
CVA Security Watch #3: Patience Is the New Exploit
CVA Security Watch #3
A quarterly briefing by the Cybersecurity Working Group at the Crypto Valley Association
Patience Is the New Exploit
On April 1st, Mert, CEO of Helius, posted a hedge nobody in DeFi wants to read: Drift looked exploited. He was already too late. The drain had run quietly for a week, and the attackers behind it had spent six months becoming people its contributors trusted.
Not a bug. A decision to wait, in a compromised RPC node, on a laptop backed up too early, or across six months of manufactured friendship.
Three of Q2 2026's five defining incidents trace to North Korea's state-sponsored hacking apparatus (DPRK). Combined losses: over $611 million. The other two needed no nation-state, just an unwatched cryptography library and a stack of unrevoked token approvals.
None was undone by code an auditor actually read. Each was undone by what sat just outside it. Patience is this quarter's weapon of choice.

When the Audit Never Sees the Whole House
KelpDAO / LayerZero, $290 million, April 18
The attacker never touched KelpDAO's code. Inside LayerZero's own infrastructure, an intruder swapped node binaries and taught the machine to lie: 116,500 rsETH had supposedly been burned on Unichain. It hadn't. KelpDAO's bridge trusted a single verifier, and that verifier said yes.
The stolen rsETH went straight into Aave as collateral, borrowed out as real WETH. Aave's contracts performed exactly as written, that was the problem: $8.45 billion left in 48 hours, leaving Aave holding $123 to $230 million in debt it did not create.
The Working Group's consensus: a textbook audit boundary illusion, contracts audited to death while off-chain dependencies go unreviewed. Calling a single verifier "decentralized" doesn't survive contact with what happened.
The Con Wore a Conference Badge
Drift Protocol, $285 million, April 1
It began with a handshake. In October 2025, a group posing as a quant trading firm approached Drift's contributors at a conference. Over six months they built a real-looking relationship: a Telegram channel, a vault onboarded, over a million dollars of their own capital deposited. By February, Drift's team was meeting colleagues, not strangers.
That trust bought the moment a shared repository link stopped looking like a risk. One click, on a known code-editor flaw, handed over a signing workflow. The rest was mechanical: pre-signed transactions, a multisig needing only two of five signatures, no waiting period. It fired in 128 seconds.
Elliptic and TRM Labs pointed to UNC4736, a North Korean group, the eighteenth DPRK-attributed operation logged that year alone.
The Working Group's view is unambiguous: the human remains the weakest link. Security budgets poured entirely into cyberspace miss half the battlefield.
Old Libraries, New Losses
THORChain, $10.7 million, May 15
A new validator waited out THORChain's churn delay and joined a signing vault. For two days it took part in routine signing ceremonies, each leaking fragments of fellow signers' private key material, a vulnerability public since 2023. A fix sat in THORChain's codebase, committed nine days before the exploit, unshipped.
The attacker reconstructed the vault's private key offline. THORChain's solvency checker halted the network within minutes, with nothing left to save. Eight audits ran in 2025, all above the vault. Not one looked at the vault itself.
The Working Group frames this as a timing problem: don't chase every update the day it ships, but don't let a signing library go three years without a look either.
Six Keys, One Laptop, Zero Multisig
Humanity Protocol, $36.4 million, June 8
A phishing email disguised as an exchange document asked a director to review a lockup schedule. He downloaded it. The attachment gave the sender a foothold on his machine, and from there his MetaMask wallet, which held three of the protocol's six Ethereum signer keys and three of five on BSC. A six-signer multisig, built for six independent judgments, had quietly become one laptop. The threshold was three. The attacker already had three.
What followed was fast: admin ownership transferred, a malicious upgrade, the bridge drained, minting switched on. $36.4 million was laundered through Uniswap before the team's first statement mentioned only "a member" of the foundation.
The Working Group doesn't soften this one: a multisig whose keys all end up in the same place isn't a multisig, it's a single signature wearing a costume.
The Sandwich Bot Got Sandwiched
JaredfromSubway.eth (MEV Bot), $7.5 million, June 20
For years, JaredfromSubway.eth was Ethereum's most profitable mempool predator, front-running pending trades for an estimated $60 million a year. On June 20th, someone finally out-hunted the hunter.
An unknown attacker seeded 66 fake token contracts, dressed up as WETH, USDC, and USDT, paired with fabricated liquidity pools built to look like easy sandwich targets. Jared's bot took the bait, granting spending approvals it never paused to question. Once enough had piled up unrevoked, a single coordinated transaction swept $7.5 million in ETH and stablecoins straight into Tornado Cash.
The Working Group doesn't hold back: the apex predator of MEV got liquidated by its own automated greed, a clean illustration of the tail risk sitting inside every purely algorithmic capital deployment.
Cross-Incident Analysis
The nation-state playbook is diversifying, not repeating: six months and a human touch for Drift, a compromised RPC list and two hours for KelpDAO. Assume both are already running against someone else.
"Audited" describes a boundary, not a guarantee. Every failure this quarter lived in the layer nobody agreed to review: infrastructure, a signing library, a laptop, an approval nobody revoked.
Distributed trust only works when the distribution is real. A single verifier, a multisig with no timelock, six keys on one machine, all wear the vocabulary of decentralization while functioning as a single point of failure.
Deferred maintenance is a bet. The industry lost it three times this quarter, at a price paid by users, and in one case a bot, who never saw the decision being made.
About the Working Group
CVA's Cybersecurity Working Group advances security standards and shares threat intelligence across Web3. Share your perspective, join our upcoming sessions, and visit cryptovalley.swiss.
What's your read on patience as the new attack vector?
Sources
KelpDAO / LayerZero: https://rekt.news/kelpdao-rekt Drift Protocol: https://rekt.news/drift-protocol-rekt
THORChain: https://rekt.news/thorchain-rekt3 Humanity Protocol: https://rekt.news/humanity-protocol-rekt
JaredfromSubway.eth MEV bot: https://www.chainalysis.com/blog/sandwich-attack-jaredfromsubway-hack/
DeFi Hacks and Exploits Database: https://defillama.com/hacks
