DEV Community

Cover image for Extropy Security Bytes: w1 & w2, 2026
Extropy.IO profile image Erick Fernandez
Erick Fernandez for Extropy.IO

Posted on

Extropy Security Bytes: w1 & w2, 2026

#cybersecurity #ethereum #blockchain #cryptocurrency

Welcome back to Extropy Security Bytes, where we discuss the latest incidents shaping the Web3 landscape.

Throughout 2025, we dissected the industry’s most critical incidents together. Now, as we present our first roundup of 2026, the new year has already delivered a wave of critical headlines. Attackers take no breaks — and neither can we.

Truebit: The $26 Million Zombie Code

“When legacy math meets modern liquidity, the result is always catastrophe.”

On January 8, the Truebit Protocol suffered the first major exploit of 2026, losing roughly $26 million (8,535 ETH) to a vulnerability that should have stayed in the past. The attack wasn’t a complex new vector; it was a classic integer overflow in a legacy smart contract that had seemingly been forgotten. The attacker exploited this unmaintained code to mint millions of TRU tokens at near-zero cost, bypassing supply caps effortlessly because the contract pre-dated modern Solidity’s native overflow checks.

Once the infinite mint was complete, the attacker dumped the tokens back into the protocol, draining all available liquidity and causing the TRU token price to collapse by nearly 100% in 24 hours. The impact was total: a project’s market cap evaporated overnight because a single legacy file was left live and unmonitored. While the team scrambled to coordinate with law enforcement, the on-chain damage was already irreversible.

In a pattern that is becoming standard operating procedure, the attacker immediately funneled the 8,535 ETH into Tornado Cash, obliterating the trail before any freeze could be attempted. Security firms have since linked the wallet to a previous exploit of the Sparkle Protocol, suggesting this was the work of a sophisticated, repeat offender who specifically hunts for abandoned, “zombie” contracts that teams have neglected to deprecate.

Lessons Learned

  • Legacy is Liability: Old contracts do not age like wine; they age like milk. If a contract is live, it must be monitored or deprecated.
  • Overflows are Still Real: Just because modern Solidity (0.8.0+) handles overflows doesn’t mean your legacy stack does.
  • The “Zombie” Risk: Nearly 80% of projects hit by such exploits never recover their full value. Abandoned code is a loaded gun waiting for a trigger.

Aave: The Governance Civil War

“When freedom from regulators becomes a license to fight over who owns the treasury.”

Aave spent four years fighting the SEC to prove decentralized finance could work. On December 16, 2025, they won that battle, only to immediately start a civil war over the spoils. The conflict centered on a $10 million annual feestream from the Aave frontend that was flowing to Aave Labs (Stani Kulechov’s company) instead of the DAO treasury. When former CTO Ernesto Boado proposed that the DAO should legally own all brand assets to correct this, the response was a textbook case of governance capture.

On December 21, Aave Labs escalated Boado’s proposal to a Snapshot vote without his consent, triggering a voting period that ran directly through Christmas. This “Grinch” move forced the community to mobilize during the holidays, causing the AAVE token to drop 25% as markets priced in the chaos. The proposal’s own author urged users to abstain, delegitimizing the entire process. The vote ultimately failed with 55% opposing and 41% abstaining, but the damage to trust was profound.

Now, the protocol enters “Phase 2” of negotiations. Stani Kulechov has offered revenue sharing, while delegate leader Marc Zeller is demanding full asset ownership transfer with enforceable “guardrails” for stewardship. The protocol itself works perfectly — holding $35 billion in TVL — but the governance layer is fractured. When a founder can force a vote without the author’s consent to protect a revenue stream, “decentralization” becomes a polite fiction, and the governance token becomes a proxy for political risk.

Lessons Learned

  • Governance is an Attack Vector: Internal power struggles can damage token value as effectively as a hack.
  • Timing Matters: Forcing votes during holidays destroys legitimacy and trust; it signals an attempt to bypass scrutiny.
  • Ownership vs. Stewardship: DAOs must clearly define who owns the brand versus who runs the website before the revenue becomes significant.

TMXTribe: The 36-Hour Bleed

“Was this incompetence so profound it became indistinguishable from malice?”

Between January 5 and January 7, TMXTribe (a GMX fork on Arbitrum) watched $1.4 million drain from their protocol over a continuous 36-hour window. The exploit was mechanically simple: a loop that minted LP tokens, swapped them for the internal stablecoin (USDG), and unstaked, repeated ad infinitum. Because the contracts were unverified, the exact flaw remains opaque to the public, but the result was a systematic drainage of the treasury.

What makes this incident damning is the team’s behavior. While the protocol bled, the team was active on-chain, deploying new contracts and executing upgrades throughout the attack window. Yet, despite being present and capable of signing transactions, they never triggered an emergency pause. They sent an on-chain bounty message to the attacker asking for a return of funds, but failed to take the one technical action that would have stopped the theft.

The attacker ignored the bounty, bridged the funds to Ethereum via Across Protocol, and washed them through Tornado Cash. Meanwhile, the team remained silent on Twitter for days, leaving users to watch the drain in real-time. When a team is competent enough to upgrade contracts during a hack but “forgets” to hit the pause button, the line between negligence and complicity blurs.

