Web3 security is entering the age of economic attacks
What happened this month
July 2026 saw continued high incident volume in the Web3 ecosystem, though with generally smaller per-incident losses compared to earlier 2026 peaks. Activity focused on DeFi protocols, with a mix of oracle manipulations, governance attacks, and logic flaws. The month reinforced that exploits increasingly target operational and economic design rather than pure code vulnerabilities.
Emerging security trends
Governance capture as a primary vector
Attackers increasingly treat token accumulation as an economic attack surface rather than hunting for code bugs. The BonkDAO incident (and similar smaller cases like BarnBridge) shows how low-participation DAOs can be overtaken by purchasing voting power to execute legitimate but malicious proposals. This highlights that on-chain governance without strong quorums, timelocks, or delegation safeguards is fundamentally gameable.
Sophisticated oracle & timing manipulation
Oracle-dependent protocols (especially perps and RWAs) face repeated exploitation through timestamp gaming, future-dated reports, and compromised feed components, as seen in the Ostium ~$18-24M drain. Attackers leverage protocol-owned automation tools against the system itself, moving beyond simple price flashloan attacks to more persistent manipulation of data freshness and sequencing.
Shift toward operational & economic design flaws
A growing share of losses stems from logic errors, accounting oversights, auto-approvals, donation attacks, and access control gaps rather than classic smart contract vulnerabilities. This reflects improved code auditing but persistent weaknesses in how protocols handle incentives, permissions, and edge cases at the system level.
Rising focus on post-quantum & long-term resilience
While not tied to a single July incident, industry discussions emphasize preparing for quantum threats to signatures and the need for crypto-agility. Combined with AI-assisted attacks and defenses, this signals a broader maturation toward proactive, future-proof security architectures beyond immediate exploit prevention.
Incident spotlight: BonkDAO (July 6, 2026)
An attacker drained approximately $20-21.3 million worth of BONK tokens from the BonkDAO treasury on Solana’s Realms governance platform. The attacker submitted a seemingly benign proposal (BIP-76), accumulated enough voting power by purchasing BONK tokens, and executed a transfer of treasury funds to a controlled wallet once the proposal passed.
Lessons learned
Implement robust governance safeguards such as higher/variable quorums, mandatory timelocks for treasury actions, and multi-signature or guardian vetoes for large transfers.
Drive consistent voter participation through delegation incentives, clear proposal review processes, and tools that surface suspicious proposals early, low turnout creates easy capture opportunities.
Treat token distribution and economic concentration as core security risks; design DAOs with whale-resistance mechanisms (e.g., voting caps, quadratic voting, or reputation-weighted systems) and regularly stress-test governance under adversarial token-buying scenarios.
Emerging threats
AI & social engineering
AI tools are accelerating targeted campaigns, including voice/video deepfakes for executive impersonation and automated phishing that adapts in real-time. While not the direct cause of July’s biggest incidents, broader ecosystem reports note rising use of AI for credential harvesting and social engineering to compromise developer accounts or wallet seeds, often as the entry point for access-control attacks.
Supply chain security
Package poisoning and dependency compromise remain potent. Malicious npm/Rust crates and CI/CD pipeline attacks continue to surface, enabling stealthy credential theft or backdoors. Attackers target browser wallet extensions and build-time processes, highlighting the fragility of the open-source Web3 software stack.
Infrastructure & key management
Oracle and timing manipulation emerged as a refined technique (e.g., Ostium’s use of future-dated reports via protocol-owned forwarders). Predictable or compromised private keys, broken signature verification, and cloud misconfigurations also persist. Cross-chain systems and bridges stay attractive due to complexity in message verification and asset bridging.
Governance & economic attacks (Rising category)
Newer vectors focus on token-weighted voting capture and proposal manipulation. Low-turnout DAOs with fixed quorums allow attackers to buy temporary majorities cheaply, as demonstrated in July. This shifts threats from code exploits to incentive design flaws.
OPSEC quick tip: Monitor token accumulation around governance proposals
Low-turnout DAOs are vulnerable to “quiet” voting power grabs. Attackers can accumulate tokens over days without triggering alarms, exactly what enabled the BonkDAO incident. Early detection of unusual buying patterns near active proposals can give teams critical reaction time.
Recommended actions
Set up alerts for wallets acquiring >0.5–1% of supply in a short window, especially around open governance proposals.
