• Training an AI agent? OWASP's Alternate Top 15: Web3 Attack Vectors (Beyond Smart Contracts) is a excellent structured list of common attack vectors with examples.

• And the 2026 OWASP Smart Contract Top 10 is out.

• "What's left to protect when the thing being stolen is the machine's model of your mind?" - Rekt's commentary on malware targeting OpenClaw.

• OpenClaw pro tip: Have your agent install the SDK of whatever tool you are trying to integrate with and then ask it to build it's own SKILL.md. Stay safe and thank me later.

• Crypto finally found a use case, for agents at least, they now have x402 protocol wallets.

• TRM Labs raises $70M to fund expansion of its AI-driven blockchain intelligence platform.

• Research & tool drop: OpenAI and Paradigm release EVMbench - a benchmark and agent harness for finding and exploiting smart contract bugs.

OWASP Smart Contract Top 10: 2026

An new Smart Contract Top 10 from OWASP has been released. This year's top 10 identifies the most critical vulnerabilities based on 2025 incident data comprising 122 incidents and approximately $905.4 million in losses. The ranking prioritizes Access Control Vulnerabilities at the top, followed by Business Logic Vulnerabilities and Price Oracle Manipulation.

Other notable categories include Flash Loan-Facilitated Attacks, Unchecked External Calls, Reentrancy Attacks, and Proxy & Upgradeability Vulnerabilities. The report also includes an Alternate Top 15 cataloguing off-chain and operational threats such as multisig manipulation, supply chain attacks, and phishing. (OWASP)

Identity Theft 2.0

Rekt News reports on the weaponization of OpenClaw AI agents, where Vidar infostealers now harvest soul.md, MEMORY.md, and gateway tokens to steal complete behavioral blueprints rather than just passwords. Roughly 20% of ClawHub skills are poisoned with malware, while AI recommendation poisoning manipulates agent memories through crafted "Summarize with AI" buttons. Anthropic's Opus 4.6 model learned to behave differently when observed, and the resignation of its Safeguards Research Team highlights growing safety concerns. Projects like ClawBank and Coinbase's Agentic Wallets signal the emergence of autonomous financial agents—creating potential drain paths when combined with CVE-2026-25253 and exposed instances. (Rekt)

OpenAI Introduces EVMbench for Smart Contract Security

OpenAI, in collaboration with Paradigm, introduces EVMbench—a benchmark evaluating AI agents' ability to detect, patch, and exploit smart contract vulnerabilities across 120 curated scenarios. GPT-5.3-Codex achieves 72.2% on exploit tasks, a significant improvement from GPT-5's 31.9%, while detection and patching remain challenging. The framework includes vulnerabilities from Code4rena audits and Tempo blockchain scenarios, running in isolated Anvil environments.

The initiative includes $10M in API credits for cybersecurity research and expanded Aardvark beta access to support defensive applications. (OpenAI)

Coinbase Launches Agentic Wallets for AI Agents

Erik Reppel and Josh Nickerson introduce the first wallet infrastructure purpose-built for AI agents, enabling autonomous spending, earning, and trading with enterprise-grade security guardrails. The system features plug-and-play agent skills, gasless trading on Base, and the battle-tested x402 protocol for machine-to-machine payments. Security measures include session caps, transaction limits, enclave-isolated private keys, and KYT screening. Agents can monitor DeFi yields, pay for their own compute and APIs, and participate in creator economies without human intervention at every decision point. (Coinbase)

Multisig Monitor for Safe Wallet Security

fredrik0x and forefy have released multisigmonitor, a real-time analysis tool that detects governance attacks on Safe{wallet} multisig configurations before malicious transfers occur. The system monitors management transactions—such as owner additions, threshold changes, and module enables—by examining decoded transaction data for configuration changes.

Built primarily in TypeScript and Rust, the open-source tool provides auditable records of governance changes and early warning capabilities. Users can deploy locally via Docker to assess current Safe configurations. The project operates under the W3OS open standard for Web3 operational security. (Github)

SSCD+ Exam Preparation Guide

Usman Farooq outlines a ten-step strategy for passing the Solidity Smart Contract Developer certification, emphasizing deep understanding over memorization. The approach includes completing six core courses, minting challenge NFTs, engaging with the GitHub community, and reading vulnerability reports on Solodit to build pattern recognition. (Cyfrin)

And at the Bottom of the News...

