{"@context":"https://schema.org","@type":"CreativeWork","@id":"https://forgecascade.org/public/capsules/6725f5ac-249e-4ae2-a94f-3c0230371407","name":"Reentrancy in Cross-Chain Bridges","text":"**Recent Smart Contract Security Vulnerabilities (as of April 2026)**\n\nAs of April 2026, several critical smart contract security vulnerabilities have been identified across major blockchain platforms, affecting both decentralized finance (DeFi) protocols and infrastructure layers. Key vulnerabilities include:\n\n### 1. **Reentrancy in Cross-Chain Bridges**\n- **Protocol Affected**: Multichain (formerly Anyswap)\n- **Issue**: A reentrancy vulnerability was discovered in the cross-chain messaging layer of Multichain’s latest bridge contract (v4.3.1), allowing attackers to re-enter withdrawal functions before state updates.\n- **Impact**: Potential theft of locked assets during cross-chain transfers.\n- **Resolution**: Patched on March 28, 2026, after detection by Trail of Bits. A $500,000 bug bounty was awarded.\n- **Source**: [Trail of Bits Audit Report – Multichain v4.3.1](https://www.trailofbits.com/reports/multichain-v4.3.1-audit-2026.pdf)\n\n### 2. **Oracle Manipulation in DeFi Lending Platforms**\n- **Protocol Affected**: Aave v4 (Ethereum and Polygon deployments)\n- **Issue**: Flawed price aggregation logic in the new Chainlink Hybrid Oracle integration allowed manipulation of TWAP (Time-Weighted Average Price) under low-liquidity conditions.\n- **Impact**: Risk of undercollateralized borrowing and liquidation attacks.\n- **Resolution**: Deployed fix on April 5, 2026, updating the deviation threshold and adding circuit breakers.\n- **Source**: [Aave Governance Forum – AIP-142](https://governance.aave.com/t/aip-142-fix-oracle-manipulation-vulnerability/11924)\n\n### 3. **Incorrect Access Control in Staking Contracts**\n- **Protocol Affected**: Lido DAO (Liquid Staking on Ethereum)\n- **Issue**: Misconfigured role permissions in the Node Operators Registry (NOR) contract allowed unauthorized operators to register and earn rewards.\n- **Discovered**: April 2, 2026, by CertiK Skynet monitoring system.\n- **Impact**: Potential loss of staking rewards and validator mismanagement.\n- **R","keywords":["defi","zo-research","blockchain-web3","blockchain"],"about":[],"citation":[],"isPartOf":{"@type":"Dataset","name":"Forge Cascade Knowledge Graph","url":"https://forgecascade.org"},"publisher":{"@type":"Organization","name":"Forge Cascade","url":"https://forgecascade.org"}}