Burn Notice #2
A $76M Paper Mint, 86 Drained Safes, and a 43-Day Dwell Time
Two admin-style compromises this week, neither caused by a contract bug. Echo Protocol on Monad got mint-attacked for $76.7M on paper because its admin key carried no timelock and signed whatever the holder told it to sign. The SquidRouterModule, a third-party Gnosis Safe module, drained 86 Safes for around $3M in roughly two hours. In both incidents the contracts ran exactly as written, with the layer around them taking the entire loss.
In today’s issue.
Echo Protocol’s $76.7M paper mint on Monad, held to ~$816K actual loss only by shallow chain liquidity
86 Gnosis Safes drained for ~$3M via a third-party SquidRouterModule on Ethereum and Base
KelpDAO rsETH recovery closes; LayerZero post-mortem traces the breach to a March 6 developer compromise
Need to Know
Two of this week’s biggest losses came from configurations around the contract, not from the contract code itself, and the pattern is now consistent enough across 2026 to call the layer above the contract the load-bearing one. Echo Protocol on Monad ran the third headline DeFi incident of the year where a privileged action executed before any monitor could fire, and the SquidRouterModule drains turned 86 Safes into an unaudited co-signer arrangement that nobody on the affected operations teams could fully describe. LayerZero’s full forensic post-mortem on KelpDAO, also published this week, pushed the start date of that incident back to early March and pointed at the same upstream attack surface that Socket’s TrapDoor disclosure describes in technical detail.
The question every security lead should be carrying this week is which contracts in their own stack would behave exactly as designed if the key signing them, or the module attached to them, had been compromised six weeks ago.
—Adrian
The Big One. Echo Protocol’s $76M Paper Mint on Monad
The news. On May 18, 2026, an attacker used a compromised admin key on Echo Protocol’s Monad deployment to mint 1,000 unauthorised eBTC tokens with a paper value of approximately $76.7M. Actual extracted value was ~$816K because Monad’s lending markets did not have the depth to convert the minted supply into real on-chain proceeds. Echo regained control of the admin key the same day and burnt the remaining 955 eBTC the attacker had not yet moved.
What broke and how. The eBTC contract worked exactly as written. The root cause was operational rather than technical. The admin role was secured by a single signature with no timelock, no minting supply cap, and no rate limit. The attacker granted their own wallet minting privileges, deposited 45 eBTC into Curvance as collateral, borrowed 11.29 WBTC (~$867,700), bridged the WBTC to Ethereum, swapped to ETH, and routed approximately 385 ETH through Tornado Cash. Curvance, on the receiving side, did not run a supply sanity check against the freshly minted collateral.
Why it kept happening. This is the third headline DeFi incident of 2026 with the same architectural choice at the centre, a privileged action that executes the moment the key signs it, with no window for monitors to fire or for signers to rotate. Drift’s $285M loss was a 2-of-5 multisig with zero timelock. KelpDAO’s $292M loss was a 1-of-1 DVN, structurally equivalent to a 1-of-1 multisig. Echo’s eBTC contract continued the pattern, with a single key holding mint authority. The only reason Echo did not match Drift and KelpDAO on headline loss is that Monad did not have the liquidity to absorb the trade.
What to check now.
Inventory every privileged contract action in your stack and confirm whether each one can be executed by a single signature with no timelock between sign and effect.
For any minting function, add a per-block or per-day supply cap that cannot be bypassed by the same key that holds mint authority.
For any protocol that accepts another protocol’s tokens as collateral, add a supply-sanity check that compares delta-supply against an expected band before allowing borrows against freshly minted units.
Move admin keys for any minting or vault contract off any machine that also handles email, code, or web browsing.
Audit the lending markets that accept your tokens as collateral, since their missing sanity checks become your protocol’s tail risk in any minting-key compromise.
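As an added illustration of the first two checks above (this is example code, not Echo Protocol’s contract, and not a drop-in for any production token): a minimal Solidity token where mint authority is capped per rolling window by a value the minter cannot raise, and where a new minter only becomes active after a queued delay that a monitor can alert on. Every contract, function and constant name here is this example’s own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not Echo Protocol's code. The minter key is bounded by a
// per-window cap it cannot raise, and a new minter only becomes active after a
// delay, so a compromised key can neither mint the whole supply nor quietly
// grant itself power. Every contract, function and constant name is this example's own.
contract RateLimitedToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public immutable governance; // assumed timelock/multisig, never a hot key
    uint256 public constant WINDOW = 1 days;
    uint256 public immutable windowCap;  // max units mintable per WINDOW, fixed at deploy
    uint256 public windowStart;
    uint256 public mintedInWindow;
    // Minter grants are queued first and only become active after GRANT_DELAY.
    uint256 public constant GRANT_DELAY = 2 days;
    mapping(address => bool) public isMinter;
    mapping(address => uint256) public minterActivationTime;
    event MinterQueued(address indexed account, uint256 activatesAt);
    event MinterActivated(address indexed account);
    event Mint(address indexed to, uint256 amount);
    constructor(address _governance, uint256 _windowCap) {
        governance = _governance;
        windowCap = _windowCap;
        windowStart = block.timestamp;
    }
    // Step 1 of a grant: queue it. The event is what an off-chain monitor alerts on.
    function queueMinter(address account) external {
        require(msg.sender == governance, "not governance");
        uint256 activatesAt = block.timestamp + GRANT_DELAY;
        minterActivationTime[account] = activatesAt;
        emit MinterQueued(account, activatesAt);
    }
    // Step 2: anyone may activate once the delay has passed. That delay is the
    // window in which a compromised governance signer can be rotated out.
    function activateMinter(address account) external {
        uint256 at = minterActivationTime[account];
        require(at != 0 && block.timestamp >= at, "grant not ready");
        delete minterActivationTime[account];
        isMinter[account] = true;
        emit MinterActivated(account);
    }

    // Revocation is immediate and also cancels a pending grant.
    function revokeMinter(address account) external {
        require(msg.sender == governance, "not governance");
        isMinter[account] = false;
        delete minterActivationTime[account];
    }

    function mint(address to, uint256 amount) external {
        require(isMinter[msg.sender], "not minter");
        if (block.timestamp >= windowStart + WINDOW) { // open a fresh window
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= windowCap, "window cap exceeded");
        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Mint(to, amount);
    }
}
```

The cap bounds what any single compromised minter can extract per window to windowCap rather than the whole supply, and a MinterQueued event for an address nobody recognises is the alert that fires two days before the grant can do anything.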
Echo’s contract did exactly what it was written to do, and the configuration around it carried the entire loss, which is the same story playing out across 2026’s admin-key incidents. A single admin key with no timelock and no rate limit is what we were calling a single point of failure on multisigs five years ago. The right question for your team this week is whether anything irreversible in your stack can be executed by a single signature before a monitor would have time to fire.
— Adrian
Chain Reaction. 86 Safes Drained Through a Module Each One Had Installed
The news. On May 25, 2026, Blockaid disclosed an ongoing exploit targeting the SquidRouterModule, a third-party Gnosis Safe module deployed on Ethereum and Base. Eighty-six Safes were drained for approximately $3M to $3.2M in roughly two hours, with all stolen tokens swapped into DAI through attacker-controlled Uniswap V3 pools and consolidated into a single wallet holding ~3.07M DAI. New Market Trading, whose per-user Safe accounts were among the victims, accounted for $3.78M in user-side drains per QuillAudits’ analysis, with the same vulnerable contract and attacker EOA as the broader 86-Safe drain.
What broke and how. Per Blockaid, the attacker exploited the module’s executeSameChainActions() function to impersonate authorised delegates and execute swaps from victim Safes without owner signatures. The 86 affected Safes had all previously installed the SquidRouterModule with elevated privileges, and the module functioned as a pre-authorised co-signer with broad scope. Squid moved quickly to clarify that the vulnerable contract was not developed, deployed, or operated by the core Squid team despite the name on Basescan, calling it a third-party module that “independently integrated with protocols like Squid.” Squid’s own users and integrators were not affected.
Why it kept happening. Safe modules are a pre-authorised execution path. The Safe contract enforces ownership and threshold rules on the owners, but once a module is installed those rules do not apply to it, so an installed module functions as an additional co-signer with whatever scope the module’s own code defines. Those Safes trusted that the module’s executeSameChainActions() enforced the authorisation discipline the module operator implied, and that trust assumption did not hold. The same failure class shows up across 2026’s largest incidents under different names, where trust gets delegated to an off-contract layer and the contract has no way to verify the delegated layer behaved correctly.
What to check now.
List every Safe-installed module across every multisig your organisation operates, including individual contributor Safes that hold protocol-side privileges.
For each installed module, confirm whether it is a contract built and operated by your protocol, a contract from a vendor you have a direct relationship with, or a third-party integration whose code your team has not separately reviewed.
Remove any module whose operator your team cannot name or whose code your team has not reviewed against your current threat model.
For modules you keep, scope them as narrowly as the module supports, with per-token allowlists, per-chain restrictions, and per-counterparty allowlists.
Audit the enableModule history of every production Safe, since any module installed during a personnel transition or during an active incident response is high priority for review.
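To make the co-signer point concrete, an added Solidity sketch (not the SquidRouterModule, not Squid’s code, and not Safe’s own code) of what a narrowly scoped module looks like: delegates, tokens, counterparties and a per-transaction size cap are allowlisted per Safe by the Safe itself, and the delegate check binds to msg.sender rather than to a caller-supplied address. The ISafe interface slice and every module name below are this example’s assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slice of the Safe module entry point, assumed here; the real contract
// declares the last parameter as Enum.Operation, which is ABI-encoded as uint8.
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
}

// Added example, not the SquidRouterModule or any Squid code. Once a Safe has
// called enableModule on this contract, it can move anything the Safe holds with
// no owner signature, so the checks below are the only checks that exist.
contract ScopedSwapModule {
    uint8 private constant CALL = 0; // Enum.Operation.Call; a module should never DelegateCall

    // Per-Safe scope. Only the Safe itself (its owners, via a signed Safe tx) can change it.
    mapping(address => mapping(address => bool)) public delegates;           // safe => delegate
    mapping(address => mapping(address => bool)) public tokenAllowed;        // safe => token
    mapping(address => mapping(address => bool)) public counterpartyAllowed; // safe => router
    mapping(address => uint256) public maxPerTx;                             // safe => amount cap

    event DelegateSet(address indexed safe, address indexed delegate, bool allowed);

    modifier onlySafe(address safe) {
        require(msg.sender == safe, "only the Safe may configure its scope");
        _;
    }

    function setDelegate(address safe, address delegate, bool allowed) external onlySafe(safe) {
        delegates[safe][delegate] = allowed;
        emit DelegateSet(safe, delegate, allowed);
    }
    function setToken(address safe, address token, bool allowed) external onlySafe(safe) {
        tokenAllowed[safe][token] = allowed;
    }
    function setCounterparty(address safe, address router, bool allowed) external onlySafe(safe) {
        counterpartyAllowed[safe][router] = allowed;
    }
    function setMaxPerTx(address safe, uint256 amount) external onlySafe(safe) {
        maxPerTx[safe] = amount;
    }

    // The delegate is msg.sender, never a caller-supplied address, so there is no
    // claimed identity to impersonate; token, counterparty and size are all scoped.
    function approveAndSwap(address safe, address token, address router, uint256 amount, bytes calldata swapCalldata)
        external
    {
        require(delegates[safe][msg.sender], "caller is not a delegate of this Safe");
        require(tokenAllowed[safe][token], "token not allowlisted");
        require(counterpartyAllowed[safe][router], "router not allowlisted");
        require(amount <= maxPerTx[safe], "amount above per-tx cap");

        // Approve exactly `amount`, run the swap, then zero the allowance so the
        // router is left holding no standing approval on the Safe's balance.
        bytes memory approveData = abi.encodeWithSignature("approve(address,uint256)", router, amount);
        require(ISafe(safe).execTransactionFromModule(token, 0, approveData, CALL), "approve failed");
        require(ISafe(safe).execTransactionFromModule(router, 0, swapCalldata, CALL), "swap failed");
        bytes memory revokeData = abi.encodeWithSignature("approve(address,uint256)", router, 0);
        require(ISafe(safe).execTransactionFromModule(token, 0, revokeData, CALL), "revoke failed");
    }
}
```

swapCalldata is still opaque to the module, so the counterparty allowlist is what bounds it, which is why that list should hold only routers the team has reviewed. If a module you have installed cannot be described in terms like these four mappings, that is the answer to the checklist item about what it is authorised to do.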
A Safe module is a co-signer that does not ask the owners for permission. If your operations team cannot articulate, from memory and without reading the docs, what every installed module is authorised to do, the module list is your unaudited co-signer list. SquidRouterModule is the version of that question where the answer cost 86 Safes $3M in two hours.
— Adrian
Around the Forums
KelpDAO closes the operational rsETH recovery. KelpDAO transferred the final tranche of 20,373.72 rsETH into LayerZero’s lockbox contract on May 25, closing the operational portion of the recovery from the April 18 bridge exploit. Mints, redemptions, and rewards have been running normally since the May 14 reopening of withdrawals. The Aave side did not recover symmetrically. Aave’s TVL fell from $26.4B to below $14B in the weeks after the exploit and has hovered in the $13.9B to $15.1B band since, with no sign of returning to its pre-incident peak. The DeFi United multi-protocol coalition completing this recovery without a foundation, a regulator, or a centralised actor underwriting the process sets a precedent the industry will keep coming back to when the next bridge fails.
THORChain ADR-028 vote runs, criticism over keeping GG20. THORChain’s recovery proposal for the May 15 vault exploit opened to node-operator voting on May 22, with the protocol absorbing the loss through Protocol-Owned Liquidity, no new RUNE minted, and a 10% bounty offered to the attacker. The contested decision is the choice to keep GG20 in place, patched and upgraded, rather than accelerate the migration to DKLS that Silence Laboratories was already commissioned to deliver in late 2025. Pseudonymous analyst Bird argued that the initial exploit suggests the signing stack has a flaw in randomness generation or local signing isolation and that GG20 carries brittle assumptions that should not be left in production. Choosing to patch a primitive that has now been exploited in production is a defensible operational call only if the patch closes the actual class of flaw, and the technical details of the exploit have still not been publicly released as of the vote opening.
What Else Happened
Polymarket internal-ops wallet, ~$600K POL, May 22. Six-year-old private key compromise in the rewards-payout backend wallet, confirmed by Polymarket developer Josh Stevens. User funds and market resolution untouched, and the affected wallet sat outside the UMA Conditional Tokens Framework adapter contracts. Drain rate was 5,000 POL every 30 seconds across 15 to 16 addresses.
MAP Protocol Butter Bridge V3.1, ~$180K extracted, May 20. Cross-chain bridge contract bug. Per Blockaid, an abi.encodePacked collision across dynamic-bytes fields in the bridge’s retry verification path allowed a forged retry to pass the guard check. The attacker minted 1 quadrillion MAPO (4.8M× the ~208M legitimate supply), dumped roughly 1B fake MAPO into Uniswap, and extracted about $180K. MAP Protocol paused mainnet and announced migration to a new contract.
Solv Protocol BRO reentrancy, May 3 (post-mortem published this week). ERC transfer callback minted BRO tokens before the calling function completed, allowing a recursive mint loop in the BitcoinReserveOffering contract. [rekt.news] Solv has since moved more than $700M in tokenised BTC infrastructure off LayerZero following the KelpDAO fallout.
WUSD.fi / GLOVE incentive abuse, ~$200K, May 25. Sybil attack on WUSD._englove. Each fresh msg.sender wrapping at least 100 WUSD while holding fewer than 2 GLOVE could mint up to 2 GLOVE via Glove.mintCreditless with no sybil resistance. The attacker used EIP-7702 helper contracts and a Morpho USDT flash loan to repeat wrap/unwrap cycles, harvest GLOVE, and dump it into Uniswap V3. [exvulsec on X]
TrapDoor cross-registry supply chain, 34+ packages, May 22 onward. Socket disclosure on May 24 of malicious packages on npm, PyPI, and Crates.io targeting Aptos, Sui, and Solana developer environments. Payloads modify .cursorrules and CLAUDE.md files to weaponise AI coding assistants against the developer. [Socket]
GitHub Actions supply chain compromise of actions-cool/issues-helper. All existing tags moved to a malicious imposter commit that steals CI/CD credentials from GitHub Actions workflows. [The Hacker News] Any crypto org using third-party GitHub Actions should pin to commit SHAs rather than tags and audit their last 30 days of workflow runs.
Nx Console VS Code extension compromised, 2.2M installs. Version 18.95.0 executed a credential-stealing payload on workspace open. Affected users must update to 18.100.0 and rotate every credential the workspace could reach. [The Hacker News]
On the Clock
LayerZero applications running 1-of-1 DVN configurations need to re-pin to a multi-DVN setup before LayerZero Labs’ enforcement deadline catches them. The company has committed to refuse acting as the sole verifier on any channel going forward and has restructured its cloud infrastructure rather than patching it. THORChain v3.18.1 ships vault protections that node operators need in place before any v3.19 restart of trading. [Chain.Buzz]
For any developer in your organisation hit by the three supply-chain compromises covered in What Else Happened (TrapDoor, the Nx Console extension, or the actions-cool/issues-helper Action), treat every credential reachable from that workstation or workflow as compromised pending rotation. Detection times averaged minutes. Exposure windows of minutes have repeatedly been enough to reach deployer keys.
Long Reads
LayerZero Labs KelpDAO Incident Report (PDF). The most important reading of the week if you operate any system whose security depends on infrastructure run by another company. Prepared with Mandiant, CrowdStrike, and zeroShadow, with UNC4899/TraderTraitor attribution. The same DPRK group that hit Safe{Wallet} for $1.5B in February 2025. Worth reading alongside the Chainalysis companion analysis, which frames the exploit as a broken accounting invariant that lived outside the contract.
THORChain Exploit Report #1. The first official post-mortem from THORChain on the May 15 vault drain, including the response timeline and the rationale for the ADR-028 path. Useful both as a model of post-mortem communication and as direct input for any team currently running GG20 in production.
Socket on the TrapDoor crypto stealer supply chain attack. Primary technical breakdown of the cross-registry campaign, including encryption schemes, persistence mechanisms, and the full affected package list. Required reading for anyone running a CI pipeline that installs third-party packages.
The Operator’s Read
The Laptop Is the Attack Surface
Crypto security in 2026 still threat-models the contract and not much else. Audits get spent on contract code, bug bounties pay out on contract bugs, post-mortems start at the transaction hash. Several of the headline losses of recent years have come from somewhere upstream of that transaction hash, on a laptop nobody in security has touched.
From where I sit, that is the gap. Auditing a contract is the “easiest” job in the stack because the contract sits in public, runs deterministically, and gets reviewed by every researcher as long as the project runs a bug bounty program and/or an audit competition.
The developer’s MacBook runs whatever they npm installed on Tuesday, with whatever permissions they were granted in their first week of onboarding, behind whatever antivirus the IT vendor renewed in 2021. The asymmetry of attention is the entire story.
The 2026 receipts are not subtle. Socket disclosed 34+ malicious packages across npm, PyPI, and Crates.io in TrapDoor last week, with payloads that modify .cursorrules and CLAUDE.md files specifically to weaponise the AI coding assistant against the developer who installed them. The Nx Console VS Code extension shipped a credential-stealing payload to 2.2 million developers in version 18.95.0, executed the moment the workspace opened. The Shai-Hulud npm worm hit 314 packages in 22 minutes via one stolen token. The actions-cool/issues-helper GitHub Action moved every existing tag to a malicious commit that scraped CI/CD credentials from every workflow that pinned by tag rather than commit SHA. That is one week. Pick any week in 2026 and the list reads longer.
The shape of the attack has not changed. Get something on the developer’s machine, harvest credentials, pivot. Bybit’s $1.5B February 2025 heist started on a Safe{Wallet} developer’s laptop. LayerZero’s $292M KelpDAO breach this April started on a LayerZero developer’s laptop, with the attacker sitting in the company’s cloud infrastructure for forty-three days before pulling the trigger. Drift’s $285M loss in early 2026 was preceded by six months of social engineering aimed at developer contributors, including in person at industry conferences. Same group in many of these cases, same pattern, larger numbers each time.
If you are working on a crypto org’s threat model and the developer endpoint is not covered, you already know what the next post-mortem will look like.
The threat-modelling fix is unglamorous and not optional. Every developer laptop, every VS Code or Cursor install, every CI runner, every contributor environment is a production endpoint. Each one needs an entry in the threat model that lists what credentials it can reach, what services it can deploy to, what production assets sit one rotation behind its login password. If the answer to “what happens if this laptop is compromised right now” is anything other than “the blast radius is contained to this laptop,” the threat model has a hole and the laptop has too much trust. The action is to walk every contributor environment back to the principle of least privilege the rest of your security program already runs on. Most crypto orgs would be horrified at what a typical engineer can reach with one harvested credential, which is exactly why most crypto orgs need to do this exercise this quarter.
The detection fix is EDR, MDR, or XDR, and the difference between those three and the consumer antivirus your org is probably running is the difference between catching a pivot and reading about it eight weeks later in a Mandiant report. Consumer antivirus catches what attackers stopped using in 2015. EDR watches behaviour, so when the legitimate-looking package opens a reverse shell to an unusual IP three hours after install, something fires. MDR puts humans on the other end of those alerts so they get triaged at 3am instead of next Monday. XDR correlates across endpoints so the same compromised package landing on three contributor laptops shows up as one incident rather than three unread emails. A $50-per-seat EDR subscription is cheaper than every individual line item in the LayerZero post-mortem, and the security team you already employ will be much happier doing the threat-modelling work above if they know they have a chance of catching what slipped through.
The key-custody fix is the one I keep being surprised I have to repeat. Production signing keys belong in a hardware security module or a cloud KMS. AWS KMS, GCP Cloud KMS, Azure Key Vault, Fireblocks, any reputable HSM vendor. The cleartext key never leaves the boundary. The signing operation calls the boundary, the boundary signs, the result comes back. A .env file on a contributor’s MacBook is operational hope dressed up in a filename. The day that laptop is compromised, and statistically it will be, the keys in that .env file have to be treated as fully owned by the attacker from the moment the malware lands. If those keys can move funds or change configuration anywhere in production, the loss is whatever the attacker can move before you notice. Echo Protocol noticed within hours and still lost $816K against a $76.7M paper exposure, with the cap set by chain liquidity rather than by any control Echo had in place. The next protocol that runs the same configuration on a chain with deeper pools will not get the same lucky cap.
Put it bluntly. Crypto orgs in 2026 spend more on contract audits than on the laptops those audits are commissioned from, and the most valuable production credential in your organisation right now is sitting on someone’s MacBook, next to a Slack message from a recruiter on LinkedIn and a VS Code extension that updates itself overnight. The contract you spent six months auditing will keep doing exactly what it was written to do. Whether that ends well for your protocol depends on whether your threat model includes the path from “someone updated Cursor on Tuesday” to “the admin key signed an unauthorised mint on Friday.”
Closing Tab
The next admin-key compromise will land on a chain with deeper liquidity than Monad, or on a Safe{Wallet} with a module nobody on the operations team can name from memory, and the headline number and the actual loss will be the same number, and a higher one.
Adrian Hetman
Burn Notice. Operational intelligence for Web3, every week.