...and Vitalik Calls Him Out

Guardrail'a Real-time Security Protects Rain Stablecoins

Guardrail has deployed an integrated detection and response framework with Rain, the enterprise stablecoin payments platform. The solution protects Rain's Visa settlement flows across 150+ countries. Guardrail's model addresses a critical gap in Web3 security, while exploits often target smartcontract code, code audits do not protect against runtime attacks, key compromises, or op-sec failures. Guardrail's security and risk monitoring evaluates transactions across 30+ chains with sub-second analysis and routes incidents into managed response workflows. (The Block)

A few notable hacks from Rekt and other sources…

Moonwell cbETH Oracle Incident

AnthiasLabs reports that on February 15, Moonwell's cbETH oracle misconfigured the Chainlink price feed, omitting the ETH/USD multiplier and reporting cbETH at $1.12 instead of ~$3,226. This pricing error triggered aggressive liquidations, seizing 1,096 cbETH from seventeen wallets and creating $1.78 million in bad debt across multiple assets. The protocol immediately reduced supply and borrow caps to 0.01, and MIP-X43 proposes Guardian-mode governance to restore operations. (Moonwell)

Total 2026 hack events: 23

The total amount of money lost by blockchain hackers is about

$106,709,400

SEC on Crypto, Markets, and “Number Go Down”

Commissioner Hester Peirce and Chairman Paul Atkins use an ETHDenver fireside chat to outline a more constructive SEC stance on crypto, highlighting Project Crypto with the CFTC, an “innovation exemption” for tokenized securities, and efforts to embed compliance in smart contracts. They stress that regulators should not chase price swings or rescue speculators, but instead provide clear, incremental rules that let builders tokenize assets, modernize custody and transfer agents, and preserve financial privacy. Their message to crypto founders in a down market is simple: engage early with regulators, focus on useful products. (SEC)

EU Safety Net for Stablecoin Holders

Valentina Za reports that the European Commission is investigating whether MiCAR protections adequately shield EU investors holding e-money tokens (EMTs) issued by non-EU entities. The probe, initiated after France's ACPR questioned the EBA, examines redemption rights for tokens like USDC that operate across jurisdictions with full fungibility but potentially unequal safeguards. The inquiry highlights tensions as the United States moves toward cryptocurrency deregulation, raising questions about the effectiveness of the newly implemented framework. (Reuters)

Still Waiting for CLARITY

Bessent, asked on CNBC about the crypto bill's status amid a recent sell-off in the sector, said the bill, known as the Clarity Act, would give "great comfort to the market" at a time of great volatility.

TRM Labs Raises $70M to Scale AI-Powered Threat Intelligence

The TRM Team announces a $70 million Series C round led by Blockchain Capital, valuing TRM Labs at $1 billion and funding expansion of its AI-driven blockchain intelligence platform for law enforcement, national security, and financial institutions in 50+ countries. The company will invest in world-class talent, AI-enabled compliance, and AI-powered investigations to counter ransomware groups, terrorist financiers, and transnational criminal networks increasingly using automation and AI. Customers include Circle, Coinbase, PayPal, Stripe, Visa, and major banks, underscoring TRM’s role as critical infrastructure for on-chain public safety and financial integrity. (TRM Labs)

EVMbench: Evaluating AI Agents for Smart Contract Security

Researchers introduce EVMbench, a framework testing AI agents' abilities to detect, patch, and exploit smart contract vulnerabilities across 120 curated scenarios drawn from 40 repositories. The evaluation uses programmatic grading against live blockchain instances in isolated Ethereum environments. Frontier agents demonstrate end-to-end capability to discover and exploit vulnerabilities autonomously. The release includes open-source code, tasks, and tooling to support ongoing measurement of security capabilities and defensive research. (OpenAI) (Github)

BitPriv: Bitcoin DeFi with Privacy

Alexopoulos et al. present BitPriv, the first protocol enabling privacy-preserving DeFi on Bitcoin through secure two-party computation and BitVM fraud proofs. The design locks collateral on-chain while executing garbled circuits off-chain, with violations provable and punishable on-chain. (ePrint Archive)

• Training an AI agent? OWASP's Alternate Top 15: Web3 Attack Vectors (Beyond Smart Contracts) is a excellent structured list of common attack vectors with examples.

