What April 2026 revealed about crypto security
The State of Web3 Security (2022 – Q1 2026)
A four-year empirical analysis of 23,818 published audit findings across 22 firms and 218 real-world exploit incidents totalling US$7.76 billion in losses.
Produced by Oak Security in collaboration with rekt.news.
Key findings from the report
52% of total losses came from human-vector attacks, not smart contract bugs.
The top 8 incidents accounted for 50.6% of all recorded losses.
Audit volume tripled between 2022 and 2024, but ecosystem-wide losses did not materially decline.
Private-key compromise, phishing, supply-chain compromise, and governance attacks now exceed code-level exploits in financial impact.
Ethereum and BNB Chain accounted for 94% of aggregate losses.
April 2026 marked the worst month for crypto exploits in over a year, but the real signal was how the attacks unfolded.
The primary threats are shifting from conventional smart contract bugs to operational security failures, infrastructure breaches, cross-chain dependencies, and sustained social engineering campaigns. At the same time, the line between nation-state operations and financially motivated crime is becoming harder to draw.
What we’re seeing
Infrastructure and operational security are becoming the primary attack surface
Q1 and April exploit data reveal a clear trend:
Phishing and social engineering campaigns continue to cause larger losses than traditional smart contract exploits.
Bridge infrastructure remains structurally fragile.
Cloud, IAM, validator, RPC, and frontend compromise vectors are increasing.
Attackers are becoming more patient, coordinated, and operationally sophisticated.
For protocols, these developments mean security audits can no longer stop at code review alone.
Drift Protocol (~$285M)
Attackers reportedly spent months building credibility before exploiting oracle and collateral weaknesses linked to whitelisting mechanisms.
Social engineering now rivals smart contract vulnerabilities in severity.
Collateral governance and oracle dependencies remain critical failure points.
Insider-access assumptions require far deeper review.
We are increasingly seeing the following:
Operational trust assumptions becoming the primary exploit path
Attacks designed around protocol processes rather than code alone
Kelp DAO / LayerZero Bridge (~$292M)
Forged cross-chain messages reportedly enabled attackers to spoof bridge activity and trigger cascading liquidity disruptions across integrated systems.
The downstream impact ultimately became larger than the initial exploit itself.
Bridges remain one of the highest-risk areas in Web3.
Cross-chain trust assumptions require adversarial testing.
Protocols increasingly inherit risk from connected ecosystems.
This is especially critical for:
Relayer validation
Oracle dependencies
Governance execution across chains
Emergency response coordination
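The checks a receiving bridge endpoint should apply to every inbound message, as an added example that is not code from LayerZero, Kelp DAO, or this report. The design is hypothetical: it authenticates messages with an HMAC tag under a per-route key shared between relayer and endpoint (real bridges use signatures or light-client proofs, but the same four checks apply), binds the destination chain, sender and nonce under that tag, and rejects wrong-destination, untrusted-sender, tampered and replayed messages before anything executes. Chain ids, addresses and the key are constructed values.

```python
"""Constructed example: layered validation of cross-chain messages at a bridge endpoint.

Hypothetical verifier, not any real bridge's code. The relayer tag is an
HMAC-SHA256 over a canonical encoding of every field the receiver relies on,
so a valid tag cannot be reused with a different payload, nonce, sender or
destination chain.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

SOURCE_CHAIN = 1              # constructed chain ids
DEST_CHAIN = 56
TRUSTED_REMOTE = "0xA11CE"    # constructed address of the whitelisted sender on the source chain


@dataclass
class Message:
    src_chain: int
    dst_chain: int
    sender: str
    nonce: int
    payload: dict
    tag: str = ""

    def signing_bytes(self) -> bytes:
        # Canonical, order-independent encoding of everything the receiver trusts.
        body = {
            "src_chain": self.src_chain,
            "dst_chain": self.dst_chain,
            "sender": self.sender,
            "nonce": self.nonce,
            "payload": self.payload,
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def relayer_sign(msg: Message, key: bytes) -> Message:
    """What an honest relayer does: tag the canonical bytes under the route key."""
    msg.tag = hmac.new(key, msg.signing_bytes(), hashlib.sha256).hexdigest()
    return msg


class Endpoint:
    """Destination-side endpoint: trusted remotes per source chain, strict per-source nonces."""

    def __init__(self, key: bytes, dst_chain: int, trusted_remotes: dict):
        self.key = key
        self.dst_chain = dst_chain
        self.trusted_remotes = trusted_remotes   # src_chain -> whitelisted sender address
        self.next_nonce = {}                     # src_chain -> next expected nonce
        self.executed = []                       # payloads that passed every check

    def receive(self, msg: Message) -> tuple:
        # 1. Destination binding: a message for another chain must never execute here.
        if msg.dst_chain != self.dst_chain:
            return False, "wrong destination chain"
        # 2. Origin check: only the whitelisted remote on that source chain may send.
        if self.trusted_remotes.get(msg.src_chain) != msg.sender:
            return False, "untrusted source"
        # 3. Integrity/authenticity: constant-time comparison of the relayer tag.
        expected = hmac.new(self.key, msg.signing_bytes(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.tag):
            return False, "bad relayer tag"
        # 4. Freshness: strictly sequential nonces per source chain stop replay and reordering.
        expected_nonce = self.next_nonce.get(msg.src_chain, 0)
        if msg.nonce != expected_nonce:
            return False, f"nonce {msg.nonce} out of order (expected {expected_nonce})"
        self.next_nonce[msg.src_chain] = expected_nonce + 1
        self.executed.append(msg.payload)
        return True, "executed"


def demo() -> dict:
    """Runs one honest message and three attack variants; returns each verdict."""
    key = b"constructed-route-key"   # constructed; never hard-code keys in real systems
    ep = Endpoint(key, DEST_CHAIN, {SOURCE_CHAIN: TRUSTED_REMOTE})
    results = {}

    good = relayer_sign(Message(SOURCE_CHAIN, DEST_CHAIN, TRUSTED_REMOTE, 0, {"op": "mint", "amount": 100}), key)
    results["valid"] = ep.receive(good)
    results["replay"] = ep.receive(good)   # same message again: nonce already consumed

    # Attacker reuses a genuine tag on a tampered payload: tag no longer matches.
    forged = Message(SOURCE_CHAIN, DEST_CHAIN, TRUSTED_REMOTE, 1, {"op": "mint", "amount": 10**9}, tag=good.tag)
    results["forged_payload"] = ep.receive(forged)

    # Attacker who stole the relayer key but is not the whitelisted remote: origin check catches it.
    spoof = relayer_sign(Message(SOURCE_CHAIN, DEST_CHAIN, "0xBAD", 1, {"op": "mint", "amount": 10**9}), key)
    results["untrusted_sender"] = ep.receive(spoof)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} -> {verdict}")
```

The order of the checks matters less than their independence: a compromised relayer key defeats check 3 but not check 2, and a leaked whitelisted address defeats check 2 but not check 3. Adversarial testing of a real bridge means constructing each of these cases against the production verifier, not assuming the relayer is honest.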
AI-assisted phishing is accelerating
We are seeing increasing reports of the following:
Deepfake support calls
AI-generated impersonation attempts
Targeted phishing using scraped public data
Session hijacking and browser-based credential theft
The sophistication gap between attackers and average users is widening rapidly.
Verification processes matter more than ever:
Multi-channel confirmation
Hardware wallet usage
Strict signing hygiene
Minimising screen sharing and remote access workflows
Governance is becoming a security layer
Recent incidents continue to reinforce the following:
Upgrade systems
Multisigs
Timelocks
Emergency powers
Operational governance
…are now core components of security infrastructure.
The industry conversation is evolving beyond “Was the code audited?” toward more fundamental questions:
Who controls upgrades?
How quickly can permissions change?
What happens during emergencies?
How transparent are recovery procedures?
Regulatory pressure is raising operational expectations
MiCA implementation, stablecoin reserve scrutiny, proof-of-reserve discussions, and broader compliance expectations are pushing protocols toward more mature operational standards.
Security reviews increasingly need to assess the following:
Governance transparency
Incident response readiness
Operational controls
Infrastructure resilience
Custody and access management
OPSEC quick tip
Separate wallets by function
One wallet should never handle everything.
Recommended separation:
Cold storage
Active trading
Governance voting
Testing / experimental apps
Public-facing identity
Concentrating too many permissions and assets within a single signer continues to be one of the most common paths to catastrophic wallet compromise.
Podcasts
CypherTalk - Censorship resistance with Shayan Eskandari
A conversation on censorship resistance, building privacy-preserving systems, and the future of decentralised communication, including MoaV and the challenges of operating under constrained conditions.
MetaMarkets - Stablecoin intelligence, liquidity, and regulation
Featuring Max Grabner.
The discussion explores the following:
Stablecoin infrastructure
Treasury intelligence
MiCA implications
Liquidity fragmentation
Sanctions screening
The future competitive landscape for issuers
ETHMilan 2026
Stefan Beyer, our co-founder, will be speaking at ETHMilan 2026 as part of a security panel, along with researchers, builders, and security experts working across blockchain infrastructure, audits, and AI-powered defence systems.
Security remains one of the most critical layers of the onchain ecosystem, especially as operational and infrastructure risks continue accelerating across Web3.
See you in Milan.