Admin key compromised, UUPS upgrades pushed to over a dozen vaults across four chains - Wasabi Protocol lost $5.9 million before most users saw a single alert. No multisig. No timelock. April 2026 was DeFi's worst month on record. Are we April Fools?
The AI protocol wired to your org has been exploited a dozen times since 2025. The creator called the flaw expected behavior. One hacker used Claude to breach nine Mexican agencies. Crypto firms on this stack could be exposing on-chain operations and internal comms.
$3.5 million drained from Volo on Sui after an admin private key was compromised, likely via social engineering. Three vaults hit - WBTC, XAUm, USDC. Volo self-disclosed first, and recovered nearly all of it, with a net loss of just $60K.
DPRK breached LayerZero's infrastructure, forged a bridge message, and walked $290 million out of KelpDAO in one transaction. Aave is holding hundreds of millions in bad debt. The dominoes are still falling. DeFi United is scrambling to catch them.
NEAR Protocol's Rhea Finance lost $18.4 million after an attacker exploited a margin parser that counted fake swap route minimums as real collateral. $9 million frozen or recovered. $4 million in ZEC routed into Zcash's shielded pool, cryptographically unrecoverable.
On April 13, 2026, a missing bounds check in Hyperbridge's MMR proof verifier allowed forged proofs to pass. 1 billion DOT minted. Two attacks, combined with opportunistic withdrawals from drained pools, leading to $2.5 million in losses according to Hyperbridge.
KYC giant Sumsub verifies millions of users for over 4,000 clients, but who verified Sumsub? Opaque ownership, unnamed investors, 18 months of undetected breach. The questions nobody thought to ask are still unanswered.
DPRK hackers spent 6 months sending proxies to befriend Drift Protocol. Conferences, trust, $1 million deposited. $285 million later, those friends vanished. No code broken. No bug found. Just a six-month con, a fake token, and a culture that never saw it coming.
On March 22, Resolv Labs lost $25 million when a compromised private key handed an attacker unlimited USR minting power. No oracle check. No mint cap. 80 million tokens printed. Hardcoded oracles and automated liquidity kept feeding broken markets long after the damage was done.
An attacker spent 9 months building a position, bypassed Venus Protocol's supply cap via a known donation exploit, and extracted $3.7 million, leaving $2.15 million in bad debt on a protocol that has now been rekt four times in five years.
Price impact kills. $50 million in, 327 AAVE out. Aave's interface routed through CoWSwap, a solver picked a $73K pool for a $50 million trade. Every warning fired. Every contract performed. The dark forest cleaned up the next block. Full fee refund planned.
A misconfigured oracle cap triggered $27.78 million in healthy wstETH liquidations on Aave on March 10. 34 accounts liquidated for a configuration error they had no part in. No attacker, no hack, no market crash. Full reimbursement planned.