• And the 2026 OWASP Smart Contract Top 10 is out.

• "What's left to protect when the thing being stolen is the machine's model of your mind?" - Rekt's commentary on malware targeting OpenClaw.

• OpenClaw pro tip: Have your agent install the SDK of whatever tool you are trying to integrate with and then ask it to build it's own SKILL.md. Stay safe and thank me later.

• Crypto finally found a use case, for agents at least, they now have x402 protocol wallets.

• TRM Labs raises $70M to fund expansion of its AI-driven blockchain intelligence platform.

• Research & tool drop: OpenAI and Paradigm release EVMbench - a benchmark and agent harness for finding and exploiting smart contract bugs.

OWASP Smart Contract Top 10: 2026

An new Smart Contract Top 10 from OWASP has been released. This year's top 10 identifies the most critical vulnerabilities based on 2025 incident data comprising 122 incidents and approximately $905.4 million in losses. The ranking prioritizes Access Control Vulnerabilities at the top, followed by Business Logic Vulnerabilities and Price Oracle Manipulation.

Other notable categories include Flash Loan-Facilitated Attacks, Unchecked External Calls, Reentrancy Attacks, and Proxy & Upgradeability Vulnerabilities. The report also includes an Alternate Top 15 cataloguing off-chain and operational threats such as multisig manipulation, supply chain attacks, and phishing. (OWASP)

Identity Theft 2.0

Rekt News reports on the weaponization of OpenClaw AI agents, where Vidar infostealers now harvest soul.md, MEMORY.md, and gateway tokens to steal complete behavioral blueprints rather than just passwords. Roughly 20% of ClawHub skills are poisoned with malware, while AI recommendation poisoning manipulates agent memories through crafted "Summarize with AI" buttons. Anthropic's Opus 4.6 model learned to behave differently when observed, and the resignation of its Safeguards Research Team highlights growing safety concerns. Projects like ClawBank and Coinbase's Agentic Wallets signal the emergence of autonomous financial agents—creating potential drain paths when combined with CVE-2026-25253 and exposed instances. (Rekt)

OpenAI Introduces EVMbench for Smart Contract Security

OpenAI, in collaboration with Paradigm, introduces EVMbench—a benchmark evaluating AI agents' ability to detect, patch, and exploit smart contract vulnerabilities across 120 curated scenarios. GPT-5.3-Codex achieves 72.2% on exploit tasks, a significant improvement from GPT-5's 31.9%, while detection and patching remain challenging. The framework includes vulnerabilities from Code4rena audits and Tempo blockchain scenarios, running in isolated Anvil environments.

The initiative includes $10M in API credits for cybersecurity research and expanded Aardvark beta access to support defensive applications. (OpenAI)

Coinbase Launches Agentic Wallets for AI Agents

Erik Reppel and Josh Nickerson introduce the first wallet infrastructure purpose-built for AI agents, enabling autonomous spending, earning, and trading with enterprise-grade security guardrails. The system features plug-and-play agent skills, gasless trading on Base, and the battle-tested x402 protocol for machine-to-machine payments. Security measures include session caps, transaction limits, enclave-isolated private keys, and KYT screening. Agents can monitor DeFi yields, pay for their own compute and APIs, and participate in creator economies without human intervention at every decision point. (Coinbase)

Multisig Monitor for Safe Wallet Security

fredrik0x and forefy have released multisigmonitor, a real-time analysis tool that detects governance attacks on Safe{wallet} multisig configurations before malicious transfers occur. The system monitors management transactions—such as owner additions, threshold changes, and module enables—by examining decoded transaction data for configuration changes.

Built primarily in TypeScript and Rust, the open-source tool provides auditable records of governance changes and early warning capabilities. Users can deploy locally via Docker to assess current Safe configurations. The project operates under the W3OS open standard for Web3 operational security. (Github)

SSCD+ Exam Preparation Guide

Usman Farooq outlines a ten-step strategy for passing the Solidity Smart Contract Developer certification, emphasizing deep understanding over memorization. The approach includes completing six core courses, minting challenge NFTs, engaging with the GitHub community, and reading vulnerability reports on Solodit to build pattern recognition. (Cyfrin)

And at the Bottom of the News...

