Volo - Rekt



On April 21, 2026, $3.5 million left Volo without a single line of code misbehaving.

Because someone had the key and they used it. Everything downstream was just the protocol following orders.

WBTC, XAUm (tokenized gold), USDC - drained across three isolated vaults while the rest of the DeFi world was still processing the wreckage from KelpDAO's $290 million collapse three days earlier. Volo's breach barely broke through the noise.

What did break through was something rarer: Volo announced the hack themselves, before any security researcher caught it, before any alert bot flagged it, before the media picked up the scent.

They froze the vaults, called the Sui Foundation, and went public, all within hours of the attack.

By the time QuillAudits published its first analysis, Volo had already clawed back $2 million and blocked and intercepted 19.6 WBTC. Those funds are no longer under control of the hacker.

Three audits. A bug bounty program. A protocol that had run cleanly for over two and a half years. None of it mattered the moment one key moved from the right pocket to the wrong one.

Volo did everything right. The key still walked out the door. How do you build a security model around that?

Credit: Volo, TheBlock, QuillAudits, SlowMist, GoPlus Security, ExVul, Bitslab, Bitcoin News, ZachXBT, Navi Protocol, Matrixdock, SuiLend, Bankinfo Security, Yahoo Finance, Chainalysis

On April 21, 2026, no researcher had flagged anything. No alert service had published a warning. Volo posted the news themselves.

The statement was direct. Three vaults - WBTC, XAUm, USDC - had been drained.

Approximately $3.5 million gone. All remaining vaults were frozen. Sui Foundation notified. Investigation underway. Losses would be absorbed by the protocol, not passed to users.

The victim published the crime report before anyone else knew there was a crime.

Within thirty minutes of that post, a second update landed: $500,000 in stolen assets already frozen through ecosystem partner coordination.

The clock had barely started and Volo was already in recovery mode.

Attacker Address on Sui: 0xd763599972ea5a8cfe53d182371ee010dc52ace7e39ccff7d8803ba7100fa46a

Attack Transaction 1: 7pTrudZb57z2acJFvC2CnBCuaU6RA1UpU9auDZQEESit

Attack Transaction 2: AQw9wMFfxSpDoF6YAfDhPLvKbdGSkxbGkc1DnZb43RUS

The KelpDAO exploit and the cascading damage it caused had sucked all the oxygen out of the room.

Three days earlier, $290 million had vanished from a LayerZero-powered bridge, and every reporter, researcher, and onchain analyst still had that story open in another tab.

Volo's disclosure landed into that vacuum - factual, timestamped, and almost entirely overlooked for the first 36 hours.

QuillAudits published the first independent researcher-level breakdown on April 23, roughly a day and a half after Volo had already told the world what happened.

Not because the analysis was slow. Because the room was still on fire from KelpDAO.

By the time the security community caught up, Volo had already run through three public recovery updates, coordinated with the Sui Foundation around the clock, and intercepted an attempt to bridge 19.6 WBTC off-chain - funds worth approximately $2.1 million that are no longer under the attacker's control.

Compromised Admin Account on Sui: 0xe76970bbf9b038974f6086009799772db5190f249ce7d065a581b1ac0adaef75

A protocol getting ahead of its own hack story is rare enough to be notable. A protocol doing it during the noisiest exploit week of 2026 and still managing to recover more than half the stolen funds before the first media cycle had fully turned, that's something else entirely.

SlowMist logged the incident under a classification that requires no interpretation: Private Key Leakage.

Three firms - GoPlus Security, ExVul, and Bitslab - each published independent on-chain analyses within 48 hours, all arriving at the same conclusion.

The smart contracts were not touched. The audits were not the failure. The key was the failure, and whoever took it knew exactly which door it opened.

If Volo hadn't announced this themselves, how long would it have taken anyone else to notice?

Six Transactions, Eighty Minutes, One Bridge

The drain on Sui was already done. What happened next was the exit.

Within hours of the exploit, the attacker moved approximately $1.55 million in USDC off Sui and onto Ethereum, six transactions across an eighty-minute window, all routed through Circle's Cross-Chain Transfer Protocol. Clean, fast, and sitting on the public ledger for anyone paying attention.

Attacker EVM Address on Ethereum: 0x0FF50710e37C0Fb6AA9B4EeeCcAa1437562Af1ca

CCTP is Circle's own infrastructure, the same rails that became a flashpoint during the Drift hack three weeks earlier, when $230 million in stolen USDC crossed from Solana to Ethereum across more than 100 transactions during US business hours and Circle didn't freeze a dollar of it.

ZachXBT was blunt about it at the time. The criticism hadn't faded.

This time the outcome was different, not because Circle moved faster, but because Volo's ecosystem coordination got there first.

The attacker's EVM address was flagged across the majority of CEXes, swappers, and KYT compliance tools before the exit window had fully closed.

