Here’s a list of all crypto protocols hacked this year. It’s only May. Stake DAO WUSD fi/Glov Gnosis Users Fractal Protocol StablR Mure Polymarket MAP Protocol RetoSwap HermesVault Bankr Echo Bridge SEA Token Verus-Ethereum Bridge Adshares Thorchain DEX Transit Finance Aurellion SQ Protocol INK Finance Renegade TrustedVolumes Ekubo SmartCredit Sharwa Finance Bisq Wasabi Perps Aftermath Perps Sweat Foundation Syndicate Quant JUDAO Singularity Finance ZetaChain Scallop Lend Litecoin Purrlend Giddy Kipseli Volo Vault Thetanuts Finance Juicebox V3 Kelp Grinex Rhea Lend Zerion Wallet MONA Dango SubQuery Network Hyperbridge Aethir BSC TMM/USDT Drift Trade LML/USDT staking protocol GoonFi Cyrus Finance Resolv Neutrl dTRINITY dLEND Venus Core Pool Goose Finance Aave V3 Gondi V3 Molt EVM SolvBTC Curve LlamaLend FOOM Cash Wise Lending V2 Ploutos Money DGLD Blend Pools V2 IoTeX Veil Cash Moonwell Lending CrossCurve Step Finance Revert Lend Matcha Aperture LM Saga Makina Meteora DAMM V2 YO Protocol Truebit Polycule Fusion by IPOR TMX TRIBE PRXVT

A clean audit report is a snapshot, not a shield. It describes the code on the day we looked at it. The code you deploy three commits later, with the "small fix" nobody re-reviewed, is the code that gets drained. Freeze scope before you ship.

For developers coming from EVM or Solana, @ZenithFdn is the entry point to Canton. Deploy unmodified Solidity with Hardhat and MetaMask. Your contracts route natively through the Canton protocol and can atomically compose with Daml-native Canton apps. Canton’s EVM and SVM execution layer means you don’t need to learn a new language to get started. Bring your existing codebase and tooling. From there, your apps can tap into Canton’s privacy-preserving architecture, atomic cross-app settlement, and the full CIP-56 token ecosystem.

The weekend is about to begin. Saturday morning cappuccino for Saturday morning bug hunting.

Imagine spending $20K on an audit, the auditor slaps a report on your desk and calls it a day. You’re left wondering if your code is safer or if you just bought a very expensive PDF. Teams deserve better than this.

2/ We've worked with each provider to curate three security packages purpose-built for Ethereum subsidy program applicants. The tools have come a long way, and we're proud to bring some of the best of them into the program for Ethereum builders. Big thanks to @cyfrin, @NethermindSec, @DedgeSecurity, and @OlympixSecurity for being a part of this program 🤝

Every Defi protocol should have: 1. Circuit breakers for deposit and withdrawals, and possibly other internal operations as well 2. Timelocks for any change 3. Security councils that can shut down protocols immediately We don't need insurance, we need to do start doing the ffcking basics correctly. It's too early for this space to drive without any training wheels. I beg you, sacrifice a tiny bit of UX to gain a lot of peace of mind. The worst possible UX is losing your user's money.

As more and more admin keys are compromised to drain protocols, here's your check list if you are running one: 1) Learn as much as you can about your external dependencies. Once you learn about them, monitor their setup for upgrades 24/7. It's ridiculous to rely on an audit to tell you "hey, the doors to your house are locked, we checked it on 23rd of March". Today the external token that you may depend on could be L0 4/4 DVN; tomorrow, it may be 1/1 DVN. You should get an alert of a change and react to the news 2) As you should monitor your external dependencies, anyone relying on you should monitor you - for them, you are their external dependency. They should monitor every single MultiSig that you run, every single EOA that you set up - it's potentially their liability. Once an unsafe setup is detected, they may (and frankly should) refuse to use your protocol. So make sure you don't have these freaking EOAs that you set up just for operational efficiency 3) The first people spotting your weak points will be hackers. Then, external teams. Finally, your internal ops team. You need to reverse that order 4) Don't rely on AI slop for risk analysis. This current trend, where we see dozens of "risk-mgmt dashboards that I vibe-coded over the weekend" is frankly beyond scaring and outright irresponsible. You will get beautiful-sounding report, but you will never be sure if it is correct or bullshit or something in between The above you should do on top of code audits of your protocol and impeccable internal opsec, circuit-breaker infra, and whatnot. If you think that's frankly too much or too expensive - gtfo of DeFi And if you are overwhelmed with the complexity of the task - talk to @l2beat 💕