Or: Why we’re doing a security summit when everyone’s tired of conferences
Balancer had been audited by OpenZeppelin, Trail of Bits, Certora, and ABDK Consulting.
Over a dozen audit reports spanning five years. Formal verification. Bug bounties running across every major chain. Half a decade of battle testing.
On November 3rd, 2025, someone drained $128 million.
The vulnerability? A rounding error so subtle the developers left a comment in the code calling it “expected to be minimal.” Trail of Bits had actually flagged it back in 2021, specifically noting concerns about the exact function that got exploited. They couldn’t prove it was exploitable at the time, so it got marked “undetermined severity” and everyone moved on.
Four years later, someone proved it. Then they deployed their attack contract onchain, essentially publishing a tutorial. Within days, other protocols using similar code started bleeding money too.
The Same Mistakes Keep Happening
Attackers have discovered a more efficient approach: hunting through legacy code for bugs everyone assumed were fixed or deprecated. The method works consistently enough that it’s become systematic.
Abracadabra got hit three times in two years. $6.5M in January 2024, $13M in March 2025, $1.8M in October 2025. Twenty-one million dollars across three exploits, each one more preventable than the last. They had audits from multiple firms. They had bug bounties. They even had a fork called Synnax Labs that got audited by PeckShield right before getting exploited using the exact vulnerability Abracadabra would face months later.
PeckShield deleted that audit report afterward. Just… removed it.
Bunni lost $8.4 million in September. Cyfrin had audited them in June and found 50+ issues.
Their report literally warned: “Considering the number of issues identified, it is statistically likely that there are more complex bugs still present… it is recommended that a follow up audit be undertaken prior to continuing to deploy significant monetary capital to production.”
Bunni scaled anyway. Three months later they got drained through a rounding bug in their custom liquidity formula.
“The archives are fast becoming a shopping list.” Old code. Known patterns. Predictable outcomes.
The Economics Favor Exploitation
Picture this: You’re a security researcher who finds a critical vulnerability in a protocol holding $50 million. The bug bounty pays $50K for disclosure. Exploiting it could net $5M.
Cork Protocol’s bounty maxed at $100K. The exploit netted $12 million. The exploiter made 120x more by going dark than they would have made staying white hat.
SuperRare didn’t even have a bug bounty when they lost $730K to a vulnerability so basic ChatGPT could spot it. Researchers actually tested this and fed the code into ChatGPT. The AI immediately flagged the access control bug.
LayerZero launched a $15 million bug bounty in 2023. The substantial reward has kept them off the exploit leaderboards. Proper incentive alignment works when protocols actually fund it.
The broken economics show up most clearly in post-exploit behavior. GMX lost $42 million in July 2025 and immediately offered a $5 million recovery bounty. KiloEx lost $7.5 million to what researchers called “Oracle 101 level stuff,” then paid $750K to get it back.
The recovery money was there. Prevention could have used those same funds.
Speed Compounds Mistakes
GANA Payment lasted nine days from launch to liquidation. $3.1 million gone through leaked keys. They moved too fast to establish proper security.
TMXTribe lost $1.4 million to a logic bug. The team didn’t pause anything. Didn’t make statements. Just kept deploying new contracts while the exploit was happening. Then went silent.
The radio silence raises questions about whether it was really a bug.
WOO X got hit for $14 million in July. A phishing attack compromised a team member’s device and gave attackers access to their development environment. Three strikes in two years for the WOO ecosystem: Kronos Research in 2023, WooFi in 2024, WOO X in 2025. Same team, different attack vectors, same operational security failures.
They called it “quick detection” even though $14 million walked out the door.
The Knowledge Already Exists
In March 2023, Euler Finance lost $197 million. Most protocols die from something like that.
Euler spent eighteen months rebuilding. Their v2 relaunch came with 31 audits and $7.5 million in bug bounties – a different universe from the $1 million program they had when the hack hit. They aligned incentives so disclosure became worth more than exploitation. They learned from being on the leaderboard and made sure they’d never be there again.
We know what kills protocols. We know which attack vectors get reused. We know which audit firms do thorough work and which ones stamp reports for fees. We know exactly what bug bounty programs should cost relative to TVL.
The information exists in isolated silos. Security researchers who’ve earned seven-figure bounties know which protocols actually pay fairly. White hats who chose disclosure know exactly where that calculation breaks down. Teams who survived exploits know what 3 AM operational paralysis feels like. Auditors willing to be honest know where their industry cuts corners. We see the patterns before they become exploits.
These people operate in separate worlds. They rarely talk to each other. They treat each other like adversaries instead of potential allies.
Why A Rekt Security Summit?
So we’re hosting a security summit
Yes, we see the irony. A publication that’s built its reputation documenting your failures now wants to help prevent them. We’ve made a business out of your worst days. We’ve ranked your losses on a leaderboard.
But here’s the thing: we’ve also watched the same patterns repeat for four years. We’ve seen protocols die from problems that were solved elsewhere. We’ve watched researchers who found critical bugs choose exploitation because disclosure wasn’t worth the hassle. We’ve seen auditors stay quiet about industry problems because speaking up means losing clients.
March 28th. Cannes. One day.
The timing is deliberate. Thousands of people will be in Cannes during Stable Summit week discussing stablecoins and institutional adoption. We’re hosting a parallel conversation about whether that future can actually be built without solving the security fundamentals first.
Who should attend
If you’ve told your community “we’re audited by four firms” and still can’t sleep, you already know why.
If you’ve found a critical bug and spent more time calculating exploit value than filling out the bounty submission, we should talk about why that calculation exists.
If you run an audit firm and you’ve ever marked something “out of scope” because fixing it would blow the timeline, this is your chance to say that out loud in a room where everyone else has done the same thing.
If you watched Balancer get exploited four years after Trail of Bits flagged the exact function and thought “that could be us” – it probably will be, unless something changes.
If you’ve survived an exploit and learned things you’ve never written in a post-mortem because it would make you look worse, bring those stories.
If your biggest vulnerability is sitting in a Slack channel with “we’ll fix this after launch” pinned at the top, you’re exactly who needs to be there.
What actually changes
One conference won’t fix crypto security. We’re not naive enough to think otherwise.
But we’ve seen what happens when the right people have real conversations. When researchers explain what motivates their decisions. When auditors admit their limitations publicly. When teams share what actually worked during a crisis versus what sounded good in theory.
Every protocol will face a security incident eventually. The timing is uncertain, but the occurrence is near certain. The question becomes whether you learned from everyone else’s expensive mistakes first.
We’re building one point where the knowledge actually transfers before it costs someone another nine figures.