Three DeFi Hacks in 27 Days Expose Shared Vulnerability: Privileged Execution Paths Lack Verification

Key Takeaways

• Three distinct DeFi attacks across January–February 2026 (CrossCurve $3M, IoTeX $4.4–8.8M, AI agent plugins) target the same architectural failure: unverified privileged execution paths
• CrossCurve's ReceiverAxelar contract omitted caller verification, allowing spoofed cross-chain messages identical in class to the 2022 Nomad hack
• IoTeX's validator owner private key compromise demonstrates that operational security failures remain the dominant attack vector in DeFi
• AI agent plugin supply chains show 11.3% malicious contamination rate—1 in 9 plugins compromised, creating automated attack entry points
• EIP-7702 (designed to limit AI agent wallet access) has been weaponized by InfernoDrainer and PinkDrainer, with over 90% of on-chain delegations linked to malicious contracts

Three Attack Vectors Across Three Infrastructure Layers

When different attack methods converge on a single root cause, forensic analysis reveals systemic architecture failure rather than isolated negligence. February 2026's security crisis spans three distinct layers—smart contract, operational, and AI agent—yet all trace to the same principle: privileged execution paths are treated as trusted by default rather than verified continuously.

Layer 1: Smart Contract Design (CrossCurve, Jan 31)

The CrossCurve exploit drained $3M via spoofed cross-chain messages. The ReceiverAxelar contract processed messages from the Axelar gateway but omitted one critical check: verifying that the function caller was actually the Axelar gateway itself. Any external actor could invoke the expressExecute function with a fabricated message payload, which the contract then executed as a legitimate cross-chain transaction. The attacker used 10 wallets to drain $1.3M from Ethereum and $1.28M from Arbitrum.

This vulnerability class is technically identical to the August 2022 Nomad bridge hack ($190M)—missing message validation—across four years and multiple audit cycles.

Layer 2: Operational Security (IoTeX, Feb 21)

The IoTeX ioTube bridge compromise drained $4.3M directly and minted approximately $8.5M in unauthorized tokens. The attack vector was a compromised validator owner private key—the credential controlling the bridge's upgrade mechanism on Ethereum. Using that key, the attacker performed a malicious contract upgrade, granting control over both the TokenSafe reserve vault and the MintPool minting authority. IoTeX traced 66.6 BTC to identified addresses but recovery prospects are limited.

This failure class predates smart contracts entirely—key management. The attack mirrors the March 2022 Ronin bridge hack ($625M), four years earlier.

Layer 3: AI Agent Supply Chain (February 2026, documented ongoing)

AI agent ecosystems face a new attack surface: malicious plugin contamination. Research documented 11.3% malicious plugin contamination in AI agent marketplaces—meaning over 1 in 9 plugins contain malicious code designed to execute unauthorized transactions or exfiltrate private data. Separately, Google Threat Intelligence documented state-level actors (attributed Lazarus Group) deploying AI-generated adaptive malware targeting crypto/DeFi infrastructure.

The Cloud Security Alliance classified a new vulnerability class: Logic-layer Prompt Control Injection (LPCI), where attackers poison AI agent memory stores to create persistent malicious instructions that survive session resets. Unlike smart contract bugs or key compromise, LPCI attacks the agent's cognitive decision-making layer itself.

The Shared Architectural Failure: Unverified Trust Paths

These three attacks share one common failure mode across layers: privileged execution paths are attacked because their authority is assumed rather than continuously verified at invocation time.

• CrossCurve: expressExecute function trusted that only Axelar gateway would call it—no caller verification
• IoTeX: Upgrade mechanism trusted that only the legitimate validator owner would invoke it—no real-time key verification or multi-sig requirement
• AI Agents: Agent runtimes trust that plugins sourced from a marketplace have not been compromised—no runtime sandbox isolation or behavioral verification

In each case, the attack succeeded by presenting a credential (function call, private key, plugin) that the system accepted without sufficient verification. The response in all three layers must follow the same principle: shift from assumed trust to continuous verification.

The EIP-7702 Paradox: When Mitigation Becomes the Attack Surface

Ethereum's Pectra hardfork introduced EIP-7702 specifically to address the AI agent wallet problem: the mechanism allows externally owned accounts to temporarily delegate execution authority to smart contracts with restricted session permissions, theoretically limiting what an AI agent can do with a user's wallet. In principle, this is sound mitigation—session keys with bounded authority.