Monitor Realms (or equivalent) dashboards daily for new proposals and cross-reference with on-chain whale movements.
Use tools like Nansen, Arkham, or custom Dune dashboards to flag exchange-to-DAO wallet flows.
Establish a rapid response protocol: pause executions or trigger community review if anomalous accumulation is detected.
Implementing this low-effort monitoring can prevent the next governance surprise, start today with free on-chain tools.
CypherTalk
Antonio Viggiano on how Monad is using AI for security
This episode explores:
AI-assisted vulnerability discovery and security triage
Protocol fuzzing and invariant testing
Testing blockchain clients vs. smart contracts
Building security tooling inside protocol teams
Why AI-generated reports require strong validation processes
The future of agentic fuzzing and AI-driven security research
Listen here
AI-assisted security with Prof. Arthur Gervais
This episode explores:
How AI is transforming vulnerability discovery
AI-assisted smart contract security
Real-time blockchain exploit detection
The balance between offensive and defensive AI
Why human expertise remains essential in an AI-driven security landscape
Emerging threats from AI-powered social engineering and autonomous agents
Listen here
MetaMarkets
Why the CLARITY act matters
Jan recently spoke with Jacob Robinson, host of the Law of Code podcast, about:
The CLARITY Act
Permissionless innovation
Decentralisation and regulation
The future of crypto compliance
If you’re interested in how regulation is evolving alongside Web3 security, it’s well worth a listen.
Listen here
In the media
CoinDesk - “Crypto’s security nightmare won’t be solved by ordinary audits”
Stefan examines a growing disconnect between what audits evaluate and what attackers exploit. While audits continue to improve code quality, today’s largest losses increasingly stem from compromised private keys, governance attacks, insider compromise, supply-chain vulnerabilities, and operational failures. The piece argues that the industry must evolve beyond audit-centric security models and embrace defense-in-depth strategies that address human and organizational risks.
Read here
Newsweek - “Crypto cybersecurity practices must refocus on human error”
In Newsweek, Stefan highlights how many of crypto’s most damaging incidents originate from simple operational mistakes rather than coding flaws. As AI lowers the cost of phishing and social engineering, human vulnerabilities are becoming increasingly attractive targets. The article argues that security should be treated the same way banks and critical infrastructure providers approach it: as a continuous organisational discipline rather than a one-time review.
Read here
Both articles reach the same conclusion as our latest research.
Oak updates
Introducing TRACE: Threat modelling for modern organisations
Modern organisations no longer operate behind a single security perimeter. Critical infrastructure now spans cloud platforms, third-party providers, contractors, automation, remote teams, and distributed decision-making. Traditional threat modelling frameworks weren’t designed for this environment. That’s why we released TRACE, Oak Security’s open-source threat modelling methodology for distributed, cloud-first organisations.
TRACE helps organisations model
Technical systems
Human decision-making
Organisational structure
Trust relationships
External dependencies
The release includes the complete TRACE methodology and a long-form research paper. TRACE is released under the Creative Commons Attribution 4.0 (CC BY 4.0) licence and is free to use, modify, and build upon.
Explore TRACE
The OpSec academy
Threat modelling is only one part of operational security. We’ve also expanded the Oak OpSec Academy, a growing library of free operational security guides covering device hardening, wallet and key management, infrastructure security, authentication, secure communications, incident response, and physical security. Every guide is free to access and designed to provide practical improvements your team can implement immediately.
Browse the OpSec Academy
Oak security is now a SEAL certification provider
Operational security has become one of the largest sources of loss across Web3. We’re pleased to announce that Oak Security can now perform SEAL Certifications. Unlike traditional smart contract audits, SEAL Certifications evaluate whether protocols can defend against operational threats, detect incidents quickly, and respond effectively when attacks occur. As operational failures increasingly dominate ecosystem losses, security assessments need to evaluate far more than code.
Interested in obtaining a SEAL Certification? Contact us at info@oaksecurity.io or via the contact form.
Stay connected
Looking to strengthen your protocol’s security? Whether you’re interested in security audits, operational security, SEAL Certification, threat modelling, or protocol design, our team is here to help.
Get a quote for your project, schedule a call with our team, follow us on X, and sign up for our newsletter for simplified and curated Web3 security insights.