Lessons Learned

  • Unverified Contracts are Red Flags: TMXTribe ran unverified code. You cannot audit what you cannot see, and you cannot trust a team that hides their logic.
  • The 36-Hour Test: If a protocol cannot stop a slow drain in 36 hours, it effectively has no security operations center (SOC).
  • Pause Functionality is Mandatory: A kill switch is the most basic defense; failing to use it while actively online is inexcusable.

Ledger: The Supply Chain Leak

“Your keys are safe, but your home address isn’t.”

On January 5, Ledger confirmed a data breach impacting its customers — not through their hardware, but through their payment processor, Global-e. While Ledger’s devices remain secure and user funds are untouched, the personal data of customers — including names, shipping addresses, and contact information — was compromised. This breach exposes users to a threat that cryptography cannot solve: the physical “wrench attack.”

The breach occurred when Global-e identified “unusual activity” that exposed customer databases. Attackers now possess a list of individuals who own crypto hardware wallets, along with their physical locations. This creates a high-fidelity target list for phishing campaigns (fake Ledger letters, emails) and potentially home invasions. It is a bitter irony for a company that previously faced backlash for charging for security features; now, their “free” supply chain partners have cost users their privacy.

Lessons Learned

  • Vendor Risk is Your Risk: You can have the best hardware security in the world, but if your payment processor leaks the customer list, your users are in danger.
  • Expect Phishing: Victims should expect sophisticated phishing attempts using the stolen data to establish false trust.
  • Physical OpSec: Delivering hardware wallets to your home address creates a permanent record connecting your identity to crypto ownership. Use drop boxes or aliases where possible.

MetaMask: The “Party Hat” Phishing Campaign

“The drainer doesn’t need your seed phrase; it just needs your permission.”

A sophisticated phishing campaign flagged by ZachXBT has drained over $107,000 from hundreds of wallets by exploiting the holiday lull. Users received professionally designed emails from “MetaLiveChain” claiming a “Mandatory 2026 Upgrade” was required to keep their wallets active. The emails used legitimate marketing templates (complete with unsubscribe links from real vendors) and featured a disarming “party hat” version of the MetaMask fox logo to bypass user suspicion.

Instead of asking for a seed phrase — which most users now know to protect — the phishing site prompted users to sign a contract approval. This granted the attacker permission to move unlimited tokens from the victim’s wallet. By keeping individual thefts small (typically under $2,000), the attacker avoided triggering major alerts while scaling the theft across hundreds of victims. It serves as a reminder that a signature can be just as lethal as a leaked key.

Lessons Learned

  • Approvals are Dangerous: You can lose your funds without ever sharing your seed phrase. Never sign a transaction from an email link.
  • Small Drains Add Up: Attackers are moving towards “low and slow” thefts to stay under the radar of major security firms.
  • Verify the Sender: MetaMask will never email you about a “mandatory upgrade.” Any email claiming otherwise is a scam.

Futureswap: The Unverified Black Box

“If the code is closed, the exit is open.”

Security firm BlockSec Phalcon detected a quiet drain on the Futureswap protocol on Arbitrum, resulting in an estimated loss of $395,000. The attack appears to be caused by an accounting error in the stableBalance calculation during position updates, allowing the attacker to withdraw more USDC than they were entitled to.

However, confirming the root cause is impossible because the contracts are unverified. Closed-source contracts prevent security researchers from analyzing the flaw or helping the team patch it. As of now, the team has not responded to inquiries, and users are left in the dark about whether their remaining funds are safe. This incident reinforces the golden rule of DeFi: if the code isn’t verified on the block explorer, you aren’t using a decentralized protocol — you’re trusting a black box.

Lessons Learned

  • Verify or Don’t Trust: Unverified contracts are a massive security risk. They hide bugs from whitehats and hide exploits from users.
  • Silence is Telling: A lack of communication during an exploit typically signals a lack of capability to respond.

GlassWorm: The macOS Developer Trap

“The malware isn’t targeting your wallet; it’s targeting your codebase.”

A fourth wave of the GlassWorm malware campaign has been detected, specifically targeting macOS developers through malicious VSCode and OpenVSX extensions. Unlike previous waves that targeted Windows, this iteration uses AppleScript and LaunchAgents to establish persistence on Mac systems. The malware hides inside seemingly useful developer tools (like studio-velte-distributor) and executes an AES-encrypted payload after a 15-minute delay to evade sandbox analysis.

The malware’s goal is total credential theft. It scrapes GitHub, NPM, and OpenVSX credentials, giving attackers access to the victim’s code repositories and supply chain. More alarmingly, it contains code designed to replace legitimate hardware wallet apps (like Ledger Live and Trezor Suite) with trojanized versions. While this specific feature appears to be misconfigured in the current version (deploying empty files), the intent is clear: attackers are trying to compromise the developer’s entire environment, from their code to their cold storage.

Lessons Learned

  • Audit Your Extensions: VSCode extensions run with high privileges. Only install extensions from verified publishers with established reputations.
  • The Supply Chain is the Target: Attackers want your GitHub credentials to inject malware into your projects, infecting your users downstream.
  • Delayed Execution: Modern malware waits before striking. A clean scan immediately after download does not guarantee safety.

About Extropy

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

Top comments (0)