Signing secret in APK enabled forged support tokens. KYC docs, IP addresses, and risk scores exposed for any user.
Feb 25, 2026

A bridge gateway smart contract refunded relayer gas using a flat 16-gas-per-byte estimator, overpaying on every call and amplifiable by appending zero-byte padding to drain ETH from the gateway balance.
Feb 24, 2026

Domain allowlist used substring matching. Attacker domain passed the check, WebView leaked session tokens.
Feb 24, 2026

Timing flaw in login verification bypassed email check entirely. Full recovery phrase and private key extracted in 60 seconds.
Feb 23, 2026

A Web3 quests platform shipped a production blockchain data provider API key in its public Next.js bundle, allowing any unauthenticated visitor to create and delete webhooks on the company's billed third-party account.
Feb 21, 2026

A self-custody wallet provider's production telemetry exposed thousands of Bitcoin extended public keys to the open internet, enabling permanent wallet surveillance.
Feb 21, 2026

Unauthenticated webhook endpoint allowed full-read SSRF. Cloud IMDS accessed via redirect bypass, 14 internal hosts mapped.
Feb 21, 2026

Anonymous role had read/update/delete on 13 tables. 45,372 wallet addresses with trading volumes exposed.
Feb 21, 2026

A P2P trading platform's internal executive dashboard endpoint required no authentication, exposing approximately $30M in crypto reserves, live business metrics, and user personal data.
Feb 21, 2026

Dev server in production exposed 6.1MB database with admin credentials, API tokens, and GitHub PAT.
Feb 21, 2026