CVA Security Watch #2: When Systems Work… But Still Break

Published on April 9, 2026

A quarterly briefing by the Cybersecurity Working Group at the Crypto Valley Association

Summary

The latest wave of incidents in Web3 security reveals a critical shift:

The most damaging exploits are no longer driven by novel code vulnerabilities, but by flawed assumptions in system design, validation, and configuration.

Across multiple cases, protocols behaved exactly as intended, yet still failed.

This edition distills five recent incidents into clear, actionable insights to help builders, operators, and investors better understand emerging risk patterns.

When Prices Can Be Bent, Value Can Be Extracted

Makina Finance - $4.1M Loss

What happened
An attacker used approximately $280M in flash loans to temporarily distort liquidity pool balances and force the protocol to update its internal valuation using manipulated data.

Why it worked

  • Reliance on instantaneous pool state as a price oracle

  • No time delay, no averaging mechanism (TWAP), no sanity checks

  • Critical accounting function callable by anyone

Outcome
The protocol recorded an inflated valuation and allowed value extraction before prices normalized.
A separate MEV actor replicated the exploit within one block, capturing a significant portion of the proceeds.

Key takeaway
Temporary market distortions can become permanent accounting truth if safeguards are missing.

If Collateral Can Be Manipulated, Debt Becomes the Weapon


Venus Protocol - Bad Debt Event (March 2026)

What happened
An attacker manipulated the price of a low-liquidity collateral asset, artificially inflating its value before using it to borrow high-value assets from the protocol.

Why it worked

  • Reliance on on-chain pricing influenced by low-liquidity markets

  • Collateral factors and risk parameters were too permissive

  • Liquidation mechanisms could not react effectively under distorted conditions

Outcome
When the collateral price normalized, positions became undercollateralized.
The protocol was left with millions in bad debt, rather than direct vault draining.

Key takeaway
In lending systems, collateral quality and oracle robustness define the security boundary, not just code correctness.
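The two failure modes above (Makina: an accounting function that trusts instantaneous pool reserves; Venus: a lender that prices thin-liquidity collateral from a manipulable feed) share one mechanic, so one worked example serves both. The code below is an added illustration, not code from either protocol: it models a constant-product pool, a flash-loan pump within a single transaction, and the borrow a lender grants against the inflated price, then shows the same transaction refused once valuation goes through a TWAP that excludes the current block plus a deviation check. The reserves, the collateral factor, the 10-block window and the 5% bound are constructed toy values.

```python
"""Spot-price oracle manipulation with a flash loan, and the bad debt a lender
inherits from it.

Added illustration for the Makina and Venus sections; not code from either
protocol. Pool sizes, collateral factor, TWAP window and the 5% deviation
bound are constructed toy values. The only structural assumption is a
constant-product AMM (reserve_a * reserve_b = k), which is what an on-chain
"instantaneous pool state" price is read from.
"""

from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pool:
    """Constant-product pool. A is the manipulable collateral token, B the quote asset."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        """Price of A in units of B, straight from the current reserves."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell B, receive A (no fee). Pushes the spot price of A up."""
        k = self.reserve_a * self.reserve_b
        new_a = k / (self.reserve_b + amount_b)
        out = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, self.reserve_b + amount_b
        return out

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell A, receive B (no fee). Pushes the spot price of A back down."""
        k = self.reserve_a * self.reserve_b
        new_b = k / (self.reserve_a + amount_a)
        out = self.reserve_b - new_b
        self.reserve_a, self.reserve_b = self.reserve_a + amount_a, new_b
        return out


class TwapOracle:
    """Average of the spot price recorded at the end of the last `window` blocks.
    The current block's reserves are deliberately excluded, so a swap that is
    unwound inside the same transaction never reaches the reported price."""

    def __init__(self, window: int):
        self.history = deque(maxlen=window)

    def record_block_end(self, pool: Pool) -> None:
        self.history.append(pool.spot_price())

    def price(self) -> float:
        return sum(self.history) / len(self.history)


MAX_DEVIATION = 0.05  # toy sanity bound: refuse to act if spot is >5% away from the TWAP


def valuation_price(pool: Pool, oracle: TwapOracle, guarded: bool) -> Optional[float]:
    """Price the protocol uses for accounting. Unguarded: trust the raw reserves.
    Guarded: use the TWAP, and refuse entirely when spot disagrees with it."""
    spot = pool.spot_price()
    if not guarded:
        return spot
    twap = oracle.price()
    if abs(spot - twap) / twap > MAX_DEVIATION:
        return None
    return twap


def simulate_attack(guarded: bool) -> dict:
    """One atomic transaction: flash-loan B, pump A, borrow against A, unwind, repay."""
    pool = Pool(reserve_a=1_000_000, reserve_b=1_000_000)  # honest price: 1 B per A
    oracle = TwapOracle(window=10)
    for _ in range(10):
        oracle.record_block_end(pool)  # ten quiet blocks at price 1.0

    collateral_a = 100_000     # attacker's own deposit, honestly worth 100_000 B
    collateral_factor = 0.8    # lender allows borrowing 80% of collateral value
    flash_loan_b = 9_000_000

    # 1. Flash-loan 9M B and buy A: reserves become 100_000 A / 10M B, spot = 100.
    bought_a = pool.swap_b_for_a(flash_loan_b)

    # 2. The lender prices the collateral with whatever feed it trusts.
    price = valuation_price(pool, oracle, guarded)
    borrowed_b = 0.0 if price is None else collateral_a * price * collateral_factor

    # 3. Sell the A back (reserves return to 1M / 1M) and repay the flash loan.
    returned_b = pool.swap_a_for_b(bought_a)
    assert returned_b >= flash_loan_b - 1e-6, "toy unwind should repay the loan"

    true_value = collateral_a * pool.spot_price()  # price is 1.0 again
    return {
        "price_used": price,
        "borrowed": borrowed_b,
        "collateral_true_value": true_value,
        "bad_debt": max(0.0, borrowed_b - true_value),
    }


if __name__ == "__main__":
    print("spot-price oracle:", simulate_attack(guarded=False))
    print("TWAP + deviation check:", simulate_attack(guarded=True))
```

Unguarded, the lender sees a price of 100, lends 8M B against collateral worth 100k B, and is left holding 7.9M B of bad debt once the pool is unwound in the same block. Guarded, the deviation check refuses the valuation outright. Note that a TWAP alone only dilutes a single-block distortion; the deviation bound is what turns a distorted market into a refusal rather than a smaller loss.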


If You Don’t Verify Ownership, It Doesn’t Exist

Step Finance - $1.3M Loss

What happened
The attacker crafted transactions that satisfied the program's insufficient validation checks, enabling unauthorized withdrawals from token vaults.

Why it worked

  • Weak validation of authority and account ownership

  • Incorrect assumptions about trusted account structures

  • No limits or safeguards to restrict abnormal withdrawals

Outcome
Funds were drained through transactions that appeared structurally valid but violated underlying ownership logic.

Key takeaway
In composable systems, every assumption must be explicitly verified; a well-formed transaction is not proof of legitimacy.
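What "structurally valid but violating ownership logic" looks like in practice, as an added illustration that is not Step Finance's code: a withdraw handler on an account-model chain (Solana conventions: every account has an owner program, a program may only trust data in accounts it owns, signers are explicit) that checks only that the state account parses and that its fields line up, next to one that verifies owner, signer and a withdrawal limit before any value moves. The program ids, keys, account layout and balances are constructed toy values.

```python
"""Account-ownership validation on an account-model chain.

Added illustration for the Step Finance section; not the program's code.
Follows Solana's account model, but the program ids, keys, layout, limit
and balances below are constructed toy values.
"""

import struct
from dataclasses import dataclass

VAULT_PROGRAM = "VaultProgram1111"     # the program whose withdraw handler we model
TOKEN_PROGRAM = "TokenProgram1111"     # program that owns token balance accounts
ATTACKER_PROGRAM = "EvilProgram11111"  # any program the attacker controls

STATE_DISC = b"VSTATE\0\0"
STATE_LAYOUT = struct.Struct("<8s32s32s")  # discriminator, authority key, token-vault key
TOKEN_LAYOUT = struct.Struct("<Q")         # balance
MAX_WITHDRAWAL_PER_TX = 250_000            # toy abnormal-withdrawal limit


@dataclass
class Account:
    pubkey: str
    owner: str             # program allowed to write this account's data
    data: bytes
    is_signer: bool = False


class InvalidAccount(Exception):
    pass


def key_bytes(pubkey: str) -> bytes:
    return pubkey.encode().ljust(32, b"\0")


def encode_state(authority: str, token_vault: str) -> bytes:
    return STATE_LAYOUT.pack(STATE_DISC, key_bytes(authority), key_bytes(token_vault))


def decode_state(data: bytes):
    disc, auth, tv = STATE_LAYOUT.unpack(data)
    return disc, auth.rstrip(b"\0").decode(), tv.rstrip(b"\0").decode()


def _debit(token_vault: Account, amount: int) -> int:
    (balance,) = TOKEN_LAYOUT.unpack(token_vault.data)
    if amount > balance:
        raise InvalidAccount("insufficient balance")
    token_vault.data = TOKEN_LAYOUT.pack(balance - amount)
    return amount


def _fields_match(state: Account, token_vault: Account, authority: Account) -> bool:
    disc, recorded_authority, recorded_vault = decode_state(state.data)
    return (disc == STATE_DISC and recorded_authority == authority.pubkey
            and recorded_vault == token_vault.pubkey)


def withdraw_weak(state: Account, token_vault: Account, authority: Account, amount: int) -> int:
    """Vulnerable pattern: the state account is trusted because it parses and
    its fields match the other accounts. Nobody asks who owns that state
    account or whether the authority actually signed."""
    if not _fields_match(state, token_vault, authority):
        raise InvalidAccount("state does not match accounts")
    return _debit(token_vault, amount)


def withdraw_hardened(state: Account, token_vault: Account, authority: Account, amount: int) -> int:
    """Every trust assumption made explicit before any value moves."""
    if state.owner != VAULT_PROGRAM:
        raise InvalidAccount("state account is not owned by this program")  # forged state
    if token_vault.owner != TOKEN_PROGRAM:
        raise InvalidAccount("token account is not a real token account")
    if not authority.is_signer:
        raise InvalidAccount("authority did not sign this transaction")
    if amount > MAX_WITHDRAWAL_PER_TX:
        raise InvalidAccount("withdrawal exceeds per-transaction limit")
    if not _fields_match(state, token_vault, authority):
        raise InvalidAccount("state does not match accounts")
    return _debit(token_vault, amount)


def attempt_drain(withdraw) -> int:
    """Attacker passes a forged state account (correct layout, wrong owner) that
    names them as authority over the real token vault. Returns the vault's
    balance after the attempt."""
    real_vault = Account("RealTokenVault11", TOKEN_PROGRAM, TOKEN_LAYOUT.pack(1_000_000))
    attacker = Account("Attacker11111111", "SystemProgram111", b"", is_signer=True)
    forged_state = Account("ForgedState11111", ATTACKER_PROGRAM,
                           encode_state(attacker.pubkey, real_vault.pubkey))
    try:
        withdraw(forged_state, real_vault, attacker, 1_000_000)
    except InvalidAccount:
        pass
    (remaining,) = TOKEN_LAYOUT.unpack(real_vault.data)
    return remaining


def legitimate_withdraw(withdraw, amount: int) -> int:
    """The real owner withdrawing through a genuine, program-owned state account."""
    real_vault = Account("RealTokenVault11", TOKEN_PROGRAM, TOKEN_LAYOUT.pack(1_000_000))
    owner = Account("LegitOwner111111", "SystemProgram111", b"", is_signer=True)
    state = Account("VaultState111111", VAULT_PROGRAM, encode_state(owner.pubkey, real_vault.pubkey))
    return withdraw(state, real_vault, owner, amount)


if __name__ == "__main__":
    print("weak handler, vault left with:", attempt_drain(withdraw_weak))
    print("hardened handler, vault left with:", attempt_drain(withdraw_hardened))
    print("legitimate withdrawal:", legitimate_withdraw(withdraw_hardened, 50_000))
```

The forged state account is byte-for-byte a valid vault record; the only thing wrong with it is who owns it, which the weak handler never asks. The owner check is the one that stops the drain, the signer check stops replay of someone else's authority key, and the per-transaction limit bounds the damage if a future check is missed.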

When Accounting Diverges from Reality, Value Can Be Created from Nothing


Solv Protocol - Voucher Exploit (March 2026)

What happened
An attacker exploited flaws in voucher minting and redemption logic, allowing them to extract value without providing equivalent backing.

Why it worked

  • Mismatch between internal accounting and actual asset backing

  • Missing invariants ensuring 1:1 correspondence between vouchers and underlying assets

  • Complex financial abstractions masking edge-case vulnerabilities

Outcome
The attacker repeatedly interacted with flawed logic to create unbacked value, resulting in a direct drain of protocol-controlled funds.

Key takeaway
Every synthetic or derivative representation of value must maintain strict, verifiable backing at all times.
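An added illustration of what "strict, verifiable backing at all times" means in code. This is not Solv's code and the flaw it contains is a constructed, hypothetical one (a partial-redemption path that pays out without burning), chosen only to show how one explicit invariant, checked on the projected state before anything is committed, stops voucher supply from drifting away from the assets actually held. All balances are toy values.

```python
"""Backing invariant for a voucher (synthetic) token.

Added illustration for the Solv section; not Solv's code. The bug below
(partial redemption pays out but never burns) is hypothetical and exists
only to exercise the invariant. All balances are toy values.
"""


class InvariantViolation(Exception):
    pass


class VoucherVault:
    """Each voucher is supposed to be redeemable 1:1 for one unit of backing."""

    def __init__(self, enforce_invariant: bool):
        self.enforce = enforce_invariant
        self.backing = 0      # units of the underlying asset actually held
        self.vouchers = {}    # holder -> voucher balance

    def total_supply(self) -> int:
        return sum(self.vouchers.values())

    def _check(self, backing: int, vouchers: dict) -> None:
        """Invariant: every outstanding voucher must be backed. Evaluated on the
        projected state so that a violating transition is never committed."""
        if backing < 0:
            raise InvariantViolation("backing cannot go negative")
        supply = sum(vouchers.values())
        if self.enforce and supply > backing:
            raise InvariantViolation(f"supply {supply} exceeds backing {backing}")

    def mint(self, holder: str, amount: int) -> None:
        """Deposit `amount` of backing, receive `amount` vouchers."""
        vouchers = dict(self.vouchers)
        vouchers[holder] = vouchers.get(holder, 0) + amount
        self._check(self.backing + amount, vouchers)
        self.backing += amount
        self.vouchers = vouchers

    def redeem(self, holder: str, amount: int) -> int:
        """Return `amount` vouchers, receive `amount` of backing."""
        if amount > self.vouchers.get(holder, 0):
            raise InvariantViolation("redeeming more than held")
        vouchers = dict(self.vouchers)
        if amount == vouchers[holder]:
            del vouchers[holder]     # full redemption burns the position
        else:
            pass                     # HYPOTHETICAL BUG: partial redemption never burns
        self._check(self.backing - amount, vouchers)
        self.backing -= amount
        self.vouchers = vouchers
        return amount


def attempt_drain(enforce_invariant: bool) -> int:
    """An honest user deposits 100, the attacker deposits 100 and then
    repeatedly partial-redeems 99. Returns the attacker's total payout."""
    vault = VoucherVault(enforce_invariant)
    vault.mint("honest", 100)
    vault.mint("attacker", 100)
    payout = 0
    try:
        for _ in range(10):
            payout += vault.redeem("attacker", 99)  # never a full burn
    except InvariantViolation:
        pass
    return payout


def honest_roundtrip(enforce_invariant: bool) -> int:
    """Normal path: deposit and fully redeem; must work with the check on."""
    vault = VoucherVault(enforce_invariant)
    vault.mint("honest", 100)
    return vault.redeem("honest", 100)


if __name__ == "__main__":
    print("no invariant, attacker payout on a 100 deposit:", attempt_drain(False))
    print("invariant enforced, attacker payout:", attempt_drain(True))
    print("honest roundtrip:", honest_roundtrip(True))
```

Without the check the attacker turns a 100-unit deposit into 198 units, taking the honest user's backing, and the only thing that eventually stops them is the vault running out of assets. With the check, the very first unbacked transition is rejected and the honest path is unaffected. The point is not the particular bug: an invariant of the form `total_supply <= backing`, evaluated before commit, catches any minting or redemption flaw that breaks 1:1 correspondence, including ones the author never thought of.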


What You Launch Is What Attackers Get

What happens
Protocols are deployed with unsafe default configurations, exposing critical functionality from the first block.

Why it works

  • Vulnerabilities are immediately visible on-chain

  • No technical sophistication required to exploit

  • Teams assume configurations will be updated later

Common issues

  • Public admin functions

  • Missing limits or constraints

  • Unrestricted minting or withdrawals

  • No circuit breakers or delays

Key takeaway
There is no “safe window” after deployment: default settings are production settings.
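Two of the controls listed above as commonly missing at launch, a withdrawal circuit breaker and a delay on privileged changes, in working form. This is an added illustration, not code from any protocol named in this briefing; the hypothetical `Guardrails` class, the one-hour window, the cap and the one-day timelock are constructed values.

```python
"""Rolling-window withdrawal cap (circuit breaker) and a timelock on
privileged parameter changes.

Added illustration; not code from any protocol named in this briefing.
Window, cap and delay are toy values; `Guardrails` is a hypothetical class.
"""

from collections import deque


class Guardrails:
    def __init__(self, cap_per_window: int, window_seconds: int, timelock_seconds: int):
        self.cap = cap_per_window
        self.window = window_seconds
        self.timelock = timelock_seconds
        self.withdrawals = deque()   # (timestamp, amount) inside the current window
        self.pending = {}            # param -> (new value, earliest execution time)
        self.params = {}             # live configuration

    def _used_in_window(self, now: int) -> int:
        while self.withdrawals and self.withdrawals[0][0] <= now - self.window:
            self.withdrawals.popleft()
        return sum(amount for _, amount in self.withdrawals)

    def withdraw(self, now: int, amount: int) -> bool:
        """True if allowed; False means the breaker tripped and the caller must revert."""
        if self._used_in_window(now) + amount > self.cap:
            return False
        self.withdrawals.append((now, amount))
        return True

    def propose(self, now: int, param: str, value) -> int:
        """Queue a privileged change; returns the earliest time it may execute."""
        eta = now + self.timelock
        self.pending[param] = (value, eta)
        return eta

    def execute(self, now: int, param: str) -> bool:
        """Apply a queued change only once the delay has elapsed."""
        if param not in self.pending:
            return False
        value, eta = self.pending[param]
        if now < eta:
            return False
        self.params[param] = value
        del self.pending[param]
        return True


def drain_in_one_block(balance: int, cap: int) -> int:
    """How much an attacker can take in a single block once the breaker is on:
    the whole balance is refused, one cap-sized chunk passes, the rest trips."""
    g = Guardrails(cap_per_window=cap, window_seconds=3600, timelock_seconds=86_400)
    taken = 0
    for chunk in (balance, cap, cap, 1):
        if g.withdraw(now=0, amount=chunk):
            taken += chunk
    return taken


def window_resets(cap: int) -> bool:
    """A cap-sized withdrawal is allowed again once the window has rolled over."""
    g = Guardrails(cap_per_window=cap, window_seconds=3600, timelock_seconds=86_400)
    first = g.withdraw(now=0, amount=cap)
    blocked = g.withdraw(now=1800, amount=cap)
    later = g.withdraw(now=3600, amount=cap)
    return first and not blocked and later


def admin_change_timeline(timelock: int) -> tuple:
    """Raising a collateral factor cannot take effect in the same block it is proposed."""
    g = Guardrails(cap_per_window=100_000, window_seconds=3600, timelock_seconds=timelock)
    g.params["collateral_factor"] = 0.5
    eta = g.propose(now=0, param="collateral_factor", value=0.9)
    immediate = g.execute(now=0, param="collateral_factor")
    after_delay = g.execute(now=eta, param="collateral_factor")
    return immediate, after_delay, g.params["collateral_factor"]


if __name__ == "__main__":
    print("drainable in one block:", drain_in_one_block(1_000_000, 100_000))
    print("window resets:", window_resets(100_000))
    print("timelock (immediate, after delay, value):", admin_change_timeline(86_400))
```

Neither control stops an exploit; they bound it. The breaker turns "the vault" into "the cap" as the worst single-block loss, and the timelock turns a silent parameter change into a visible on-chain event that monitoring and users get a day to react to. Both are only useful if they are live in the deployment transaction itself.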


Cross-Incident Analysis

These incidents reflect a broader shift in Web3 risk:

1. Systems are failing by design, not by accident

The underlying logic functioned as intended but failed under adversarial use.

2. Assumptions are the new attack surface

  • Price integrity

  • Collateral valuation

  • Ownership validation

  • Accounting consistency

  • Deployment configuration

3. Economic design is as critical as technical security

Exploits increasingly target market mechanics and financial assumptions, not just code.

4. Speed removes the margin for error

Flash loans, atomic execution, and MEV reduce response time to effectively zero.


About the Cybersecurity Working Group

The Crypto Valley Association Cybersecurity Working Group brings together industry participants to advance security standards, share threat intelligence, and promote best practices across the Web3 ecosystem.

The working group collaborates with leading security organizations, including Halborn, a member of the Crypto Valley Association and a globally recognized blockchain security firm contributing to the resilience and security of the digital asset industry.

Professionals, builders, and organizations are encouraged to engage with the working group to:

  • Stay informed on emerging threats

  • Contribute to best practices

  • Help shape a more resilient ecosystem

Sources

Makina Finance incident
https://rekt.news/makina-rekt

Step Finance incident
https://rekt.news/step-finance-rekt

Default configuration risks
https://rekt.news/default-settings

Venus Protocol incident
https://www.halborn.com/blog/post/explained-the-venus-protocol-hack-march-2026

Solv Protocol incident
https://www.halborn.com/blog/post/explained-the-solv-hack-march-2026

Stay connected with CVA: follow us on LinkedIn, Twitter, and YouTube for updates, insights, and upcoming events. Visit our website to learn more about our initiatives, become a member, or reach out directly.