What 23,818 audit findings reveal about Web3 security
Support CypherTalk - Help fund Ethereum security education
The DAO Security Fund quadratic funding round is now live, and CypherTalk has been selected as part of the round.
CypherTalk is a public-good podcast focused on:
Ethereum security
Privacy and operational security
Real-world attack analysis
Cryptography and defensive research
Support CypherTalk here.
Why this matters
Security education is one of the most scalable ways to reduce preventable losses across Ethereum.
As attacks become more sophisticated, especially with AI accelerating exploit discovery and phishing operations, improving user and builder awareness becomes increasingly important.
If you hold an Ethereum Security badge, your vote carries even more weight in the round.
Thank you for helping support open security infrastructure for Ethereum.
The state of Web3 security (2022 - Q1 2026)
Oak Security, in collaboration with rekt.news, recently published a four-year empirical analysis covering:
23,818 published audit findings across 22 firms
218 documented exploit incidents
US$7.76 billion in aggregate losses
Key Findings
52% of total losses originated from human-vector attacks rather than smart-contract bugs
Private-key compromise, phishing, and supply-chain attacks now exceed all code-level exploit categories combined
Audit volume tripled between 2022 and 2024, while ecosystem losses showed no corresponding decline
Eight incidents alone accounted for over 50% of aggregate losses
Ethereum and BNB Chain represented 94% of total recorded losses
The report reinforces a growing industry reality:
Web3 security is no longer only a smart-contract auditing problem. Operational security, infrastructure security, governance security, and human-vector defence are increasingly critical.
READ THE FULL REPORT HERE
GPT-5.5 matches Mythos Preview in cybersecurity evaluations
Recent testing conducted by the UK’s AI Security Institute (AISI) suggests that OpenAI’s GPT-5.5 now performs at a similar level to Anthropic’s heavily publicised Mythos Preview model on advanced cybersecurity evaluations.
The findings are significant because Mythos Preview was previously framed as representing an unusually high cyber capability threshold requiring restricted release.
According to AISI’s testing:
GPT-5.5 achieved comparable performance across expert-level cybersecurity tasks
The model successfully completed complex reverse-engineering and exploitation challenges
GPT-5.5 solved one advanced Rust binary disassembly challenge autonomously in just over 10 minutes
GPT-5.5 became one of the first publicly accessible models to partially succeed in AISI’s simulated enterprise attack scenarios
Advanced offensive cybersecurity capabilities are no longer unique to isolated frontier models. They are increasingly emerging as a byproduct of general improvements in reasoning, coding, autonomy, and long-horizon task execution.
Broader Threat Trends (May 2026)
Rapid growth in AI-assisted phishing and social engineering campaigns
Increasing use of autonomous malware agents
Rising security failures across AI pipelines, agents, and integrations
Shrinking patch windows due to accelerated vulnerability discovery
Lower operational barriers for attackers using AI-assisted tooling
The security landscape is rapidly shifting toward AI-accelerated exploitation and defence.
OPSEC tip of the month
Rename your Bluetooth devices and Wi-Fi hotspots
Avoid using:
Real names
Device models
Identifiable labels
Why this matters
Bluetooth and hotspot names are publicly broadcast and easily detected using nearby scanning tools.
This can enable:
Passive identification in public spaces
Correlation of identity with devices
Increased exposure to social engineering
Small change. Real privacy gain.
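A quick way to check whether the names you already broadcast give anything away is to run the output of a nearby scan through a few leak heuristics. The script below is an added example and is not code from CypherTalk or Oak Security; the scan lines are constructed in the format printed by `bluetoothctl devices` ("Device <MAC> <name>"), and the PATTERNS table is a small hypothetical set of heuristics (possessive owner names, Title Case first-and-last names, common device model strings, OS-default hostnames), not an exhaustive classifier.

```python
import re

# Constructed sample in the `bluetoothctl devices` output format.
# Addresses and names are made up for this example.
SAMPLE_SCAN = """\
Device AA:BB:CC:DD:EE:01 Alice's iPhone
Device AA:BB:CC:DD:EE:02 Galaxy S24 Ultra
Device AA:BB:CC:DD:EE:03 DESKTOP-7Q2K9LM
Device AA:BB:CC:DD:EE:04 teapot
Device AA:BB:CC:DD:EE:05 Bob Smith MacBook Pro
Device AA:BB:CC:DD:EE:06 WH-1000XM5
"""

# Hypothetical leak heuristics, checked in this order. Extend to taste.
PATTERNS = {
    # "Alice's ..." or a Title Case first/last name pair
    "owner-name": re.compile(r"\b[A-Z][a-z]+('s|\u2019s)\b|\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
    # well-known product names that identify the hardware you carry
    "device-model": re.compile(
        r"\b(iPhone|iPad|MacBook|Galaxy|Pixel|ThinkPad|Surface|AirPods|WH-\d{4}XM\d)\b",
        re.IGNORECASE,
    ),
    # factory hostnames that fingerprint the OS and never change
    "os-default-hostname": re.compile(r"^(DESKTOP|LAPTOP|android)[-_][0-9A-Z]+$", re.IGNORECASE),
}

DEVICE_LINE = re.compile(r"^Device\s+([0-9A-F:]{17})\s+(.*)$", re.IGNORECASE)


def parse_bluetoothctl_devices(text):
    """Return (mac, name) tuples from `bluetoothctl devices`-style lines."""
    devices = []
    for line in text.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            devices.append((m.group(1), m.group(2)))
    return devices


def name_leaks(name):
    """Return the leak categories a name triggers; an empty list means it looks neutral."""
    return [cat for cat, rx in PATTERNS.items() if rx.search(name)]


def audit_scan(text):
    """Return (mac, name, leaks) for every device in the scan output."""
    return [(mac, name, name_leaks(name)) for mac, name in parse_bluetoothctl_devices(text)]


if __name__ == "__main__":
    for mac, name, leaks in audit_scan(SAMPLE_SCAN):
        status = "OK" if not leaks else "LEAKS " + ", ".join(leaks)
        print(f"{mac}  {name!r:28} {status}")
```

Use `name_leaks()` on a candidate name before you set it: on Linux the advertised Bluetooth name defaults to the hostname (`hostnamectl set-hostname` and `bluetoothctl system-alias` change it), and a NetworkManager hotspot SSID is set with `nmcli device wifi hotspot ssid <name>`. Anything that comes back with an empty list is at least not announcing who you are or what you carry.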
CypherTalk podcast highlights
The state of Web3 security with Diogo Patão from rekt.news
This episode explores the newly released Web3 security reports from Oak Security and rekt.news, alongside broader discussions on:
The rise of AI-assisted attacks
Why human attack vectors now dominate ecosystem losses
Recent large-scale exploits and operational failures
How builders and users can improve security practices
The future of blockchain security research
“AI is here to help us, not just to attack.” LISTEN HERE
Password manager security & applied cryptography with Matilda Backendal
Key discussion points:
End-to-end encryption is often weaker in practice
Cloud systems frequently lack true default encryption
Password managers remain a critical security dependency
Security trade-offs between usability and formal guarantees
Cryptography is constantly shaped, and often weakened, by real-world implementation constraints. LISTEN HERE
Auditing cryptographic protocols with Nadim Kobeissi
Key discussion points:
Limits of formal verification in real-world systems
Responsible disclosure challenges
AI’s role in vulnerability discovery and stockpiling
Emerging post-quantum and AI-augmented threat models
“Claims of formal verification being bug-free are often exaggerated.” LISTEN HERE
DeFi, banking risk & evolving oversight
New episode of MetaMarkets featuring Furkan Danisman
This episode explores whether DeFi lending systems such as Aave can meaningfully compete with traditional banking infrastructure.
Topics discussed include:
Aave V3’s previously reported 0% non-performing loan ratio
How recent incidents challenge assumptions around DeFi resilience
Whether tail-risk events are properly captured in DeFi risk models
Whether markets can self-correct security failures
The growing possibility of stronger regulatory frameworks
LISTEN HERE
Featured Audit - AtomOne v4 (Cosmos SDK L1)
This month, Oak Security audited AtomOne v4, a Cosmos SDK-based Layer 1 forked from the Cosmos Hub.
The review focused on protocol-level upgrades spanning:
Governance systems
Economic mechanisms
Cross-chain infrastructure
READ HERE
Get a quote for your project, schedule a call with our team, follow us on X, and sign up for our newsletter for simplified and curated Web3 security insights.