Key Disaster Board · live · updated every scan

Real keys. Real catastrophes.
Every one would have been contained.

Every key-isolation product on the market protects the key. None protect the agent. This is the running ledger of what that gap costs — and what KEYCAGE shuts down.

An agent should never see a human's key.

Source-linked. Updated every Global Scan.

$793M+ · multisig-class drains in April-May 2026 (KelpDAO $293M · Drift $285M · Superfortune $15M · StablR $13.5M)
1.2M · AI-service secrets leaked in 2025 (GitGuardian, +81% YoY)
45.6% · AI-agent teams sharing API keys (KuCoin / SailPoint, 2026)
3 vendors · 1 PR-title injection = key leak (Claude / Gemini / Copilot, 2026-05)

2026 multisig crisis · April-May

Multisig wasn't supposed to be the attack surface. Now it is.

For a decade, multisig was the "secure default" for institutional crypto. Four months into 2026, four incidents prove the assumption is broken — at $793M+ and counting. The pattern is identical every time: the signature is valid but the action under the signature is the wrong one. Either the signers approved a transaction whose recipient was swapped (Superfortune), or one of N signers added themselves as admin (StablR), or a governance multisig was drained by a single-compromise vector (Drift), or a bridge multisig handed unbacked tokens to an attacker (KelpDAO). MPC, TSS, HSM and threshold-sig all assume the wrong threat model — they protect the KEY, not the INTENT under the signature.

APR 02 · BRIDGE
KelpDAO · $293M

116,500 rsETH siphoned via LayerZero bridge attack on Ethereum. Bridge-key authority was abused at execution time — the same recipient-vs-intent gap.

APR 01 · GOVERNANCE
Drift Protocol · $285M

Solana's largest perp DEX drained via Security Council multisig. A signed governance action carried out an unintended payout. Wrong intent, valid signatures.

MAY 27 · RECIPIENT-SWAP
Superfortune $GUA · $15.18M

Legitimate multisig transaction had its recipient altered during execution. 14.98M GUA → attacker wallet. GUA price −76%. Signers signed the right action; chain executed the wrong one.

MAY 25 · ADMIN-SWAP
StablR · $13.5M unbacked mint

1-of-3 minting multisig. One compromised key added attacker as admin, removed legitimate operators, minted unbacked USDR + EURR. MPC wouldn't have helped — the attacker's signature was "valid".

⬡ THE ANSWER — KEYCAGE-MS

Your multisig signature shouldn't change meaning between approval and broadcast.

KEYCAGE-MS brings KEYCAGE's intent-binding primitives (ABSC · SBV · RWS) to the human multisig surface — Safe / Squads / Gnosis. Every approval is committed against a hash of {recipient + amount + calldata}. If the action drifts between approval and execution, the signature is invalid by construction. An independent veto pool (SBV) reviews every broadcast. And a reversal window (RWS) holds settlement long enough for any signer to reverse.
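
A minimal sketch of the commit-and-recheck idea described above, added here as an illustration; it is not KEYCAGE's code, whose mechanics the page does not publish. HMAC stands in for real signer signatures, and every name (`intent_digest`, `approve`, `may_broadcast`) and sample value is hypothetical.

```python
import hashlib
import hmac


def intent_digest(recipient: str, amount: int, calldata: bytes) -> bytes:
    """Commit to {recipient + amount + calldata}; length prefixes keep field boundaries unambiguous."""
    h = hashlib.sha256()
    for field in (recipient.lower().encode(), amount.to_bytes(32, "big"), calldata):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


def approve(signer_key: bytes, digest: bytes) -> bytes:
    """A signer's approval over the intent digest (HMAC as a stand-in for a signature)."""
    return hmac.new(signer_key, digest, hashlib.sha256).digest()


def valid_approvals(signer_keys: dict, approvals: dict, tx: dict) -> int:
    """Recompute the digest from the transaction about to be broadcast and
    count only the approvals that still verify against it."""
    digest = intent_digest(tx["recipient"], tx["amount"], tx["calldata"])
    count = 0
    for name, tag in approvals.items():
        key = signer_keys.get(name)  # approvals from unknown signers are ignored
        if key is not None and hmac.compare_digest(tag, approve(key, digest)):
            count += 1
    return count


def may_broadcast(signer_keys: dict, approvals: dict, tx: dict, threshold: int) -> bool:
    """Allow broadcast only if enough approvals match the action actually being executed."""
    return valid_approvals(signer_keys, approvals, tx) >= threshold


# Constructed sample data: a 2-of-3 approval, then the same tx with the recipient swapped.
SIGNER_KEYS = {"alice": b"k-alice-constructed", "bob": b"k-bob-constructed",
               "carol": b"k-carol-constructed"}
APPROVED_TX = {"recipient": "0x" + "aa" * 20, "amount": 1_000_000,
               "calldata": b"\xa9\x05\x9c\xbb"}
APPROVALS = {n: approve(SIGNER_KEYS[n], intent_digest(**APPROVED_TX))
             for n in ("alice", "bob")}
SWAPPED_TX = dict(APPROVED_TX, recipient="0x" + "bb" * 20)

if __name__ == "__main__":
    print(may_broadcast(SIGNER_KEYS, APPROVALS, APPROVED_TX, 2))
    print(may_broadcast(SIGNER_KEYS, APPROVALS, SWAPPED_TX, 2))
```

Because the approvals cover the digest rather than a transaction identifier, changing any committed field after approval leaves zero matching approvals, not merely fewer than the threshold.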

⬡ HONESTY · WHAT WE COVER

KEYCAGE-MS catches the actual attacks we've seen in 2026 — recipient-swap (Superfortune $15.18M), admin-swap (StablR $13.5M), governance drain (Drift $285M), bridge abuse (KelpDAO $293M). All four. 100% of the $793M+ multisig-and-bridge attack pool of April–May 2026.

v1 covers two surfaces simultaneously: the multisig approval layer (ABSC + AFK + EKE + SBV + RWS + KGR + DKH + ZKA — Superfortune / StablR / Drift class) and the cross-chain bridge layer (BIA + BWV + BCM — KelpDAO class). Drift between commit and execution is detected on either surface; rejection lands in the public KGR graveyard within seconds.

For customers wanting hard-no-bypass guarantees against insider abuse, our Solidity Module Guard + Bridge Guard ship in 2026-Q3 after audit. Off-chain mediator + bypass-detection protect today; audited on-chain guards add the no-bypass guarantee.

Lite · €199 / mo
Pro · €1,999 / mo
Sovereign · €90,000 / yr

The taxonomy

Four ways agent keys go wrong.

Every disaster on this board falls into one of these four classes. KEYCAGE closes all four — by construction.

LEAK · Agent emits its own key (logs, PR comments, prompts)
REUSE · Leaked key is used by an attacker from elsewhere
HIJACK · Key is used "correctly" but for the wrong intent
SWAP · Authority/recipient changed after the human signed

The board

What happened. Why nothing on the market stopped it. What KEYCAGE would have done.

Eight incidents, all source-linked. Hover-tagged with the KEYCAGE primitive that would have stopped it.

Claude Code / Gemini CLI / Copilot Agent · May 2026
CLASS · LEAK — 3 top AI agents, one exploit
A security researcher opened a GitHub PR with a malicious instruction in the PR title. Anthropic's Claude Code Security Review action posted its own API key as a PR comment. The same prompt injection worked on Google's Gemini CLI Action and GitHub's Copilot Agent. GitHub itself became the C2 channel.
Why nothing stopped it: KMS held the key safely. The agent leaked it itself. No KMS, MPC or HSM defends against the principal handing the key out.
KEYCAGE would have: The leaked string would be useless outside its issuance environment (EKE). The moment anyone tried to reuse it, the key would be marked dead and rejected across subscribing infrastructure (KGR) — and our forensic decoys (DKH) would pinpoint where the leak landed.
oddguan.com — Comment and Control →
StablR (Malta, MiCA issuer) · May 25 2026
CLASS · HIJACK · ~$2.8M drained · $13.5M unbacked minted
1-of-3 minting multisig on Ethereum. The attacker compromised one key, added themselves as administrator, removed the legitimate operators, then minted 8.35M USDR and 4.5M EURR from air. DEX-swapped for ~1,115 ETH (~$2.8M); EURR fell ~39%.
Why nothing stopped it: MPC/TSS would have helped against single-key theft. But the key was used by an authorised admin path doing an authorised operation. The intent was the problem.
KEYCAGE would have: The admin-swap simply wouldn't sign — no human had declared that intent (ABSC). An independent veto layer would have caught the swap-then-mint pattern (SBV). And the mint would have been held in the reversal window long enough to kill it (RWS).
Gizmodo / Blockaid attribution →
Grok agent on Base · May 2026
CLASS · HIJACK · ~$200K drained
A Grok-powered agent obeyed a hidden Morse-code instruction inside an X reply and sent ~$174-200K worth of tokens to an attacker address on Base. The agent had session-key authority. The action was in scope. The intent had been hijacked.
Why nothing stopped it: EIP-7702 session keys, scoped wallets, even authority caps — none of them check whether what's being signed is what the human meant.
KEYCAGE would have: The transfer to an unfamiliar address didn't match the human's declared intent (ABSC) — the signature simply doesn't happen. Even if it had, the reversal window (RWS) gives you time to undo it.
CCN — AI agent drained for $200K →
Superfortune ($GUA) · May 27 2026
CLASS · SWAP · ~$15.18M lost
During the execution of a legitimate multisig transaction to transfer unlocked tokens to the airdrop claim contract, the recipient address was altered. ~14.98M GUA was sent to the wrong address.
Why nothing stopped it: the signers approved a transaction whose intent was altered after they signed. Multisig didn't help — the wrong intent was the signed intent.
KEYCAGE would have: The altered recipient wouldn't match the original declared intent (ABSC) — the signature is invalid. An independent veto layer (SBV) would have stopped it during the broadcast window. The reversal window (RWS) is your safety net even when the first two don't catch it.
SlowMist Hacked database →
Moltbook (AI social network) · 2026
CLASS · LEAK · 1.5M API keys exposed
Wiz disclosed an exposed Moltbook database revealing 1.5M API keys for major LLM providers. LLMjacking — the resale of stolen LLM credentials for inference at the victim's expense — was minutes away.
Why nothing stopped it: KMS/HSM don't apply to keys sitting in a misconfigured DB. By the time a leak is discovered, billing has already started.
KEYCAGE would have: Stolen keys would be useless outside their issuance environment (EKE); the world would know within seconds (KGR); and our forensic decoys (DKH) would have surfaced the dump the moment it was indexed — before LLMjacking begins.
Wiz — exposed Moltbook database →
AWS-key 40-minute exposure · May 12 2026
CLASS · LEAK · 40-min window before scanners caught
An AI coding agent committed hardcoded AWS keys to a public GitHub repo. Automated scanners detected the breach 40 minutes later — long enough for resourceful attackers to weaponise the credentials.
Why nothing stopped it: AWS KMS still protects what's stored in it. It does not stop an agent from writing keys to source code.
KEYCAGE would have: The committed key would be useless to anyone running it from elsewhere (EKE) — and would be rejected across subscribing infrastructure within seconds of detection (KGR). 40 minutes becomes irrelevant.
Dev|Journal — I was that developer →
GitGuardian 2026 — secrets sprawl census · Apr 2026
CLASS · LEAK · 28.6M secrets / 1.2M AI / 24k in MCP configs
GitGuardian's State of Secrets Sprawl 2026: 28.6M new secrets in public GitHub commits in 2025 (+34% YoY); 1.2M AI-service secrets (+81% YoY); 24,000 secrets in MCP configuration files alone, with 2,100+ confirmed valid.
Why nothing stopped it: rotation hygiene fails because rotation breaks production. The longer keys stay valid, the more they spread. The market's answer — "detect and rotate" — runs the clock against the attacker.
KEYCAGE would have: Per-agent ephemeral keys mean a leaked secret is dead before it's useful. Keys bound to the agent's runtime identity (AFK) refuse to work for a copy elsewhere. And we turn quiet rotation into industry-wide rejection (KGR).
Help Net Security — GitGuardian 2026 census →
OpenClaw (open-source agent) · 2026
CLASS · REUSE · 135k+ GH stars · adopters wired to Slack
OpenClaw — open-source AI agent with 135,000+ GitHub stars — surfaced multiple critical vulnerabilities. Adopters wired it into corporate Slack/Workspace with elevated privilege: shadow-AI in the trust boundary.
Why nothing stopped it: the agent was authorised; its identity matched. The privilege it inherited from its host application was the problem.
KEYCAGE would have: Keys bound to the agent's runtime identity (AFK) invalidate themselves the moment the agent meaningfully shifts — fork, tampering, hijack. Signing is bound to the human's intent (ABSC), and an independent veto layer (SBV) catches anomalies the rest miss.
eSecurityPlanet — Weekly roundup May 2026 →
The fix

Eight capabilities. Sixteen days of disasters. One product.

Every disaster above happens because the market protects keys, not agents. KEYCAGE flips that. The outcomes are public; the mechanics stay ours. Talk to us if you want to see them work on your own agents.

Live since 2026-05-30. Updated every Global Scan (daily). New incident? adama@cryptoshieldai.ai — we'll cite you.