Every quarter we publish what the scanning corpus is actually showing us, rather than what the cycle's mood suggests. Sentiment is loud and unreliable; the contracts are quiet and precise. Q1 2026 produced roughly $890M in exploit losses, a 23% rise in governance-related failures, and a widening gap between security scores on layer-1 versus layer-2 chains. Read together, those three numbers describe an industry whose attack surface is moving faster than its defences.
For context, public datasets put total Web3 losses across the first half of 2025 near $3.1 billion, with the average smart-contract exploit costing on the order of $1.9 million. The Q1 figure is not an aberration; it is the run-rate of a category that has industrialised faster than its security has.
The losses are not random. They cluster exactly where human attention is thinnest and automated tooling is least mature — governance logic, signature handling, and the long tail of unaudited launches.
Where the money went
The single largest category by frequency remains signature and access-control failures: manipulation of the cryptographic or permission checks that are supposed to gate privileged actions. These are rarely failures of mathematics and almost always failures of implementation, validation treated as a checkbox rather than an adversarial surface. In practice that looks like a recovered signer compared to a stored address without rejecting the zero address that ecrecover returns for a malformed signature, a signed message that binds no nonce, chain id or contract and so replays anywhere, or a role check that exists on most entry points and is missing on one. The mental model “signatures are secure because cryptography” is true of the primitive and irrelevant to the code around it.
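As an added illustration (example code written for this note, not code from any audited protocol or from the scanning corpus), here is the pattern in Solidity: a vault whose payouts are gated by an operator signature, first with the checks that are most often skipped, then with them in place. Contract and function names are hypothetical, and the hardened version uses a simplified EIP-712 domain without a version field.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example: operator-signed payouts, checkbox version.
contract VulnerableVault {
    address public signer;  // off-chain operator; mutable, so it can end up as address(0)

    constructor(address _signer) { signer = _signer; }
    receive() external payable {}
    function setSigner(address s) external { require(msg.sender == signer, "not signer"); signer = s; }

    // Operator authorises paying `amount` to `to`. Three checkbox mistakes:
    // 1. The hash binds only (to, amount): the same signature replays on every
    //    call, on every chain, and on every deployment that shares `signer`.
    // 2. ecrecover returns address(0) for an invalid signature; if `signer` is
    //    ever address(0), any garbage (v, r, s) passes the equality check.
    // 3. Nothing marks the authorisation as spent, so the caller decides when
    //    to stop draining the vault.
    function payout(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 h = keccak256(abi.encodePacked(to, amount));
        require(ecrecover(h, v, r, s) == signer, "bad sig");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hypothetical example: the same gate treated as an adversarial surface.
contract HardenedVault {
    address public immutable signer;
    bytes32 public immutable DOMAIN_SEPARATOR;
    bytes32 private constant PAYOUT_TYPEHASH =
        keccak256("Payout(address to,uint256 amount,uint256 nonce,uint256 deadline)");
    // secp256k1 group order / 2: an s above this is the malleable twin of a valid signature.
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;
    mapping(uint256 => bool) public usedNonce;

    constructor(address _signer) {
        require(_signer != address(0), "zero signer");
        signer = _signer;
        // Binds every signature to this chain and this deployment.
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)"),
            keccak256("Vault"),
            block.chainid,
            address(this)
        ));
    }
    receive() external payable {}

    function payout(address to, uint256 amount, uint256 nonce, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "expired");
        require(!usedNonce[nonce], "replayed");
        require(uint256(s) <= HALF_N, "malleable s");
        require(v == 27 || v == 28, "bad v");
        bytes32 structHash = keccak256(abi.encode(PAYOUT_TYPEHASH, to, amount, nonce, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad sig");
        usedNonce[nonce] = true;  // effects before the external call
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The hardened version is not more cryptography; it is the same ecrecover call surrounded by the checks the primitive does not do for you: domain binding, a spent-nonce record, an expiry, a zero-address guard, and a low-s rule.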
Governance failures, up 23%
The quarter's standout trend is the rise in governance-related exploits. As more protocols hand control to tokens, timelocks, and on-chain voting, the governance layer becomes the contract, and an under-examined one. Flash-loan-funded vote captures, proposal payloads that do more than they describe, and quorum assumptions that hold in theory but not under a motivated adversary all featured. Hardening here is concrete: voting weight read from a snapshot taken before the vote opens rather than from live balances, the exact payload a proposal will execute committed at proposal time, and a timelock window in which holders can inspect it. Decentralising control without hardening it simply relocates the single point of failure from a key to a process.
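The three failure modes above, as an added Solidity example written for this note (not code from any protocol the corpus covers): a governor that weighs votes by live balance, beside one that snapshots weight and quorum at a past block, commits the proposal payload by hash, and executes it only after a delay. The IVotes interface follows the ERC20Votes / ERC-5805 checkpoint shape; contract names, constants and periods are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function balanceOf(address) external view returns (uint256); }
// ERC20Votes / ERC-5805 style checkpoints: balances and supply as of a past block.
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

// Vulnerable (hypothetical): weight is the live balance at vote time. A flash-loaned
// position votes and is repaid in the same transaction, so quorum costs one block of fees.
contract LiveBalanceGovernor {
    IERC20 public immutable token;
    mapping(uint256 => uint256) public forVotes;
    mapping(uint256 => mapping(address => bool)) public voted;
    constructor(IERC20 t) { token = t; }
    function vote(uint256 id) external {
        require(!voted[id][msg.sender], "voted");
        voted[id][msg.sender] = true;
        forVotes[id] += token.balanceOf(msg.sender);  // BUG: current balance, not a snapshot
    }
}

// Hardened (hypothetical): snapshot weight, snapshot quorum, committed payload, timelock.
contract SnapshotGovernor {
    IVotes public immutable token;
    uint256 public constant VOTING_DELAY = 1;      // blocks from proposal to snapshot
    uint256 public constant VOTING_PERIOD = 7200;  // blocks the vote stays open
    uint256 public constant TIMELOCK = 2 days;     // inspection window before execution
    uint256 public constant QUORUM_BPS = 400;      // 4% of supply at the snapshot block

    struct Proposal {
        uint256 snapshot;     // block whose balances count
        uint256 end;          // last block on which votes are accepted
        uint256 forVotes;
        bytes32 payloadHash;  // keccak256(target, calldata) committed at proposal time
        uint256 eta;          // earliest execution timestamp; 0 until queued
        bool executed;
    }
    mapping(uint256 => Proposal) public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;
    uint256 public nextId;

    constructor(IVotes t) { token = t; }

    function propose(address target, bytes calldata data) external returns (uint256 id) {
        id = nextId++;
        Proposal storage p = proposals[id];
        // Snapshot lies strictly after the proposing transaction, so no position
        // borrowed and repaid in this transaction can ever carry weight.
        p.snapshot = block.number + VOTING_DELAY;
        p.end = p.snapshot + VOTING_PERIOD;
        p.payloadHash = keccak256(abi.encode(target, data));
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number > p.snapshot && block.number <= p.end, "not open");
        require(!voted[id][msg.sender], "voted");
        voted[id][msg.sender] = true;
        p.forVotes += token.getPastVotes(msg.sender, p.snapshot);  // weight fixed in the past
    }

    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number > p.end, "voting open");
        require(p.eta == 0, "queued");
        // Quorum measured against the same block as the votes, so minting or
        // burning during the vote cannot move the bar.
        uint256 quorum = token.getPastTotalSupply(p.snapshot) * QUORUM_BPS / 10_000;
        require(p.forVotes >= quorum, "no quorum");
        p.eta = block.timestamp + TIMELOCK;
    }

    function execute(uint256 id, address target, bytes calldata data) external {
        Proposal storage p = proposals[id];
        require(p.eta != 0 && block.timestamp >= p.eta, "not ready");
        require(!p.executed, "executed");
        // Only the calldata voters could inspect since proposal time may run.
        require(keccak256(abi.encode(target, data)) == p.payloadHash, "payload mismatch");
        p.executed = true;
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

The payload hash is what closes the "does more than it describes" gap: a proposal's human-readable description can say anything, but the bytes that execute are fixed when the vote starts, and the timelock gives holders time to decode them and exit before they run.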
The L1 / L2 score gap
Across our reads, contracts on established layer-1 chains scored measurably higher on the Security pillar than their layer-2 counterparts. The likeliest explanation is not the chains themselves but their populations: cheaper deployment and faster launches on L2s lower the cost of shipping unaudited code, so the median L2 contract is younger, less reviewed, and more concentrated in ownership. Cheap to deploy is, in security terms, cheap to get wrong.
The long tail keeps getting longer
The structural story underneath the loss figures is volume. Launchpads continue to mint tokens at a scale no human audit industry could ever cover — millions of contracts, the overwhelming majority of which fail within their first day. Most are not exploits in the criminal sense; they are simply abandoned or mediocre. But that firehose is exactly why the incumbent model — a multi-week, five-figure manual engagement — leaves the long tail entirely unprotected. The gap between what gets audited and what gets deployed is the industry's real exposure.
The AI inflection
This is also the quarter the tooling shifted. AI agents demonstrably found real, paid-out vulnerabilities, and public benchmarks now put automated agents in the 70%-plus range at detecting known vulnerability classes. But the same research is candid about the ceiling: agents reliably catch well-known patterns and respond to human context, and just as reliably fail at end-to-end novel exploitation. The honest reading is not “AI replaces auditors” but “AI finally makes the long tail addressable, with human judgment reserved for where it actually moves the needle.” That is the posture we build on.
What it means for the rest of 2026
Three expectations follow. Governance surfaces will keep drawing attackers until protocols treat voting logic as adversarially as they treat token transfers. The L2 score gap will persist until launch friction rises or screening becomes default. And the long tail will only be covered by tooling that is fast and cheap enough to meet it where it deploys — in seconds, at the point of trade, on every chain. The losses are a forecast as much as a tally. They tell you where the next quarter's headlines will come from.