four incidents · four different protocols · same structural gap
$2.375 billion in losses that substrate-tier enforcement would have prevented. Four incidents. 2022–2025. All with public postmortems. The pattern is structural, not configurational.
FEB 2025 · $1.46 BILLION · DELEGATECALL HIJACK
Safe wallet. 3-of-N multisig. Cold storage. All signatures valid. Standard institutional-grade custody.
The signers reviewed what looked like a routine transaction. The transaction invoked DELEGATECALL to an attacker-controlled contract that rewrote the Safe's implementation slot. After that, the Safe was the attacker's.
AtlasGuard rejects Enum.Operation.DelegateCall at the module boundary. The transaction cannot reach the implementation rewrite.
On-chain proof: DelegateCallBlocked() · selector 0xe125cec9
Sources: SlowMist postmortem · Chainalysis brief.
JUL 2023 · $130 MILLION · SINGLE-POINT ADMIN CONTROL
A working cross-chain bridge protocol with router contracts and admin keys.
Co-founder Zhaojun He held all admin keys. He was detained by Chinese authorities in May 2023. Two months later, $130M+ drained from routers in one sweep. No second key. No role separation. No period cap.
Substrate-tier role separation. Aggregate per-period cap on outflow. The custody of keys is decoupled from the custody of unbounded action.
On-chain proof: PeriodLimitExceeded + RoleConflict
Sources: Multichain team statements · Chainalysis · TechCrunch.
SEP 2022 · $160 MILLION · BRUTE-FORCED VANITY KEY
A hot-wallet admin address generated via Profanity, a vanity-address tool used for short, memorable addresses.
Profanity's key generation was brute-forceable. Attackers cracked the private key and drained the wallet. No target allowlist. No period cap. Key compromise was equivalent to total drain.
Target allowlist plus period cap. Even with the key compromised, the attacker cannot transfer to addresses outside the allowlist, and cannot drain more than the cap permits in a window.
On-chain proof: TargetNotAllowed(address) + PeriodLimitExceeded
Sources: Evgeny Gaevoy public statements · 1inch security writeup on Profanity.
MAR 2022 · $625 MILLION · MULTISIG THRESHOLD MET
A 9-of-9 validator multisig on the Ronin Bridge — effectively 5-of-9 for liveness.
Four validator keys compromised via Sky Mavis subsidiary infrastructure. The fifth obtained via spear-phishing the Axie DAO. Threshold met. One fraudulent withdrawal moved 173,600 ETH and 25.5M USDC.
A substrate-tier period cap rate-limits any single drain: moving the $625M would take many periods, not one. A target allowlist blocks unfamiliar destinations. Threshold compromise does not equal unbounded action.
On-chain proof: PeriodLimitExceeded(uint256, uint256) · selector 0x26636381
Sources: Sky Mavis blog · US Treasury Lazarus attribution.
Every loss had identity. Every loss had signatures. Every loss had multisig or delegated authority. None of them had substrate-tier enforcement.
The gap is structural, not configurational. You cannot fix it by adding more signers, more cold storage, or more careful operations. You fix it by making the bound part of the contract path itself — the action either satisfies the envelope or does not exist on-chain.
The pattern adds up. The receipts are public. The substrate is the layer the agent era needs.
Bounded authority is the only thing the postmortems agree on.
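One way the envelope described above could sit in the contract path itself, as an added Solidity sketch that is not AtlasGuard's code. The four error names are the ones quoted on this page; the contract name, role names, parameter meanings and storage layout are assumptions.

```solidity
pragma solidity ^0.8.20;
// Added illustration, not AtlasGuard's code. Error names come from the page;
// parameter meanings, role names and storage layout are assumptions.
contract BoundedEnvelope {
    enum Operation { Call, DelegateCall }
    error DelegateCallBlocked();
    error TargetNotAllowed(address target);
    error PeriodLimitExceeded(uint256 requested, uint256 remaining);
    error RoleConflict();
    address public immutable policyAdmin; // may edit the allowlist, cannot move funds
    address public immutable executor;    // may move funds, cannot edit the allowlist
    uint256 public immutable periodLength; // seconds per window
    uint256 public immutable periodCap;    // wei allowed out per window
    mapping(address => bool) public allowedTarget;
    uint256 public periodStart;
    uint256 public spentInPeriod;

    constructor(address admin_, address executor_, uint256 length_, uint256 cap_) {
        if (admin_ == executor_) revert RoleConflict(); // one key must not hold both roles
        require(length_ > 0, "period length is zero");  // a zero window would reset the cap every call
        policyAdmin = admin_;
        executor = executor_;
        periodLength = length_;
        periodCap = cap_;
        periodStart = block.timestamp;
    }

    function setTarget(address target, bool allowed) external {
        if (msg.sender != policyAdmin) revert RoleConflict(); // assumption: reused for wrong-role callers
        allowedTarget[target] = allowed;
    }

    function execute(address to, uint256 value, bytes calldata data, Operation op)
        external {
        if (msg.sender != executor) revert RoleConflict();
        if (op == Operation.DelegateCall) revert DelegateCallBlocked(); // no path to storage rewrite
        if (!allowedTarget[to]) revert TargetNotAllowed(to);
        if (block.timestamp >= periodStart + periodLength) {
            periodStart = block.timestamp; // start a new window
            spentInPeriod = 0;
        }
        uint256 remaining = periodCap - spentInPeriod;
        if (value > remaining) revert PeriodLimitExceeded(value, remaining);
        spentInPeriod += value; // account before the external call (reentrancy-safe ordering)
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }
    receive() external payable {}
}
```

This sketch caps native value only; token transfers encoded in `data` would need their amounts decoded and counted against the same cap.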