The address was visible. The funds were largely cornered. It wasn't a problem the attacker got to solve.

The bigger intercept happened on the WBTC side. [The attacker attempted to bridge all 19.6 WBTC. That attempt was blocked.](https://x.com/volo_sui/status/2046825746706890970) Those funds are no longer under the attacker's control, held instead by ecosystem partners while Volo works out the mechanics of returning them.

It is the single largest recovery action of the incident, and it happened before most of the industry had registered the attack at all.

The $1.55 million in USDC that crossed to Ethereum didn't stay there.

Recovery Update #4 from Volo confirmed that 90% of stolen funds - including what had bridged off Sui - came back in ETH, converted to stablecoins and bridged home.

The attacker's EVM wallet turned out to be a dead end, not an exit.

Working closely with ecosystem partners, Volo froze ~$500K of stolen assets within hours of the attack.

Between the WBTC intercept, the frozen assets, and funds ultimately recovered in ETH across two recovery updates, Volo clawed back nearly all of the $3.5 million taken - a number that would have been zero if the team had waited for someone else to sound the alarm.

The recovery didn't start when the attack happened. When did it actually start?

Controlled Burn

Before the investigation had concluded, the neighborhood was already locking its doors.

NAVI Protocol, one of the larger lending platforms on Sui, paused contracts and activated security procedures within hours of the announcement.

Not because it had been touched. Because in a DeFi ecosystem under this kind of pressure, standing still feels reckless.

NAVI confirmed it was unaffected and reopened deposits and withdrawals within six and a half hours. The pause cost nothing except time. Not pausing, given the week's headlines, could have cost more.

Matrixdock moved quickly to confirm that the physically held gold bars backing XAUm, audited by Bureau Veritas, remained fully intact and unaffected.

The on-chain exploit had touched the token. The vault it represented had not.

Then Matrixdock went further in a later post: after verifying the exploit, they successfully froze the remaining XAUm held in the attacker's address, a second action running in parallel to everything Volo was already doing.

SuiLend confirmed normal operations. No cross-protocol contagion materialized.

The same vault isolation that made three pools a concentrated target also kept the damage contained. No shared attack vector existed across the remaining vaults, by Volo's own account. The architecture held, even when the key management didn't.

Outside the Sui ecosystem, the incident barely registered.

The other exploits from April 2026 had already consumed the industry's attention span.

KelpDAO's $290 million.

Drift Protocol's $285 million.

Rhea Finance's $18.4 million margin trading manipulation.

Hyperbridge's $2.5 million forged proof exploit.

By the time Volo's numbers were confirmed, some estimates placed April's total DeFi losses above $600 million.

A $3.5 million exploit, even one with a cleaner response than anything else that month, was not going to lead the week.

Then came the outcome nobody expected.

Four days after the attack, Volo published Recovery Update #4. The perpetrator had been identified. The impact had been contained.

Three days later, Volo released Recovery Update #5, which pushed the recovery number further: the remaining ~64.9 ETH was recovered, bringing total net loss down to approximately $60K, with all vaults except XAUm ready to come back online.

Of the $3.5 million taken, approximately $3.44 million had been clawed back, through the WBTC intercept on the LayerZero bridge, 100.6 XAUm returned to custody via the Sui Foundation, and 90% of the stolen funds recovered in ETH, converted back to stablecoins and bridged back to Sui.

The remaining 115 XAUm the attacker had already sold will be reminted in full through Matrixdock's minting mechanisms.

Net Loss: Approximately $60k. Covered in full from Volo's Treasury. Zero passed to users.

The attacker moved fast. Volo moved faster.

When the final tab on a $3.5 million hack comes to $60k, who exactly lost here?

Some teams in Volo's position go quiet first and talk later.

Volo talked first, moved fast, and got most of the stolen funds back. That's not a low bar they cleared; in 2026, that's the bar most protocols never find.

A back-to-business plan is still incoming. The perpetrator has been identified but not named publicly. The vaults remain frozen pending its release.

There is real, unfinished business here, and Volo has earned enough credibility so far to be held to finishing it.

What won't change when that plan drops is the root cause.

Three audits didn't prevent this. A bug bounty didn't catch it. Neither was ever going to, because you apparently cannot audit a human.

Two and a half years of clean operation didn't predict it.

One key, in the wrong hands, was enough - and it will keep being enough, for every protocol still treating key management as an operational footnote rather than an existential variable.

According to Chainalysis, private key compromises accounted for the largest share of stolen crypto in 2024, and drove 88% of losses in Q1 2025 alone.

The pattern is not a secret. The industry reads these findings, nods, and moves on - until the next team is writing the same incident report with different wallet addresses.

Volo handled the exploit better than almost anyone has this year, so why does it feel like the lesson still won't stick for others?

