<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Burn Notice Newsletter]]></title><description><![CDATA[Weekly intelligence for Web3 and Crypto Security Operators.]]></description><link>https://burnnotice.adrianhetman.xyz</link><image><url>https://burnnotice.adrianhetman.xyz/img/substack.png</url><title>Burn Notice Newsletter</title><link>https://burnnotice.adrianhetman.xyz</link></image><generator>Substack</generator><lastBuildDate>Sat, 13 Jun 2026 05:32:27 GMT</lastBuildDate><atom:link href="https://burnnotice.adrianhetman.xyz/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Adrian ⛩️ Hetman]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[adrianhetman@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[adrianhetman@substack.com]]></itunes:email><itunes:name><![CDATA[Adrian ⛩️ Hetman]]></itunes:name></itunes:owner><itunes:author><![CDATA[Adrian ⛩️ Hetman]]></itunes:author><googleplay:owner><![CDATA[adrianhetman@substack.com]]></googleplay:owner><googleplay:email><![CDATA[adrianhetman@substack.com]]></googleplay:email><googleplay:author><![CDATA[Adrian ⛩️ Hetman]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Operational Security Gap Behind 2026's Web3 Losses]]></title><description><![CDATA[Roughly ~200 hack and exploit incidents in the first half of 2026, and about $900M stolen in total. 
Operational and infrastructure compromises took roughly three-quarters of the money]]></description><link>https://burnnotice.adrianhetman.xyz/p/the-operational-security-gap-behind</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/the-operational-security-gap-behind</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Fri, 12 Jun 2026 17:09:58 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!tbjs!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tbjs!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tbjs!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 424w, https://substackcdn.com/image/fetch/$s_!tbjs!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 848w, https://substackcdn.com/image/fetch/$s_!tbjs!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 1272w, 
https://substackcdn.com/image/fetch/$s_!tbjs!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tbjs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png" width="1456" height="764" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:764,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:136254,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://adrianhetman.substack.com/i/201721335?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tbjs!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 424w, https://substackcdn.com/image/fetch/$s_!tbjs!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 848w, 
https://substackcdn.com/image/fetch/$s_!tbjs!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 1272w, https://substackcdn.com/image/fetch/$s_!tbjs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3957d7ed-c2ba-4139-b643-96a0f5da901c_2040x1071.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>In the first half of 2026, the web3 industry recorded roughly 200 hack and exploit incidents, with hack-only losses of 
approximately $900M. Counting only the larger, well-documented events, the figure is closer to roughly 130. Including social-engineering and phishing theft, the all-in total rises to about $1.1B. The precise number depends on the reporting threshold, so the trackers differ, but the range is broadly consistent across them.</p><p>The single largest theft of the period was not a protocol hack at all. In January, one holder lost more than $282M in bitcoin and litecoin to a hardware-wallet social-engineering scam, with the proceeds laundered into Monero. It sits outside the protocol figures above and is counted only in the all-in total.</p><p>Among protocol incidents, two dominate the dollar total. Drift Protocol in early April and KelpDAO later that month account for approximately $577M between them, roughly 60% of all protocol hack and exploit losses for the period. Neither was a code bug. Drift followed a sustained social-engineering operation against multisig signers, and KelpDAO followed a compromise of bridge verification infrastructure.</p><h2>2026 in numbers</h2><p><em><strong>2026, month by month</strong></em> <em>Crypto hack losses and incident count by month. 
</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XuKY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XuKY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 424w, https://substackcdn.com/image/fetch/$s_!XuKY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 848w, https://substackcdn.com/image/fetch/$s_!XuKY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 1272w, https://substackcdn.com/image/fetch/$s_!XuKY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XuKY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png" width="1456" height="859" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:859,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:125435,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://adrianhetman.substack.com/i/201721335?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!XuKY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 424w, https://substackcdn.com/image/fetch/$s_!XuKY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 848w, https://substackcdn.com/image/fetch/$s_!XuKY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 1272w, https://substackcdn.com/image/fetch/$s_!XuKY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F723edaa1-da03-4984-af40-1f293631d19e_2000x1180.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>April was the worst month by a wide margin at about $647M, almost all of it from Drift and KelpDAO. May saw the most incidents of any month, around 40, for a fraction of the loss. The gap between the month with the most money lost and the month with the most incidents is the year in miniature.</p><p><em><strong>The biggest losses of 2026</strong></em> <em>Top protocol incidents by reported loss. Operational and infrastructure compromises in ember, smart-contract and economic exploits in teal. 
</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Wqe0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Wqe0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 424w, https://substackcdn.com/image/fetch/$s_!Wqe0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 848w, https://substackcdn.com/image/fetch/$s_!Wqe0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 1272w, https://substackcdn.com/image/fetch/$s_!Wqe0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Wqe0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png" width="1456" height="859" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:859,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:115662,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://adrianhetman.substack.com/i/201721335?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Wqe0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 424w, https://substackcdn.com/image/fetch/$s_!Wqe0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 848w, https://substackcdn.com/image/fetch/$s_!Wqe0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 1272w, https://substackcdn.com/image/fetch/$s_!Wqe0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe882029f-973a-4335-b4d1-18e7a49d7eab_2000x1180.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Ranked by size, the year is top-heavy. The two April incidents stand apart, and the next tier, in the low tens of millions, mixes operational compromises with a smaller number of smart-contract and economic exploits such as Truebit and Rhea Finance.</p><h2>The split between volume and value</h2><p>The more important pattern is the relationship between how often a failure type occurs and how much it costs. In the first quarter of 2026, 28 of 44 recorded incidents were smart-contract exploits, the kind that audits target, yet those incidents produced under a fifth of the quarter&#8217;s losses. Phishing, social engineering, and access-control failures, including stolen keys and compromised cloud infrastructure, were the minority of incidents but roughly three-quarters of the dollars lost. 
The same direction holds across the year to date, with compromised wallets and keys overtaking code vulnerabilities as the dominant source of losses by value.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cMOn!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cMOn!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 424w, https://substackcdn.com/image/fetch/$s_!cMOn!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 848w, https://substackcdn.com/image/fetch/$s_!cMOn!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 1272w, https://substackcdn.com/image/fetch/$s_!cMOn!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cMOn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png" width="1456" height="669" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:669,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:86923,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://adrianhetman.substack.com/i/201721335?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!cMOn!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 424w, https://substackcdn.com/image/fetch/$s_!cMOn!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 848w, https://substackcdn.com/image/fetch/$s_!cMOn!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 1272w, https://substackcdn.com/image/fetch/$s_!cMOn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255d6c1d-7740-4484-8ba4-c6d8df46d979_2000x919.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
xmlns="http://www.w3.org/2000/svg"></svg></button></div></div></div></a></figure></div><p><em><strong>The split between volume and value</strong></em> <em>Operational and infrastructure compromise against smart-contract code, by share of incidents and share of dollars lost. Shares are approximate, drawn from published first-quarter and year-to-date root-cause breakdowns. </em></p><p>The long tail explains the gap. Most incidents are small code exploits in the tens or low hundreds of thousands of dollars, and there are many of them. They raise the incident count without moving the dollar total. The losses that matter financially are concentrated in a small number of operational and infrastructure failures, where a single compromised key, signer, or verifier can release tens or hundreds of millions in one transaction.</p><p>This has a direct consequence for where defensive effort goes. The smart-contract layer is the part the industry audits, fuzzes, formally verifies, and runs bug bounties against, and that work remains necessary, because code bugs are the most common incident type. It is no longer where most of the money is lost. The dollar risk has moved up the stack to keys, signers, devices, cloud infrastructure, and domains, <strong>and that layer is rarely subjected to the same scrutiny.</strong> Audits alone do not address it. One of the year&#8217;s larger infrastructure losses, Resolv, occurred at a protocol that had passed more than a dozen audits, because the failure was an off-chain signing key in a cloud account rather than a contract flaw.</p><p>The practical reading is that frequency and value call for different responses. Code bugs should continue to be managed through audits, bounties, and monitoring, because they are persistent and common. 
The catastrophic losses require treating the operational layer as security-critical in its own right.</p><h2>Inside the operational compromises</h2><p>The operational and infrastructure losses for the half-year total approximately $700M. The roughly 20 largest of them, examined here, carry the great majority of that figure, and they fall into five categories. Smaller key-compromise incidents run through the long tail and add to the count, but little to the total. Realised losses are used throughout, with paper figures noted where they differ.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!as8Y!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!as8Y!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 424w, https://substackcdn.com/image/fetch/$s_!as8Y!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 848w, https://substackcdn.com/image/fetch/$s_!as8Y!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 1272w, https://substackcdn.com/image/fetch/$s_!as8Y!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!as8Y!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png" width="1456" height="815" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:815,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:84533,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://adrianhetman.substack.com/i/201721335?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!as8Y!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 424w, https://substackcdn.com/image/fetch/$s_!as8Y!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 848w, https://substackcdn.com/image/fetch/$s_!as8Y!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 1272w, 
https://substackcdn.com/image/fetch/$s_!as8Y!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a376b08-6a6c-4e5d-abeb-639bc3e949ff_2000x1120.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><em><strong>Where the money went</strong></em> <em>Realised loss by failure class across the operational-compromise incidents. 
</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!MVqa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!MVqa!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 424w, https://substackcdn.com/image/fetch/$s_!MVqa!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 848w, https://substackcdn.com/image/fetch/$s_!MVqa!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 1272w, https://substackcdn.com/image/fetch/$s_!MVqa!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!MVqa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png" width="1456" height="844" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:844,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:84938,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://adrianhetman.substack.com/i/201721335?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!MVqa!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 424w, https://substackcdn.com/image/fetch/$s_!MVqa!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 848w, https://substackcdn.com/image/fetch/$s_!MVqa!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 1272w, https://substackcdn.com/image/fetch/$s_!MVqa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3738776e-9b34-40bb-b859-bf3b979c30f9_2000x1160.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><em><strong>Where the incidents were</strong></em> <em>The same operational-compromise incidents by count. Admin-key compromise was the most frequent and the least costly. </em></p><p>Within the operational category, the same inversion repeats at smaller scale. Admin-key compromise was the most frequent failure, eight of the roughly twenty, and the least costly, because available liquidity capped what a single over-privileged key could extract. The largest losses concentrated in social engineering of signers and infrastructure compromise. 
April alone accounts for approximately $575M of the operational total, almost all of it Drift and KelpDAO.</p><h3>Admin-key compromise</h3><p>Eight incidents involved a single privileged key or role with broad authority and no compensating control such as a timelock or a genuine multi-party threshold. Wasabi Protocol&#8217;s deployer account held the sole administrative role and was used to grant a malicious helper contract the access needed to upgrade its vaults. StakeDAO&#8217;s deployer key repointed a cross-chain peer and forged a token mint moments later. StablR operated a 1-of-3 minting multisig, which presents the appearance of a threshold while functioning as a single key. Realised losses in this category were limited by available liquidity rather than by the access controls, and most drained in a single transaction.</p><h3>Social engineering of signers</h3><p>One incident, Drift Protocol, produced the single largest protocol loss of the half-year at approximately $285M. Threat actors attributed to North Korea spent roughly six months establishing a trusted relationship as a trading counterparty before persuading Security Council signers to pre-sign transactions through Solana durable nonces. A 2-of-5 threshold with no timelock meant two compromised approvals were sufficient to transfer control. The contracts themselves were not exploited.</p><h3>Employee and developer device compromise</h3><p>Two incidents originated from compromised endpoints. Step Finance lost approximately $27M after attackers compromised executive devices and used them to reach treasury and fee wallets. Humanity Protocol operated a multisig of 3-of-6 on Ethereum and 3-of-5 on BSC, but enough owner keys were backed up to a single employee laptop that one compromised machine met the signing threshold on both chains at once. 
Throughout the period, poisoned VS Code and npm packages targeted developer machines as a delivery mechanism for the same class of credential and key theft.</p><h3>Cloud and infrastructure key compromise</h3><p>Four incidents, the most costly category in aggregate, involved keys or verification infrastructure held off-chain. Resolv held a privileged signing key in AWS KMS, and an attacker who reached that environment, by way of a contractor&#8217;s retained credential from an earlier project, altered the signing-key policy and minted approximately $25M of unbacked stablecoin against a deposit worth a fraction of that amount. KelpDAO relied on a single off-chain verifier, which was induced to attest a forged message and released approximately $290M. Two further incidents are included with caveats. THORChain is more accurately characterised as a flaw in a threshold-signature implementation, and Gravity Bridge remains a suspected key compromise pending a post-mortem.</p><h3>Domain and DNS hijack</h3><p>Five incidents involved control of a project&#8217;s domain or DNS rather than its keys or contracts. CoW Protocol lost its .fi domain through registrar impersonation, and a phishing clone served from the hijacked domain caused approximately $1.2M in user losses over roughly four and a half hours. By contrast, OpenEden, Curvance, and HypurrFi faced comparable attempts and prevented user losses by detecting the unauthorised change early. The differentiating factor across this category was registrar hardening and DNS monitoring rather than budget.</p><h2>Outlook</h2><p>On the current trajectory, a further nine-figure loss originating outside the contract is a realistic expectation for the second half of 2026. The incentive is established, the access remains comparatively soft, and recent activity shows attackers favouring social engineering and infrastructure compromise over attacks on well-audited contract code. 
North Korean threat actors are credited with between 55 and 76% of all crypto hack losses so far in 2026, depending on the period measured, almost entirely on the basis of the two April incidents. The volume of small code exploits is unlikely to fall, but it is the operational layer that determines whether a year produces another $577M concentration. Organisations that bring that layer under the same scrutiny as their contracts will be best positioned to stay out of the next set of post-mortems.</p><h2>What security leads should do</h2><p>The defences for every category above are established and inexpensive relative to the losses they prevent. The recurring gap is ownership. This layer is seldom assigned to the security function, so it is seldom audited. The following actions, in priority order, close the most exposure for the least effort.</p><ol><li><p><strong>Inventory privileged access.</strong> Enumerate every key, role, signer, device, cloud identity, and domain that can move funds or change code, and map each to a named owner and a specific device. Several of the incidents above were possible because no current inventory existed.</p></li><li><p><strong>Enforce real thresholds and timelocks.</strong> Require a 3-of-n minimum on any function that can mint, upgrade, or transfer ownership, with signers that are genuinely independent. Place a timelock in front of upgrade and treasury functions so a malicious transaction is observable before it executes.</p></li><li><p><strong>Verify signer independence.</strong> Confirm that no single laptop, browser profile, or key backup can produce more than one signature on a high-value multisig. A threshold scheme provides no protection once its keys share a device.</p></li><li><p><strong>Treat endpoints as key custody.</strong> Deploy EDR on every machine that touches a key, prohibit key material on workstations, and require hardware signing so a key never exists in a form an endpoint can leak. 
Extend supply-chain controls to developer tooling and dependencies.</p></li><li><p><strong>Harden cloud and verification infrastructure.</strong> Where a signing key must reside in a cloud KMS, secure the controlling identity more strictly than the chain it protects, with least-privilege roles, hardware-backed access, and alerting on every privileged call. Avoid single-verifier designs for any off-chain verification.</p></li><li><p><strong>Lock and monitor domains.</strong> Apply registry-lock and registrar two-factor authentication, and monitor DNS and TLS certificates with alerting on any unauthorised change. Early detection was the only difference between the contained domain incidents and the costly one.</p></li><li><p><strong>Rehearse the post-compromise case.</strong> Exercise key-rotation and incident runbooks against the scenario in which the signing threshold has already been crossed, not only the single-key-leak case.</p></li><li><p><strong>Match the audit budget to the value at risk.</strong> Smart-contract audits remain necessary for the high volume of code bugs, but they do not cover the layer that lost most of the money this year. Give keys, signers, devices, cloud identities, and domains a review cadence and budget comparable to contract audits.</p></li></ol><p><em>&#8212; Adrian</em></p><h4>Sources and method</h4><p><em>Totals cover hack and exploit incidents from 1 January to 11 June 2026, reconciled across several incident trackers whose figures differ by threshold and by whether scams and phishing are included. 
Hack-only losses are approximately $900M, or about $1.1B including social-engineering and phishing theft. Incident counts range from roughly 130 for major events to roughly 200 once the long tail is included, and June is partial, through the 11th.</em></p><p><em>Incident data and root-cause breakdowns are drawn from project disclosures and from PeckShield, CertiK, DefiLlama, Hacken, TRM Labs, SlowMist, SEAL, Chainalysis, Blockaid, and the LayerZero post-mortem with Mandiant and CrowdStrike, alongside reporting from Rekt, The Block, CoinDesk, and Cointelegraph.</em></p>]]></content:encoded></item><item><title><![CDATA[Burn Notice #4]]></title><description><![CDATA[A Laptop That Cleared Two Multisigs, Opus 4.8&#8217;s Four-Year Zcash Bug, and a One-Vote DAO Takeover]]></description><link>https://burnnotice.adrianhetman.xyz/p/burn-notice-4</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/burn-notice-4</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Wed, 10 Jun 2026 11:04:06 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="6000" height="3376" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3376,&quot;width&quot;:6000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;black and silver padlock in grayscale 
photography&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="black and silver padlock in grayscale photography" title="black and silver padlock in grayscale photography" srcset="https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1592921195496-6ff2e332c0f6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8bG9ja3xlbnwwfHx8fDE3ODA5NTA1MTh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@phonvanna">Vanna Phon</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>Three incidents this week, and the through line runs through everything an audit tends to leave out. A compromised employee laptop cleared multisig thresholds on two chains. An AI auditor surfaced a four-year-old soundness gap in a shielded circuit, while a single wallet bought its way to controlling a DAO and minted itself a payout.</p><p><strong>In today&#8217;s issue.</strong></p><ul><li><p>How one employee laptop held enough keys to take Humanity Protocol&#8217;s bridges on both Ethereum and BSC.</p></li><li><p>Why Opus 4.8 surfaced a Zcash Orchard forgery bug that survived four years of expert human review.</p></li><li><p>A one-transaction DAO takeover that drained a Balancer pool, plus the fake Sentry alerts aimed at your coding agent.</p></li></ul><div><hr></div><h2>Need to Know</h2><p>Two of this week's three headline events were losses, one through compromised keys and one through a governance takeover. 
Humanity's signers were nominally spread across a multisig, yet they sat close enough together that one compromised device could act for all of them, and a thinly held DAO changed hands the moment an attacker bought a majority of its own vote. The third event was the opposite of a loss, an AI auditor catching a forgery bug that years of human review had missed, the same week attackers were aiming forged alerts at AI coding agents. If your threshold is above one but your keys ride on the same laptop, what is that threshold actually protecting you from? <em>&#8212; Adrian</em></p><div><hr></div><h2>The Big One. Humanity Protocol&#8217;s $36M Laptop</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="5000" height="3334" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3334,&quot;width&quot;:5000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;black and silver hp laptop computer&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="black and silver hp laptop computer" title="black and silver hp laptop computer" srcset="https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, 
https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1606125098226-e2468c2553d9?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0OXx8bGFwdG9wJTIwc3RvbGVufGVufDB8fHx8MTc4MTA4NTQzOHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@mahdi17">Md Mahdi</a> on <a 
href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On 8 June, an attacker took ownership of the ProxyAdmin behind Humanity Protocol&#8217;s Hyperlane bridge on Ethereum, upgraded the bridge to a malicious implementation, and moved roughly 141.2 million H in a single transaction. The same operator repeated the takeover on BSC and deployed a contract with an unlimited mint function, pushing the combined impact <a href="https://decrypt.co/370485/humanity-protocol-loses-36m-after-private-keys-compromised-token-crashes-73">past $36M across both chains</a>. Every action used legitimately authorised keys.</p><p><strong>What broke and how.</strong> On Ethereum, three of the six Gnosis Safe owner keys controlling the bridge&#8217;s ProxyAdmin were compromised. That was enough to transfer ProxyAdmin ownership to a wallet the attacker controlled, swap in a malicious bridge implementation, and drain the bridge in one move. On BSC, three of five Safe owner keys went the same way, and the attacker minted just over 200 million fresh H in two tranches straight to their own address. A third, smaller leg took around 6 million H from an admin hot wallet, for a <a href="https://www.cryptotimes.io/2026/06/09/three-breach-vectors-447m-tokens-humanity-protocol-details-h-exploit/">total impact the team puts near 447 million H</a>.</p><p>The single point underneath all of it was an employee laptop. Founder Terence Kwok said the <a href="https://crypto.news/humanity-founder-reveals-employee-laptop-breach-behind-36m-exploit/">device was compromised</a> and held enough active private keys to cross the signing threshold on both chains at the same time. The attacker later left an <a href="https://x.com/banteg/status/2064220226070130998">on-chain note</a> saying they had braced to social-engineer several developers across time zones, only to find the keys sitting together on one machine. 
The multisig existed on paper, but in practice it behaved like a single signer.</p><p><strong>Why it kept happening.</strong> This is the same failure that ran through 2026&#8217;s headline losses. Kelp DAO, Resolv, and the Gravity Bridge drain elsewhere in this issue were <a href="https://www.theblock.co/post/403108/cosmos-based-gravity-bridge-drained-of-5-4-million-in-suspected-key-compromise-researchers-say">written off in the press as bridge bugs</a>, when the keys and the signers were the real failure each time. A threshold scheme only buys you safety when the signers are genuinely independent. Once the keys share a laptop, a cloud sync, or one human&#8217;s browser session, the n-of-m is theatre. ZachXBT first read Humanity as a possibly staged exit for an active market maker ahead of the 25 June unlock, then <a href="https://crypto.news/zachxbt-rules-out-insider-theft-in-humanity-protocols-31m-exploit/">walked that back after tracing the laundering</a>, concluding the suspicious market-making and the key compromise were unrelated.</p><p><strong>What to check now.</strong></p><ul><li><p>Map every signer on your highest-value multisig to a physical device and a named human, and confirm no single laptop or browser profile can produce more than one signature.</p></li><li><p>Treat any ProxyAdmin or upgrade-authority key as a higher tier than ordinary signers, and put a timelock in front of upgrades so a quiet implementation swap cannot settle in one block.</p></li><li><p>Pull the full list of addresses that can mint, upgrade, or migrate, and ask who would notice within minutes if one of them fired tonight.</p></li><li><p>Rehearse the key-rotation runbook against the case where the threshold is already crossed, not the case where one key leaks.</p></li></ul><p><strong>The operator move.</strong></p><blockquote><p>Go count how many of your signing keys could be sitting on the same machine right now. 
If that number is higher than your threshold minus one, your multisig collapses to one device under a single compromise, and the rest is decoration. Fix signer independence before you add another signer.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Chain Reaction. 
Zcash&#8217;s Four-Year Orchard Forgery Bug</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1667124060133-c1074b0124be?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxNnx8Y3J5cHRvZ3JhcGh5fGVufDB8fHx8MTc4MTA4NjgzM3ww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="a typewriter with many buttons"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@dchris">Christian Lendl</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On 29 May, independent researcher Taylor Hornby surfaced a soundness bug in Zcash&#8217;s Orchard shielded pool during an audit Shielded Labs had engaged him for back in April, working with a custom auditing framework built on Claude Opus 4.8. The flaw lived in the <a href="https://ourcryptotalk.com/news/zcash-orchard-vulnerability">elliptic-curve multiplication gadget in the halo2 circuit</a>, an under-constrained check that let a prover feed false values the network would still accept as a valid proof. 
In a local test the exploit minted unlimited counterfeit ZEC. No funds were lost on mainnet.</p><p><strong>What broke and how.</strong> Orchard has been live since May 2022, which means the gap sat in production for <a href="https://securityaffairs.com/193224/hacking/claude-opus-found-a-four-year-old-hole-in-zcashs-privacy-layer-nobody-knows-if-someone-already-used-it.html">roughly four years and through multiple rounds of expert human review</a>. The bug allowed forging or double-spending value inside the shielded pool, and because Orchard hides amounts and participants, an exploit would have left no on-chain fingerprint. Shielded Labs has said it cannot prove cryptographically that nobody used it, only that turnstile accounting shows no unauthorised supply while the flaw was live.</p><p>The response was quick. A soft fork through Zebra 4.5.3 <a href="https://www.bitmex.com/blog/zec-crash-2026">disabled Orchard at block 3,363,426 on 2 June</a>, and the NU6.2 hard fork re-enabled it with a corrected circuit a day later. ZEC still fell around 30% on the disclosure, and Shielded Labs is now floating a turnstile upgrade so anyone can verify the ZEC supply independently.</p><p><strong>Why it kept happening.</strong> Under-constrained circuits are <a href="https://www.techtimes.com/articles/317831/20260605/why-crypto-crashing-ai-assisted-audit-exposes-four-year-zcash-orchard-bug-zec-plummets-31.htm">the most common finding class in zero-knowledge audits</a> by a wide margin. Four years and several paid audits looked at this circuit and missed a single missing constraint, and what changed since was the cost of a thorough pass over a cryptographic component once a capable model could be aimed at exactly that layer. The same capability is already being turned the other way, with attackers crafting forged alerts to push coding agents into running malicious commands. 
AI now sits on both sides of the audit, and most teams have a plan for neither.</p><p><strong>What to check now.</strong></p><ul><li><p>If you run ZK circuits, prioritise constraint completeness in your arithmetic gadgets, and treat an under-constrained element as the default suspicion rather than the edge case.</p></li><li><p>Ask whether your supply or value invariants are externally verifiable, or whether your own privacy guarantees would hide an inflation bug from you as well.</p></li><li><p>Add a frontier-model audit pass to your pre-deployment process for the highest-risk components, and assume an attacker is running the same pass against your deployed code.</p></li></ul><p><strong>The operator move.</strong></p><blockquote><p>Take the component you have audited the most, the one you trust, and run a fresh model over it this week with a single instruction to forge or inflate value. The code that has survived the most review is the code most worth pointing new tools at. Budget a day for it before someone else budgets a day for you.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Around the Forums</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1505664194779-8beaceb93744?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8bGlicmFyeXxlbnwwfHx8fDE3ODEwNzE1Mzd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="book lot on black wooden shelf"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@giamboscaro">Giammarco Boscaro</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>Zcash ships its second-ever security-driven upgrade.</strong> The Orchard fix went out as a coordinated two-phase response from the Zcash Foundation and Electric Coin Company, a soft fork to freeze Orchard followed within a day by the NU6.2 hard fork to re-enable it on a corrected circuit. The technical detail is in Chain Reaction above. What matters at the governance layer is that a fully shielded network managed an emergency upgrade fast enough to patch before any provable exploitation. It is now proposing a standing turnstile mechanism so that supply verification stops depending on trusting the core team&#8217;s word.</p><p><strong>A legacy Aragon config hands over a DAO in one transaction.</strong> The Token of Power takeover, covered below, ran on an older Aragon setup that allowed proposal creation, voting, and execution in a single transaction with no timelock. Any DAO still on a legacy MiniMeToken framework with a small float should read this as the precedent it is. 
The configuration permitted a single wallet to propose, pass, and execute a mint in one transaction, and the attacker did exactly that.</p><div><hr></div><h2>What Else Happened</h2><ul><li><p><strong>Source-destination value binding gap on Gravity Bridge.</strong> The Cosmos-to-Ethereum bridge <a href="https://www.theblock.co/post/403108/cosmos-based-gravity-bridge-drained-of-5-4-million-in-suspected-key-compromise-researchers-say">lost $5.4M on 30 May</a> after an attacker minted worthless tokens on Osmosis, poisoned the denom-to-ERC20 registry with a fabricated denom string mapping fake balances to real custody contracts, and withdrew the real assets. The official post-mortem is still pending, and early press framed it as a suspected key compromise.</p></li><li><p><strong>Governance takeover on Token of Power.</strong> An attacker bought 8,192 of TOP&#8217;s 16,384 total supply, crossed the 50% voting threshold, and <a href="https://ambcrypto.com/governance-takeover-lets-attacker-mint-10b-top-tokens-in-1-5m-exploit/">pushed a single proposal that minted billions of new TOP</a> with no timelock and no mint cap, swapping them against the TOP/WETH Balancer V1 pool for <a href="https://crypto.news/token-of-power-exploit-drains-1-58m-from-balancer-pool/">944.2 WETH worth about $1.58M</a>. The Balancer pool was only the exit route.</p></li><li><p><strong>Indirect prompt injection via forged Sentry alerts.</strong> Attackers abused public Sentry DSNs to plant <a href="https://www.nutrient.io/blog/emerging-threats-your-logging-system/">fake error events</a> designed to push a human or AI coding agent into running a typosquatted <code>npx</code> package that exfiltrates environment secrets to advisory-tracker[.]com. 
Sentry has published a <a href="https://github.com/getsentry/sentry/security/advisories/GHSA-fx76-375g-xq25">security advisory</a> and IOCs are <a href="https://github.com/PSPDFKit/sentry-npm-typosquat-2026-06-iocs">public</a>.</p></li><li><p><strong>Autonomous L2 bug discovery on Spark.</strong> The V12 agent <a href="https://x.com/v12sec/status/2062963883476676815">found and built a working PoC</a> for a cross-tree root overwrite in deposit-tree creation on Lightspark&#8217;s Bitcoin L2, where four non-unique fields let two deposits collide on the same root node. The bug was responsibly disclosed and fixed.</p></li></ul><div><hr></div><h2>On the Clock</h2><p>One item with a clock on it this week. If your team runs coding agents or auto-remediation against alert and log streams, treat the forged-Sentry campaign above as live. Assume any machine that may have run the fake diagnostic has leaked its environment, rotate every credential reachable from it, and stop letting agents execute commands lifted from alert bodies without an out-of-band check. 
The rest of this week&#8217;s incidents are post-mortem reading, not emergencies.</p><div><hr></div><h2>Long Reads</h2><ul><li><p><a href="https://www.cryptotimes.io/2026/06/09/three-breach-vectors-447m-tokens-humanity-protocol-details-h-exploit/">Humanity Protocol&#8217;s incident breakdown</a> on the three breach vectors, worth reading alongside <a href="https://crypto.news/zachxbt-rules-out-insider-theft-in-humanity-protocols-31m-exploit/">ZachXBT&#8217;s thread</a> walking from a staged-exit hypothesis to a key-compromise conclusion, for a clean example of how laundering analysis separates the two.</p></li><li><p><a href="https://rekt.news/gravity-bridge-rekt">Rekt on the Gravity Bridge drain</a> for how a bridge gets emptied by feeding it a registry entry it never validated.</p></li><li><p><a href="https://www.blockhead.co/2026/06/05/zcash-founder-discloses-critical-orchard-forgery-flaw-fixed-by-emergency-hard-fork/">The Zcash disclosure from Zooko Wilcox and Shielded Labs</a> for the clearest account of the constraint gap, the emergency forks, and the turnstile-upgrade proposal.</p></li><li><p><a href="https://x.com/v12sec/status/2062963883476676815">V12 on the Spark L2 bug</a> for a concrete look at an agent finding a non-obvious tree-integrity flaw end to end, and <a href="https://github.com/NoemaXLabs/Autocertora">Noema Labs&#8217; AutoCertora release</a> if you want to point the same class of tooling at your own Solidity.</p></li><li><p>Rekt&#8217;s supply-chain trilogy, <a href="https://rekt.news/stack-nobody-checked">stack-nobody-checked</a>, <a href="https://rekt.news/paranoid-by-default">paranoid-by-default</a>, and <a href="https://rekt.news/poisoned-pipeline">poisoned-pipeline</a>, if the forged-Sentry item has you reviewing how much your pipeline trusts by default.</p></li></ul><div><hr></div><h2>The Operator&#8217;s Read</h2><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!gi8R!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf418b6b-a409-4fec-9a66-af001b918bd4_1080x810.jpeg" alt="green and white tiled room"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@eugenebiliavskyi">Eugene Biliavskyi</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><h3>Point the Agents at Your Oldest Code</h3><p>Two bugs got found the same way this week, and the way they were found is the actual story. An AI auditor went back through Zcash&#8217;s Orchard circuit and surfaced a missing constraint that had been sitting in a shielded pool since 2022. Days earlier, a separate autonomous tool pulled <a href="https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html">CVE-2026-23479</a> out of Redis, an authenticated route to running OS commands that shipped in 7.2.0 and survived more than two years across every stable branch. Both were old, both lived in reviewed and trusted code, and both stayed hidden until a machine read the right layer with enough patience.</p><p>I said last week that the contract layer is getting harder to break, and I meant it. Audits got sharper, and the obvious bug classes mostly get caught before they ship now. These two finds are what the next turn of that screw looks like. 
The bugs that remain are the non-obvious ones, the constraint that reads correct until you model what it forgets to forbid, the use-after-free that only fires when a blocked client gets evicted mid-command. A tireless reader with a strong model in front of it is built for exactly that shape of bug.</p><p>The Orchard one sits differently from a normal disclosure, for the reason I gave earlier in this issue. The Redis flaw is the familiar shape instead, a CVE with a patch and a version table.</p><p><strong>Both sides of this are producing results.</strong> From where I sit, the offensive half is the part the celebration keeps skipping. The same capability that read Orchard and Redis is available to anyone who wants to read your code with intent, and the distance between how quickly a defender finds one of these and how quickly an attacker does has not closed. The tool is neutral. The outcome turns on who reaches for it first and what they aim it at.</p><p>That changes the economics of old code in a way most teams have not priced. For years the safe assumption was that the more eyes a component had passed, the less likely it was hiding something. That assumption is now backwards at the margin. The most-audited contract in your system is the most attractive place for a surviving bug, because everyone downstream treats it as settled and stops looking. A model does not care that the code is famous or that three firms signed off, it just reads what is in front of it.</p><p>The point I keep being surprised I have to repeat is that none of this means trusting the output blindly. These finds landed because professionals built scoped agents, aimed them at a specific layer, and then did the work of confirming a real exploit. The model proposes, and a human who knows the domain still has to prove it and avoid getting played by a confident wrong answer. 
Used that way, in skilled hands, it is the sharpest reviewer you can put on code you have already paid to have checked.</p><p>The single audit pass is the tactical version, and it is sitting in the operator move above. The strategic version is treating your legacy surface as a backlog with a clock on it. Rank your oldest, highest-value, most-trusted components by what an attacker gains if one of them turns out to hold a surviving flaw, and start working down that list with the new tooling before the list gets worked from the other side. The code you wrote in 2022 and stopped thinking about is the code most worth rereading in 2026.</p><p>My bet for the back half of this year is a nine-figure loss traced to a years-old bug that an attacker found with an agent before the defender did. The capability is here, the incentive is plain, and trusted-and-forgotten code is everywhere. The teams that get ahead of it will be the ones who put their oldest code back on the audit table instead of leaving it filed under solved.</p><p><em>&#8212; Adrian</em></p><p><strong>P.S.</strong> The worst outcome here is the box-ticking one, where &#8220;we run an AI audit&#8221; becomes the new &#8220;we got audited&#8221; and carries just as little weight. 
The value lives in a competent person deciding what to point the model at and refusing to trust the first green tick.</p><div><hr></div><p><em>Closing Tab.</em></p><p><em>Watch whether Humanity&#8217;s recovery plan actually re-secures the BSC ProxyAdmin the attacker still controls, or whether next week opens with a fresh mint from the same address.</em></p><div><hr></div><p><em>Adrian Hetman</em> <em>Burn Notice</em> <em>Operational intelligence for Web3, every week.</em></p>]]></content:encoded></item><item><title><![CDATA[The Expensive Failures Live Above the Code]]></title><description><![CDATA[Web3&#8217;s most expensive failures come from the opsec and infrastructure layer. 
The audits are still pointed at the contracts.]]></description><link>https://burnnotice.adrianhetman.xyz/p/the-expensive-failures-live-above</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/the-expensive-failures-live-above</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Fri, 05 Jun 2026 07:28:22 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1485230405346-71acb9518d9c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxzZWN1cml0eXxlbnwwfHx8fDE3ODA1ODcyMjR8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1485230405346-71acb9518d9c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHxzZWN1cml0eXxlbnwwfHx8fDE3ODA1ODcyMjR8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="security guard standing on the gray floor"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@fuerte">Collin</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>The contract layer has got harder to break, so the value has moved up. It sits in the authorisation layer now, the keys and modules and bridge signers and peer configs that decide who is allowed to move funds. That layer is the number one problem in Web3 security right now, expensive out of all proportion to how often it actually gets hit. And it draws almost none of the review the contracts do.</p><p>Look at May and you could almost miss it. Around $68M lost across the month, down roughly 90 percent from April, one of the quieter stretches of the year. The headline looks like progress until you read the breakdown.</p><p>Code bugs still did the most damage by raw dollars, somewhere around $45M of the total. So no, we have not solved smart contract security, and anyone telling you otherwise is selling something. But the severe, drain-the-protocol contract exploit is getting harder to pull off against live production code, and the monthly data has started to show it. Audits got sharper. The obvious bug classes mostly get caught now. That is the one part of this story that is actually going well.</p><p>Then look at the bridges. They were the single biggest category of loss in May, around $28.6M, more than 40 percent of everything stolen. The word bridge hides what these things actually are. A bridge is barely a smart contract. It is a set of signing keys deciding which withdrawals are real, with some Solidity wrapped around them for decoration. Almost every serious bridge loss this year came through the keys and the signers and the operational controls around them. Call it what it is. Opsec.</p><p>The incident counts get this wrong. Opsec failures are nowhere near the most common attacks. DeFiLlama logged 29 incidents in May and only seven were key compromises. But frequency is the wrong scoreboard. April makes the point with a sledgehammer. 
Two incidents that month, Drift and Kelp, took well over half a billion dollars between them. Both had audited, working contracts and lost the money one layer up, through a blind-signing failure and a subverted cross-chain verifier. Low frequency, total blast radius.</p><p>You do not have to go back to April. Last week alone produced a module signature flaw at Gnosis Pay, a stolen deployer key at StakeDAO that forged a multi-trillion token mint, a suspected signing-key compromise at Gravity Bridge, and a $3.2M drain of 86 Safe wallets through a third-party module. Not one of them needed a bug in the core contract, and each walked in through a module, a key, or a config.</p><p>You can read more about those issues below.</p><div class="digest-post-embed" data-attrs="{&quot;nodeId&quot;:&quot;65c40036-f539-40de-8a1e-a773e64db005&quot;,&quot;caption&quot;:&quot;Three of this week&#8217;s losses share a shape worth sitting with. The smart contracts behaved exactly as written and the money still left, because the authorisation wrapped around those contracts is where the real control lived. A signature checker in a Safe module, a deployer key that still held cross-chain config rights, and&#8230;&quot;,&quot;cta&quot;:null,&quot;showBylines&quot;:true,&quot;size&quot;:&quot;lg&quot;,&quot;isEditorNode&quot;:true,&quot;title&quot;:&quot;Burn Notice #3&quot;,&quot;publishedBylines&quot;:[{&quot;id&quot;:12512904,&quot;name&quot;:&quot;Adrian &#9961;&#65039; Hetman&quot;,&quot;bio&quot;:&quot;Nearly six years in Web3 security, most recently as Head of Triage at Immunefi. 
Burn Notice Newsletter is the operational security briefing.&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c1be49c3-2e5d-4cdc-a7d9-933087834575_1024x1024.png&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null}],&quot;post_date&quot;:&quot;2026-06-03T15:39:10.896Z&quot;,&quot;cover_image&quot;:&quot;https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;cover_image_alt&quot;:null,&quot;canonical_url&quot;:&quot;https://adrianhetman.substack.com/p/burn-notice-3&quot;,&quot;section_name&quot;:null,&quot;video_upload_id&quot;:null,&quot;id&quot;:200439341,&quot;type&quot;:&quot;newsletter&quot;,&quot;reaction_count&quot;:1,&quot;comment_count&quot;:0,&quot;publication_id&quot;:8470829,&quot;publication_name&quot;:&quot;Adrian &#9961;&#65039; Hetman&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!2So3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1be49c3-2e5d-4cdc-a7d9-933087834575_1024x1024.png&quot;,&quot;belowTheFold&quot;:false,&quot;youtube_url&quot;:null,&quot;show_links&quot;:null,&quot;feed_url&quot;:null}"></div><div><hr></div><p>None of this gets reviewed because none of it looks like attack surface. A module looks like plumbing, a deployer key like a leftover from launch, a peer config like a setting you touched once and forgot. An audit scopes the contract because the contract is the thing an audit knows how to price. The module added three sprints later to ship a feature, the key that was supposed to be temporary, the bridge signer quietly holding the authority to move everything, all of it arrives after the audit and outside it. 
That is the gap the whole industry is underpricing.</p><p>And the infrastructure and opsec layer is where recovery goes to die. Out of that $68M in May, only about $9.4M came back. A contract bug can sometimes be paused or patched or white-hatted before the funds are gone. A signing key that sends money to an attacker and then on through a mixer leaves nothing to claw back. Gone is gone. The failures that cost the most are the ones you almost never get to undo.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img 
src="https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="5433" height="3649" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3649,&quot;width&quot;:5433,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;a city street with telephone wires&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="a city street with telephone wires" title="a city street with telephone wires" srcset="https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1668886580789-85ff21e2601b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzM3x8Y2FibGVzJTIwbWVzc3xlbnwwfHx8fDE3ODA2NDQzMDd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@iantalmacs">Ian Talmacs</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>So if you run anything that holds value, do the one exercise an audit will never do for you. 
Write down every address, key, module, and config that can move your funds without touching the contracts you already paid to have reviewed. Then count them, name who holds each one, and ask when any of it last got looked at by someone whose job was to break it. The contract layer has earned its scrutiny. What sits above it has been running on trust and luck, and the bill keeps arriving in eight and nine figures.</p><p>How long is your list, and when did you last make it shorter?</p><blockquote><p><em>&#8212; Adrian</em></p></blockquote>]]></content:encoded></item><item><title><![CDATA[Burn Notice #3]]></title><description><![CDATA[Gnosis Pay's Delay-Module Signature, StakeDAO's setPeer Mint, and a Bridge Down to Its Signing Key]]></description><link>https://burnnotice.adrianhetman.xyz/p/burn-notice-3</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/burn-notice-3</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Wed, 03 Jun 2026 15:39:10 GMT</pubDate><enclosure 
url="https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img 
src="https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="5582" height="3721" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3721,&quot;width&quot;:5582,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;gray vault&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="gray vault" title="gray vault" srcset="https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1566254488277-aebfe9ebb6a8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMHx8YmFuayUyMHZhdWx0JTIwZG9vcnxlbnwwfHx8fDE3ODA1MDAxNTZ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@some_random_guy">Alex Duffy</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>Three of this week&#8217;s losses share a shape worth sitting with. 
The smart contracts behaved exactly as written and the money still left, because the authorisation wrapped around those contracts is where the real control lived. A signature checker in a Safe module, a deployer key that still held cross-chain config rights, and a bridge signing key carried this week&#8217;s drains between them.</p><p><strong>In today&#8217;s issue.</strong></p><ul><li><p>Gnosis Pay&#8217;s Zodiac Delay module accepted a queued transfer with no real signature behind it.</p></li><li><p>A stolen StakeDAO deployer key repointed a LayerZero peer and forged a 5.4 trillion token mint.</p></li><li><p>Gravity Bridge lost millions through its signing layer rather than its contract code.</p></li></ul><div><hr></div><h2>Need to Know</h2><p>The week&#8217;s headline failures did not touch a single line of vulnerable contract logic. They landed one layer up, in the modules, keys, and peer configurations that decide who is allowed to move funds. That layer rarely gets the review attention the core contracts do, even though it now carries most of the loss. If your last audit stopped at the contract boundary, what reviewed the authorisation wrapped around it? <em>&#8212;Adrian</em></p><div><hr></div><h2>The Big One. 
Gnosis Pay&#8217;s Delay Module Approved a Signature It Should Have Rejected</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="7864" height="5200" 
data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:5200,&quot;width&quot;:7864,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;gray scale photo of a staircase&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="gray scale photo of a staircase" title="gray scale photo of a staircase" srcset="https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1601997123254-a9f1ad6a756b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8ZXhwb3NlZCUyMGNvbmR1aXQlMjBjZWlsaW5nfGVufDB8fHx8MTc4MDUwMDIzMHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" 
loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@dieter_muenchen">Dieter K</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On 1 June an attacker drained funds from Gnosis Pay accounts without ever <a href="https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says">touching a private key</a>. 
Each Gnosis Pay account is a Safe smart account wrapped in two Zodiac modules: a Roles module that authorises card spending and a Delay module that holds outgoing transfers for <a href="https://thedefiant.io/news/hacks/gnosis-pay-hit-by-delay-module-exploit-as-gnosis-pledges-to-cover-user-losses">a roughly three-minute cooldown</a>. The break sat in how that Delay module checked the signature authorising a queued transfer.</p><p><strong>What broke and how.</strong> The Delay module&#8217;s signature checker reads the signing bytes from the tail end of the calldata, after the normal module-call arguments. You can append arbitrary trailing bytes to ABI calldata for free, so a normal call ignores them while the module reads them as a signature. An attacker crafted those bytes as an EIP-1271 contract signature, set the vouching address to the Safe&#8217;s trusted signer, and pointed at a blob they controlled. The contract-signature path then handed validation to that signer and accepted any response whose first four bytes were the magic value <code>0x1626ba7e</code>, while ignoring the staticcall success flag. A signer contract that reverted, but whose revert data began with those four bytes, therefore <a href="https://x.com/Pybast/status/2061606845064900929">passed as a valid signer</a>. The malicious transfer was enqueued, the cooldown ran, and because <code>executeNextTx</code> can be called by anyone, the Safe paid out. Zodiac&#8217;s own notice scoped the flaw to Roles Modifier v2 and Delay Modifier v1.1.0 where a Safe with a vulnerable fallback handler sits as a member, and confirmed <a href="https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/">Safe&#8217;s core contracts are unaffected</a>.</p><p><strong>Why it kept happening.</strong> This is the second Safe-module drain in eight days. 
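</p><p>The check described above, as an added example rather than Zodiac, Safe or Gnosis Pay code (the contract names RevertingVoucher, SignatureChecker and Demo are this example's own). The unsafe form of an EIP-1271 contract-signature check discards the staticcall success flag and reads whatever is in the return buffer, so a voucher contract that does nothing but revert with <code>0x1626ba7e</code> as its revert data passes. The hardened form requires that the call succeeded, that it returned exactly one ABI word, and that the word decodes to the magic value, and it fails closed for an address with no code.</p>

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Zodiac, Safe or Gnosis Pay code. All contract names are
// this example's own. It demonstrates the EIP-1271 failure described in the
// text: a checker that ignores the staticcall success flag is satisfied by a
// contract that reverts, as long as the revert data starts with the magic value.

interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature) external view returns (bytes4);
}

// bytes4(keccak256("isValidSignature(bytes32,bytes)"))
bytes4 constant ERC1271_MAGIC = 0x1626ba7e;

/// Hypothetical attacker-controlled "voucher". It validates nothing and always
/// reverts, but its revert data is the magic value left-aligned in one word.
contract RevertingVoucher {
    fallback() external {
        assembly {
            mstore(0, 0x1626ba7e00000000000000000000000000000000000000000000000000000000)
            revert(0, 32)
        }
    }
}

contract SignatureChecker {
    /// Vulnerable form. The success flag is dropped, so revert data is read as
    /// if it were a return value. RevertingVoucher passes this check.
    function isValidUnsafe(address signer, bytes32 hash, bytes memory sig) public view returns (bool) {
        (, bytes memory ret) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, sig)
        );
        return ret.length >= 4 && bytes4(ret) == ERC1271_MAGIC;
    }

    /// Hardened form. Fail closed unless the call succeeded, returned exactly
    /// one ABI word, and that word decodes to the magic value. An address with
    /// no code is rejected outright: a staticcall to it would "succeed" with
    /// empty return data.
    function isValidSafe(address signer, bytes32 hash, bytes memory sig) public view returns (bool) {
        if (signer.code.length == 0) return false;
        (bool ok, bytes memory ret) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, sig)
        );
        if (!ok || ret.length != 32) return false;
        return abi.decode(ret, (bytes4)) == ERC1271_MAGIC;
    }

    /// Where the signature comes from matters as much as how it is checked.
    /// Reading it from the tail of msg.data, everything past the ABI-encoded
    /// arguments, lets any caller supply one by appending bytes to an otherwise
    /// normal call, because ABI decoding never rejects trailing data. Take the
    /// signature as an explicit parameter instead.
    function tailSignatureDoNotDoThis(address, uint256) external pure returns (bytes calldata) {
        return msg.data[68:]; // 4-byte selector + two 32-byte arguments
    }
}

/// Runs both checks against the reverting voucher with the same hash and an
/// empty signature blob; the voucher never looks at either.
contract Demo {
    function run() external returns (bool unsafeAccepts, bool safeAccepts) {
        SignatureChecker checker = new SignatureChecker();
        address voucher = address(new RevertingVoucher());
        bytes32 hash = keccak256("queued transfer");
        unsafeAccepts = checker.isValidUnsafe(voucher, hash, "");
        safeAccepts = checker.isValidSafe(voucher, hash, "");
    }
}
```

<p>Deploy <code>Demo</code> and call <code>run()</code>: the same voucher satisfies <code>isValidUnsafe</code> and is rejected by <code>isValidSafe</code>, with no signature material involved at all. The last function in <code>SignatureChecker</code> exists only to show the second half of the problem, a signature read from the tail of <code>msg.data</code>; because ABI decoding never rejects trailing bytes, a caller can append one to otherwise ordinary calldata, which is why the signature belongs in an explicit parameter.</p><p>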
Last week roughly $3.2M left 86 Safe wallets across Ethereum and Base through a third-party module called SquidRouterModule, where weak identity validation let an attacker run arbitrary calldata with no wallet signature, flagged by Blockaid and <a href="https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says">unrelated to Gnosis Pay&#8217;s code</a>. Modules are how Safe gets extended, and they run with the Safe&#8217;s full authority while rarely getting the review the assets they guard receive. A team adds a module to ship a feature like card payments or routing, and that module becomes a second front door with full spending power behind it.</p><p><strong>What to check now.</strong></p><ul><li><p>Inventory every module enabled on every Safe that holds value, including ones added for one feature and never removed.</p></li><li><p>For any module that verifies signatures, confirm the EIP-1271 path checks the staticcall success flag, not only the returned selector.</p></li><li><p>Confirm signature material is read from a fixed, declared location and never from trailing calldata an attacker can append.</p></li><li><p>Treat <code>executeNextTx</code>-style &#8220;anyone can finalise&#8221; functions as fully public, and make sure the only real gate is the enqueue authorisation.</p></li><li><p>Review third-party modules with the same rigour as your core contracts, because they inherit the same authority.</p></li></ul><blockquote><p>A Safe with five modules has five contracts that can move its money, and most reviews still budget time for one. 
The module list is the first thing worth pulling on any account that matters, ahead of the balances and ahead of the signers.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Chain Reaction. StakeDAO&#8217;s Deployer Key Repointed a Bridge and Minted 5.4 Trillion Tokens</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, 
https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="6000" height="4000" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:4000,&quot;width&quot;:6000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;black skeleton keys&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="black skeleton keys" title="black skeleton keys" 
srcset="https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1550527882-b71dea5f8089?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3fHxrZXklMjBjYWJpbmV0JTIwaG9va3N8ZW58MHx8fHwxNzgwNTAwMjYyfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg 
xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@silas_crioco">Silas K&#246;hler</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On 27 May someone holding StakeDAO&#8217;s deployer key on Arbitrum used it to call <code>setPeer</code> on the project&#8217;s LayerZero v2 OFT contract, repointing the token&#8217;s trusted cross-chain peer to <a href="https://thedefiant.io/news/hacks/hacker-mints-5-4-trillion-tokens-in-stakedao-exploit-nets-usd91k">a contract they controlled on Ethereum</a>. About 25 seconds later that contract sent a forged LayerZero message back to Arbitrum and the legitimate vsdCRV token <a href="https://cointelegraph.com/news/stakedao-vsdcrv-attacker-liquidity-91k">minted 5,446,744,073,709 units to the attacker</a>. Nothing in the contract was bugged, and the token minted what an authorised peer instructed it to.</p><p><strong>What broke and how.</strong> The OFT standard trusts a configured peer on each chain to authorise cross-chain mints, and <code>setPeer</code>is an owner-level function. Whoever holds that key can name a new trusted source and then have it order mints with no ceiling. Blockaid and BlockSec&#8217;s Phalcon team both traced the incident to a compromised deployer private key rather than a logic flaw. The only thing that bounded the loss was liquidity. 
vsdCRV pools were tens of thousands of dollars deep, so the attacker converted part of the supply to about 43.78 ETH, roughly $91,000, before the price collapsed, against <a href="https://cointelegraph.com/news/stakedao-vsdcrv-attacker-liquidity-91k">a paper value of hundreds of billions</a>. StakeDAO closed the vsdCRV bridge, secured the Ethereum side, and said no mainnet funds were lost.</p><p><strong>Why it kept happening.</strong> This is the same shape as a run of 2026 incidents where a single key with peer-config or admin rights on an OFT or bridge quietly equals total mint authority. The realised loss looked small only because the token was illiquid, and the same key on a liquid token is an open mint with no brake. A deployer key that retains <code>setPeer</code> after launch is a production signing key, and it almost never gets handled like one.</p><p><strong>What to check now.</strong></p><ul><li><p>List every address that can call <code>setPeer</code>, <code>setTrustedRemote</code>, or equivalent peer-config functions on your OFT and bridge contracts.</p></li><li><p>Move those rights behind a multisig with a timelock, or renounce them once configuration is stable.</p></li><li><p>Hold any deployer key that retains post-launch authority in an HSM or KMS, never a hot wallet.</p></li><li><p>Alert on peer and trusted-remote changes the moment they land on chain, not after the mint clears.</p></li><li><p>For low-liquidity tokens, remember the mint ceiling is set by the market and not by your contract.</p></li></ul><blockquote><p>The thing you keep noticing in this space is that a loss only looks contained because the market was too thin to cash out, which is luck wearing the costume of a control.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Around the Forums</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1505664194779-8beaceb93744?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8bGlicmFyeXxlbnwwfHx8fDE3ODA0MzU1MDJ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="book lot on black wooden shelf" title="book lot on black wooden shelf"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@giamboscaro">Giammarco Boscaro</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><a href="https://cointelegraph.com/news/defi-protocol-radiant-to-wind-down-after-failing-to-recover-from-2024-hack">Radiant Capital&#8217;s DAO has voted to begin a gradual wind-down</a> after failing to recover from its October 2024 exploit, secure new financing, or rebuild usage. The roughly $50M loss put the protocol into a tail it could not climb out of, and the council is now choosing an orderly close over a slow bleed. 
The precedent worth noting is that an exploit&#8217;s real cost gets paid in the quarters of lost trust that follow, not the dollars that left on the day.</p><p>THORChain&#8217;s third incident update left the root cause of its recent vault exploit openly contested, with the team saying the future of the cryptographic systems securing the vaults is <a href="https://x.com/THORChain/status/2056439951697351150">still under discussion</a>. Watching a protocol debate its signing scheme in public is rare and the candour is useful. The open question for any threshold-signature operator reading along is whether they would even know which of their validators to distrust. Formal council votes were otherwise light this week.</p><div><hr></div><h2>What Else Happened</h2><ul><li><p><strong>Bridge signing-key compromise at Gravity Bridge.</strong> The Ethereum-to-Cosmos bridge <a href="https://www.theblock.co/post/403108/cosmos-based-gravity-bridge-drained-of-5-4-million-in-suspected-key-compromise-researchers-say">lost about $5.4M on 30 May</a> through its authorisation layer rather than a contract bug and halted its validators to investigate, a design that leans on a full validator set instead of a small multisig and still failed at the signing layer. 
Candidate for a dedicated treatment next issue.</p></li><li><p><strong>Unprotected admin key on DxSale.</strong> The 2021 BNB Chain liquidity locker was drained of roughly $7.3M across about 1,400 LP positions through an admin key a security firm had <a href="https://cointelegraph.com/news/memecoin-platform-dxsale-drained-73m-1400-lps">flagged as risky back in 2023</a>.</p></li><li><p><strong>Mint-and-dump via a compromised key at Tessera DAO.</strong> An attacker <a href="https://www.bitget.com/news/detail/12560605440181">minted 99 million TSR on BNB Chain</a> roughly 19 hours before the public alert, swapped it for about $2.5M, collapsed the token by 99 percent, and routed the proceeds through a mixer, the same compromised-key-then-mint shape as the StakeDAO drain above.</p></li><li><p><strong>Laundering closes the door on KelpDAO recovery.</strong> The attacker behind April&#8217;s roughly $293M KelpDAO exploit has now <a href="https://cointelegraph.com/news/kelp-dao-recovery-hacker-launders-most-funds-293m-exploit">moved nearly all of the stolen funds</a>, leaving little realistic path to recovery.</p></li><li><p><strong>Open-source supply chain stayed under pressure.</strong> A compromised maintainer account pushed malicious code <a href="https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html">into AntV npm packages</a> including a charting library with over a million weekly downloads, while CrowdStrike, Google, and the Shadowserver Foundation <a href="https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html">dismantled the Glassworm botnet</a> that had poisoned more than 300 GitHub repositories aimed at open-source developers. Every crypto front-end or tooling team pulls from these registries.</p></li></ul><div><hr></div><h2>On the Clock</h2><p>Two items carry real urgency this week. 
If you run any Safe with a Zodiac Roles or Delay module enabled, check it against Zodiac&#8217;s security notice and complete the remediation before assuming you are clear, since most identifiable accounts are already resolved and the stragglers are now the targets. And any build that pulls the affected AntV packages should pin and audit those dependencies now rather than after the next install.</p><div><hr></div><h2>Long Reads</h2><ul><li><p><strong><a href="https://blog.thorchain.org/thorchain-exploit-report-1">THORChain&#8217;s own exploit report</a></strong> alongside <a href="https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now">TRM Labs on the multi-chain drain</a> lays out what is known and what is still contested, including the live question of whether the threshold-signature stack itself <a href="https://rekt.news/thorchain-rekt3">was the weak point</a>.</p></li><li><p><strong><a href="https://rekt.news/dxsale-rekt">rekt.news on the DxSale drain</a></strong> is worth it for the detail that the fatal admin key was flagged for a $500 fee years before it cost millions.</p></li><li><p><strong><a href="https://blocksec.com/blog/web3-security-dxsale-squidrouter-more">BlockSec&#8217;s weekly Web3 security roundup</a></strong> breaks down the DxSale and SquidRouter incidents with root-cause notes, and its companion <a href="https://blocksec.com/blog/defi-security-incidents-echo-protocol-stablr-more">May monthly brief</a> frames where the month&#8217;s losses actually landed.</p></li><li><p><strong><a href="https://www.elliptic.co/blog/crypto-governance-starts-with-the-model-that-already-works">Elliptic on crypto governance</a></strong> argues for a governance model the author thinks already works, useful framing for any DAO operator rethinking council design after a week like this.</p></li></ul><div><hr></div><h2>The Operator&#8217;s Read</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1517646287270-a5a9ca602e5c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw5fHxwbHVtYmluZ3xlbnwwfHx8fDE3ODAzNDU1Njl8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="grayscale photography of faucet" title="grayscale photography of faucet"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@zhenhappy">PAN XIAOZHEN</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><h4>The Audit Stops Where the Money Starts</h4><p>The thing you keep noticing, watching how these systems get built and broken, is how much review effort still stops at the contract boundary. The Solidity gets read line by line. The module added later to ship a feature, the key that was meant to be temporary, the peer configuration that points trust at another chain, those get a glance and a shrug. They get treated as plumbing, when in practice they are the locks on the doors.</p><p>From where I sit the uncomfortable pattern of 2026 is that the contract layer has quietly got good. 
Audits are sharper, the obvious reentrancy and overflow classes mostly get caught, and the money has responded by moving up a level. Modules, deployer keys, bridge signers, peer configs. The authorisation surface. It is less glamorous to review and it carries almost none of the formal scrutiny, which is exactly why the value sits there now.</p><p>There is a tell in how thin the StakeDAO loss looked. Five point four trillion tokens minted, ninety one thousand dollars out, and a lot of relieved commentary about a contained incident. What contained that loss was thin liquidity and nothing the protocol actually controlled. The same key on a liquid token mints a nine figure hole. Calling it a near miss reads the lesson backwards.</p><p>So the question worth carrying into your own stack is the one the audit never asked. Has anyone reviewed the full list of things that can move your funds without ever touching the contracts you paid to have checked? How long is that list, who holds each entry, and when did you last make it shorter?</p><blockquote><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><p><em>Adrian Hetman</em> <em>Burn Notice</em> <em>Operational intelligence for Web3, every week.</em></p>]]></content:encoded></item><item><title><![CDATA[Burn Notice #2]]></title><description><![CDATA[A $76M Paper Mint, 86 Drained Safes, and a 43-Day Dwell Time]]></description><link>https://burnnotice.adrianhetman.xyz/p/burn-notice-2</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/burn-notice-2</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Tue, 02 Jun 2026 21:37:42 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1635696860867-238c2fa072bb?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1Nnx8a2V5fGVufDB8fHx8MTc4MDQzNTAxN3ww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1635696860867-238c2fa072bb?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1Nnx8a2V5fGVufDB8fHx8MTc4MDQzNTAxN3ww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="a key chain hanging from a door handle" title="a key chain hanging from a door handle"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@ilmatar">Iza Gawrych</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>Two admin-style compromises this week, neither caused by a contract bug. Echo Protocol on Monad got mint-attacked for $76.7M on paper because its admin key carried no timelock and signed whatever the holder told it to sign. The SquidRouterModule, a third-party Gnosis Safe module, drained 86 Safes for around $3M in roughly two hours. 
In both incidents the contracts ran exactly as written, with the layer around them taking the entire loss.</p><p><strong>In today&#8217;s issue.</strong></p><ul><li><p>Echo Protocol&#8217;s $76.7M paper mint on Monad, held to ~$816K actual loss only by shallow chain liquidity</p></li></ul><ul><li><p>86 Gnosis Safes drained for ~$3M via a third-party SquidRouterModule on Ethereum and Base</p></li><li><p>KelpDAO rsETH recovery closes; LayerZero post-mortem traces the breach to a March 6 developer compromise</p></li></ul><div><hr></div><h2>Need to Know</h2><p>Two of this week&#8217;s biggest losses came from configurations around the contract, not from the contract code itself, and the pattern is now consistent enough across 2026 to call the layer above the contract the load-bearing one. Echo Protocol on Monad ran the third headline DeFi incident of the year where a privileged action executed before any monitor could fire, and the SquidRouterModule drains turned 86 Safes into an unaudited co-signer arrangement that nobody on the affected operations teams could fully describe. LayerZero&#8217;s full forensic post-mortem on KelpDAO, also published this week, pushed the start date of that incident back to early March and pointed at the same upstream attack surface that Socket&#8217;s TrapDoor disclosure describes in technical detail.</p><blockquote><p>The question every security lead should be carrying this week is which contracts in their own stack would behave exactly as designed if the key signing them, or the module attached to them, had been compromised six weeks ago.</p><p><em>&#8212;Adrian</em></p></blockquote><div><hr></div><h2>The Big One. 
Echo Protocol&#8217;s $76M Paper Mint on Monad</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1579634893170-8f1750e738bc?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNXx8bW9ub3BvbHklMjBtb25leXxlbnwwfHx8fDE3ODA0MzUxMzJ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="person holding a white and black kanji text print cards" loading="lazy"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@introspectivedsgn">Erik Mclean</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On May 18, 2026, an attacker used a <a href="https://www.theblock.co/post/401771/echo-protocol-monad-exploit">compromised admin key on Echo Protocol&#8217;s Monad deployment</a> to mint 1,000 unauthorised eBTC tokens with a paper value of approximately $76.7M. 
Actual extracted value was <a href="https://decrypt.co/368315/bitcoin-defi-platform-echo-protocol-hit-by-76m-monad-exploit">~$816K</a> because Monad&#8217;s lending markets did not have the depth to convert the minted supply into real on-chain proceeds. Echo regained control of the admin key the same day and burnt the <a href="https://www.coindesk.com/business/2026/05/19/echo-protocol-suffers-usd76-million-exploit-in-ebtc-minting-attack-on-monad">remaining 955 eBTC</a> the attacker had not yet moved.</p><p><strong>What broke and how.</strong> The eBTC contract worked exactly as written. The root cause was <a href="https://www.tradingview.com/news/cointelegraph:d46cc4652094b:0-echo-protocol-s-ebtc-exploited-for-77m-in-admin-key-compromise/">operational rather than technical</a>. The admin role was secured by a single signature with no timelock, no minting supply cap, and no rate limit. The attacker granted their own wallet minting privileges, deposited 45 eBTC into Curvance as collateral, borrowed <a href="https://news.bitcoin.com/echo-protocol-pauses-monad-bridge-after-admin-key-breach-sparks-816k-loss/">11.29 WBTC (~$867,700)</a>, bridged the WBTC to Ethereum, swapped to ETH, and routed approximately 385 ETH through Tornado Cash. 
Curvance, on the receiving side, did not run a supply sanity check against the freshly minted collateral.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!NG4v!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F88f7e212-cc38-4f0b-bae7-5b82ff7b2c7d_1428x792.png" width="1428" height="792" alt="" loading="lazy"></figure></div><p><strong>Why it kept happening.</strong> This is the third headline DeFi incident of 2026 with the same architectural choice at the centre, a privileged action that executes the moment the key signs it, with no window for monitors to fire or for signers to rotate. Drift&#8217;s $285M loss was a 2-of-5 multisig with zero timelock. KelpDAO&#8217;s $292M loss was a 1-of-1 DVN, structurally equivalent to a 1-of-1 multisig. Echo&#8217;s eBTC contract continued the pattern, with a single key holding mint authority. 
The only reason Echo did not match Drift and KelpDAO on headline loss is that Monad did not have the liquidity to absorb the trade.</p><p><strong>What to check now.</strong></p><ul><li><p>Inventory every privileged contract action in your stack and confirm whether each one can be executed by a single signature with no timelock between sign and effect.</p></li><li><p>For any minting function, add a per-block or per-day supply cap that cannot be bypassed by the same key that holds mint authority.</p></li><li><p>For any protocol that accepts another protocol&#8217;s tokens as collateral, add a supply-sanity check that compares delta-supply against an expected band before allowing borrows against freshly minted units.</p></li><li><p>Move admin keys for any minting or vault contract off any machine that also handles email, code, or web browsing.</p></li><li><p>Audit the lending markets that accept your tokens as collateral, since their missing sanity checks become your protocol&#8217;s tail risk in any minting-key compromise.</p></li></ul><blockquote><p>Echo&#8217;s contract did exactly what it was written to do, and the configuration around it carried the entire loss, which is the same story playing out across 2026&#8217;s admin-key incidents. A single admin key with no timelock and no rate limit is what we were calling a single point of failure on multisigs five years ago. The right question for your team this week is whether anything irreversible in your stack can be executed by a single signature before a monitor would have time to fire.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Chain Reaction. 86 Safes Drained Through a Module Each One Had Installed</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1650831491337-7e1e2a26bdab?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHx0cm9qYW4lMjBob3JzZXxlbnwwfHx8fDE3ODA0MzUyNTl8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="a statue of a man" loading="lazy"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@ryanancill">Ryan Ancill</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On May 25, 2026, <a href="https://crypto.news/blockaid-flags-3m-squidroutermodule-exploit-across-86-safes/">Blockaid disclosed an ongoing exploit</a> 
targeting the SquidRouterModule, a third-party Gnosis Safe module deployed on Ethereum and Base. Eighty-six Safes were drained for approximately $3M to $3.2M in roughly two hours, with all stolen tokens swapped into DAI through attacker-controlled Uniswap V3 pools and consolidated into a single wallet holding ~3.07M DAI. New Market Trading, whose per-user Safe accounts were among the victims, <a href="https://x.com/QuillAudits_AI/status/2059230772633153995">accounted for $3.78M in user-side drains</a> per QuillAudits&#8217; analysis, with the same vulnerable contract and attacker EOA as the broader 86-Safe drain.</p><p><strong>What broke and how.</strong> Per Blockaid, the attacker exploited the module&#8217;s <code>executeSameChainActions()</code> function to impersonate authorised delegates and execute swaps from victim Safes without owner signatures. The 86 affected Safes had all previously installed the SquidRouterModule with elevated privileges, and the module functioned as a pre-authorised co-signer with broad scope. Squid moved quickly to <a href="https://crypto.news/squid-rushes-to-separate-brand-from-3-million-gnosis-safe-module-exploit/">clarify that the vulnerable contract was not developed, deployed, or operated by the core Squid team</a> despite the name on Basescan, calling it a third-party module that &#8220;independently integrated with protocols like Squid.&#8221; Squid&#8217;s own users and integrators were not affected.</p><p><strong>Why it kept happening.</strong> Safe modules are a pre-authorised execution path. The Safe contract checks owner signatures against the threshold for transactions the owners submit, but calls that arrive through an installed module bypass those checks entirely, so an installed module functions as an additional co-signer with whatever scope the module&#8217;s own code defines. Those Safes trusted that the module&#8217;s <code>executeSameChainActions()</code> enforced the authorisation discipline the module operator implied, and that trust assumption did not hold. 
The same failure class shows up across 2026&#8217;s largest incidents under different names, where trust gets delegated to an off-contract layer and the contract has no way to verify the delegated layer behaved correctly.</p><p><strong>What to check now.</strong></p><ul><li><p>List every Safe-installed module across every multisig your organisation operates, including individual contributor Safes that hold protocol-side privileges.</p></li><li><p>For each installed module, confirm whether it is a contract built and operated by your protocol, a contract from a vendor you have a direct relationship with, or a third-party integration whose code your team has not separately reviewed.</p></li><li><p>Remove any module whose operator your team cannot name or whose code your team has not reviewed against your current threat model.</p></li><li><p>For modules you keep, scope them as narrowly as the module supports, with per-token allowlists, per-chain restrictions, and per-counterparty allowlists.</p></li><li><p>Audit the <code>enableModule</code> history of every production Safe, since any module installed during a personnel transition or during an active incident response is high priority for review.</p></li></ul><blockquote><p>A Safe module is a co-signer that does not ask the owners for permission. If your operations team cannot articulate, from memory and without reading the docs, what every installed module is authorised to do, the module list is your unaudited co-signer list. 
SquidRouterModule is the version of that question where the answer cost 86 Safes $3M in two hours.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Around the Forums</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1505664194779-8beaceb93744?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwxMXx8bGlicmFyeXxlbnwwfHx8fDE3ODA0MzU1MDJ8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" alt="book lot on black wooden shelf" loading="lazy"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@giamboscaro">Giammarco Boscaro</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><strong>KelpDAO closes the operational rsETH recovery.</strong> KelpDAO transferred the <a href="https://cointelegraph.com/news/kelpdao-says-rseth-restored-5-weeks-after-protocol-hack">final tranche of 20,373.72 rsETH</a> into LayerZero&#8217;s lockbox contract on May 25, closing the operational portion of the recovery from the April 18 bridge exploit. Mints, redemptions, and rewards have been running normally since the May 14 reopening of withdrawals. The Aave side did not recover symmetrically. 
Aave&#8217;s TVL fell from $26.4B to below $14B in the weeks after the exploit and has hovered in the $13.9B to $15.1B band since, with <a href="https://www.cryptotimes.io/2026/05/26/aave-and-kelp-dao-restore-rseth-operations-after-april-exploit/">no sign of returning</a> to its pre-incident peak. The DeFi United multi-protocol coalition completing this recovery without a foundation, a regulator, or a centralised actor underwriting the process sets a precedent the industry will keep coming back to when the next bridge fails.</p><p><strong>THORChain ADR-028 vote runs, criticism over keeping GG20.</strong> THORChain&#8217;s recovery proposal for the May 15 vault exploit <a href="https://crypto.news/thorchain-offers-hacker-bounty-as-restart-vote-opens/">opened to node-operator voting on May 22</a>, with the protocol absorbing the loss through Protocol-Owned Liquidity, no new RUNE minted, and a 10% bounty offered to the attacker. The contested decision is the choice to keep GG20 in place, patched and upgraded, rather than accelerate the migration to DKLS that Silence Laboratories was already commissioned to deliver in late 2025. Pseudonymous analyst Bird <a href="https://crypto.news/thorchain-faces-backlash-over-gg20-fix-after-10-7m-hack/">argued</a> that the initial exploit suggests the signing stack has a flaw in randomness generation or local signing isolation and that GG20 carries brittle assumptions that should not be left in production. 
Choosing to patch a primitive that has now been exploited in production is a defensible operational call only if the patch closes the actual class of flaw, and the technical details of the exploit have still not been publicly released as of the vote opening.</p><div><hr></div><h2>What Else Happened</h2><ul><li><p><strong>Polymarket internal-ops wallet, ~$600K POL, May 22.</strong> Six-year-old private key compromise in the rewards-payout backend wallet, <a href="https://www.tronweekly.com/polymarket-exploit-reported-as-above-600k-losses-traced-to-private-key-issue/">confirmed by Polymarket developer Josh Stevens</a>. User funds and market resolution untouched, and the affected wallet sat outside the UMA Conditional Tokens Framework adapter contracts. Drain rate was 5,000 POL every 30 seconds across 15 to 16 addresses.</p></li><li><p><strong>MAP Protocol Butter Bridge V3.1, ~$180K extracted, May 20.</strong> Cross-chain bridge contract bug. Per <a href="https://www.cryptotimes.io/2026/05/21/map-bridge-exploit-1-quadrillion-mapo-minted-in-cross-chain-attack/">Blockaid</a>, an <code>abi.encodePacked</code> collision across dynamic-bytes fields in the bridge&#8217;s retry verification path allowed a forged retry to pass the guard check. The attacker minted 1 quadrillion MAPO (4.8M&#215; the ~208M legitimate supply), dumped roughly 1B fake MAPO into Uniswap, and extracted about $180K. MAP Protocol paused mainnet and announced migration to a new contract.</p></li><li><p><strong>Solv Protocol BRO reentrancy, May 3 (post-mortem published this week).</strong> ERC transfer callback minted BRO tokens before the calling function completed, allowing a recursive mint loop in the BitcoinReserveOffering contract. 
[<a href="https://rekt.news/solv-rekt">rekt.news</a>] Solv has since moved <a href="https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit">more than $700M in tokenised BTC infrastructure off LayerZero</a> following the KelpDAO fallout.</p></li><li><p><strong>WUSD.fi / GLOVE incentive abuse, ~$200K, May 25.</strong> Sybil attack on <code>WUSD._englove</code>. Each fresh <code>msg.sender</code> wrapping at least 100 WUSD while holding fewer than 2 GLOVE could mint up to 2 GLOVE via <code>Glove.mintCreditless</code> with no sybil resistance. The attacker used EIP-7702 helper contracts and a Morpho USDT flash loan to repeat wrap/unwrap cycles, harvest GLOVE, and dump it into Uniswap V3. [<a href="https://x.com/exvulsec/status/2058803971947385330">exvulsec on X</a>]</p></li><li><p><strong>TrapDoor cross-registry supply chain, 34+ packages, May 22 onward.</strong> Socket disclosure on May 24 of malicious packages on npm, PyPI, and Crates.io targeting Aptos, Sui, and Solana developer environments. Payloads modify <code>.cursorrules</code> and <code>CLAUDE.md</code> files to weaponise AI coding assistants against the developer. [<a href="https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates">Socket</a>]</p></li><li><p><strong>GitHub Actions supply chain compromise of </strong><code>actions-cool/issues-helper</code><strong>.</strong> All existing tags moved to a malicious imposter commit that steals CI/CD credentials from GitHub Actions workflows. [<a href="https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html">The Hacker News</a>] Any crypto org using third-party GitHub Actions should pin to commit SHAs rather than tags and audit their last 30 days of workflow runs.</p></li><li><p><strong>Nx Console VS Code extension compromised, 2.2M installs.</strong> Version 18.95.0 executed a credential-stealing payload on workspace open. 
Affected users must update to 18.100.0 and rotate every credential the workspace could reach. [<a href="https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html">The Hacker News</a>]</p></li></ul><div><hr></div><h2>On the Clock</h2><p>LayerZero applications running 1-of-1 DVN configurations need to re-pin to a multi-DVN setup before LayerZero Labs&#8217; enforcement deadline catches them. The company has <a href="https://www.cryptotimes.io/2026/05/20/layerzero-details-single-verifier-flaw-behind-292m-kelpdao-exploit/">committed to refuse acting as the sole verifier on any channel going forward</a> and has restructured its cloud infrastructure rather than patching it. THORChain v3.18.1 ships vault protections that node operators need in place before any v3.19 restart of trading. [<a href="https://chain.buzz/thorchain-exploit-report-details-10-7m-vault-drain-and-adr-028-recovery-path/">Chain.Buzz</a>]</p><p>For any developer in your organisation hit by the three supply-chain compromises covered in What Else Happened (TrapDoor, the Nx Console extension, or the <code>actions-cool/issues-helper</code> Action), treat every credential reachable from that workstation or workflow as compromised pending rotation. Detection times averaged minutes. Exposure windows of minutes have repeatedly been enough to reach deployer keys.</p><div><hr></div><h2>Long Reads</h2><p><strong><a href="https://layerzero.network/publications/kelpdao-incident-report.pdf">LayerZero Labs KelpDAO Incident Report (PDF)</a>.</strong> The most important reading of the week if you operate any system whose security depends on infrastructure run by another company. Prepared with Mandiant, CrowdStrike, and zeroShadow, with UNC4899/TraderTraitor attribution. The same DPRK group that hit Safe{Wallet} for $1.5B in February 2025. 
Worth reading alongside the <a href="https://thedefiant.io/news/hacks/layerzero-s-incident-report-says-kelp-downgraded-from-2-of-2-to-1-of-1-before-usd292m-exploit">Chainalysis companion analysis</a>, which frames the exploit as a broken accounting invariant that lived outside the contract.</p><p><strong><a href="https://thorchain.org/blog/thorchain-exploit-report-1">THORChain Exploit Report #1</a>.</strong> The first official post-mortem from THORChain on the May 15 vault drain, including the response timeline and the rationale for the ADR-028 path. Useful both as a model of post-mortem communication and as direct input for any team currently running GG20 in production.</p><p><strong><a href="https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates">Socket on the TrapDoor crypto stealer supply chain attack</a>.</strong> Primary technical breakdown of the cross-registry campaign, including encryption schemes, persistence mechanisms, and the full affected package list. Required reading for anyone running a CI pipeline that installs third-party packages.</p><div><hr></div><h2>The Operator&#8217;s Read</h2><h4>The Laptop Is the Attack Surface</h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, 
https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="5184" height="3888" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3888,&quot;width&quot;:5184,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;text&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="text" title="text" 
srcset="https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1629654297299-c8506221ca97?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1fHx0ZXJtaW5hbHxlbnwwfHx8fDE3ODA0MzU2Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@6heinz3r">Gabriel Heinzer</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>Crypto security in 2026 still threat-models the contract and not much else. Audits get spent on contract code, bug bounties pay out on contract bugs, post-mortems start at the transaction hash. Several of the headline losses of recent years have come from somewhere upstream of that transaction hash, on a laptop nobody in security has touched.</p><p>From where I sit, that is the gap. Auditing a contract is the &#8220;easiest&#8221; job in the stack because the contract sits in public, runs deterministically, and gets reviewed by every researcher as long as the project runs a Bug Bounty Program and/or has an Audit Competition.</p><p>The developer&#8217;s MacBook runs whatever they <code>npm install</code>ed on Tuesday, with whatever permissions they were granted in their first week of onboarding, behind whatever antivirus the IT vendor renewed in 2021. The asymmetry of attention is the entire story.</p><p>The 2026 receipts are not subtle. Socket disclosed 34+ malicious packages across npm, PyPI, and Crates.io in <a href="https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates">TrapDoor</a> last week, with payloads that modify <code>.cursorrules</code> and <code>CLAUDE.md</code> files specifically to weaponise the AI coding assistant against the developer who installed them. 
The Nx Console VS Code extension shipped a <a href="https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html">credential-stealing payload to 2.2 million developers</a> in version 18.95.0, executed the moment the workspace opened. The Shai-Hulud npm worm hit 314 packages in 22 minutes via one stolen token. The <code>actions-cool/issues-helper</code> GitHub Action moved every existing tag to a malicious commit that scraped CI/CD credentials from every workflow that pinned by tag rather than commit SHA. That is one week. Pick any week in 2026 and the list reads longer.</p><p>The shape of the attack has not changed. Get something on the developer&#8217;s machine, harvest credentials, pivot. Bybit&#8217;s $1.5B February 2025 heist started on a Safe{Wallet} developer&#8217;s laptop. LayerZero&#8217;s $292M KelpDAO breach this April started on a LayerZero developer&#8217;s laptop, with the attacker sitting in the company&#8217;s cloud infrastructure for forty-three days before pulling the trigger. Drift&#8217;s $285M loss in early 2026 was preceded by six months of social engineering aimed at developer contributors, including in person at industry conferences. Same group in many of these cases, same pattern, larger numbers each time.</p><p>If a crypto org&#8217;s threat model does not cover the developer endpoint, you already know what the next post-mortem will look like.</p><p>The threat-modelling fix is unglamorous and not optional. Every developer laptop, every VS Code or Cursor install, every CI runner, every contributor environment is a production endpoint. Each one needs an entry in the threat model that lists what credentials it can reach, what services it can deploy to, what production assets sit one rotation behind its login password. 
If the answer to &#8220;what happens if this laptop is compromised right now&#8221; is anything other than &#8220;the blast radius is contained to this laptop,&#8221; the threat model has a hole and the laptop has too much trust. The action is to walk every contributor environment back to the principle of least privilege the rest of your security program already runs on. Most crypto orgs would be horrified at what a typical engineer can reach with one harvested credential, which is exactly why most crypto orgs need to do this exercise this quarter.</p><p>The detection fix is EDR, MDR, or XDR, and the difference between those three and the consumer antivirus your org is probably running is the difference between catching a pivot and reading about it eight weeks later in a Mandiant report. Consumer antivirus catches what attackers stopped using in 2015. EDR watches behaviour, so when the legitimate-looking package opens a reverse shell to an unusual IP three hours after install, something fires. MDR puts humans on the other end of those alerts so they get triaged at 3am instead of next Monday. XDR correlates across endpoints so the same compromised package landing on three contributor laptops shows up as one incident rather than three unread emails. A $50-per-seat EDR subscription is cheaper than every individual line item in the LayerZero post-mortem, and the security team you already employ will be much happier doing the threat-modelling work above if they know they have a chance of catching what slipped through.</p><p>The key-custody fix is the one I keep being surprised I have to repeat. Production signing keys belong in a hardware security module or a cloud KMS. AWS KMS, GCP Cloud KMS, Azure Key Vault, Fireblocks, any reputable HSM vendor. The cleartext key never leaves the boundary. The signing operation calls the boundary, the boundary signs, the result comes back. 
A <code>.env</code> file on a contributor&#8217;s MacBook is operational hope dressed up in a filename. The day that laptop is compromised, and statistically it will be, the keys in that <code>.env</code> file have to be treated as fully owned by the attacker from the moment the malware lands. If those keys can move funds or change configuration anywhere in production, the loss is whatever the attacker can move before you notice. Echo Protocol noticed within hours and still lost $816K against a $76.7M paper exposure, with the cap set by chain liquidity rather than by any control Echo had in place. The next protocol that runs the same configuration on a chain with deeper pools will not get the same lucky cap.</p><p>Put it bluntly. Crypto orgs in 2026 spend more on contract audits than on the laptops those audits are commissioned from, and the most valuable production credential in your organisation right now is sitting on someone&#8217;s MacBook, next to a Slack message from a recruiter on LinkedIn and a VS Code extension that updates itself overnight. The contract you spent six months auditing will keep doing exactly what it was written to do. 
Whether that ends well for your protocol depends on whether your threat model includes the path from &#8220;someone updated Cursor on Tuesday&#8221; to &#8220;the admin key signed an unauthorised mint on Friday.&#8221;</p><div><hr></div><h2>Closing Tab</h2><p><em>The next admin-key compromise will land on a chain with deeper liquidity than Monad, or on a Safe{Wallet} with a module nobody on the operations team can name from memory, and both the headline number and the actual loss will be even higher.</em></p><div><hr></div><p><em>Adrian Hetman</em> <em>Burn Notice</em> <em>Operational intelligence for Web3, every week.</em></p>
]]></content:encoded></item><item><title><![CDATA[Burn Notice #1]]></title><description><![CDATA[Drift $285M, KelpDAO $292M: Bridge Exploits Explained]]></description><link>https://burnnotice.adrianhetman.xyz/p/burn-notice-1</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/burn-notice-1</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Wed, 27 May 2026 05:14:54 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gIpB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1>Four Bridge Hacks in Nearly Seven Weeks</h1><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gIpB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gIpB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 424w, 
https://substackcdn.com/image/fetch/$s_!gIpB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 848w, https://substackcdn.com/image/fetch/$s_!gIpB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 1272w, https://substackcdn.com/image/fetch/$s_!gIpB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!gIpB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png" width="1024" height="608" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:608,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!gIpB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 424w, 
https://substackcdn.com/image/fetch/$s_!gIpB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 848w, https://substackcdn.com/image/fetch/$s_!gIpB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 1272w, https://substackcdn.com/image/fetch/$s_!gIpB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F538f16e7-20e4-4a00-b738-93a2718afc1f_1024x608.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Bridge on fire</figcaption></figure></div><p>Four major exploits in nearly seven weeks. Drift on April 1 ($285M), KelpDAO on April 18 ($292M), THORChain on May 15 ($10.8M), Verus on May 17 ($11.6M). The attack class is concentrating, not rotating. Infrastructure that connects chains, manages cross-chain messaging, or holds reserve balances on both sides of a proof system is the target.</p><p><strong>In today&#8217;s issue:</strong></p><ul><li><p>Drift&#8217;s Security Council was pre-signed into surrendering $285M, and a planned signer rotation was the one chance to stop it</p></li><li><p>KelpDAO&#8217;s 1-of-1 DVN, LayerZero&#8217;s apology, and the $71M governance recovery cleared by court and DAO</p></li><li><p>THORChain, Verus, and five more: what broke, in two sentences each</p></li></ul><div><hr></div><h2>Need to Know</h2><p>April 2026 produced $630M in confirmed crypto hack losses, the highest monthly total since February 2025, with DPRK-attributed operations accounting for roughly 76% of all 2026 losses through April, approximately $577M of $759M total, per TRM Labs. [<a href="https://cointelegraph.com/news/crypto-hacks-cause-630m-losses-in-april-highest-since-february-2025">Cointelegraph</a>] PeckShield tracked eight bridge exploits year-to-date through mid-May, totalling $328.6M, and across those eight incidents the failure classes are the same ones we have been writing about for years, repeating because the industry's average internal discipline has not kept pace with its TVL. [<a href="https://news.bitcoin.com/verus-ethereum-bridge-hack-11-million-tornado-cash-2026/">bitcoin.com</a>] Not one of these failures required a novel technique or a zero-day. 
Every security lead should be sitting with one question today.</p><p>Which of these failure classes is currently open in our stack?</p><div><hr></div><h2>The Big One &#8212; The Drift Council Takeover</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img 
src="https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="1080" height="812" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:812,&quot;width&quot;:1080,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Hand writing with a fountain pen on paper.&quot;,&quot;title&quot;:&quot;Hand writing with a fountain pen on paper.&quot;,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Hand writing with a fountain pen on paper." title="Hand writing with a fountain pen on paper." 
srcset="https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1764106813759-9ef7bf42a0af?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyNnx8cGVyc29uJTIwc2lnbmluZyUyMGRvY3VtZW50JTIwY2xvc2UtdXB8ZW58MHx8fHwxNzc5NzA0ODM4fDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@shutter_speed_">Shutter Speed</a> on <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On April 1, 2026, DPRK operators drained $285M from Drift Protocol using pre-signed durable nonce transactions that legitimate Security Council members had unknowingly authorised via blind signing. [<a href="https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist">TRM Labs</a>] The execution was the last step. The preparation had been running for six months.</p><p><strong>What broke and how.</strong> DPRK&#8217;s UNC4736 spent fall 2025 cultivating Drift contributors at crypto conferences, presenting as a quantitative trading firm. By December they had onboarded an Ecosystem Vault and deposited more than $1M to build credibility. [<a href="https://www.theblock.co/post/396361/drift-links-280-million-exploit-to-six-month-social-engineering-op-run-by-suspected-north-korean-actors">The Block</a>] Two contributors were compromised through a malicious code repository and a fake wallet app. The attackers then collected pre-signatures from 2-of-5 council members on admin-transfer payloads disguised as routine updates. Classic blind signing. 
[<a href="https://www.chainalysis.com/blog/lessons-from-the-drift-hack/">Chainalysis</a>]</p><p>On March 26&#8211;27, a legitimate council rotation invalidated the attacker&#8217;s first harvest. That was the escape window. [<a href="https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation">BlockSec</a>] The rotation did not change Drift&#8217;s pre-existing zero-timelock configuration. Within 72 hours the attackers had re-established the 2-of-5 threshold. On April 1 at 16:05 UTC, the pre-signed transaction executed. Zero timelock meant the transfer was irreversible before any monitor could fire. The vault drain took approximately 12 minutes. [<a href="https://www.theblock.co/post/396361/drift-links-280-million-exploit-to-six-month-social-engineering-op-run-by-suspected-north-korean-actors">The Block</a>]</p><p><strong>What to check now.</strong></p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!a6Tn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe60f6571-c47c-4393-9d93-28559b77c480_1194x652.png" width="1194" height="652" alt=""></figure></div><blockquote><p>The March 26 rotation was Drift&#8217;s best chance. It invalidated everything the attackers had harvested. A zero-timelock audit and a 48-hour signing freeze during handoff would have ended it. A signer rotation without a timelock review creates a new attack surface wearing familiar clothes.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Chain Reaction &#8212; KelpDAO&#8217;s 1-of-1 DVN</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1680992046615-065f58bcb4d8?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwyfHxzZXJ2ZXIlMjByb29tJTIwZGFyayUyMGJsdWUlMjBsaWdodHxlbnwwfHx8fDE3Nzk3MDQ4Njh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="1080" height="608" alt="a close up of a rack of computer equipment"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@tylergm">Tyler</a> on <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p><strong>The news.</strong> On April 18, 2026, DPRK&#8217;s Lazarus Group drained 116,500 rsETH worth approximately $292M from KelpDAO&#8217;s LayerZero-powered bridge by poisoning the RPC nodes that LayerZero Labs&#8217; sole DVN relied on. [<a href="https://layerzero.network/blog/kelpdao-incident-statement">LayerZero incident statement</a>] An emergency pause 46 minutes later blocked follow-up attempts that would have released an additional ~$200M.</p><p><strong>What broke and how.</strong> KelpDAO&#8217;s rsETH bridge ran a 1-of-1 DVN, meaning one entity was responsible for verifying every cross-chain message. The attackers identified that entity&#8217;s RPC nodes and replaced their binaries with malicious versions returning accurate data to every IP except the DVN itself.
They simultaneously DDoS&#8217;d the external fallback, forcing it onto the compromised nodes. With every honest path gone, the DVN signed a release for rsETH that had never been deposited on the source chain. [<a href="https://layerzero.network/blog/kelpdao-incident-statement">LayerZero incident statement</a>]</p><p><strong>Why it kept happening.</strong> ~47% of active LayerZero OApps were running 1-of-1 DVN configurations at the time of the exploit. [<a href="https://news.bitcoin.com/kelpdao-slams-layerzero-after-300m-exploit-shifts-rseth-to-chainlink-ccip/">bitcoin.com</a>] LayerZero&#8217;s own quickstart wired the sample config with a single required DVN. After three weeks of blaming Kelp&#8217;s configuration, LayerZero issued a public apology on May 9, admitting it &#8220;made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions.&#8221; [<a href="https://www.theblock.co/post/400629/layerzero-issues-public-apology-for-kelp-dao-exploit-response-admits-fault-in-single-verifier-setup">The Block</a>]</p><p><strong>The downstream impact.</strong> The exploit did not stop at the bridge. The attacker deposited the 116,500 unbacked rsETH as collateral on Aave and borrowed ~$190M in real ETH against it. [<a href="https://www.coindesk.com/tech/2026/04/20/aave-could-face-up-to-usd230-million-in-losses-after-kelp-dao-bridge-exploit-triggers-defi-chaos">CoinDesk</a>] Aave&#8217;s core WETH lending pool hit 100% utilisation &#8212; users who had deposited ETH could not withdraw. [<a href="https://finance.yahoo.com/markets/crypto/articles/kelp-dao-exploit-sparks-aave-191220560.html">Yahoo Finance</a>] Aave froze rsETH markets across V3 and V4 and paused WETH borrowing on Ethereum, Arbitrum, Base, Mantle, and Linea. The panic spread beyond protocols directly holding rsETH: Aave lost $8.45B in deposits over 48 hours, pulling $13.21B out of total DeFi TVL.
[<a href="https://www.coindesk.com/markets/2026/04/20/defi-tvl-drops-more-than-usd13-billion-in-two-days-following-kelp-dao-hack">CoinDesk</a>] The DeFi United coalition, including Aave Labs, EtherFi, and Stani Kulechov personally, formed specifically to plug the collateral gap and prevent cascading liquidations.</p><p><strong>What to check now.</strong></p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!Cu8T!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60294f2d-e4ef-4a15-85b8-a1a74d390b02_1186x606.png" width="1186" height="606" alt=""></figure></div><blockquote><p>47% of active OApps ran the same configuration that enabled this exploit. LayerZero&#8217;s quickstart normalised it. When infrastructure provider defaults create systemic risk, the post-mortem blame fight is the wrong place to discover that.
The default is the product, and it was misconfigured at scale.</p><p><em>&#8212; Adrian</em></p></blockquote><div><hr></div><h2>Around the Forums</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1505664194779-8beaceb93744?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHwzfHxsZWdhbCUyMGRvY3VtZW50c3xlbnwwfHx8fDE3Nzk3MDQ5Mjd8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="1080" height="720" alt="book lot on black wooden shelf"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@giamboscaro">Giammarco Boscaro</a> on <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p><strong>Arbitrum DAO, $71M frozen ETH cleared for recovery.</strong> The Arbitrum Security Council froze 30,765 ETH linked to the April 18 KelpDAO exploit through an emergency 9-of-12 multisig action. The Constitutional AIP passed with more than 90% delegate support.
[<a href="https://cointelegraph.com/news/arbitrum-vote-on-proposal-to-unfreeze-71m-eth-passes-with-90-majority">Cointelegraph</a>] SDNY Judge Margaret Garnett cleared the transfer on May 9, though families holding $877M in unpaid terrorism judgments against North Korea claim the recovered ETH should satisfy their claims, and that legal question remains unresolved. [<a href="https://thedefiant.io/news/defi/court-greenlights-arbitrum-dao-vote-to-move-usd71m-in-recovered-kelp-eth-to-aave">The Defiant</a>]</p><p><strong>THORChain, ADR-028 recovery vote open.</strong> THORChain opened a node-operator vote on ADR-028: protocol-owned liquidity absorbs the $10.8M loss, the attacker&#8217;s bond is slashed, no RUNE is minted, and no user deposits are affected. [<a href="https://www.banklesstimes.com/articles/2026/05/22/thorchain-opens-adr028-vote-as-community-charts-recovery-path/">BanklessTimes</a>]</p><div><hr></div><h2>What Else Happened</h2><ul><li><p><strong>THORChain, $10.8M, May 15.</strong> GG20 threshold-signature key extraction. A malicious validator participated in signing ceremonies for 48 hours, accumulating leaked key-share material until it could reconstruct the full Asgard vault private key offline. [<a href="https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now">TRM Labs</a>] Same broad family as the Alpha-Rays attacks THORChain paid a $500K bounty to patch in 2021, but a novel instance the 2021 patch did not cover.</p></li><li><p><strong>Verus Ethereum bridge, $11.58M, May 17&#8211;18.</strong> Source-destination value binding gap. The bridge verified proofs and signatures but never checked whether the input amount matched the payout; the attacker spent ~$10 in VRSC fees to receive $11.58M. 
[<a href="https://www.coindesk.com/markets/2026/05/18/yet-another-crypto-bridge-falls-victim-to-an-usd11-million-hack">CoinDesk</a> / <a href="https://www.halborn.com/blog/post/explained-the-verus-ethereum-bridge-hack-may-2026">Halborn</a>]</p></li><li><p><strong>TrustedVolumes (1inch Fusion resolver), $6.7M, May 7.</strong> Missing access control modifier. The signer whitelist function was declared <code>public</code> with no <code>onlyOwner</code> modifier; the attacker added themselves as an authorised signer and drained the resolver wallet&#8217;s unlimited approvals across 85 transactions. [<a href="https://www.halborn.com/blog/post/explained-the-trustedvolumes-hack-may-2026">Halborn</a>]</p></li><li><p><strong>ZetaChain, $334K, April 26.</strong> Three chained access control defects. The gateway accepted arbitrary cross-chain calls from any sender and team wallets held unlimited gateway approvals; one CCTX with <code>IsArbitraryCall = true</code> drained wallets across four chains. [<a href="https://blog.solidityscan.com/zetachain-gateway-hack-analysis/">SolidityScan</a>] ZetaChain admitted a prior report describing this behaviour was dismissed as &#8220;by design.&#8221;</p></li><li><p><strong>Giddy.co, $1.3M, April 23.</strong> Incomplete EIP-712 struct coverage. The signature covered only the swap data bytes, not token addresses or amount; the attacker replayed a valid signature with all four unsigned fields substituted. [<a href="https://blog.verichains.io/p/when-signing-is-not-secure">Verichains</a>]</p></li><li><p><strong>Adshares, ~$628K, May 15.</strong> Source-destination value binding gap. The bridge-minter signed token releases against transaction IDs that do not exist on the canonical Adshares chain; zero on-chain verification of the referenced transactions. 
[<a href="https://x.com/DefimonAlerts/status/2055751467579936770">DefimonAlerts</a>]</p></li></ul><div><hr></div><h2>On the Clock</h2><p>No toolchain upgrades with operational urgency this week. All failures were configuration, access control, signature scope, or economic logic, not toolchain.</p><p>Three things are operationally urgent regardless. If you run any LayerZero integration at 1-of-1 DVN, migration is not optional. If any Solana council signer can authorise durable-nonce transactions, disable it now. If any privileged wallet holds <code>type(uint256).max</code> approvals to any contract, revoke them before end of week.</p><div><hr></div><h2>Long Reads</h2><p><strong><a href="https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/">Chainalysis: Inside the KelpDAO Bridge Exploit</a>.</strong> The most technically detailed account of the RPC poisoning chain, DDoS failover mechanics, and DPRK laundering flows. Required for anyone building bridge infrastructure.</p><p><strong><a href="https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation">BlockSec: Drift Protocol Incident</a>.</strong> The most granular on-chain timeline of the Drift attack. The section on the March 27 rotation and 72-hour re-harvest is essential for any protocol with a Security Council.</p><p><strong><a href="https://blog.verichains.io/p/when-signing-is-not-secure">Verichains: When Signing Is Not Secure</a>.</strong> The deepest analysis of the Giddy.co EIP-712 struct failure. 
Applies to every vault or swap contract using off-chain authorisation.</p><div><hr></div><h2>The Operator&#8217;s Read</h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1530819568329-97653eafbbfa?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0fHx0eXBlJTIwd3JpdGVyfGVufDB8fHx8MTc3OTcwNDk5NHww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="1080" height="724" alt="black typewriter"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@daria_kraplak">Daria Kraplak</a> on <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>People keep calling KelpDAO more sophisticated than past DPRK hacks. It was not. Harmony&#8217;s Horizon ran 2-of-4. Ronin was 5-of-9 on paper, but four keys sat with the same entity, making it effectively 2-of-9. KelpDAO ran 1-of-1. The numbers keep changing. The failure class does not.</p><p>Every few years someone ships a cross-chain system with a threshold that looks acceptable and a signing arrangement that collapses under scrutiny. We write post-mortems. We say never again.
Then it happens again with a different name on the contract.</p><p>If you are running a multisig today, the real question is whether the keys are genuinely independent, not whether the number is above one. If two of your five signers share a Slack workspace and a deployment pipeline, your threshold is not what the contract says it is.</p><p><strong>The triage problem nobody wants to admit</strong></p><p>I understand why reports get dismissed. The volume is relentless and most AI-generated submissions are noise. But ZetaChain dismissed a report on the exact component that was later exploited because the behaviour looked &#8220;by design&#8221; in isolation.</p><p>Chained attacks do not announce themselves. The first bug looks like an edge case. The second like a known limitation. The third is the exploit. A triage process that evaluates each report in isolation will miss all three as a combination.</p><p>A managed triage service handles the volume. An internal developer catches what the triager cannot, because they see the report and the three other components it touches. You need both. Always evaluate by end impact on your protocol. If the funds at risk are yours, the report is in scope, regardless of where the entry point is.</p><p><a href="https://x.com/MitchellAmador/status/2045170518849114365">Mitchell Amador&#8217;s five years of Immunefi data</a> settles the continuous coverage question. 93.9% of programmes active for five or more years have surfaced a confirmed critical. Average is 2.7 per programme. The only variable is whether a whitehat or a blackhat gets there first.</p><p><strong>The basics are the whole point</strong></p><p>Giddy and TrustedVolumes had nothing to do with state-sponsored attackers. One was an EIP-712 signature covering half the fields it should. The other was a public function with no access control modifier. Day-one checks. Both shipped without them.</p><p>AI coding gets code out faster. It does not make that code more secure. 
Shipping speed is a competitive advantage until it is not, and when it stops being one you are writing a post-mortem.</p><p><strong>Default configurations are a security decision</strong></p><p>The zero-timelock on Drift and the 1-of-1 DVN on KelpDAO were not installed by attackers. Both were set by the protocols themselves, never revisited, and never put to a governance vote. Nobody attacked the code. The attackers read the configuration.</p><p>One entity to compromise. One RPC layer to poison. One fallback layer to knock offline. The cryptography was fine. The architecture made it irrelevant.</p><p>Ask the question LayerZero did not ask until after $292M was gone: is the default here the secure option, or just the easy one?</p><div><hr></div><p><strong>P.S.</strong></p><p>Bridges were profitable targets before this year and will remain so. Where large sums of money pass through a potential single point of failure, people will always be looking for holes.</p><p>What matters is whether the fundamentals are in place before the bridge goes live. Clear validation logic. Genuine signing independence. A review process that actually asks whether the inputs and outputs are economically bound to each other. The foundation. Build it first.</p><div><hr></div><h2>Closing Tab</h2><p><em>The contracts got audited. The configuration did not. That is where every exploit in this issue started. Check yours.</em></p><div><hr></div><p><em>Adrian Hetman</em> <em>Burn Notice</em> <em>Operational intelligence for Web3, every week.</em></p>
]]></content:encoded></item><item><title><![CDATA[Reclaiming the Spark. On Burnout, Passion, and the Longer Road Back]]></title><description><![CDATA[I'm writing this from the middle of it, not from the other side. The spark that used to fire automatically now takes effort to find.]]></description><link>https://burnnotice.adrianhetman.xyz/p/reclaiming-the-spark-on-burnout-passion</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/reclaiming-the-spark-on-burnout-passion</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Sat, 28 Mar 2026 16:15:57 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!ECN-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ECN-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ECN-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!ECN-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 848w, https://substackcdn.com/image/fetch/$s_!ECN-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!ECN-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ECN-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg" width="1140" height="713" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:713,&quot;width&quot;:1140,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:43008,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://adrianhetman.substack.com/i/192427986?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!ECN-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 424w, https://substackcdn.com/image/fetch/$s_!ECN-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 848w, https://substackcdn.com/image/fetch/$s_!ECN-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!ECN-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74936e3a-e71c-4849-bb0e-aa0c6cbf9403_1140x713.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture>
</div></a></figure></div><p>I&#8217;m writing this from the middle of it, not from the other side.</p><p>That feels important to say upfront. Most articles about burnout are written in the past tense. &#8220;Here&#8217;s what I went through, here&#8217;s how I got out.&#8221; This isn&#8217;t that. I&#8217;m still figuring it out. And maybe that&#8217;s exactly why I want to write it: because I know I&#8217;m not the only one sitting in this, and I think there&#8217;s something honest worth sharing even before the story has a clean ending.</p><h2><strong>How passion becomes weight</strong></h2><p>In 2016, I was a software engineer at BAE Systems, leading a small blockchain innovation team. The technology was fringe, and most people around me couldn&#8217;t understand why I cared so much about it. I cared because I couldn&#8217;t stop. That curiosity felt effortless. It wasn&#8217;t ambition, it was just following the pull.</p><p>That pull carried me further than I could have planned. From building smart contracts, to auditing them at CertiK, to joining Immunefi in 2021 as the fourth person on the triage team. Four years later, I&#8217;m Head of Triage, leading a team of eight, managing a service covering $190B in protected user funds. I&#8217;ve mediated disputes where the outcome determined whether millions of dollars went to the right place. I&#8217;ve hired people, developed them, watched them grow.</p><p>By any measure, the thing I chased because it fascinated me became a career. And then, as these things do, the career became a job.</p><p>I don&#8217;t say that with bitterness. I&#8217;m proud of the work. 
But there&#8217;s a particular exhaustion that comes when meaningful work accumulates weight over years. The stakes stop feeling abstract and start feeling very, very real. Security is relentless. The reports keep coming. The disputes are sometimes people&#8217;s livelihoods. You carry that home. And somewhere along the way, the spark that used to fire automatically started to require effort to find.</p><blockquote><p><em>&#8220;Even meaningful work can become draining if you never take a break from it.&#8221;</em></p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="1219" 
data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1219,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;lone figure on a field&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="lone figure on a field" title="lone figure on a field" srcset="https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1719565337918-77a5b70df11a?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture>
</div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@jacky228">Jacky Nelson</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><h2><strong>The thing burnout steals that nobody names</strong></h2><p>We talk about burnout in terms of productivity. You can&#8217;t focus, you can&#8217;t start things, the inbox feels like a boulder. All of that is real.</p><p>But what burnout quietly takes is your sense of who you are when you&#8217;re not working. Nobody really warns you about this part.</p><p>When what you do and who you are have been the same thing for years, burnout doesn&#8217;t just leave you unproductive. It leaves you feeling hollow in a way that&#8217;s harder to explain. You look at the things that used to energize you and feel nothing. The curiosity that once pulled you forward now feels like a task you&#8217;re failing to perform. And then the anxious voice arrives. <em>Was any of it real? Is this who I actually am, or just what I got good at?</em></p><p>I&#8217;ve sat with that question more than once lately. I don&#8217;t have a clean answer. But I&#8217;ve come to think that the question itself isn&#8217;t a crisis. 
It&#8217;s an invitation.</p><h2><strong>What distance taught me</strong></h2><p>The first time I understood this, it wasn&#8217;t because I read about it. It was because I started picking up a camera.</p><p>Not a digital one. An analog one. Film photography, which is slower, more deliberate, and completely unforgiving in the best possible way. You can&#8217;t undo a shot. You can&#8217;t scroll back. You have to be present, and then you have to wait. That waiting, I discovered, was doing something for me that nothing in my work could.</p><p>Then came mechanical watches. There&#8217;s a whole world in there. The history, the craft, the way a movement works like an impossibly small piece of engineering that someone thought about for years. I fell deep into it without planning to. Then cooking properly for my family on weekends, not a quick meal but the kind where you&#8217;re chopping things slowly, tasting as you go, fully in the room for a few hours while the notifications disappear. Repairing old consoles. 
And of course, writing this blog.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="1500" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1500,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;person holding book sitting on brown surface&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="person holding book sitting on brown 
surface" title="person holding book sitting on brown surface" srcset="https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1506880018603-83d5b814b5a6?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture>
</div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@blazphoto">Blaz Photo</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>And journaling.</p><p>Journaling might be the one that&#8217;s changed me the most, even though it&#8217;s the hardest to explain to someone who hasn&#8217;t tried it. There&#8217;s nothing productive about it. You sit down, you open a notebook, and you write whatever is actually in your head. Not the polished version, not the version you&#8217;d say out loud, just the real mess of it. <em>Today I feel... I don&#8217;t know what I feel. I&#8217;m tired in a way I can&#8217;t name. I keep thinking about...</em> And then something happens. The thought that was a fog starts to have edges. You see patterns you hadn&#8217;t noticed. You realize what&#8217;s been draining you. Sometimes you realize what you actually want.</p><p>I&#8217;ve written before about journaling, and I keep coming back to it because it keeps coming back to me. It&#8217;s the one habit that costs nothing, asks nothing, and somehow returns more than almost anything else I do for myself. 
If you&#8217;re burned out and you haven&#8217;t tried it yet, I&#8217;d start there before anything else.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="3000" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3000,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;a cup of coffee and a notebook on a 
table&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="a cup of coffee and a notebook on a table" title="a cup of coffee and a notebook on a table" srcset="https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1637689113621-73951984fcc1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture>
</div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@nomadicfitlust">Andres Molina</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><blockquote><p><em>&#8220;Work is not just about doing more. It&#8217;s about doing what matters and leaving space for what makes you human.&#8221; &#8212; Cal Newport, Slow Productivity</em></p></blockquote><p>None of what I listed above is productive. None of it scales. Nobody is waiting on a deliverable. And that, I eventually understood, was exactly the point. If your hobby becomes your job, you can&#8217;t let it stay your only hobby. I learned this the hard way. When blockchain was both what I did at work and what I thought about in my free time, I was mentally on the clock 24 hours a day. That isn&#8217;t sustainable, especially when you have a family you want to be fully present for, not a version of yourself that&#8217;s still half somewhere else.</p><h2><strong>The honest part. I&#8217;m still exploring.</strong></h2><p>Here&#8217;s where I have to be honest with you, because this post would ring false if I wrapped it up too neatly.</p><p>I haven&#8217;t figured this out. I&#8217;m still in the middle of discovering what gives me that spark right now, at this point in a career that looks very different from where it started. Some of the hobbies I listed above I&#8217;ve had for years. 
But some of what&#8217;s pulling at me lately is newer and less defined, and I&#8217;m not sure yet what to do with it.</p><p>I&#8217;ve been thinking about starting an Instagram account just for my watch photography. Nothing elaborate, just a place to share what I see when I look through the viewfinder at a dial, a case, the way light catches a rotor. I don&#8217;t know if I will. I don&#8217;t know if anyone would care, or if that&#8217;s even the point. But the thought keeps coming back, which I&#8217;ve learned to take seriously.</p><p>I&#8217;ve been thinking about doing something more with journaling. Not just keeping it to myself, but sharing more of the process, the prompts that help, the way it feels on the days when it clicks and the days when it doesn&#8217;t. Maybe that&#8217;s just more writing. Maybe it&#8217;s something different. I don&#8217;t know yet.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw"><img 
src="https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="1599" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1599,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;a man holding a lantern in the dark&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="a man holding a lantern in the dark" title="a man holding a lantern in the dark" srcset="https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1682685795463-0674c065f315?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture>
</div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@neom">NEOM</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>And I notice that <em>I don&#8217;t know yet</em> feels important to sit with, rather than resolve. Part of what burnout does is make you feel like you need to have the answer already. Like not knowing what your next passion is means you&#8217;ve lost something permanently. I don&#8217;t think that&#8217;s true. I think sometimes the honest position is that I&#8217;m curious about a few things, I&#8217;m not sure where they&#8217;ll go, and I&#8217;m giving myself permission to find out slowly.</p><p>Those small pulls are worth following. Not because they&#8217;ll become your next great passion overnight, but because they&#8217;re the thread back to yourself. Curiosity doesn&#8217;t need a destination. 
It just needs permission.</p><p>When something surfaces, and something usually does if you stop forcing it, start smaller than feels meaningful. One afternoon. One roll of film. One meal you haven&#8217;t tried before. One page in a notebook. The goal isn&#8217;t to build something or prove something. The goal is just to remember what it feels like to do something for no reason other than that you want to.</p><p>I started this blog for exactly that reason. Not with a plan, not with a content strategy, not even with a clear sense of who I was writing for. I just wanted to write. And that wanting, it turned out, was enough to start.</p><blockquote><p><em>&#8220;How we spend our days is how we spend our lives.&#8221;</em></p></blockquote><h2><strong>On rest, which is harder than it sounds</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" 
width="2000" height="1333" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1333,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;green grass during golden hour&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="green grass during golden hour" title="green grass during golden hour" srcset="https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1566475492421-769f60fd58ff?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@centelm">Cl&#233;ment Falize</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>I&#8217;ve resisted rest my whole career. There was always more to do. Always someone pushing forward. Always a dispute that needed resolving, a hire that needed making. The guilt of stopping felt productive, like at least I was aware of what I wasn&#8217;t doing.</p><p>But I&#8217;ve learned, slowly and not easily, that this is a trap. You can&#8217;t recover while still running. You can&#8217;t find the spark when you&#8217;re running on empty. The ideas don&#8217;t come, the curiosity doesn&#8217;t fire, and the things you used to love stay flat, not because they&#8217;ve changed, but because you&#8217;re too depleted to receive them.</p><p>Real rest isn&#8217;t waiting for motivation while you do nothing. It&#8217;s giving yourself time that isn&#8217;t in service of anything else. A walk without headphones. A book with no agenda. Cooking something slowly. Sitting outside and doing nothing in particular. These aren&#8217;t wasted hours. 
They&#8217;re where the spark rebuilds itself, without your help, without your interference.</p><blockquote><p><em>&#8220;The things you think about determine the quality of your mind. Your soul takes on the color of your thoughts.&#8221; &#8212; Marcus Aurelius, Meditations</em></p></blockquote><h2><strong>This isn&#8217;t a solved problem</strong></h2><p>I said at the beginning that I&#8217;m writing this from the middle, not the other side. I mean it.</p><p>I&#8217;m still figuring out what the next version of this looks like, what the spark looks like now, at this point in a career that has grown in ways I couldn&#8217;t have predicted. I don&#8217;t have a tidy ending. I have analog photographs I&#8217;m happy with. A few watches I love. A journal I return to. A blog I keep showing up for. A family I want to be fully present for. And a slowly growing sense that the curiosity that got me here is still in there somewhere, just a little buried, waiting for some space.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" 
sizes="100vw"><img src="https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="1334" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1334,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;a close up of a plant with the sun in the background&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="a close up of a plant with the sun in the background" title="a close up of a plant with the sun in the background" srcset="https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1525863401638-02497b0b180c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@iljatulit">Ilja Tulit</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>If you&#8217;re in something similar, I don&#8217;t want to offer you a five-step plan. I want to offer you this: the burnout you&#8217;re feeling isn&#8217;t a verdict on who you are or how much you care. It&#8217;s a signal that you&#8217;ve been giving a lot, and you need to receive something back. The flatness isn&#8217;t permanent. The spark doesn&#8217;t disappear. It just needs you to stop demanding it perform on command.</p><p>Do things for yourself. Follow the small pull. Rest without guilt. Let the thing you love breathe at a distance for a while.</p><p>And if you need a reason to start, mine arrived before I was ready. Within the next week, my second child will be born. 
I want to be fully present for him from the very first day. Not a version of myself that&#8217;s half somewhere else, still processing a dispute or mentally triaging a report. Someone he can rely on. Someone my whole family can rely on. That&#8217;s not a small thing to want. And it&#8217;s been the clearest reminder I&#8217;ve had in a long time that the work of finding yourself again isn&#8217;t selfish. It&#8217;s necessary.</p><p>The way back isn&#8217;t always straight. But it&#8217;s there.</p><div><hr></div><p><em>If you&#8217;re still in the early stages of recognizing what burnout actually is, I wrote about that first &#8212; and about the small steps that help &#8212; in <a href="https://adrianhetman.xyz/understanding-burnout-and-finding-small-ways-forward/">Understanding Burnout and Finding Small Ways Forward</a>. This post picks up where that one left off.</em></p>]]></content:encoded></item><item><title><![CDATA[Boredom Is a Skill. What Happens When You Actually Practise It.]]></title><description><![CDATA[Most of us haven't been genuinely bored in years. Not because life is full &#8212; because we've built a system for avoiding it. 
What you lose when every gap gets filled.]]></description><link>https://burnnotice.adrianhetman.xyz/p/boredom-is-a-skill-what-happens-when</link><guid isPermaLink="false">https://burnnotice.adrianhetman.xyz/p/boredom-is-a-skill-what-happens-when</guid><dc:creator><![CDATA[Adrian ⛩️ Hetman]]></dc:creator><pubDate>Fri, 27 Mar 2026 21:31:30 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="6000" height="4000" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:4000,&quot;width&quot;:6000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;People sitting on benches in a room&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="People sitting on benches in a room" title="People sitting on benches in a room" srcset="https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, 
https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1761671595934-4737d86dba1f?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw0Nnx8Ym9yZWRvbXxlbnwwfHx8fDE3NzQ2NDY3ODV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@teo">Teo Zac</a> on <a 
href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>The hand moves before you&#8217;ve even registered the feeling.</p><p>You sit down with a coffee. Nobody needs anything. There&#8217;s a gap in the day, ten minutes, maybe twenty. And before boredom has a chance to arrive, you&#8217;ve already opened your phone. You&#8217;ve scrolled something. You&#8217;ve pre-empted the discomfort so efficiently that you never actually felt it.</p><p>Ted Chiang&#8217;s short fiction keeps returning to one question: what does it mean to be inside a moment that is already passing? In <em>Exhalation</em>, a being studies its own consciousness and arrives at a quiet conclusion about time and presence. The story doesn&#8217;t offer comfort exactly. It just insists on something: this moment, right now, is the only one that actually exists. The past is sealed. The future isn&#8217;t here yet. You are only ever somewhere.</p><p>I think about that sometimes when I reach for the phone.</p><p>Most of us haven&#8217;t been genuinely bored in years. Not because life is so full, but because we&#8217;ve built a nearly airtight system for avoiding the feeling. Every gap gets filled automatically. The commute. The queue at the shop. The thirty seconds between tasks. The two minutes while the coffee brews. 
We have eliminated the fallow time so completely that we&#8217;ve also eliminated everything it used to produce.</p><p>And what it produces, it turns out, isn&#8217;t nothing.</p><h2><strong>What You&#8217;re Actually Avoiding</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="1336" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1336,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;focus photography of Tickets neon light 
signage&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="focus photography of Tickets neon light signage" title="focus photography of Tickets neon light signage" srcset="https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1513265472937-50d3e680377c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@josephyates_">Joe Yates</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>The reason we avoid boredom isn&#8217;t laziness. It&#8217;s that the first few minutes of doing nothing feel genuinely wrong.</p><p>There&#8217;s a specific quality to it, a restlessness, a sense of <em>should be doing something</em>, an itch you can&#8217;t locate. Most people interpret this as evidence that boredom is bad and reach for relief. But the discomfort isn&#8217;t the boredom itself. It&#8217;s the transition. Sit through it, and something else becomes available.</p><p>I noticed this first through film photography. You take a shot. You can&#8217;t see it, can&#8217;t adjust it, can&#8217;t delete and reshoot. You just have to be where you are and wait for something worth shooting. The first few rolls I put through a camera, I was restless the whole time, scanning for the next frame rather than seeing what was in front of me. The camera didn&#8217;t slow me down. The inability to review the results did. It forced me to actually be somewhere rather than processing it.</p><p>The discomfort at the start is the price of admission. Most people don&#8217;t pay it because relief is always one tap away.</p><h2><strong>What the Mind Does When You Leave It Alone</strong></h2><p>The brain, when you stop directing it, does not go blank. It wanders. 
And wandering is not the same as wasting time.</p><p>It goes back to things you haven&#8217;t consciously thought about. The console you&#8217;ve been meaning to repair that&#8217;s been sitting in a box for eight months. The conversation with a friend you&#8217;ve been putting off because you haven&#8217;t had the right window. The thing your daughter said last Tuesday that you half-heard and then forgot about until now.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="1333" 
data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1333,&quot;width&quot;:2000,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;silhouette photography of person&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="silhouette photography of person" title="silhouette photography of person" srcset="https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 424w, https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 848w, https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1272w, https://images.unsplash.com/photo-1444703686981-a3abbc4d4fe3?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@grakozy">Greg Rakozy</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>It also works on problems without your permission. You stop trying to figure something out and take a walk, and by the end of the walk you have the answer. Not because walking is magical. Because you stopped forcing it and the mind found its own route.</p><p>And it tells you things about your emotional state that the noise of constant stimulation buries. You sit still for ten minutes and realise you&#8217;re anxious about something you hadn&#8217;t consciously named. Or that you&#8217;re actually fine. Or that you&#8217;ve been tired for three weeks and covering it with distraction.</p><p>None of this is glamorous. It&#8217;s not a creativity breakthrough or a productivity win. 
It&#8217;s just contact with what&#8217;s actually going on in your own head, which is harder to access than it sounds when you&#8217;re filling every gap with something.</p><h2><strong>The Case for Doing Nothing</strong></h2><p><em>The Art of Laziness</em> makes an argument that most self-improvement thinking is designed to argue you out of: that deliberate inaction is not a failure of discipline. That the insistence on filling every moment with effort and visible output is not productivity. It&#8217;s anxiety wearing productivity&#8217;s clothes.</p><p>The case isn&#8217;t that doing nothing leads to better results. It&#8217;s simpler and harder to accept than that. Doing nothing has value in itself. Not because of what it eventually produces. Because it&#8217;s the state in which you are most honestly present, without task and stimulus constantly telling you what to think and feel next.</p><p>I spent years in an environment where there was no fallow time. The work ran on urgency, on staying alert to everything, all the time. Boredom was the enemy, a gap in attention that could mean something missed. I was good at that. But vigilance has a cost, and one of them is that you gradually lose the thread of your own life, because you&#8217;re never quiet enough to hear it.</p><p>What I found, slowly, when I started leaving things unfilled, wasn&#8217;t insight or inspiration. It was just more signal from my own life. Small stuff. Noticing, mid-queue at the supermarket, that I hadn&#8217;t called my parents in a while. A walk without headphones where a half-formed problem resolved itself sideways, without effort. Sitting somewhere with nothing to read and realising I was actually tired, not restless, and had been for weeks.</p><p>That&#8217;s what boredom gives you. Not inspiration. 
Just contact with what was already there, waiting.</p><h2><strong>A Small and Uncomfortable Experiment</strong></h2><div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1587591595182-637c7e822c37?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=2000" width="2000" height="1331" alt="silhouette of mountain during sunset" title="silhouette of mountain during sunset" loading="lazy"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@jsshotz">Jorge Salvador</a> / <a href="https://unsplash.com/">Unsplash</a></figcaption></figure></div><p>Pick one gap in your day that you currently fill automatically. The queue at the shop. The few minutes before a meeting starts. The walk from your desk to the kitchen. Leave it empty.</p><p>Don&#8217;t reach for the phone. Don&#8217;t put a podcast on. Don&#8217;t try to make the time useful. Just be where you are, with nothing to engage with, for however long the gap lasts.</p><p>The first few times it will feel like nothing is happening. That&#8217;s fine. The transition is uncomfortable and takes a few minutes to pass. Wait it out.</p><p>Do it for a week and notice what arrives. Not always something remarkable. Sometimes nothing at all. But sometimes something you&#8217;d been meaning to remember, something your body has been trying to tell you, something that only surfaces when you stop drowning it out.</p><p>Chiang&#8217;s narrator, near the end of <em>Exhalation</em>, addresses whoever might one day find the story: you are alive right now, in a moment that exists and will not come back. That isn&#8217;t a weight to carry. It&#8217;s just a fact worth occasionally sitting with.</p><p>The phone makes it possible to never sit with it. Boredom makes it unavoidable.</p><p>That&#8217;s not a bug. 
That&#8217;s the whole point.</p>]]></content:encoded></item></channel></rss>