TL;DR
- Eleven major incidents in June 2026 totalled roughly $62.2 million in gross losses, around half of May's $124.9 million.
- A single incident, the $32 million Humanity Protocol breach, accounted for over half the month's total. It remains contested, with some analysts suggesting a staged exit rather than an external theft.
- Deprecated and abandoned contracts were the defining target of the month. Raydium, Thetanuts and Aztec Connect were all exploited through code that had been retired but left live on-chain, in Aztec's case fully immutable with no one able to patch it.
- Tornado Cash received proceeds from five of the eleven incidents, in each case only after funds were bridged onto Ethereum, which remained the ecosystem's main settlement and laundering layer.
- Attack types were unusually varied: a governance takeover (Token of Power), an MEV bot turned against its own logic (JaredFromSubway), a bridge proof flaw (Syscoin) and a private key compromise (Humanity), alongside the deprecated-contract exploits.
- Realised losses were far lower than the headline. Syscoin recovered and burned its entire unauthorised mint, roughly $2M of the Thetanuts loss was whitehatted, and Raydium and Gnosis both committed to full reimbursement.
Introduction
June 2026 continued the trajectory of the preceding months, with attackers striking a wide cross-section of the ecosystem that spanned payment infrastructure, cross-chain bridges, decentralised exchanges, options protocols, governance systems and automated trading bots. Across the eleven major incidents analysed in this report, attackers extracted approximately $62.2 million in gross terms. A significant portion of that figure was subsequently burned, recovered by white-hats or reimbursed by the affected projects, meaning the loss ultimately borne by end users was considerably smaller than the headline total suggests.
Gross losses across June's eleven major incidents were roughly half those recorded in May 2026, when the month's largest incidents accounted for approximately $124.9 million, and a fraction of April's exceptional peak. The distribution was heavily skewed by a single event. The Humanity Protocol compromise alone represented slightly more than half of the month's total, which meant the remaining ten incidents together contributed under $31 million. This reinforces a pattern that has defined much of the year, in which a small number of outsized breaches sit atop a broad base of mid-sized incidents rather than the reverse.
The most striking shift in attacker behaviour was the repeated targeting of deprecated, abandoned or otherwise dormant contracts that remained live on-chain long after their operators had stopped maintaining them. Rather than concentrating on actively defended protocols where scrutiny is highest, attackers gravitated towards forgotten infrastructure that still held or controlled value. Alongside this, the month demonstrated the sheer breadth of the surface now under pressure, featuring a governance takeover executed through the open market, an automated trading bot defeated by feeding it deceptive inputs, a contested incident that blurred the line between external theft and insider exit, and the persistent laundering of proceeds through Tornado Cash.
Taken together, the incidents analysed this month suggest that attackers continue to favour value that is poorly monitored over value that is well protected. Abandoned code, misconfigured permissions and automated systems acting on untrusted data all proved more attractive than the maintained protocols at the centre of the ecosystem. NOMINIS assesses that this represents a maturing of attacker behaviour, in which the long tail of dormant but still funded contracts is increasingly treated as a dependable source of low-resistance targets.
Major Incidents of June 2026
Gnosis Pay - 01/06/2026
Type: Smart Contract Exploit
The month opened with an exploit against Gnosis Pay, the self-custodial payment platform on Gnosis Chain that connects Visa debit cards to user-controlled Safe smart accounts. The affected component was the Zodiac Delay Module, a contract designed to impose a short waiting period before outgoing transactions execute, intended as a protective buffer that would give users time to react to unauthorised activity. The attacker identified a flaw in the module's signature-verification path, where a missing status check in a static call allowed malformed transactions to be accepted into the queue as though they had been validly signed. This inverted the purpose of the safeguard, letting the attacker initiate outbound transactions directly from affected Safes. The incident did not involve any compromise of user private keys. Gnosis confirmed that the flaw resided in the Gnosis Pay system rather than in Safe's core contracts, and its co-founder committed to covering all user losses in full.
Impact: $265,000
Specter (TSR) - 02/06/2026
Type: Unauthorised Token Minting Exploit
The following day, the BNB Chain project Specter, associated with the TesseraDao and its TSR token, was exploited for approximately $2.5 million. The attacker abused a vulnerability that permitted the minting of 99 million TSR tokens, an amount vastly exceeding the legitimate supply. These tokens were then dumped almost instantly, collapsing the price by close to 99 percent. The proceeds were converted into roughly 2.5 million USDT, bridged to Ethereum and partially laundered through Tornado Cash, with more than 1,285 ETH already processed through the mixer at the time of reporting.
Impact: $2,500,000
Syscoin - 07/06/2026
Type: Cross-Chain Bridge Exploit
About a week later, Syscoin, a network operating a UTXO chain alongside an Ethereum-compatible layer known as NEVM, suffered a bridge exploit that produced approximately 5 billion unauthorised SYS tokens. The root cause was a proof-parsing flaw in the bridge relay path. Rather than forging a cryptographically valid proof, which would have been infeasible, the attacker submitted a malformed proof structured specifically to be misread by the relay's parsing code. The relay interpreted the malformed structure as a valid burn that had never occurred and authorised a corresponding mint on the UTXO side. The unauthorised supply, valued at somewhere between roughly $8.5 million and $10 million depending on the price reference used, was split across two wallets. Syscoin paused the bridge, coordinated with exchanges to freeze the tainted balances and ultimately recovered and burned the full 5 billion SYS, returning the supply to its pre-incident level.
Impact: ~$10,000,000 (recovered and burned)
Humanity Protocol - 08/06/2026
Type: Private Key Compromise
The largest incident of the month affected Humanity Protocol, a decentralised identity network that verifies users through palm-print biometrics and zero-knowledge proofs. The founder attributed the breach to the compromise of private keys belonging to a member of the Humanity Foundation, after which more than seventeen wallets holding the H token were drained and the attacker minted a further 100 million H on BNB Chain and sold it into the market. The token fell by close to 90 percent, and combined losses were reported in the region of $32 million. The incident was notable for the scepticism it attracted. On-chain investigator ZachXBT described it as possibly staged, arguing that the concentrated token supply, the exclusive use of decentralised venues for the sell-off and the team's broader history pointed towards a coordinated exit by a market maker rather than a straightforward external theft. The classification of the event therefore remains contested.
Impact: $32,000,000
Token of Power - 09/06/2026
Type: Governance Exploit
Token of Power, an Ethereum token governed through an Aragon DAO known as The Mask of Power, lost approximately $1.58 million to a governance takeover. The attacker exploited a governance misconfiguration by acquiring a majority of the DAO's voting power, at a reported cost of around $1.1 million, and then used that control to authorise the minting of tokens and drain the project's TOP/WETH Balancer V1 liquidity pool of roughly 944 WETH. The proceeds were subsequently routed through Tornado Cash.
Impact: $1,580,000
Raydium - 10/06/2026
Type: Input Validation Flaw
The Solana-based decentralised exchange Raydium was exploited for approximately $1.34 million through a flaw contained entirely within a deprecated legacy AMM program that had been phased out in 2021 but remained live on-chain. Five inactive pools were affected. The legacy program calculated proportional token distributions during liquidity withdrawals using the total supply of the pool's liquidity-provider token mint, but it failed to verify that the mint account passed by the user matched the pool's authentic, immutable mint address. Exploiting this missing check, the attacker created an entirely new token mint, minted a large supply of counterfeit liquidity-provider tokens, and passed this arbitrary mint into the program to satisfy the proportion arithmetic and withdraw the idle assets. The stolen funds, comprising RAY, SOL and USDC, were bridged from Solana to Ethereum, with 810 ETH deposited into Tornado Cash and a further 7 ETH sent through FixedFloat. Raydium confirmed that no current users or active pools were affected and committed to full reimbursement from its treasury.
Impact: $1,340,000
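The Raydium flaw described above reduces to one missing account check. The following is an added illustration written for this report, not Raydium's program code: a simplified pool model in which the withdrawal arithmetic reads the total supply from whichever mint account the caller passes in. The `Mint`, `Pool` and address strings are constructed for the example; the hardened variant binds the supplied account to the pool's stored LP mint address before any arithmetic uses it.

```python
from dataclasses import dataclass


@dataclass
class Mint:
    """A token mint account: its on-chain address and current total supply (constructed)."""
    address: str
    supply: int


@dataclass
class Pool:
    """Simplified legacy-style AMM pool. lp_mint is recorded once at pool creation."""
    lp_mint: str
    reserve_a: int
    reserve_b: int


class InvalidLpMint(Exception):
    """Raised when the LP mint supplied by the caller is not the pool's own."""


def withdraw_unchecked(pool: Pool, lp_mint: Mint, burn_amount: int) -> tuple:
    """Vulnerable pattern: the pro-rata share is computed from the supply of
    whatever mint account the caller passed, with no check that it is the
    mint recorded in the pool state."""
    if burn_amount > lp_mint.supply:
        raise ValueError("cannot burn more than the mint's supply")
    share_a = burn_amount * pool.reserve_a // lp_mint.supply
    share_b = burn_amount * pool.reserve_b // lp_mint.supply
    lp_mint.supply -= burn_amount
    pool.reserve_a -= share_a
    pool.reserve_b -= share_b
    return share_a, share_b


def withdraw_checked(pool: Pool, lp_mint: Mint, burn_amount: int) -> tuple:
    """Hardened pattern: reject any mint account whose address differs from
    the pool's immutable LP mint before its supply enters the arithmetic."""
    if lp_mint.address != pool.lp_mint:
        raise InvalidLpMint(f"{lp_mint.address} is not the pool's LP mint {pool.lp_mint}")
    return withdraw_unchecked(pool, lp_mint, burn_amount)


def demo() -> dict:
    genuine = Mint("LpMintGenuine111", supply=1_000)
    # An idle pool: 5,000 of each token still sitting in its reserves (constructed).
    pool = Pool(lp_mint=genuine.address, reserve_a=5_000, reserve_b=5_000)
    # A brand-new mint with a tiny supply that the caller fully controls.
    forged = Mint("LpMintForged999", supply=100)

    # Vulnerable path: burning the entire forged supply reads as 100% of the pool.
    drained = withdraw_unchecked(pool, forged, burn_amount=100)

    # Hardened path against a fresh copy of the same pool: the forged mint is refused.
    pool2 = Pool(lp_mint=genuine.address, reserve_a=5_000, reserve_b=5_000)
    try:
        withdraw_checked(pool2, forged, burn_amount=100)
        rejected = False
    except InvalidLpMint:
        rejected = True
    # A legitimate holder of 10% of the genuine LP supply withdraws 10% of reserves.
    legit = withdraw_checked(pool2, genuine, burn_amount=100)
    return {
        "drained": drained,
        "pool_after_drain": (pool.reserve_a, pool.reserve_b),
        "rejected": rejected,
        "legit": legit,
    }


if __name__ == "__main__":
    print(demo())
```

The check is a one-line address comparison, which is why dormant programs are such attractive targets: the omission is cheap to fix but, once the program is unmaintained, nobody is left to fix it.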
Thetanuts Finance - 15/06/2026
Type: Smart Contract Logic Flaw
Thetanuts Finance, a decentralised options and structured-product protocol, was exploited for approximately $2.1 million through a flaw in a deprecated vault that the team had migrated away from years earlier. The root cause was an arithmetic error in the legacy vault's mint and redemption logic. After the vault's token supply was pushed towards zero, an integer-division calculation rounded down to zero, which allowed the attacker to mint option tokens for effectively nothing and subsequently withdraw far more value than they were entitled to. The attack was assisted by flash loans. A white-hat intervened and recovered roughly $2 million of the affected option tokens, reducing the net loss to around $105,000, with a small residual balance of option tokens remaining in the attacker's wallet. Thetanuts confirmed the affected vault had no connection to its current products or active contracts.
Impact: $2,100,000 (approximately $2 million recovered by a white-hat)
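The Thetanuts root cause belongs to a well-known class: integer division in vault accounting rounding to zero in the caller's favour. The following is an added, simplified model written for this report and not Thetanuts' vault code; it assumes a vault that prices a mint by first flooring a per-token price, which drops to zero as soon as outstanding supply exceeds collateral. The fixed variant multiplies before dividing, rounds amounts owed to the vault upwards, and refuses any mint whose cost still rounds to zero. All figures are constructed.

```python
from dataclasses import dataclass


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up; used for amounts the caller must pay."""
    return -(-a // b)


@dataclass
class Vault:
    collateral: int   # collateral held by the vault
    supply: int       # option tokens outstanding


class ZeroCostMint(Exception):
    pass


def mint_legacy(vault: Vault, amount: int) -> int:
    """Flawed pattern (hypothetical): a per-token price is floored first, so
    once supply exceeds collateral the price is 0 and any quantity of option
    tokens can be minted for nothing."""
    unit_price = vault.collateral // vault.supply
    cost = amount * unit_price
    vault.collateral += cost
    vault.supply += amount
    return cost


def mint_fixed(vault: Vault, amount: int) -> int:
    """Hardened pattern: multiply before dividing, round in the vault's favour,
    and refuse a mint whose cost would still be zero."""
    cost = ceil_div(amount * vault.collateral, vault.supply)
    if cost == 0:
        raise ZeroCostMint("mint would be free; refusing")
    vault.collateral += cost
    vault.supply += amount
    return cost


def redeem(vault: Vault, amount: int) -> int:
    """Redemption pays out pro rata, rounding down (again in the vault's favour)."""
    if amount > vault.supply:
        raise ValueError("redeeming more than outstanding supply")
    payout = amount * vault.collateral // vault.supply
    vault.collateral -= payout
    vault.supply -= amount
    return payout


def demo() -> dict:
    # Constructed state for an abandoned vault: 999 units of collateral left
    # against 1,000 outstanding option tokens, so supply slightly exceeds collateral.
    legacy = Vault(collateral=999, supply=1_000)
    free_cost = mint_legacy(legacy, 1_000_000)     # price floors to 0
    payout = redeem(legacy, 1_000_000)             # nearly all collateral leaves

    fixed = Vault(collateral=999, supply=1_000)
    fair_cost = mint_fixed(fixed, 1_000_000)       # 0.999 per token, rounded up

    # Edge case: a vault with no collateral left cannot be used to mint for free.
    empty = Vault(collateral=0, supply=1_000)
    try:
        mint_fixed(empty, 1)
        zero_rejected = False
    except ZeroCostMint:
        zero_rejected = True

    return {
        "free_cost": free_cost,
        "payout": payout,
        "collateral_left": legacy.collateral,
        "fair_cost": fair_cost,
        "zero_rejected": zero_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The direction of rounding is the whole point: amounts flowing into the vault round up, amounts flowing out round down, and a mint that would cost nothing is refused outright rather than allowed to dilute the remaining holders.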
Aztec Connect - 17/06/2026
Type: Proof Verification Flaw
Aztec Connect, a zk-rollup bridge on Ethereum that had enabled private DeFi transactions, was exploited for approximately $2.1 million despite having been deprecated in 2023. When the bridge was retired, its operators renounced the administrative keys, rendering the contract immutable and leaving no party able to patch or pause it. The exploit stemmed from a flaw in the contract's proof verification logic. The set of transactions contained within a verified rollup proof was not required to match the set used for the corresponding Layer-1 state update, and the validation logic verified only part of the proof data while the parameters governing token transfers fell outside the checked region. Together these weaknesses allowed the attacker to credit themselves with value that had never been validated on-chain and to manipulate withdrawal operations, draining unbacked balances from the abandoned contract. Aztec Labs confirmed the affected contract was unrelated to its current network or token.
Impact: $2,100,000
PancakeSwap OLPC/LABUBU Pool - 20/06/2026
Type: Token Contract Logic Exploit
A liquidity pool pairing the OLPC and LABUBU tokens on PancakeSwap's BNB Chain deployment was drained of approximately $1.1 million. The vulnerability lay in the OLPC token rather than in PancakeSwap's own contracts, which the platform confirmed were unaffected. OLPC operated with a burn-on-transfer mechanism, and roughly 46 days before the incident its owner had altered a multiplier parameter within the contract to an extremely large value before renouncing ownership. A small transfer subsequently triggered a mass burn of OLPC and LABUBU tokens from the pool, desynchronising the pair's cached reserves from its real balances. With the pool's internal accounting no longer matching reality, the attacker was able to sweep the LABUBU side and route it through intermediate pools, exiting with approximately 1.1 million USDT. The proceeds were bridged to Ethereum and deposited into Tornado Cash. The pre-positioning of the parameter change and the subsequent renouncement led several analysts to characterise the event as a premeditated exit rather than an opportunistic exploit.
Impact: $1,100,000
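The OLPC incident turned on a pair whose cached reserves no longer matched the tokens it actually held. A monitor that compares each pair's reported reserves with its real token balances flags that condition before anyone trades against the stale accounting. The following is an added example for this report, not PancakeSwap's code; the snapshots are constructed figures (the token symbols follow the report, the numbers do not), and the thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PairSnapshot:
    """One observation of a pool: cached reserves versus actual balances (constructed)."""
    pair: str
    token0: str
    token1: str
    reserve0: int   # cached reserve as the pair itself reports it
    reserve1: int
    balance0: int   # token balance actually held by the pair contract
    balance1: int


def drift(reserve: int, balance: int) -> float:
    """Fraction by which the real balance deviates from the cached reserve.
    Negative means tokens left the pair without the pair accounting for it."""
    if reserve == 0:
        return 0.0 if balance == 0 else float("inf")
    return (balance - reserve) / reserve


def classify(snap: PairSnapshot, threshold: float = 0.01) -> str:
    """DEFICIT: balances below reserves (burn-on-transfer, external removal).
    SURPLUS: balances above reserves (tokens donated and not yet synced).
    OK: reserves and balances agree within the threshold."""
    d0, d1 = drift(snap.reserve0, snap.balance0), drift(snap.reserve1, snap.balance1)
    if d0 < -threshold or d1 < -threshold:
        return "DEFICIT"
    if d0 > threshold or d1 > threshold:
        return "SURPLUS"
    return "OK"


# Constructed sample snapshots: one healthy pair, one pair after a mass burn
# drained both sides, one pair holding a small unsynced surplus.
SNAPSHOTS = [
    PairSnapshot("pair-healthy", "WBNB", "USDT",
                 1_000_000, 600_000_000, 1_000_000, 600_000_000),
    PairSnapshot("pair-olpc-labubu", "OLPC", "LABUBU",
                 10_000_000, 8_000_000, 5_000, 120_000),
    PairSnapshot("pair-donated", "CAKE", "WBNB",
                 2_000_000, 40_000, 2_050_000, 40_000),
]


def scan(snapshots, threshold: float = 0.01) -> dict:
    """Map each pair to its status; anything not OK deserves a human look."""
    return {s.pair: classify(s, threshold) for s in snapshots}


def worst_deficit(snapshots) -> tuple:
    """Return (pair, most negative drift) across both sides of every pair."""
    worst = ("", 0.0)
    for s in snapshots:
        d = min(drift(s.reserve0, s.balance0), drift(s.reserve1, s.balance1))
        if d < worst[1]:
            worst = (s.pair, d)
    return worst


if __name__ == "__main__":
    print(scan(SNAPSHOTS))
    print(worst_deficit(SNAPSHOTS))
```

In practice the snapshots come from calling the pair's reserve getter and the two tokens' balance-of functions in the same block; a persistent deficit on a pair whose token implements burn-on-transfer is exactly the precondition the OLPC attacker relied on.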
JaredFromSubway.eth - 21/06/2026
Type: MEV Automation Exploit
One of Ethereum's most prolific maximal-extractable-value bots, operating under the JaredFromSubway.eth identity, was drained of roughly $7.5 million in what analysts described as a counter-MEV honeypot. Rather than exploiting a coding flaw, compromising a private key or deploying a phishing scheme, the attacker targeted the bot's own automated decision-making. Over a period of weeks the attacker deployed dozens of counterfeit token contracts and liquidity pools that mimicked wrapped Ether and major stablecoins, constructing routes that appeared to be profitable opportunities the bot would naturally pursue. Early interactions consumed the bot's token approvals as expected and returned small profits, which kept it engaging with the routes. Later interactions were structured so that the approvals remained open rather than being spent, leaving attacker-controlled contracts with standing permission to move the bot's assets. A final sweep then used these approvals to extract genuine WETH, USDC and USDT. The proceeds were consolidated into Ether, with 1,000 ETH routed through Tornado Cash.
Impact: $7,500,000
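The JaredFromSubway drain did not need a code bug in the bot; it needed the bot to leave token approvals standing after trades that appeared profitable. The example below is added for this report and is not the bot's code: a minimal ERC-20-style ledger, a constructed "bait" route that pulls only part of what it was approved for and hands back a small rebate, and two trading loops, one that forgets its approvals and one that enforces a zero-allowance invariant after every trade. The `open_approvals` audit is the check an operator would run over any automated wallet.

```python
from collections import defaultdict


class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""

    def __init__(self, symbol: str, balances: dict):
        self.symbol = symbol
        self.balances = defaultdict(int, balances)
        self.allowances = defaultdict(int)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender: str, to: str, amount: int) -> None:
        if self.balances[sender] < amount:
            raise PermissionError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] += amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        if self.allowances[(owner, spender)] < amount:
            raise PermissionError("insufficient allowance")
        self.allowances[(owner, spender)] -= amount
        self.transfer(owner, to, amount)


class BaitRoute:
    """Constructed model of a route that pulls only part of its approval and
    returns slightly more than it took, so the caller books a small profit
    while most of the approval stays open."""

    def __init__(self, address: str, pull: int, rebate: int):
        self.address, self.pull, self.rebate = address, pull, rebate

    def execute(self, token: Token, caller: str) -> None:
        token.transfer_from(self.address, caller, self.address, self.pull)
        token.transfer(self.address, caller, self.pull + self.rebate)


def trade_naive(token: Token, bot: str, route: BaitRoute, approve_amount: int) -> None:
    """Approve generously, trade, move on: whatever was not pulled stays approved."""
    token.approve(bot, route.address, approve_amount)
    route.execute(token, bot)


def trade_hygienic(token: Token, bot: str, route: BaitRoute, approve_amount: int) -> None:
    """Same trade, followed by a post-trade invariant: no allowance survives."""
    token.approve(bot, route.address, approve_amount)
    route.execute(token, bot)
    if token.allowances[(bot, route.address)] != 0:
        token.approve(bot, route.address, 0)


def open_approvals(token: Token, owner: str) -> dict:
    """Audit helper: every spender still holding a non-zero allowance from owner."""
    return {s: a for (o, s), a in token.allowances.items() if o == owner and a > 0}


def sweep(token: Token, spender: str, victim: str) -> int:
    """What a standing allowance is worth later: min(allowance, current balance)."""
    amount = min(token.allowances[(victim, spender)], token.balances[victim])
    if amount > 0:
        token.transfer_from(spender, victim, spender, amount)
    return amount


def demo() -> dict:
    results = {}
    for name, trade in (("naive", trade_naive), ("hygienic", trade_hygienic)):
        weth = Token("WETH", {"bot": 1_000, "route": 50})   # constructed balances
        route = BaitRoute("route", pull=10, rebate=1)
        trade(weth, "bot", route, approve_amount=1_000)
        results[name] = {
            "profit_seen": weth.balances["bot"] - 1_000,   # +1 in both cases
            "open": open_approvals(weth, "bot"),
            "swept": sweep(weth, "route", "bot"),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Both loops see the same small profit, which is what kept the real bot engaging; only the allowance audit tells them apart, and only the zero-allowance invariant stops the later sweep.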
Taiko - 22/06/2026
Type: Cross-Chain Bridge Exploit
The month closed with an exploit against Taiko, an Ethereum Layer-2 network, targeting the ERC20 Vault within its bridge. The attacker compromised the chain-state verification mechanism by forging the attestation proofs used to register provers, which allowed a malicious prover to be admitted to the system. With verification effectively bypassed, the attacker submitted fraudulent bridge messages and drained approximately $1.7 million in assets, including USDC, ETH and the TAIKO token, with a portion of the TAIKO subsequently moved to a centralised exchange. Taiko confirmed the verification compromise, paused both the bridge and block production, and coordinated with exchanges to freeze attacker-controlled assets while it prepared a full post-mortem.
Impact: $1,700,000
Key Findings and Trends
Ethereum remained the ecosystem's settlement and exit layer
As in previous months, Ethereum featured in the majority of incidents analysed, though its role was as much a destination as a target. Attacks originating on BNB Chain, Solana and other networks consistently converged on Ethereum, where stolen value was consolidated, swapped and laundered. Of the eleven incidents, the majority saw proceeds bridged to or settled on Ethereum before being moved further, reflecting the network's continued position as the deepest liquidity venue and the natural staging ground for obscuring the trail of stolen funds. BNB Chain and Solana each appeared as the origin point for multiple incidents, but even these were typically funnelled into Ethereum during the laundering phase.

Deprecated and abandoned contracts were June's defining target
The single clearest pattern of the month was the exploitation of code that had been retired but never removed from the chain. Raydium, Thetanuts Finance and Aztec Connect were each compromised through vulnerabilities in deprecated components that continued to hold or control value, and in the Aztec case the contract was fully immutable with no party able to intervene. The Gnosis Pay incident involved a module compiled against an outdated dependency whose vulnerability had already been addressed in a newer release, and the OLPC pool incident turned on a token whose owner had renounced control after pre-positioning the flaw. Nominis assesses that these dormant deployments represent a distinct and growing category of exposure, because they combine three attractive properties for an attacker: they still hold assets, they are rarely monitored, and their owners frequently lack any mechanism to respond.

Tornado Cash re-emerged as the primary laundering route
Five of the eleven incidents, namely Specter, Token of Power, Raydium, the OLPC pool and JaredFromSubway, saw proceeds routed through Tornado Cash. In each case the mixer was reached only after cross-chain movement onto Ethereum, underlining a consistent laundering sequence in which value is first extracted on the chain of origin, then bridged, and finally passed through the mixer for obfuscation. For compliance functions, the recurrence of this pattern reinforces the value of tracing activity across the bridge step, where the movement between chains often provides the clearest attribution signal before funds enter the mixer.

Stablecoins and Ether were the most commonly moved assets
USDT, USDC and Ether, whether native or wrapped, appeared across the majority of incidents, most often as the assets into which stolen value was converted rather than the assets initially taken. Native project tokens such as H, SYS, TSR, TOP, RAY and TAIKO were frequently the direct object of the exploit, but their illiquidity meant attackers moved quickly to exchange them for stablecoins and Ether that could be preserved without market exposure and laundered efficiently. This mirrors the preference observed throughout the year for highly liquid, low-volatility assets during the exit phase.
White-hat intervention and coordinated recovery limited net losses
June was distinguished by an unusually high rate of recovery relative to gross losses. Syscoin recovered and burned the entire unauthorised supply, returning its token supply to normal. A white-hat secured roughly $2 million of the Thetanuts losses, reducing the net figure to around $105,000. Raydium and Gnosis both committed to full reimbursement from their own resources. As a result, the realised loss to end users across the month was materially lower than the approximately $62.2 million gross figure implies. Nominis assesses that the growing role of white-hat responders and the willingness of well-capitalised projects to absorb losses are meaningfully changing the relationship between the headline value stolen and the value ultimately lost.
Conclusion
Although gross losses from June's major incidents fell to roughly half of May's total, the incidents observed throughout the month indicate that the pressure on the ecosystem is changing in character rather than easing.
The clearest signal was the concentration of activity around deprecated, immutable and abandoned contracts, which offered attackers value that was still live but no longer watched or defended. Where earlier months were defined by the targeting of cross-chain bridges and privileged access, June suggested that the forgotten remnants of past protocols are becoming a favoured hunting ground in their own right.
At the same time, the month demonstrated how wide the attack surface has become. A governance mechanism was captured by purchasing voting power, an automated trading system was turned against its own logic, and a contested incident raised the possibility that a reported theft was in fact a coordinated exit. These cases sit alongside more familiar bridge and minting exploits to reinforce the view that attackers increasingly treat the ecosystem as an interconnected web of trust relationships, permissions and automated behaviours, each of which can be exploited to move or extract the value it was built to handle.
An encouraging development this month was recovery. A substantial share of June's gross losses was reversed through burning, white-hat intervention or reimbursement, materially reducing the harm ultimately felt by users. This does not diminish the underlying weaknesses the month exposed, but it does point to a maturing response capability across the industry. Looking ahead, the persistence of dormant on-chain code, the continued convergence of stolen value onto Ethereum and its laundering through Tornado Cash, and the emergence of attacks aimed at governance and automated systems all suggest that the coming months will test not only the security of code, but the discipline with which the ecosystem retires, monitors and governs the infrastructure it has already built.
All research content and accompanying reports are provided for informational purposes only and should not be relied upon as professional advice. Accessing these materials does not create any professional relationship or duty of care. Readers are encouraged to consult appropriately qualified professionals for guidance. We uphold the highest standards of accuracy in all the information we provide. For any questions or feedback, please contact us at [email protected].