0x21 Web3 Security Bulletin
Crypto and web3 security insights, including tools, hacks, and regulations.
Deep Dive: Oracle Infrastructure in Lending Protocols
Castle Labs dissects the oracle architectures powering Aave, Morpho, Euler, and Fluid, contrasting Chainlink’s dominance with the rise of oracle-agnostic designs. The report details critical safety mechanisms—like Aave’s CAPO and Fluid’s TWAP cross-checks—and warns that as protocols diversify providers to avoid single points of failure, the responsibility for verifying data quality increasingly shifts to users and market curators. (Castle Labs)
Supply Chain Defense: Catching Malicious Package Releases with Transparency Logs
Trail of Bits details their work hardening rekor-monitor to help developers catch unauthorized package releases in the Sigstore ecosystem. Funded by OpenSSF, the upgrades—including Rekor v2 support and TUF key fetching—let maintainers operationalize transparency logs, turning abstract tamper-evidence into actionable alerts. The focus is on detecting unauthorized and suspicious changes earlier, which matters more as dependency compromise keeps scaling. (Trail of Bits)
State of DeFi Security 2025: Emerging Threats & Competitive Defense
Peter Kacherginsky (BlockThreat) outlines a shifting threat landscape where private key thefts have dropped, but "patient attackers" now compromise contracts months in advance, waiting for high-value targets. He warns against the "Lindy Effect" fallacy for legacy code and proposes a "competitive incident response" market: incentivizing defensive MEV bots and researchers to intercept hacks and identify root causes in real-time, moving beyond simple bug bounties to active, profit-driven defense. (DeFi Security Summit on YouTube)
Master Smart Contract Proxies in a Weekend (Curated Resource Thread)
Dimitar Dimitrov shares a compact learning path for mastering upgradeable smart contract proxies: start with yAudit’s comprehensive proxies research, then dive into RareSkills articles on UUPS, Transparent proxies, EIP‑1967 storage slots, Beacon proxies, Diamond proxies, and EIP‑1167 minimal proxies. The thread closes with a link to RareSkills’ free “Book of Proxy Patterns and Delegatecall,” positioned as a complete, no-login-required handbook for implementing and auditing proxy-based upgradeability.
Hexagate Joins Chainalysis to Push “Prevention” for Web3 Foundations
Chainalysis Team outlines a product expansion aimed at stopping hacks and governance/operational failures earlier, positioning Hexagate as a security layer for blockchain foundations and ecosystem builders. The announcement emphasizes continuous monitoring and proactive prevention as baseline infrastructure. (Chainalysis)
Certora's New Jito-Solana Validator
Fiorella Scantamburlo and Seth Hallem describe Certora’s move from “just” verifying protocols to operating infrastructure: a Jito-Solana validator under the Solana Foundation Delegation Program. The post frames validator operations as security work—hardening decentralization, resilience, and reliability via monitoring, operational readiness, and adversarial thinking applied at the infrastructure layer. (Certora)
A few notable hacks from Rekt and other sources…
😞 Yearn Finance's Fourth Exploit: Legacy iEarn Vault Drained
Security firms report a fourth exploit hitting Yearn Finance in weeks, this time targeting a deprecated v1 "iearn" contract. Attackers used a flash loan to manipulate token prices within the legacy vault, draining assets and converting them before exit. The incident—following a separate $9M yETH infinite mint hack in late November—highlights the persistent liability of outdated, unupgraded contracts even as core v2/v3 products remain secure. (The Defiant) (banteg on GitHub)
Aevo/Ribbon Hack: Oracle Precision + Access Control = $2.7M Drain
Halborn breaks down how an oracle precision change (18 vs 8 decimals) combined with an access-control weakness in a proxy-based oracle stack let attackers set expiry prices for newly created assets. The exploit minted outsized payouts from vaults until protocol limits were effectively bypassed. The takeaway: upgrades must be tested against legacy assets and privilege boundaries. (Halborn)
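An added example (not Aevo/Ribbon, Halborn or any project's code) of the two controls the write-up points at: a settlement oracle that pins the expected feed precision per asset, refuses assets with no registered precision, and gates who may set expiry prices. The 8-decimal settlement unit, the `ExpiryOracle` class and the sample prices are all assumptions for illustration.

```python
# Added example, not from the bulletin or the protocols it describes.
from dataclasses import dataclass, field

SETTLEMENT_DECIMALS = 8  # payouts are computed in 8-decimal USD units (assumed)


def to_settlement_units(price: int, feed_decimals: int) -> int:
    """Rescale a raw feed integer to SETTLEMENT_DECIMALS precision."""
    if feed_decimals >= SETTLEMENT_DECIMALS:
        return price // 10 ** (feed_decimals - SETTLEMENT_DECIMALS)
    return price * 10 ** (SETTLEMENT_DECIMALS - feed_decimals)


def call_payout(strike: int, expiry_price: int, contracts: int) -> int:
    """Cash-settled call payout; strike and expiry_price in settlement units."""
    return contracts * max(0, expiry_price - strike)


@dataclass
class ExpiryOracle:
    admin: str                      # the only account allowed to settle
    feed_decimals: dict[str, int]   # asset -> precision the feed is known to use
    expiry_prices: dict[str, int] = field(default_factory=dict)

    def set_expiry_price(self, caller: str, asset: str,
                         raw_price: int, decimals: int) -> int:
        if caller != self.admin:
            raise PermissionError(f"{caller} may not set expiry prices")
        expected = self.feed_decimals.get(asset)
        if expected is None:
            # A newly created asset has no registered precision: refuse, do not guess.
            raise ValueError(f"no registered feed precision for {asset}")
        if decimals != expected:
            raise ValueError(f"{asset}: feed reports {decimals} decimals, expected {expected}")
        price = to_settlement_units(raw_price, decimals)
        self.expiry_prices[asset] = price
        return price


def mis_scaled_payout_ratio(strike_8dec: int, raw_price_18dec: int) -> int:
    """How many times too large a payout is when an 18-decimal price is
    consumed as if it were already in 8-decimal settlement units."""
    naive = call_payout(strike_8dec, raw_price_18dec, 1)
    correct = call_payout(strike_8dec, to_settlement_units(raw_price_18dec, 18), 1)
    return naive // correct
```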
Root Cause Analysis of the May '25 Cetus $223M Exploit
MoveJay traces the Cetus CLMM exploit on Sui to a faulty checked_shlw overflow condition that allowed an unsafe << 64 shift to corrupt fixed-point math. That mismatch undercharged deposits while crediting massive liquidity, enabling repeated pool drains. The piece also documents containment (pauses and validator action), partial bridge-out, and recovery mechanics—treating it as a shared-library ecosystem failure. (Cyfrin)
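An added example, not from the bulletin, Cyfrin or the Cetus code base, modelling the bug class in Python: a 256-bit checked left shift whose overflow guard compares against the wrong bound, beside the correct guard, fed into a simplified fixed-point "tokens required for this liquidity" computation. The loose bound constant and the Q64.64 price arithmetic are assumptions that mirror public post-mortems, not details taken from this page.

```python
# Added example, not from the bulletin or the Cetus/integer-mate code.
U256_MAX = (1 << 256) - 1


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Shift n left by 64 with a guard against the wrong bound.
    0xffffffffffffffff << 192 equals 2**256 - 2**192, so nearly every
    value passes and the shift silently wraps in u256 (bound assumed)."""
    mask = 0xFFFFFFFFFFFFFFFF << 192
    if n > mask:
        return 0, True
    return (n << 64) & U256_MAX, False   # wraps for any n >= 2**192


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: n << 64 fits in 256 bits only when n < 2**192."""
    if n >= 1 << 192:
        return 0, True
    return n << 64, False


def tokens_required(liquidity: int, sqrt_price_lo: int, sqrt_price_hi: int,
                    shl) -> int:
    """Simplified CLMM deposit pricing in Q64.64 fixed point:
    amount = ceil((liquidity * dsqrt_price) << 64 / (sqrt_lo * sqrt_hi)).
    A wrapped numerator makes a huge liquidity position look almost free."""
    product = liquidity * (sqrt_price_hi - sqrt_price_lo)
    numerator, overflow = shl(product)
    if overflow:
        raise OverflowError("liquidity * price delta does not fit; reject deposit")
    denominator = sqrt_price_lo * sqrt_price_hi
    return -(-numerator // denominator)   # round up: never undercharge


def undercharge_demo() -> tuple[int, bool]:
    """Returns (tokens charged by the buggy path, whether the fixed path rejects)
    for a liquidity value that the faulty guard lets through."""
    one = 1 << 64                         # sqrt price 1.0 in Q64.64
    liquidity = (1 << 192) + 1            # product wraps to 2**64 after << 64
    buggy = tokens_required(liquidity, one, one + 1, checked_shlw_buggy)
    try:
        tokens_required(liquidity, one, one + 1, checked_shlw_fixed)
        rejected = False
    except OverflowError:
        rejected = True
    return buggy, rejected
```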
Total 2025 hack events: 199. The total amount of money lost to blockchain hackers is about $2,917,042,055.
Crypto Regulation Shifted from Enforcement to Frameworks (2025 Recap)
Governments spent 2025 moving from ad‑hoc enforcement toward upfront rulebooks—bringing more clarity, but also new compliance obligations across jurisdictions. The piece frames MiCA and US stablecoin legislation as part of a broader trend: operational regimes, licensing processes, and guidance arriving “for real,” shaping how crypto firms plan 2026 market entry and controls. (Elliptic)
Herd Raises $1.8M to Build a "Co-terminal" for Human-Agent Onchain Work
Herd is a very cool explorer of all things crypto, built by founders Andrew Hong and Edward Bramanti (ex-Dune). Herd is a "collaborative terminal" designed to expose the full range of smart contract composability often hidden by simplified frontends. By combining natural language search with agentic workflows, the platform aims to let users and AI agents discover, understand, and execute complex cross-protocol flows—like combining Virtuals, Boost, and Uniswap hooks—that currently require custom coding. (Herd)
ScamSweeper: Detecting Web3 Scam Accounts via Transaction Graph Evolution
Xiaoqi Li et al. propose ScamSweeper, focusing on how scam behavior evolves over time in Ethereum transaction graphs. The method combines temporal sampling (structure-aware random walks), directed subgraph encoding, and a variational Transformer to classify scam accounts. The paper claims substantial gains over prior detectors and emphasizes the need to model power-law, time-dependent transaction structure rather than static snapshots. (arXiv)
Ethical Risk Analysis of L2 Rollups: Centralization as Feature, Not Bug
Georgy Ishmaev et al. apply an "Ethical Risk Analysis" framework to 129 L2 projects, revealing that centralization risks are systematic, not accidental. The study finds 86% of rollups allow instant upgrades without exit windows and 50% have controls that can freeze user withdrawals. By correlating architecture with incident data (2022–2025), the paper argues that current governance models ethically fail users by enforcing dependency without autonomy, and proposes specific mitigation strategies for proposer liveness and forced inclusion. (arXiv)