded skills.

Hack Watch

May 2026: 28 breaches, $51.9M stolen, 13 chains, 31 days. No nation-state operations this month. Just the same preventable failure classes, repeated across 28 protocols by attackers who didn't need to be sophisticated.

THORChain, $10.7M, Multi-chain, May 15, TSS Key Leakage
A malicious node spent two days in routine signing ceremonies. THORChain's GG20 fork was missing Paillier proof checks, leaking key share residues each round. After two days the attacker reconstructed the full vault key offline and drained 10 chains simultaneously. CVE-2023-33241 described this exact attack in 2023. The library had not been patched.

TrustedVolumes, $5.87M, Multi-chain, May 7, RFQ Authorization Failure
Three chained bugs in a custom RFQ proxy executed in one transaction: permissionless signer registration, replay protection writing to the wrong storage slot, and a caller-controlled inventory field passed directly to transferFrom. The attacker pointed it at TrustedVolumes' own custody address and drained WETH, USDT, WBTC, and USDC in one block.

Gravity Bridge, $5.4M, Cosmos/Ethereum, May 30, Denom Mapping Poisoning
The attacker minted four free Osmosis tokenfactory coins and embedded real ERC20 custody addresses inside fabricated denom strings passed to the permissionless deployERC20() function. Validators attested to what they saw. The denom-to-ERC20 registry was poisoned to point fake Cosmos balances at real custody assets. Attack principal cost: zero.

New Market Trading, $3.78M, Multi-chain, May 25, Confused Deputy via SquidRouterModule
The module's identity check verified a caller-supplied string, not msg.sender. Its permission check sourced the delegate address from the attacker's own payload. The attacker passed both checks, forced 88 Safes to swap their full balances through an attacker-controlled pool, and collected real assets from the other side. One missing require line. Three months exposed.
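To make the failure class concrete, here is an added, hypothetical illustration (not SquidRouterModule's code, and not taken from the post): a Safe module whose caller identity and delegate both come from the payload, beside a hardened version where authority is derived from msg.sender. The ISafe interface assumes the standard Safe execTransactionFromModule signature; the VulnerableModule and HardenedModule names are ours.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal view of a Safe's module entry point (operation 0 = Call).
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool);
}

// Hypothetical vulnerable pattern: nothing here is tied to msg.sender.
contract VulnerableModule {
    // safe => delegate => allowed
    mapping(address => mapping(address => bool)) public isDelegate;

    function setDelegate(address safe, address delegate, bool allowed) external {
        // Bug 1: any caller can register a delegate for any Safe.
        isDelegate[safe][delegate] = allowed;
    }

    function execute(address safe, address delegate, address to, bytes calldata data) external {
        // Bug 2: the "who is acting" value is read from the payload, so the check
        // only proves that some (safe, delegate) pair exists, not that msg.sender is it.
        require(isDelegate[safe][delegate], "not a delegate");
        ISafe(safe).execTransactionFromModule(to, 0, data, 0);
    }
}

// Hardened form: every authority decision is anchored on msg.sender.
contract HardenedModule {
    mapping(address => mapping(address => bool)) public isDelegate;

    event DelegateSet(address indexed safe, address indexed delegate, bool allowed);

    function setDelegate(address delegate, bool allowed) external {
        // Only the Safe itself (as msg.sender) can manage its own delegates.
        isDelegate[msg.sender][delegate] = allowed;
        emit DelegateSet(msg.sender, delegate, allowed);
    }

    function execute(address safe, address to, bytes calldata data) external {
        // The "one missing require line": the delegate is msg.sender, never a payload field.
        require(isDelegate[safe][msg.sender], "caller is not a delegate of this Safe");
        require(ISafe(safe).execTransactionFromModule(to, 0, data, 0), "module call failed");
    }
}
```

A reviewer's check for this class: every require that gates a privileged call should reference msg.sender (or a value derived from it on-chain), and any address that appears only in calldata should be treated as untrusted input.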

Verus Bridge, $11.58M, Ethereum, May 17, Proof Verification Bypass
The attacker hand-crafted a Verus CCE transaction with zero value locked. The assembly block in checkCCEValues() skipped totalAmounts entirely, never reading it. Notaries signed the block as valid. The payout hash matched. The bridge paid out $11.58M.

TesseraDAO, $2.4M, BSC, Jun 2, Private Key Compromise
The attacker called setCoreAddress() to replace the legitimate trader and withdrawer addresses, executed transferOwnership() to seize full control, minted 99M TSR from thin air, and used the protocol's own trade() function to convert them to $2.4M USDC. TSR dropped from $5.50 to $0.000255 in minutes.

Ekubo Protocol, $1.4M, Starknet, May 6, Blind Calldata Forwarding
Core's public pay() function forwarded raw calldata directly into a privileged callback meant to be core-only. The attacker packed a victim address and amount as hidden extra calldata bytes. Periphery executed transferFrom(victim, attacker, amount). Repeated 85 times in one transaction. No flash loan, no oracle manipulation.

Private key failures ran across the entire month. StablR ($2.8M), Polymarket ($700K), Echo Bridge ($821K), Alephium Bridge ($815K), Stake DAO ($91K), and Bankr ($170K) all lost funds to compromised keys with no multisig, no timelock, no friction between the key and the funds.

Bridges absorbed $28.2M, 54% of all May losses, across five incidents spanning denom poisoning, TSS key leakage, and proof verification bypass. Every layer of bridge security failed this month. Read the full May 2026 hack report and track the live incident log on QuillMonitor.

QuillAudits Stats

A quick look at our May audit activity and how we helped secure the Web3 ecosystem.

May's losses didn't require sophistication. They required the industry to keep being careless, and it obliged. The same bridge verification gaps, the same unprotected keys, the same logic bugs that have appeared in every monthly report. $847.6M lost so far. The baseline isn't improving.

We'll see you in June. Stay paranoid. Audit everything.


Wanna partner up w/ us or want to get your project audited?

Have a great day,

Team QuillAudits


QuillAudits Office 104/105 Level 1, Emaar Square, Building 4 Sheikh Mohammed Bin Rashid Boulevard, Downtown Dubai, 416654


Copyright (C) 2026 QuillAudits. All rights reserved.
