News
29 Apr 2026, 12:38
rsETH Exploit Rocks Aave: DeFi is Strengthening

KelpDAO rsETH exploit hit Aave, resulting in 17 billion dollars in deposit losses. Standard Chartered report says DeFi is not fragile, it will strengthen. AAVE price at 95.35 USD, strong support at...
29 Apr 2026, 12:30
Litecoin’s MWEB Bug Let An Attacker Create 85,034 LTC

Litecoin developers have disclosed that a critical validation flaw in the network’s Mimblewimble Extension Block implementation allowed an attacker to create an inflated pegout of 85,034.47285734 LTC in March 2026, before a coordinated emergency response recovered the funds and neutralized the accounting imbalance. The incident, detailed in a postmortem published by Litecoin developer David Burkett on April 28, also set the stage for a second April event in which a later exploit attempt triggered a denial-of-service failure mode, disrupted upgraded mining nodes, and led to a 13-block invalid chain being reorged out.

A Critical Litecoin MWEB Validation Failure

According to the postmortem, the root issue was a missing validation check in Litecoin’s MWEB block connection path. MWEB inputs are supposed to reference previous MWEB outputs, while carrying metadata used by balance and spend validation logic. That metadata must match the actual MWEB UTXO being spent. In normal mempool and block construction paths, that check existed. But it was not fully enforced during block connection. That gap allowed a malicious block producer to include an MWEB input whose supplied metadata did not match the real UTXO, making a small input appear capable of supporting a much larger pegout.

“The intended rule is simple: when an MWEB input spends a previous output, the metadata supplied by the input must match the actual MWEB UTXO identified by the input’s output ID,” the postmortem states. “That check existed in some paths, including normal mempool and block construction paths. But it was not fully enforced in the block connection path.”

The exploit occurred at block height 3,073,882. The attacker used an MWEB input with an actual value described as unknown, but “not more than 1.2084693 LTC,” while using fake commitment data to generate a pegout of 85,034.47285734 LTC. The inflated funds were initially sent to a transparent Litecoin address and later split into three transparent-chain outpoints. Because exploitation required bypassing normal transaction relay and block-building checks, the attacker needed to mine a block or control a miner willing to include malformed MWEB data.

Miner Coordination, Frozen Outputs And Recovery

Once developers identified the vulnerability and confirmed it had already been exploited, they coordinated privately with major mining pools. The aim was to prevent further exploit blocks without immediately alerting the actor before the inflated outputs could be contained. Litecoin Core 0.21.5 and 0.21.5.1 were deployed as emergency miner-focused releases. The latter added a historical exception for the already-accepted exploit block and temporarily rejected spends of the three attacker-controlled transparent outputs.

The attacker later attempted to spend at least one frozen output, but upgraded miners rejected the transaction. Developers then contacted the actor, who agreed to sign a recovery transaction returning the funds except for an 850 LTC bounty.

“The actor later signed a recovery transaction,” the postmortem says. “That transaction paid: 84,184.47278630 LTC total to the recovery address, split across two outputs. 850.00000000 LTC to an address controlled by the actor as the agreed bounty.”

The postmortem adds that Charlie purchased 850 LTC to cover the bounty gap. The full 85,034.47285734 LTC was then pegged back into MWEB at block height 3,078,098, and the resulting MWEB output was frozen. This was designed to restore MWEB’s internal supply balance while ensuring the rebalancing output could not be spent.

Litecoin developers said no confirmed user funds were ultimately lost in the March incident. Still, the response required emergency miner coordination, staged releases and special-case handling of historical exploit data.
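
The rule quoted from the postmortem, as an added toy model in C++ (not code from Litecoin Core or from the postmortem): one shared check compares the metadata an input supplies with the UTXO its output ID names, and the block-connection path is shown with and without that check. All type and function names are hypothetical, plain integer amounts stand in for MWEB commitments, and the sample amounts reuse the figures quoted in the article.

```cpp
// Toy model of the rule in the postmortem; not Litecoin Core code.
// All names are hypothetical; integer amounts stand in for MWEB commitments.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Amount = int64_t;                         // litoshis (1 LTC = 100,000,000)
using UtxoSet = std::map<std::string, Amount>;  // output ID -> amount bound by the real output

struct Input {
    std::string output_id;  // previous MWEB output being spent
    Amount supplied;        // metadata carried by the input, used by balance validation
};
struct Block {
    std::vector<Input> inputs;
    Amount pegout = 0;      // amount leaving MWEB for the transparent chain
};

enum class Result { OK, MISSING_UTXO, METADATA_MISMATCH, UNBALANCED };

// Intended rule: supplied metadata must match the UTXO named by the output ID.
Result CheckInputsMatchUtxos(const UtxoSet& utxos, const Block& b) {
    for (const Input& in : b.inputs) {
        auto it = utxos.find(in.output_id);
        if (it == utxos.end()) return Result::MISSING_UTXO;
        if (it->second != in.supplied) return Result::METADATA_MISMATCH;
    }
    return Result::OK;
}

// Balance validation only sees what the inputs claim.
Result CheckBalance(const Block& b) {
    Amount in_sum = 0;
    for (const Input& in : b.inputs) in_sum += in.supplied;
    return in_sum == b.pegout ? Result::OK : Result::UNBALANCED;
}

// Mempool / block construction path: both checks run.
Result AcceptToMempool(const UtxoSet& utxos, const Block& b) {
    Result r = CheckInputsMatchUtxos(utxos, b);
    return r == Result::OK ? CheckBalance(b) : r;
}

// Block connection with the gap: the output must exist, but the match is not enforced.
Result ConnectBlockBefore(const UtxoSet& utxos, const Block& b) {
    for (const Input& in : b.inputs)
        if (utxos.count(in.output_id) == 0) return Result::MISSING_UTXO;
    return CheckBalance(b);
}

// Hardened block connection: the same shared check as the mempool path.
Result ConnectBlockAfter(const UtxoSet& utxos, const Block& b) {
    Result r = CheckInputsMatchUtxos(utxos, b);
    return r == Result::OK ? CheckBalance(b) : r;
}

// Constructed sample data built from the figures quoted in the article.
Block MakeBlock(Amount supplied, Amount pegout) {
    Block b;
    b.inputs.push_back(Input{"out-1", supplied});
    b.pegout = pegout;
    return b;
}
UtxoSet SampleUtxos() { return UtxoSet{{"out-1", 120846930}}; }  // 1.2084693 LTC upper bound
Block MismatchedBlock() { return MakeBlock(8503447285734, 8503447285734); }  // 85,034.47285734 LTC
Block HonestBlock() { return MakeBlock(120846930, 120846930); }

int main() {
    UtxoSet utxos = SampleUtxos();
    std::cout << "mempool path, mismatched:   " << static_cast<int>(AcceptToMempool(utxos, MismatchedBlock())) << "\n";
    std::cout << "connect (gap), mismatched:  " << static_cast<int>(ConnectBlockBefore(utxos, MismatchedBlock())) << "\n";
    std::cout << "connect (hardened), same:   " << static_cast<int>(ConnectBlockAfter(utxos, MismatchedBlock())) << "\n";
    return 0;
}
```

Routing every acceptance path through one shared check is what keeps the mempool and block-connection rules from drifting apart in this model.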
April Attempt Triggered A 13-Block Invalid Chain

The second incident began on April 25 at block height 3,095,931, when another actor attempted to use the same original exploit path. Upgraded nodes rejected the malformed MWEB data, but the rejection exposed a separate mutated-block handling issue.

The postmortem explains that some serialized MWEB body data could be mutated without changing the canonical Litecoin block hash. When an upgraded node received such a mutated MWEB block over peer-to-peer channels, it could fail while applying the MWEB body, classify the failure as “BLOCK_MUTATED,” and retain the bad serialized data for that block hash. That could interfere with later valid block processing and mining RPC flows such as submitblock.

“During the April incident, this caused upgraded mining nodes to reject the bad block but also become unable to continue normal mining operations quickly enough,” the postmortem states. “Unupgraded miners, which did not enforce the MWEB fix, continued extending the invalid chain until upgraded miners coordinated and overtook it.”

The invalid chain ran through block height 3,095,943, producing 13 bad blocks in total before the valid chain overtook it. Litecoin developers emphasized that this was not a rollback of valid Litecoin history, but a reorg of an invalid chain produced by miners that had not upgraded or had not fully enforced the MWEB validation rules.

Third-Party Losses Remain A Key Open Issue

While the March exploit was recovered internally, the April reorg affected some external infrastructure. The postmortem says NEAR Intents processed a swap of 11,000 LTC for 7.78814476 BTC before those LTC were removed from the valid chain, resulting in what Litecoin described as a “large loss” for NEAR Intents. THORChain was also affected, with an attacker swapping 10 LTC for 0.00719957 BTC before the reorg invalidated the Litecoin side of the transaction. Other attempted swaps were reportedly prevented in time, but exact third-party transaction IDs and final loss amounts were still being collected.

Litecoin Core 0.21.5.4 was released on April 25 to address the mutated-block DoS failure mode by erasing stored block data for blocks classified as mutated, allowing valid data for the same block hash to be accepted later. Users, miners, exchanges and services were urged to upgrade to Litecoin Core 0.21.5.4 or later and verify that nodes are syncing normally.

At press time, LTC traded at $55.95.
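
The mutated-block failure mode and the 0.21.5.4 mitigation described above, as an added toy model in C++ (not code from Litecoin Core or the postmortem). The names, the `len:payload` body format and the assumption that data already stored for a hash is reused instead of the newly received copy are all hypothetical simplifications; the sample blocks are constructed.

```cpp
// Toy model of the mutated-block failure mode; not Litecoin Core code.
// Names, the "len:payload" body format and the reuse-stored-data behaviour are assumptions.
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

enum class Status { ACCEPTED, BLOCK_MUTATED };

struct Block {
    std::string hash;  // canonical block hash; does not cover the serialized body in this model
    std::string body;  // serialized extension-block body, "len:payload"
};

// Stand-in for applying the body: succeeds only if the declared length is correct.
bool ApplyBody(const std::string& body) {
    std::size_t colon = body.find(':');
    if (colon == std::string::npos || colon == 0) return false;
    std::size_t declared = 0;
    for (std::size_t i = 0; i < colon; ++i) {
        if (body[i] < '0' || body[i] > '9') return false;
        declared = declared * 10 + static_cast<std::size_t>(body[i] - '0');
    }
    return body.size() - colon - 1 == declared;
}

class Node {
public:
    explicit Node(bool erase_mutated) : erase_mutated_(erase_mutated) {}

    Status ProcessBlock(const Block& b) {
        // emplace keeps an existing entry, so data already stored for this hash
        // wins over the copy that was just received.
        auto res = stored_.emplace(b.hash, b.body);
        if (!ApplyBody(res.first->second)) {
            // Mitigation: drop the bad bytes so a valid copy can be stored later.
            if (erase_mutated_) stored_.erase(res.first);
            return Status::BLOCK_MUTATED;
        }
        return Status::ACCEPTED;
    }
    bool HasData(const std::string& hash) const { return stored_.count(hash) != 0; }

private:
    bool erase_mutated_;
    std::map<std::string, std::string> stored_;  // block hash -> serialized body
};

// Constructed scenario: a mutated copy arrives first, then the valid block with the same hash.
Status ValidAfterMutated(bool erase_mutated) {
    Node node(erase_mutated);
    node.ProcessBlock({"hash-A", "5:helloXX"});        // body mutated, hash unchanged
    return node.ProcessBlock({"hash-A", "5:hello"});   // valid data for the same hash
}

int main() {
    std::cout << "retain mutated data: valid block "
              << (ValidAfterMutated(false) == Status::ACCEPTED ? "accepted" : "rejected") << "\n";
    std::cout << "erase mutated data:  valid block "
              << (ValidAfterMutated(true) == Status::ACCEPTED ? "accepted" : "rejected") << "\n";
    return 0;
}
```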
29 Apr 2026, 12:19
Polymarket dismisses 'nonsense' claims of data breach by dark web seller

Polymarket has dismissed claims of a massive data breach by a dark web seller, calling the reports “nonsense.” The threat actor using the handle “xorcat” claimed to have leaked a database affecting over 300K records and an Exploit Kit, containing roughly 1GB of records (names, pseudonyms, and wallet addresses).

The attacker, who claimed to leak Polymarket’s data on a popular cybercrime forum, explained that the data was extracted via undocumented API endpoints, a pagination bypass, and a CORS misconfiguration in Polymarket’s Gamma and CLOB APIs. The pack also included an auto-dump script and working POCs for multiple CVEs.

Specifically, the pulled data included 10,000 unique user profiles with full PII (name, pseudonym, bio, profile image, proxy wallet, and base address), and over 4,111 comments with attached profile objects. The attacker also provided proof-of-concept scripts and alleged that the data included 1,000 report records containing 58 unique ETH addresses and an admin_auth_addr indicator, as well as over 48,000 gamma markets with full metadata, condition IDs, and token IDs.

Additionally, there were over 250,000 active CLOB markets with FPMM addresses, and over 292 events with submitter/resolver ETH addresses and internal usernames. The leak also included 100 reward configurations with USDC contract addresses and daily rates, 9,000 follower profiles (with names, pseudonyms, and proxy wallets), and internal user IDs exposed in createdBy/updatedBy fields.

Polymarket breach poses a national security threat

Polymarket is at the center of a major integrity scandal that poses a different kind of breach–one of national security status. The DOJ and the CFTC are using the recent breach as a primary example of why prediction markets need stricter oversight, arguing that they can incentivize the leakage of classified intelligence for profit. That exposes traders–including high-profile political figures–to targeted phishing or harassment.

These claims follow a pattern of confirmed cybersecurity failures that have shaken user confidence over the past six months. Attackers in the February 2026 API/Bot manipulation exploited a design flaw in Polymarket’s order system, and engineered “nonces” to cancel on-chain trades while keeping off-chain records valid. That caused bots to incur massive losses based on erroneous API reports.

Polymarket also confirmed another third-party authentication breach in December 2025. The breach was linked to a vulnerability in a third-party login tool (reportedly Magic Labs), which allowed attackers to drain funds even from accounts with 2FA enabled. Another phishing attack in November 2025 on Polymarket’s comment section led to over $500,000 in user losses.

Regulators shift to active prohibition as prediction market volume grows

Regulators are shifting from passive observation to active prohibition as prediction markets grow in volume. The Brazilian government blocked 27 platforms in April 2026 (including Kalshi and Polymarket), citing concerns over household debt and consumer protection. Authorities in Romania and Portugal also blocked specific political contracts recently to prevent speculative betting on elections.

Meanwhile, Polymarket has adopted more stringent internal rules as of March 2026. The rules explicitly bar trades based on stolen information or “insider” knowledge of geopolitical events. Polymarket also entered into a Regulatory Services Agreement with the National Futures Association (NFA) to implement real-time surveillance. The move signaled a shift toward mainstream financial compliance.

Regulators have also closely examined high-profile trades, such as the $32,000 bet on the capture of Nicolás Maduro, which yielded a $436,000 profit just before official news broke in January 2026. The White House and various agencies have since warned against trading on non-public information related to geopolitical conflicts, such as the U.S.-Iran war.

On the other hand, Bernstein analyst Gautam Chhugani expects increased regulatory clarity at the federal level to boost the growth of prediction markets. He estimates that total prediction market volume will reach $240 billion in 2026 (+370% from last year). Chhugani also projects that the prediction market trading volume will reach $1 trillion a year by the start of the next decade at a compound annual growth rate of roughly 80% between 2025 and 2030. The makeup of traded contracts is also likely to change.
29 Apr 2026, 11:19
Zondacrypto client data end up for sale on the darknet

Customer data from the failed exchange Zondacrypto, one of the largest in Poland and the region, has reportedly ended up on the darknet. News of the leak comes after the platform halted withdrawals amid liquidity issues, followed by the suspected disappearance of its chief executive.

Zondacrypto client information sold for cheap to fraudsters

Personal details of traders on Zondacrypto, a major exchange on the Polish market, can now be purchased for a few hundred euros on the darknet, according to local reports. The leak from the coin trading platform’s customer database, which is yet to be officially confirmed, adds to the troubles with the Estonia-registered crypto service provider.

Zonda’s website has been down for days, and when it’s back online, logging into accounts has been next to impossible, as per the leading Polish crypto news portal, Bitcoin.pl. That’s after the exchange stopped processing client transactions earlier this month, most notably withdrawals, following media revelations that its reserves had been almost fully depleted.

User data has now been put up for sale, news articles and social media posts claim. Rafał Łapać, a Polish game developer and crypto enthusiast, recently took to X to unveil: “I received information from a trusted person working in cybersecurity: Zonda’s customer database has already ended up on the darknet.”

Two sets of information have been offered, he added. The smaller, cheaper package, which includes email addresses and other basic identification data, can be bought for as little as 550 euros. The larger and more expensive file contains much more, including scans of ID documents, verification selfies, login histories, and wallet addresses. Its price is approximately 0.6 BTC.

The comprehensive set can be a desired tool for cybercriminals, who can use it to impersonate people and commit serious financial fraud, experts in the field say. The information can be employed to open bank accounts, take out loans, or sign contracts without the victims’ knowledge, they elaborated, listing the potential consequences.

Zonda users advised to do what they can to protect their data

If the reported security breach proves real, Zondacrypto customers can still take certain measures to prevent further damage. One option is to block their PESEL number, the unique identification code issued to Poles, which features basic personal info such as date of birth and gender. This can be done quickly and free of charge through mObywatel, the app that allows citizens and residents of Poland to securely store identity documents in digital format and access government services through their mobile devices.

On Wednesday, Bitcoin.pl also advised readers who traded on the troubled exchange to change their passwords for all services for which they used the Zonda login details, and to enable two-factor authentication. The website also urged crypto investors to be wary of offers for recovery of lost funds, as these may be merely attempts to steal what’s left of their money.

Clients of the Polish-rooted platform, which operates under an Estonian license, can also apply for state compensation in both countries, the financial news outlet Bankier.pl reported last week. According to law enforcement authorities, some 30,000 people may have been affected by the collapse of the exchange, with their losses exceeding 350 million złoty (over $95 million).

Zondacrypto saga continues to unfold

The problems at Zondacrypto started after media reports quoted an analysis by the market intelligence firm Recoveris showing that the platform had lost over 99% of its reserves. While rejecting claims the exchange is on the brink of insolvency, its CEO Przemysław Kral admitted the company did not have access to a wallet with 4,500 BTC, worth over $330 million. He blamed the founder, Sylwester Suszek, for never handing over the key before he went missing in 2022.

Zonda is also at the heart of a major political conflict in Warsaw between the government led by Prime Minister Donald Tusk and President Karol Nawrocki. They are clashing over the future of cryptocurrency regulation in Poland, which is yet to implement the EU’s Markets in Crypto Assets (MiCA) rules.
29 Apr 2026, 11:10
Aftermath Finance Exploit: Sui DEX Halts Operations After Critical Security Breach

The decentralized exchange (DEX) Aftermath Finance, built on the Sui (SUI) network, has temporarily suspended all operations after identifying a security exploit. The project announced the suspension on its official X account, stating that the team is actively investigating the issue with its main security partners. This precautionary measure aims to minimize the potential impact on user funds. The exploit was isolated to its perpetual futures (PERP) section.

Aftermath Finance Exploit: Immediate Response and Investigation

The Aftermath Finance exploit triggered an immediate response from the development team. Within hours of discovering the vulnerability, the DEX paused all trading and withdrawal functions. The team emphasized that the suspension is a temporary measure. They are working closely with leading blockchain security firms to analyze the breach. Early reports suggest that the exploit targeted a specific vulnerability in the PERP smart contract. The team has not yet disclosed the total value locked (TVL) affected or the number of user accounts impacted.

This incident highlights the persistent risks within decentralized finance (DeFi). Even established platforms on high-performance networks like Sui are not immune to attacks. The Aftermath Finance security team is conducting a thorough forensic audit. They aim to identify the root cause and prevent future occurrences. Users are advised to remain patient and avoid interacting with the platform until further notice.

Understanding the Sui DEX Hack: Technical Details

The Sui DEX hack appears to have exploited a logic flaw in the perpetual futures trading engine. Perpetual futures are derivative contracts that allow traders to speculate on asset prices without an expiry date. They require complex smart contract logic to manage leverage, funding rates, and liquidations. A bug in this logic can allow an attacker to manipulate prices or drain funds.

Security experts suggest that the attacker may have used a flash loan attack. Flash loans allow borrowing large sums of crypto without collateral, as long as the loan is repaid within the same transaction. Combined with the smart contract flaw, this could enable the attacker to drain the PERP liquidity pool. The Aftermath Finance team has not confirmed this theory. However, it is a common vector in DeFi exploits.

Key technical aspects of the incident include:

- Isolated vulnerability: The exploit only affected the perpetual futures section, not other parts of the DEX.
- Immediate pause: The team halted all operations within minutes of detecting the anomaly.
- Security partners: Multiple unnamed security firms are assisting in the investigation.
- User funds: The team claims all measures are taken to minimize impact on user funds.

Impact on Sui Network and DeFi Ecosystem

The Aftermath Finance exploit has broader implications for the Sui network. Sui is a Layer-1 blockchain designed for high throughput and low latency. It has attracted several DeFi projects due to its performance. However, security incidents can erode user confidence in the entire ecosystem.

Aftermath Finance is one of the leading DEXs on Sui. Its temporary shutdown reduces liquidity options for traders. This could lead to higher slippage and reduced trading activity on the network. Other Sui-based projects may face increased scrutiny from users and investors. The Aftermath Finance suspension serves as a reminder that security audits are not foolproof. Continuous monitoring and rapid response are critical.

Market reaction has been muted so far. The SUI token price has not experienced significant volatility. This suggests that the exploit may have been contained before causing widespread damage. However, the full financial impact remains unclear. The team has promised a detailed post-mortem report once the investigation concludes.

Lessons from the Aftermath Finance Security Breach

Every Aftermath Finance security incident teaches valuable lessons to the DeFi community. First, perpetual futures platforms require rigorous testing. Their complex logic makes them a prime target for attackers. Second, rapid response protocols are essential. Aftermath Finance’s quick pause likely prevented a larger loss.

Third, transparency builds trust. The team’s immediate public announcement, even without full details, is a positive step. Users appreciate honesty during crises. Fourth, diversification of security partners is wise. Relying on a single auditor can create blind spots.

Key takeaways for DeFi projects include:

- Conduct multiple independent audits for complex smart contracts.
- Implement real-time monitoring systems to detect anomalies.
- Maintain a clear communication channel with users during incidents.
- Have a pre-defined emergency response plan, including contract pause mechanisms.

Aftermath Finance Suspension: Timeline of Events

Understanding the timeline helps contextualize the Aftermath Finance suspension. The exploit was first detected by the team’s internal monitoring systems. Within minutes, the decision was made to pause all operations. The official X announcement followed shortly after.

As of now, the investigation is ongoing. The team has not provided an estimated timeline for resuming operations. They have assured users that updates will be shared as soon as they become available. The community is watching closely for the post-mortem report.

This timeline underscores the importance of preparedness. Aftermath Finance had a response plan in place. This allowed them to act swiftly. Other projects should take note and develop similar protocols.

Expert Analysis on the Sui Network DeFi Exploit

Security experts have weighed in on the Sui network DeFi exploit. Many emphasize that the Sui blockchain itself is not compromised. The vulnerability lies in the application layer. This is a common pattern in DeFi hacks. The underlying blockchain remains secure, but smart contracts built on top can have flaws.

One expert noted that perpetual futures platforms are particularly challenging to secure. They involve multiple moving parts, including oracles for price feeds, funding rate calculations, and liquidation engines. A bug in any of these components can be exploited.

Another expert highlighted the importance of bug bounty programs. These incentivize white-hat hackers to find vulnerabilities before malicious actors do. Aftermath Finance had a bug bounty program, but it did not catch this exploit. This suggests the need for more comprehensive testing methodologies.

The Aftermath Finance exploit is a stark reminder that DeFi security is an ongoing process. No platform can claim to be 100% secure. Continuous improvement and vigilance are necessary.

Conclusion

The Aftermath Finance exploit on the Sui network has forced the DEX to suspend operations. The team is investigating the breach with security partners. The exploit was isolated to the perpetual futures section. Users are advised to wait for official updates.

This incident highlights the critical importance of smart contract security in DeFi. It also demonstrates the value of rapid response and transparent communication. The Aftermath Finance team’s actions will likely set a precedent for how future exploits are handled. The broader Sui ecosystem will be watching closely as the investigation unfolds.

FAQs

Q1: What is the Aftermath Finance exploit?
A: The Aftermath Finance exploit is a security breach on the Sui-based DEX that targeted its perpetual futures section, forcing the platform to suspend all operations temporarily.

Q2: Are my funds safe after the Aftermath Finance hack?
A: The team has stated that all measures are being taken to minimize the impact on user funds. However, the full extent of the damage is still under investigation.

Q3: How long will Aftermath Finance be suspended?
A: The team has not provided a specific timeline. Operations will resume only after the investigation is complete and the vulnerability is patched.

Q4: Was the Sui blockchain itself hacked?
A: No. The exploit was isolated to the Aftermath Finance smart contract. The Sui network remains secure.

Q5: What should I do if I have funds on Aftermath Finance?
A: Do not interact with the platform until official updates are provided. Monitor the project’s official X account for announcements.

This post Aftermath Finance Exploit: Sui DEX Halts Operations After Critical Security Breach first appeared on BitcoinWorld.
29 Apr 2026, 10:55
Kyberswap Exploiter Moves 2,900 ETH to Tornado Cash Two Years After $65M Heist

Andean Medjedovic, the Canadian national charged by the U.S. Department of Justice for stealing $65 million across two decentralized finance (DeFi) exploits, moved 2,900 ETH worth $6.8 million to Tornado Cash on Wednesday.

Key Takeaways:

- Andean Medjedovic moved 2,900 ETH worth $6.8 million to Tornado Cash on April 29, 2026.
- The DOJ charged Medjedovic






































