The Sherlock Web3 Security Report Q1 2026: Every Major Hack, Exploit, and Trends

Sherlock’s State of Web3 Security: Q1 2026 breaks down the biggest crypto security incidents, attack trends, and over $450M in losses across Web3 from January 1 to April 1, 2026.

Sherlock State of Web3 Security: Q1 2026

Published April 6, 2026 by the Sherlock Research Team

Report: State of Web3 Security, Q1 2026  |  Coverage: January 1 to April 1, 2026  |  Scope: Every confirmed incident exceeding $1M  |  Sources: 21 independent sources, 91 inline citations

The first quarter of 2026 saw approximately $450 million in losses across 145 security incidents in the Web3 ecosystem, according to data aggregated from Cryip, Halborn, and PeckShield. While that headline number is alarming, the underlying data tells a more nuanced story: smart contract exploit losses declined roughly 89% year-over-year according to FX Leaders, but social engineering and infrastructure-level attacks filled the gap with devastating efficiency. The quarter closed with the Drift Protocol incident on April 1, a $285 million exploit attributed to DPRK-linked actors by TRM Labs, which alone nearly doubled the quarter's DeFi protocol losses.

This is the inaugural edition of the Sherlock State of Web3 Security, a quarterly report cataloging every publicly confirmed Web3 security incident exceeding $1 million in losses. This edition covers January through March 2026, with additional coverage of the Drift Protocol incident that landed on April 1. Every claim is sourced. Every number is cited. This report is intended as a reference document for researchers, security teams, protocol developers, and anyone building in Web3 who needs to understand the current threat landscape.

Q1 2026 by the Numbers

Aggregate losses across all Web3 security incidents in Q1 2026 totaled approximately $450 million across 145 discrete events, per tracking from Cryip and corroborated by PeckShield's monthly reports. Of that total, roughly $168 million came from DeFi protocol exploits across 34 protocols, per data reported by FX Leaders. The remaining $282 million was dominated by a single phishing and social engineering incident in January targeting an individual holder.

January was the heaviest month at $340 to $400 million in total losses, heavily skewed by the $282 million social engineering attack. February was the lightest month in eleven months at $26.5 million per PeckShield, as reported by The Block. March rebounded to $52 million across 20 incidents, a 96% increase from February per CryptoPotato.

The year-over-year decline in smart contract exploit losses is the most important structural signal in the data. DeFi-specific exploits dropped 89% compared to Q1 2025, suggesting that audit coverage and formal verification are improving measurably. But the threat has not diminished; it has shifted upward in the stack, toward private key management, cloud infrastructure, and human targets.

Web3 Attack Vector Analysis: Q1 2026

The distribution of attack vectors in Q1 2026 breaks sharply from historical norms. Social engineering and phishing accounted for 84% of total dollar losses, driven almost entirely by the $282 million January incident and the social engineering component of the Drift Protocol attack. By incident count rather than dollar volume, infrastructure attacks (private key compromise, cloud key management failures, bridge validator compromise) represented the dominant category at 76% of classified incidents, per Halborn's quarterly analysis.

Smart contract vulnerabilities, historically the poster child of DeFi risk, accounted for a shrinking share of both incidents and losses. The exploits that did occur tended to involve logic errors in newer or less-audited contracts rather than the classic reentrancy or oracle manipulation patterns of previous years. Oracle manipulation was present in one notable case (YieldBlox on Stellar), but the broader trend is unmistakable: attackers are moving away from on-chain logic bugs and toward off-chain infrastructure and human targets.

A new pattern that emerged this quarter is what PeckShield is calling "shadow contagion": an exploit at one protocol creates cascading bad debt across interconnected protocols. The Resolv Labs incident in March demonstrated this clearly. The minting of unauthorized USR stablecoins created bad debt positions in Morpho Blue, Euler, and Fluid, none of which were directly exploited but all of which absorbed losses from holding or lending against the compromised asset. This interconnectedness means that a single point of failure can propagate across the composability stack in ways that traditional security audits do not model.

January 2026: $340M+ in Losses

January opened the year with the single largest loss event of the quarter. A Trezor hardware wallet user lost approximately $282 million worth of Bitcoin and Litecoin (roughly 1,459 BTC and 2.05 million LTC) in a social engineering attack, first identified and traced on-chain by pseudonymous investigator ZachXBT, as reported by The Defiant. The attacker impersonated Trezor support staff to manipulate the victim into signing malicious transactions. The stolen funds were rapidly converted to Monero through multiple instant exchanges, making further tracing effectively impossible. Yahoo Finance confirmed this as the largest individual crypto theft of 2026 and the biggest social engineering loss in digital asset history, surpassing the $243 million record set in August 2024.

Halborn's January 2026 monthly report cataloged seven DeFi protocol hacks exceeding $1 million for the month, with approximately $86 million in protocol-level losses. The majority of major hacks involved smart contract vulnerabilities with root causes ranging from inherited vulnerabilities to old code to logical implementation errors, but the two most significant protocol incidents involved compromised keys.

Step Finance: $30 Million

Step Finance, a portfolio management and analytics platform on Solana, suffered a $30 million loss due to private key compromise. Halborn's January report attributed the incident to compromised deployer keys, which allowed the attacker to drain protocol-controlled funds. The attack vector was infrastructure-level rather than a smart contract bug, consistent with the broader trend of key management failures observed throughout the quarter.

Truebit: $26.4 Million

Truebit, a computation verification protocol, lost $26.4 million through an exploit of a five-year-old contract with a minting vulnerability. The attacker identified a function that allowed unauthorized token minting in a contract that had been deployed years earlier and largely forgotten. Halborn noted that an error in the old contract allowed attackers to mint TRU tokens essentially for free and burn them to drain value from the protocol. This highlights the long-tail risk of deprecated or unmaintained contracts that still hold significant value.

February 2026: $26.5M in Losses

February was the quietest month for Web3 security losses in nearly a year. PeckShield reported $26.5 million in total losses across 15 incidents, as covered by The Block, representing a 69.2% month-on-month decrease from January's protocol-level losses. CoinTelegraph reported that PeckShield attributed the decline to fewer mega-hacks, heightened volatility, and tighter risk controls.

YieldBlox: $10.2 Million

YieldBlox, a DAO-managed lending protocol on Stellar, lost $10.2 million through a price manipulation attack on February 21. The attacker manipulated price feeds to inflate collateral values and borrow against them, draining lending pools before the oracle corrected. Notably, Stellar network validators were able to freeze approximately $7.2 million of the stolen funds, a recovery rate unusual in DeFi exploits and possible only because of Stellar's validator-level asset freezing capabilities. Halborn's February report covered the incident in detail.

IoTeX: $8.9 Million

IoTeX, an IoT-focused blockchain, lost $8.9 million on February 21 when an attacker compromised the private keys controlling a cross-chain bridge. The bridge key compromise allowed the attacker to forge withdrawal transactions and drain bridge reserves. Halborn attributed the incident to infrastructure-level key management failures rather than a smart contract vulnerability in the bridge logic itself.

Foom: $2.3 Million

Foom, a smaller DeFi protocol, lost $2.3 million through a smart contract vulnerability. Details on the specific exploit mechanism were limited in public reporting, but the loss was confirmed across multiple tracking sources and included in PeckShield's February aggregates.

March 2026: $52M in Losses

March saw losses nearly double compared to February, with PeckShield reporting $52 million across 20 discrete incidents per The Block. CryptoPotato covered the 96% month-over-month increase. March also introduced the shadow contagion pattern through the Resolv Labs incident, which had cascading effects across multiple lending protocols.

Resolv Labs: $25 Million

Resolv Labs, the issuer of the USR stablecoin, suffered the most consequential exploit of Q1 2026 when an attacker compromised the project's AWS KMS (Key Management Service) infrastructure. Chainalysis published a detailed analysis of the incident, and Halborn published a full technical breakdown. The attacker used the compromised cloud keys to authorize the minting of approximately 80 million unauthorized USR tokens from a collateral deposit of roughly $100K to $200K, as detailed by DEV Community's technical analysis.

The root cause was not a smart contract bug in the traditional sense. The contract enforced a minimum USR output but critically had no maximum mint ratio, no on-chain price oracle check, and no cap. Whatever the key holder signed would get minted. The 80 million newly minted, unbacked tokens flooded DEX liquidity pools and USR's dollar peg collapsed to as low as $0.20, an 80% crash, before partially recovering to around $0.56.
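The checks this paragraph lists as absent (a maximum mint ratio, an on-chain price check, and a cap) can be modeled off-chain to show how each one bounds what a compromised signing key can do. This is an added illustration in Python, not Resolv's contract code; the class, function names, limits, and inputs are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

BPS = 10_000
PRICE_SCALE = 1_000_000  # oracle price fixed-point: 1_000_000 == $1.00


class MintRejected(Exception):
    """A signed mint request failed a check that does not depend on the signer."""


def unguarded_mint(signer_ok: bool, min_out: int, requested_out: int) -> int:
    """Floor-only check, as the passage describes it: a valid signature and
    requested_out >= min_out are the only conditions."""
    if not signer_ok:
        raise MintRejected("bad signature")
    if requested_out < min_out:
        raise MintRejected("below minimum output")
    return requested_out


@dataclass
class GuardedMinter:
    max_ratio_bps: int = 10_100   # hypothetical: at most 1.01 token per $1 of collateral
    window_cap: int = 5_000_000   # hypothetical: max tokens minted per window
    window_seconds: int = 3_600
    window_start: int = 0
    window_minted: int = 0

    def mint(self, signer_ok, collateral, oracle_price, min_out, requested_out, now):
        # The signature and the floor are still checked first.
        unguarded_mint(signer_ok, min_out, requested_out)

        # Ceiling: value the deposit with an independent price, not the signer's word.
        collateral_usd = collateral * oracle_price // PRICE_SCALE
        max_out = collateral_usd * self.max_ratio_bps // BPS
        if requested_out > max_out:
            raise MintRejected(f"exceeds max mint ratio: {requested_out} > {max_out}")

        # Rate limit: bounds the damage even if the price and the key are both wrong.
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.window_minted = now, 0
        if self.window_minted + requested_out > self.window_cap:
            raise MintRejected("window mint cap reached")
        self.window_minted += requested_out
        return requested_out


def demo():
    """Constructed inputs loosely matching the figures quoted in the text."""
    results = {"unguarded": unguarded_mint(True, 1, 80_000_000)}
    guard = GuardedMinter()
    try:
        guard.mint(True, 200_000, PRICE_SCALE, 1, 80_000_000, now=0)
        results["guarded"] = "minted"
    except MintRejected as exc:
        results["guarded"] = str(exc)
    # A request near 1:1 still passes every check.
    results["honest"] = guard.mint(True, 200_000, PRICE_SCALE, 199_000, 200_000, now=0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```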

The direct loss to Resolv was approximately $25 million, but the downstream impact was broader. PeckShield noted that the USR crash created "systemic bad debt" across Morpho Blue, Euler, and Fluid. NomosLabs reported that Fluid/Instadapp alone absorbed over $10 million in bad debt and saw $300 million in outflows in a single day. None of those downstream protocols had a vulnerability in their own code, but their composable integration with the compromised asset transmitted the loss across the ecosystem.

Venus Protocol: $3.7 Million

Venus Protocol, a lending platform on BNB Chain, suffered $3.7 million in losses through a donation attack that bypassed supply caps on the low-liquidity THE (Thena) token. The attacker had been accumulating THE tokens for nine months prior to the exploit, building a position controlling approximately 84% of Venus's supply cap for the token. Instead of using the standard deposit function, the attacker transferred tokens directly into the vTHE smart contract, distorting the protocol's internal exchange rate and bypassing supply limitations. The attack inflated THE's spot price from $0.263 to over $0.51 and left Venus with approximately $2.18 million in bad debt according to Venus's post-mortem.
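The accounting gap described above, where a direct token transfer moves the exchange rate without passing the deposit-path cap check, is easiest to see next to the usual mitigation of tracking cash internally. The following Python model is an added illustration, not Venus's code; the market class, the cap, and the amounts are hypothetical and constructed for the example.

```python
SCALE = 10**18
SUPPLY_CAP = 1_000_000  # constructed cap, in underlying token units


class CapExceeded(Exception):
    pass


class Market:
    """Toy lending market; use_internal_cash selects the accounting source."""

    def __init__(self, supply_cap: int, use_internal_cash: bool):
        self.supply_cap = supply_cap
        self.use_internal_cash = use_internal_cash
        self.token_balance = 0   # what the token's balanceOf(market) would report
        self.internal_cash = 0   # changed only by deposit()
        self.shares = 0

    def cash(self) -> int:
        return self.internal_cash if self.use_internal_cash else self.token_balance

    def exchange_rate(self) -> int:
        return SCALE if self.shares == 0 else self.cash() * SCALE // self.shares

    def deposit(self, amount: int) -> int:
        # The supply cap is enforced here, and only here.
        if self.cash() + amount > self.supply_cap:
            raise CapExceeded(f"{self.cash() + amount} > {self.supply_cap}")
        minted = amount * SCALE // self.exchange_rate()
        self.token_balance += amount
        self.internal_cash += amount
        self.shares += minted
        return minted

    def direct_transfer(self, amount: int) -> None:
        # A plain token transfer to the market address: no market code runs,
        # so neither the cap check nor internal_cash is involved.
        self.token_balance += amount

    def collateral_value(self, shares: int) -> int:
        return shares * self.exchange_rate() // SCALE

    def unaccounted(self) -> int:
        # Monitoring signal: tokens held that no deposit accounts for.
        return self.token_balance - self.internal_cash


def scenario(use_internal_cash: bool):
    """Deposit 84% of the cap, then receive a direct transfer of twice the cap."""
    market = Market(SUPPLY_CAP, use_internal_cash)
    shares = market.deposit(840_000)
    market.direct_transfer(2_000_000)
    return market.collateral_value(shares), market.unaccounted()


if __name__ == "__main__":
    print("balance-based :", scenario(False))  # share value ends above the cap
    print("internal cash :", scenario(True))   # share value unchanged, gap visible
```

With balance-based accounting the depositor's shares are valued above the supply cap; with internal accounting the value stays at the deposited amount and the unaccounted balance gives monitoring something to alert on.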

Solv Protocol: $2.7 Million

Solv Protocol lost $2.7 million through a double-mint exploit, where the attacker found a way to mint duplicate tokens within a single transaction context. The exploit targeted a logic error in the minting function's state management rather than an access control failure.

The Drift Protocol Hack: $285M on April 1, 2026

While technically falling one day outside Q1, the Drift Protocol exploit on April 1, 2026 is included in this report because of its significance and proximity. At approximately $285 million in losses, the Drift incident is the largest DeFi protocol exploit of 2026 to date and the second-largest in Solana's history, behind only the $326 million Wormhole bridge hack in 2022.

Drift Protocol is a decentralized derivatives exchange on Solana. TRM Labs reported that the attack was the culmination of a six-month social engineering campaign that began in the fall of 2025. DPRK-linked operatives, tracked under the cryptonym UNC4736 (also known as AppleJeus, Citrine Sleet, and Gleaming Pisces), systematically targeted Drift contributors. The Hacker News detailed how one contributor was compromised after cloning a malicious code repository, while a second was persuaded into downloading a weaponized wallet application via Apple's TestFlight.

The attack itself combined multiple vectors. The compromised contributors were socially engineered into pre-signing hidden authorizations, which the attacker used to execute a zero-timelock Security Council migration that eliminated the protocol's last line of defense. The attacker then deployed an entirely fictitious asset called CarbonVote Token and seeded it with a few thousand dollars in liquidity and wash trading; Drift's oracles treated it as legitimate collateral worth hundreds of millions. The entire on-chain execution took approximately 12 minutes.

Elliptic's analysis corroborated the DPRK attribution through independent fund-tracing, and CoinDesk covered the attribution. The Drift team described it as "an attack six months in the making," attributing it with medium confidence to the UNC4736 group.

The Drift incident crystallizes several of the quarter's threat themes: social engineering as the initial access vector, months of patient preparation, speed of on-chain execution measured in minutes rather than hours, nation-state-level sophistication, and the difficulty of post-exploit asset recovery when attackers are operationally prepared for rapid laundering.

2025 Context: The Bybit Baseline

Any discussion of 2026 security trends requires acknowledging the event that defined the previous year's threat landscape. In February 2025, Bybit, a centralized exchange, lost approximately $1.5 billion in what became the largest single theft in cryptocurrency history. The FBI's Internet Crime Complaint Center (IC3) attributed the attack to the Lazarus Group (also tracked as TraderTraitor and APT38). TRM Labs published extensive tracking analysis, and BleepingComputer reported that the initial compromise came through a social engineering attack on a Safe{Wallet} developer, whose workstation was used to inject malicious JavaScript into the multisig interface.

The Bybit incident established several precedents that carry directly into 2026. It demonstrated that DPRK-linked actors have both the capability and the intent to target crypto infrastructure at the highest value tiers. It showed that social engineering combined with infrastructure compromise can bypass even institutional-grade security setups. And it proved that the speed and scale of crypto laundering infrastructure, particularly through cross-chain bridges and mixing services, makes post-theft recovery extremely difficult once the initial window closes.

The Drift Protocol incident on April 1, 2026 bears operational similarities to Bybit: social engineering entry via developer compromise, rapid on-chain execution, DPRK attribution, and sophisticated laundering. The lineage from Bybit to Drift suggests an operational playbook that is being refined and reused.

Emerging DeFi Security Threat Patterns

The Infrastructure Layer Is the New Attack Surface

The most significant shift in Web3 security during Q1 2026 is the migration of attacks from the smart contract layer to the infrastructure layer. Private key compromise (Step Finance, IoTeX), cloud key management compromise (Resolv Labs), and social engineering (the $282M January incident, Drift Protocol) collectively accounted for the vast majority of losses. Smart contract exploits, while still present, represented a declining share (down 89% YoY). This shift has implications for how protocols allocate security resources: auditing Solidity code is necessary but increasingly insufficient when the deployer keys are stored in a compromised cloud account or when a team member can be socially engineered.

Shadow Contagion Across Composable Protocols

The Resolv Labs incident introduced a contagion pattern that the ecosystem has not yet developed adequate defenses against. PeckShield flagged this pattern as "shadow contagion" in its March report. When a collateral asset is compromised, every protocol that accepts that asset as collateral inherits exposure. The bad debt that cascaded into Morpho Blue, Euler, and Fluid from the Resolv exploit was not caused by vulnerabilities in those protocols. It was caused by their composable integration with an asset whose issuer was compromised at the infrastructure level. Current risk frameworks tend to evaluate protocol security in isolation; the Resolv incident demonstrates that integrated risk assessment across the composability stack is essential.

Nation-State Actors Are Accelerating

The DPRK attribution of the Drift Protocol incident by TRM Labs, combined with the Lazarus Group's FBI-confirmed role in the 2025 Bybit hack, establishes a pattern of nation-state-level actors systematically targeting crypto infrastructure. These actors combine social engineering, custom malware, and operational security (rapid laundering through mixers and cross-chain hops) in ways that are qualitatively different from opportunistic exploit hunters. The six-month preparation timeline revealed in the Drift incident suggests that DPRK-linked groups are investing significant resources in long-duration social engineering campaigns rather than relying on purely technical attack vectors.

Deprecated Contracts as Long-Tail Risk

The Truebit exploit, which targeted a five-year-old contract with a minting vulnerability, illustrates a category of risk that grows over time rather than shrinking. As the Web3 ecosystem ages, the number of deployed contracts that hold value but are no longer actively maintained or monitored increases. These contracts represent a growing long-tail attack surface. Protocols that have deprecated contracts but have not revoked their permissions or migrated their assets carry risk that compounds with each passing year.

Methodology and Sources

The Sherlock State of Web3 Security is a quarterly report compiled by the Sherlock Research Team using the following primary and secondary sources. Incident-level data was cross-referenced across at least two independent sources before inclusion. Dollar figures represent approximate loss values at the time of each incident and may differ from final post-recovery figures where recoveries occurred.

Primary data sources: Halborn January 2026 report, Halborn February 2026 report, Halborn Resolv hack explainer, Halborn Venus Protocol explainer, PeckShield data via The Block (February), PeckShield data via The Block (March), Chainalysis Resolv hack analysis, TRM Labs Drift attribution, Elliptic Drift analysis, FBI IC3 Bybit/Lazarus attribution.

Secondary sources: The Hacker News (Drift), CoinDesk (Drift attribution), The Defiant ($282M theft), Yahoo Finance ($282M theft), AMBCrypto (ZachXBT investigation), CoinTelegraph (February data), CryptoPotato (March data), FX Leaders (Q1 aggregate), Cryip (January aggregate), CryptoTimes (shadow contagion), Gizmodo (Resolv), NomosLabs (Resolv), Venus governance post-mortem, BleepingComputer (Bybit), TRM Labs (Bybit).

All figures marked as approximate reflect the inherent difficulty of precise loss quantification in DeFi, where token prices fluctuate during and after exploit events, partial recoveries may occur over time, and secondary losses (such as shadow contagion bad debt) are not always captured in primary incident tracking.

Frequently Asked Questions

How much money was lost to Web3 hacks in Q1 2026?

Approximately $450 million was lost across 145 Web3 security incidents in Q1 2026, according to data from PeckShield, Halborn, and Cryip. Of that total, roughly $168 million came from DeFi protocol exploits across 34 protocols per FX Leaders, while the remainder was dominated by a $282 million social engineering attack targeting an individual in January.

What was the biggest crypto hack in 2026?

The largest crypto hack in 2026 as of early April is the Drift Protocol exploit on April 1, 2026, which resulted in approximately $285 million in losses. TRM Labs and Elliptic attributed the attack to DPRK-linked actors. The attacker used a six-month social engineering campaign combined with a fabricated collateral token to drain the Solana-based derivatives protocol in approximately 12 minutes.

Are DeFi exploits increasing or decreasing in 2026?

DeFi-specific smart contract exploits declined approximately 89% year-over-year in Q1 2026 compared to Q1 2025. However, total losses have not declined proportionally because attacks have shifted toward infrastructure-level targets such as private key compromise, cloud key management failures, and social engineering, which can produce larger individual losses than smart contract bugs.

What is shadow contagion in DeFi?

Shadow contagion is a pattern identified by PeckShield where an exploit at one protocol creates cascading losses across other protocols composably integrated with it. The term describes the downstream bad debt that appeared in Morpho Blue, Euler, and Fluid following the Resolv Labs exploit in March 2026. None of those downstream protocols were directly hacked, but they accepted USR stablecoin as collateral, and when Resolv's infrastructure was compromised and unauthorized USR was minted, the resulting collapse in USR's value created systemic bad debt across all protocols holding it.

Is North Korea behind crypto hacks in 2026?

The Drift Protocol exploit ($285M, April 2026) has been attributed to DPRK-linked actors by TRM Labs and Elliptic, and the FBI confirmed DPRK-linked actors as responsible for the Bybit exchange hack ($1.5B, February 2025). Both incidents share operational patterns: developer-targeted social engineering, months of preparation, rapid on-chain execution, and sophisticated cross-chain laundering.

What are the most common Web3 attack vectors in 2026?

In Q1 2026, social engineering and phishing were the leading attack vector by dollar losses (84% of total losses), while infrastructure attacks, including private key compromise and cloud key management failures, were the leading category by incident count (76% of incidents, per Halborn). Smart contract vulnerabilities accounted for a declining share of both incidents and losses compared to previous years, with the notable exceptions of oracle manipulation (YieldBlox), a donation attack (Venus Protocol), and minting logic errors (Truebit, Solv).