Securing the future of web3 🛡 🌐

Joined September 2017
Pinned Tweet
Security updates you should know from May: what got hit, and what's hiding in your dependencies. TLDR; • $59.52M lost across 29 web3 incidents (vs April's ~$635M) • The Mini Shai-Hulud npm worm hit 1,000 package versions Full breakdown 👇
Quantstamp’s investigation found the June 8 $H compromise began with a targeted phishing attack that installed remote-access malware, enabling theft of wallet data and private keys. The tooling and certificate patterns observed are characteristic of DPRK-linked intrusions.
Quantstamp retweeted
Whitepaper Reading @ethconf 2026: Morpho Midnight

Thank you to @zeebradoom (@BigBrainVC) for the pizza and @0xCryptoSam (@recvcx) for the space! And of course @Morpho for an incredible paper! The conversations were deep and very insightful so thank you everyone that attended! The room was packed with experts, with members from @anza_xyz, @paxoslabs, @Quantstamp, @polychain, just to name a few.

Some unique insights/questions discussed through the evening included:

1. What are the reasons for seemingly arbitrary numbers, like the 15 minute overdue position linear liquidation incentive factor growth, the max 50 bps annualized settlement fee, or the 1% continuous fee cap?
2. Why use "units" rather than ERC20 tokens? Our discussion thought that it may be to capture value through the settlement fee (forcing all trading to happen through Midnight), and to reduce on-chain computation overhead of using ERC standards.
3. Why are there just 2 optional gate contracts? We thought that it was just that one gate was to specify the restrictions on credit positions and one gate for debt positions.
4. What does footnote 5 mean? We discussed what it meant that Morpho Blue only realized bad debt after collateral was "fully seized" and the expectation for liquidators to act promptly. We discussed how frontrunning may still be an issue.
5. We discussed the possibility to tokenize positions to create secondary markets, and the possibility for Midnight to internalize these products.
6. Is there the possibility for two identical markets to launch 2 different markets (thereby fragmenting liquidity)? We concluded that it was probably up to the Router to match markets that were structurally identical.
7. Are separate "markets" created based on fee structure, duration, and collateral? We believed this may cause liquidity fragmentation issues.
8. What is the difference between Midnight and peer to peer lending? We thought the ability for Midnight to do "batch" liquidations rather than pair wise liquidations was a huge efficiency unlock. We also talked about how the fact that both lenders and borrowers can act first and "bid" was a huge unlock, as previous lending protocols depended on either a borrower or lender to always act first.
9. Does a hand picked liquidator introduce new risk if the liquidator doesn't act? Yes, but institutional liquidators may be paid to help manage markets, which reduces the risk of this occurring.
10. Is it possible to sell your position to a particular individual? Through gates, it may be possible to control who you sell/buy your position to without only selling to the best market price.

Thank you for attending, and reach out if you would like to attend the next ny whitepaper reading circle!

Link to whitepaper: morpho.org/whitepapers/midni…
Link to summary: docs.google.com/document/d/1…
And that's a wrap on @ethconf 💙 Thank you to everyone who came out for our rooftop mixer w/ our friends over at @CommonDefenseAI! We hope you made some new friends, caught up with familiar faces, and enjoyed the NYC skyline 🗽
Safest rooftop in NYC tonight. We’re taking over the Chelsea skyline with our friends over at @CommonDefenseAI. If you’re in NYC for @ethconf, come find us: luma.com/sohhvo10
Quantstamp retweeted
Parthenon won the @CantonNetwork track at Proof of Talk in Paris. We’re building the institutional fixed-rate credit marketplace: fixed rates locked at origination, real legal recourse, so institutions can finally lend on-chain. Thank you @proofoftalk. Just the start. 🔥
2 startup teams changed their year on the Main Stage at the Louvre. The Proof of Pitch Winners 2026: General Track: → @ReplyCorp, represented by Jordan Feinstein. Canton Track: → Parthenon, represented by Lindsey Girkin. The introductions that take 12 months to set up everywhere else just happened in one afternoon. Powered by @SpectrumNodes. Announced by Andy Tang @Andytang (@DraperVC), Matthew Felice Pace @mfelicepace (@SpectrumNodes), and Viktor Y. (@CointelegraphAc). Congratulations to every winner.
We're on the ground at @ethconf! If you'd like to chat about smart contract audits, reach out to @0xrubes & @jonnymevs, or stop by our Rooftop Mixer tomorrow night 👇 luma.com/sohhvo10
We'll be heading to NYC for @ethconf next week 🗽 @0xrubes and @jonnymevs will be on the ground. If you're thinking about smart contract audits, launching or upgrading a protocol, or interested in post-deployment monitoring, shoot them a DM!
gm @ethconf 🗽 NYC we are inside you rn
Security updates you should know from May: what got hit, and what's hiding in your dependencies. TLDR; • $59.52M lost across 29 web3 incidents (vs April's ~$635M) • The Mini Shai-Hulud npm worm hit 1,000 package versions Full breakdown 👇
Why this matters for web3 teams: the worm targets the exact machines that hold RPC keys, deploy credentials, and signing secrets. We break down our recommendations to protect your team in The Security Beat.
Quantstamp retweeted
We'll be joining @Giveth for this one! Rabib Islam @rabizzzy, Senior Research Engineer at Quantstamp, will hop on to chat all things Ethereum security and the round 🫶 See you there 👇
Jun 1
What happens when Ethereum decides to fund security together? 🛡️ Join us Wednesday for the Ethereum Security QF Round wrap-up Space. We’ll unpack the results, hear from contributors and share key takeaways from the round. 👇 x.com/i/spaces/1YxNrrvEqYNxw…
Quantstamp retweeted
Jun 2
Ethereum security is an ecosystem effort 🛡️ Tomorrow we'll hear from @wintermute_t, @Quantstamp, @sigp_io, @Certora, and @chain_security on why they supported the round and where Ethereum security funding should go next. 👇 x.com/i/spaces/1YxNrrvEqYNxw…
Quantstamp retweeted
It's finally happening! SEAL Certifications are now open for business. 🎉
Quantstamp retweeted
May 25
If you lead a Web3 business that holds any meaningful amount of funds onchain, you should seek out security expertise to help keep funds safe. Whether it’s smart contract code, private key management, or multisig configuration, it’s your users’ funds at stake. Secure them.