...and Vitalik Calls Him Out

Guardrail'a Real-time Security Protects Rain Stablecoins

Guardrail has deployed an integrated detection and response framework with Rain, the enterprise stablecoin payments platform. The solution protects Rain's Visa settlement flows across 150+ countries. Guardrail's model addresses a critical gap in Web3 security, while exploits often target smartcontract code, code audits do not protect against runtime attacks, key compromises, or op-sec failures. Guardrail's security and risk monitoring evaluates transactions across 30+ chains with sub-second analysis and routes incidents into managed response workflows. (The Block)

A few notable hacks from Rekt and other sources…

Moonwell cbETH Oracle Incident

AnthiasLabs reports that on February 15, Moonwell's cbETH oracle misconfigured the Chainlink price feed, omitting the ETH/USD multiplier and reporting cbETH at $1.12 instead of ~$3,226. This pricing error triggered aggressive liquidations, seizing 1,096 cbETH from seventeen wallets and creating $1.78 million in bad debt across multiple assets. The protocol immediately reduced supply and borrow caps to 0.01, and MIP-X43 proposes Guardian-mode governance to restore operations. (Moonwell)

Total 2026 hack events: 23

The total amount of money lost by blockchain hackers is about

$106,709,400

SEC on Crypto, Markets, and “Number Go Down”

Commissioner Hester Peirce and Chairman Paul Atkins use an ETHDenver fireside chat to outline a more constructive SEC stance on crypto, highlighting Project Crypto with the CFTC, an “innovation exemption” for tokenized securities, and efforts to embed compliance in smart contracts. They stress that regulators should not chase price swings or rescue speculators, but instead provide clear, incremental rules that let builders tokenize assets, modernize custody and transfer agents, and preserve financial privacy. Their message to crypto founders in a down market is simple: engage early with regulators, focus on useful products. (SEC)

EU Safety Net for Stablecoin Holders

Valentina Za reports that the European Commission is investigating whether MiCAR protections adequately shield EU investors holding e-money tokens (EMTs) issued by non-EU entities. The probe, initiated after France's ACPR questioned the EBA, examines redemption rights for tokens like USDC that operate across jurisdictions with full fungibility but potentially unequal safeguards. The inquiry highlights tensions as the United States moves toward cryptocurrency deregulation, raising questions about the effectiveness of the newly implemented framework. (Reuters)

Still Waiting for CLARITY

Bessent, asked on CNBC about the crypto bill's status amid a recent sell-off in the sector, said the bill, known as the Clarity Act, would give "great comfort to the market" at a time of great volatility.

TRM Labs Raises $70M to Scale AI-Powered Threat Intelligence

The TRM Team announces a $70 million Series C round led by Blockchain Capital, valuing TRM Labs at $1 billion and funding expansion of its AI-driven blockchain intelligence platform for law enforcement, national security, and financial institutions in 50+ countries. The company will invest in world-class talent, AI-enabled compliance, and AI-powered investigations to counter ransomware groups, terrorist financiers, and transnational criminal networks increasingly using automation and AI. Customers include Circle, Coinbase, PayPal, Stripe, Visa, and major banks, underscoring TRM’s role as critical infrastructure for on-chain public safety and financial integrity. (TRM Labs)

EVMbench: Evaluating AI Agents for Smart Contract Security

Researchers introduce EVMbench, a framework testing AI agents' abilities to detect, patch, and exploit smart contract vulnerabilities across 120 curated scenarios drawn from 40 repositories. The evaluation uses programmatic grading against live blockchain instances in isolated Ethereum environments. Frontier agents demonstrate end-to-end capability to discover and exploit vulnerabilities autonomously. The release includes open-source code, tasks, and tooling to support ongoing measurement of security capabilities and defensive research. (OpenAI) (Github)

BitPriv: Bitcoin DeFi with Privacy

Alexopoulos et al. present BitPriv, the first protocol enabling privacy-preserving DeFi on Bitcoin through secure two-party computation and BitVM fraud proofs. The design locks collateral on-chain while executing garbled circuits off-chain, with violations provable and punishable on-chain. (ePrint Archive)