Yet Wintermute and GoPlus Security report that over 90% of observed on-chain EIP-7702 delegations are linked to malicious contracts. Phishing groups InfernoDrainer and PinkDrainer have weaponized the upgrade by deploying sites mimicking legitimate DeFi protocols and tricking users into signing EIP-7702 delegation transactions.

A documented victim lost $146,000 in a single EIP-7702 phishing transaction. The security improvement has become the attack surface: defenders designed a mitigation, attackers adopted it faster than legitimate users.

This exemplifies the security arms race asymmetry in DeFi: attackers can deploy a new phishing campaign in hours; legitimate protocols require audit cycles, UI updates, and user education to integrate new security mechanisms safely. The mitigation designed to constrain attacker capabilities has become an attacker tool.

THORChain as the Shared Laundering Infrastructure

A diagnostic thread connects the IoTeX bridge hack to the broader DeFi security crisis: the attacker routed stolen funds via Uniswap (ETH swap) then used THORChain to bridge to Bitcoin—a decentralized, KYC-free cross-chain swap protocol with $1B+ daily volume.

Once funds reach Bitcoin via THORChain, centralized exchange asset freezing becomes ineffective—no custodian holds the assets, no exchange KYC ties them to an identity. THORChain is now the default laundering exit for medium-scale bridge hacks ($1M–$10M), a pattern that regulators will eventually target.

The implication: solving DeFi bridge security alone is insufficient. As long as cross-chain swap protocols like THORChain offer KYC-free Bitcoin bridges, stolen funds can be converted and exfiltrated beyond law enforcement reach. Comprehensive bridge security requires simultaneous improvements in bridge architecture and regulatory coordination on cross-chain swap venues.

NEAR's IronClaw: The First Hardware-Secured Response

On February 25—one day after IoTeX's hack was receiving industry-wide coverage and exactly as Google's AI malware warning was being published—NEAR Protocol launched IronClaw, a hardware-secured AI agent runtime using Trusted Execution Environment (TEE) isolation, as part of the broader NEARCON platform announcement.

IronClaw's architecture directly addresses the supply-chain contamination threat: Trusted Execution Environment hardware isolation creates a secure enclave where agent execution cannot be tampered with by compromised plugins or malicious instructions. The timing—within 24 hours of the documented 11.3% plugin contamination rate—is either prescient or coincidental, but the architecture maps precisely to the AI agent security crisis.

Whether IronClaw scales to institutional adoption remains uncertain; that TEE-based runtime isolation is the correct defensive architecture for AI agent security is clear from the empirical contamination data.

What This Means for DeFi Participants

The February 2026 security crisis reveals that DeFi's infrastructure maturity remains fundamentally asymmetric: smart contract auditing has achieved institutional standards, but operational security (key management, private key protection) and supply-chain security (plugin/dependency verification) remain pre-institutional.

For Builders: The lesson is not "add more audits." CrossCurve was backed by Curve Finance founder Michael Egorov and had been through multiple security reviews. The lesson is "shift from assumed trust to continuous verification." Smart contracts must assume the caller is untrustworthy until cryptographically proven otherwise. Bridge upgrade mechanisms must require multi-sig authority with geographic key distribution. AI agent runtimes must isolate execution in hardware-enforced sandboxes.

For Institutional Participants: Bridge-based cross-chain strategies remain unacceptably risky. Every layer from ReceiverAxelar gaps to validator key compromise to LPCI attacks to THORChain laundering represents a systemic failure mode. Native asset transfer protocols (like Ethereum's cross-L2 asset bridges) are fundamentally more secure than third-party bridge mechanisms.

For Regulators: Cross-chain swap venues like THORChain have become essential laundering infrastructure for DeFi hacks. Comprehensive bridge regulation must include both bridge architecture standards and regulatory coordination on cross-chain swap venues—otherwise fixing bridges alone is insufficient.

The good news: architectural solutions exist. TEE-based runtime isolation for AI agents, multi-sig time-locked upgrade mechanisms for bridges, continuous verification for smart contract access control. The bad news: these solutions are not yet standard practice, and the attack surface is expanding faster than defenses mature.