DeFi United
DeFi will win
TLDR:
April 2026 saw ~40 hacks in DeFi with $600m+ stolen, the two biggest being Drift for $285m and KelpDAO for $292m.
Aave’s Stani Kulechov led a voluntary industry coalition called “DeFi United”, raising over $300 million to restore KelpDAO’s rsETH backing.
As of May 15th KelpDAO has fully restored operations without any loss to its users, and completely re-worked its bridging structure to strengthen the protocol.
DeFi has been written off many times before, yet each time it has grown stronger, all without the government intervention that TradFi relies on. As Aave say, “DeFi will win”.
April saw approximately 40 recorded DeFi hacks, the two biggest being Drift for $285m and KelpDAO for $298m, and last week brought yet another sizeable one, with Thorchain hacked for over $10m, as uncovered by ZachXBT.
Zeneca wrote a great deep dive on what happened last month and I'd encourage you to read it here. We agree on the facts but land somewhere different on the conclusion. His conclusion is ultimately that DeFi’s in a scary moment and it’s best to be out, while I think it’s in these moments where the biggest opportunity lies.
If this post resonates with you and you enjoy the content then please share it with a friend and get rewarded for doing so!
This blog goes out weekly to over 20,000 subscribers. Please message me if you’re interested in sponsorships or partnerships.
DeFi hacks in April
Over $600 million was stolen across more than 40 separate incidents in April, more than one exploit every single day. Two hacks did almost all the damage though: KelpDAO and Drift. Both were reportedly traced back to North Korean hackers, an antagonist state actor in DeFi who I will certainly write about in a future post.
The other ~38 incidents weren’t small either. They spanned every corner of the ecosystem: protocol exploits, oracle manipulations, and bridge attacks across Ethereum, Solana, and various L2s.
Two distinct attack types drove most of the damage this month. The first was a social engineering attack, where attackers targeted the people running the Drift protocol rather than the code itself.
The second was a bridge smart contract and infrastructure vulnerability, where the configuration (rather than the code) of KelpDAO’s LayerZero setup was exploited. It’s worth understanding how both actually happened.
KelpDAO and Drift
Drift was the largest perpetuals exchange on Solana, with around $550 million in total value locked. On 1st April attackers drained $285 million in just 12 minutes!
The setup for this hack took 6 months though. The attackers posed as a quantitative trading firm, built genuine relationships with Drift contributors, and even deposited over $1 million of their own funds to appear legitimate!
Once they had the team's trust, they used a Solana feature called "durable nonces" to get key members to unknowingly pre-sign transactions. Normally, Solana transactions expire within about 60 seconds if not submitted, which is a built-in safety mechanism.
Durable nonces remove that expiry entirely, meaning a signed transaction can sit dormant and be executed at any point in the future. The team members had no idea the transactions they'd signed could still be used months later. On April 1st, the attackers submitted those transactions, transferred admin control to themselves, and drained the money.
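The defensive takeaway from the Drift incident is that a durable-nonce transaction is recognisable from the unsigned message bytes before anyone signs it: its first instruction must be the System Program's AdvanceNonceAccount, and the "recent blockhash" slot then carries the stored nonce value rather than a real blockhash, which is why it never expires. The screen below is an added example (not Drift's code and not any wallet's code) that parses Solana's documented legacy message layout and flags that pattern so a wallet or signing policy can refuse or escalate. The keys, amounts and the two sample messages are constructed; the placeholder sysvar key is not the real sysvar address.

```python
"""Pre-signing screen for Solana legacy messages: flag durable-nonce transactions."""
import struct

SYSTEM_PROGRAM_ID = bytes(32)  # base58 "11111111111111111111111111111111" decodes to 32 zero bytes
ADVANCE_NONCE_ACCOUNT = 4      # SystemInstruction enum index, encoded as u32 little-endian
TRANSFER = 2                   # SystemInstruction::Transfer, used only to build the samples


def read_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode Solana's compact-u16 (little-endian base-128 varint, at most 3 bytes)."""
    value, shift = 0, 0
    for _ in range(3):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("malformed compact-u16")


def parse_legacy_message(msg: bytes) -> dict:
    """Parse header, account keys, recent blockhash and instructions from a legacy message."""
    if msg[0] & 0x80:  # v0 messages set the high bit of the first byte
        raise ValueError("versioned (v0) message: this screen handles legacy messages only")
    pos = 3  # header: num signers, read-only signed, read-only unsigned
    n_keys, pos = read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    recent_blockhash = msg[pos:pos + 32]  # holds the nonce value in a durable-nonce tx
    pos += 32
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program_idx = msg[pos]
        pos += 1
        n_acc, pos = read_compact_u16(msg, pos)
        acc_idx = list(msg[pos:pos + n_acc])
        pos += n_acc
        n_data, pos = read_compact_u16(msg, pos)
        data = msg[pos:pos + n_data]
        pos += n_data
        instructions.append({"program_id": keys[program_idx],
                             "accounts": [keys[i] for i in acc_idx], "data": data})
    if pos != len(msg):
        raise ValueError("trailing bytes after last instruction")
    return {"signers": msg[0], "keys": keys,
            "recent_blockhash": recent_blockhash, "instructions": instructions}


def uses_durable_nonce(msg: bytes) -> bool:
    """True when the first instruction is System::AdvanceNonceAccount (tx will never expire)."""
    ixs = parse_legacy_message(msg)["instructions"]
    if not ixs:
        return False
    first = ixs[0]
    return (first["program_id"] == SYSTEM_PROGRAM_ID and len(first["data"]) >= 4
            and struct.unpack("<I", first["data"][:4])[0] == ADVANCE_NONCE_ACCOUNT)


# --- constructed sample messages (encoder used only to build test input) ----------
def _compact_u16(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _build_message(keys, recent_blockhash, instructions, header=(1, 0, 2)) -> bytes:
    body = bytearray(header) + _compact_u16(len(keys)) + b"".join(keys) + recent_blockhash
    body += _compact_u16(len(instructions))
    for prog_idx, acc_idx, data in instructions:
        body += bytes([prog_idx]) + _compact_u16(len(acc_idx)) + bytes(acc_idx)
        body += _compact_u16(len(data)) + data
    return bytes(body)


# Constructed placeholder keys, ordered as Solana requires: writable signer,
# writable non-signers, then read-only non-signers (sysvar and program).
SIGNER, NONCE_ACCOUNT, RECIPIENT, RECENT_BLOCKHASHES_SYSVAR = (bytes([i]) * 32 for i in (1, 2, 3, 4))
KEYS = [SIGNER, NONCE_ACCOUNT, RECIPIENT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID]
TRANSFER_IX = (4, [0, 2], struct.pack("<IQ", TRANSFER, 1_000_000))           # 0.001 SOL to RECIPIENT
ADVANCE_NONCE_IX = (4, [1, 3, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))  # nonce acct, sysvar, authority

# Ordinary transfer: blockhash slot holds a (constructed) real blockhash, so the tx expires normally.
ORDINARY_MESSAGE = _build_message(KEYS, b"\xaa" * 32, [TRANSFER_IX])
# Durable-nonce transfer: AdvanceNonceAccount first, blockhash slot holds the stored nonce value.
DURABLE_NONCE_MESSAGE = _build_message(KEYS, b"\xbb" * 32, [ADVANCE_NONCE_IX, TRANSFER_IX])

if __name__ == "__main__":
    for name, msg in (("ordinary", ORDINARY_MESSAGE), ("durable-nonce", DURABLE_NONCE_MESSAGE)):
        verdict = "REVIEW: never expires" if uses_durable_nonce(msg) else "ok: expires with blockhash"
        print(f"{name:14s} {verdict}")
```

A signing policy built on this check would route any durable-nonce message to a second approver and record the nonce account involved, since the nonce can be advanced on-chain to invalidate a signature that should not have been given.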
Drift suspended services after the hack and has been working through a recovery plan for affected users. A separate Solana yield protocol called Carrot permanently shut down as collateral damage, citing the Drift fallout as the reason.
KelpDAO is a liquid restaking protocol on Ethereum, which essentially means they let you stake ETH and keep using it across other chains at the same time. They do this through issuing their own rsETH token, which represents your staked ETH, and is widely available on 20+ chains.
The attack here was a different kind of problem entirely. KelpDAO had configured their LayerZero bridge with a single verifier, known as a “DVN”, holding full authority over a $392 million escrow.
LayerZero’s own integration documentation explicitly recommends using at least two independent verifiers for this exact risk, but KelpDAO used the single default and never changed it.
The DVN's job is to read blockchain state via RPC nodes and confirm that tokens were burned on the source chain before the destination chain releases anything. The attackers compromised those RPC nodes directly, feeding the DVN false information.
Because there was only one DVN and it trusted what its data feeds told it, it fraudulently verified burns that never happened, triggering 116,500 rsETH to be minted with no real ETH backing it! The attackers then deposited it as collateral on Aave and borrowed real ETH against it, effectively stealing $292 million from Aave.
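The KelpDAO failure is a quorum problem: one verifier that trusts one data feed is a single point of failure, whereas several verifiers on independent feeds all have to be fooled at once. The model below is an added example, not LayerZero's or KelpDAO's code. It follows the shape of a DVN configuration (a set of required verifiers plus an optional set with a threshold) in simplified form, and shows a forged burn passing a single-verifier setup behind a compromised RPC feed while failing a multi-verifier one. Burn ids, feed names and amounts are constructed.

```python
"""Verifier-quorum model for a burn-and-mint bridge (simplified, not a real DVN implementation)."""
from dataclasses import dataclass, field


@dataclass
class RpcFeed:
    """Source-chain view seen by one verifier. A compromised feed also reports forged burns."""
    name: str
    finalised_burns: set
    compromised: bool = False
    forged_burns: set = field(default_factory=set)

    def burn_finalised(self, burn_id: str) -> bool:
        if burn_id in self.finalised_burns:
            return True
        return self.compromised and burn_id in self.forged_burns


@dataclass
class Verifier:
    """A DVN-style attestor. It trusts its feed and has no independent source of truth."""
    name: str
    feed: RpcFeed

    def attest(self, burn_id: str) -> bool:
        return self.feed.burn_finalised(burn_id)


@dataclass
class QuorumConfig:
    """Every `required` verifier must attest, plus `optional_threshold` of the `optional` ones."""
    required: list
    optional: list = field(default_factory=list)
    optional_threshold: int = 0

    def verified(self, burn_id: str) -> bool:
        if not all(v.attest(burn_id) for v in self.required):
            return False
        return sum(v.attest(burn_id) for v in self.optional) >= self.optional_threshold


def try_mint(config: QuorumConfig, burn_id: str, amount: int, ledger: dict) -> bool:
    """Mint `amount` on the destination chain only if the quorum confirms the source-chain burn."""
    if not config.verified(burn_id):
        return False
    ledger[burn_id] = ledger.get(burn_id, 0) + amount
    return True


def simulate() -> dict:
    finalised = {"burn-001"}  # the only burn that really happened (constructed)
    honest = RpcFeed("rpc-A", finalised)
    poisoned = RpcFeed("rpc-B", finalised, compromised=True, forged_burns={"burn-999"})

    # Single default verifier behind the compromised feed.
    single = QuorumConfig(required=[Verifier("dvn-1", poisoned)])
    # Two required verifiers on independent feeds plus one optional verifier.
    multi = QuorumConfig(required=[Verifier("dvn-1", poisoned), Verifier("dvn-2", honest)],
                         optional=[Verifier("dvn-3", RpcFeed("rpc-C", finalised))],
                         optional_threshold=1)
    single_ledger, multi_ledger = {}, {}
    return {
        "single_dvn_forged_mint": try_mint(single, "burn-999", 116_500, single_ledger),
        "multi_dvn_forged_mint": try_mint(multi, "burn-999", 116_500, multi_ledger),
        "single_dvn_real_mint": try_mint(single, "burn-001", 10, single_ledger),
        "multi_dvn_real_mint": try_mint(multi, "burn-001", 10, multi_ledger),
        "unbacked_minted_single": single_ledger.get("burn-999", 0),
        "unbacked_minted_multi": multi_ledger.get("burn-999", 0),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:26s} {value}")
```

The point of the multi-verifier configuration is that the compromised feed still lets legitimate burns through (liveness is unaffected), but a forged burn now needs every required verifier's feed to lie in the same way. Independence of the underlying RPC infrastructure matters as much as the verifier count: two verifiers reading the same compromised node are still one point of failure.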
The fallout was arguably worse than the hack itself as $8.4 billion left Aave in deposit outflows within 48 hours, and total DeFi TVL dropped by more than $13 billion from around $96bn to $83bn due to generalised fear in the market.
DeFi's track record
Although these hacks were particularly painful, DeFi has been written off multiple times before and has always come back stronger. The DAO hack back in 2016 is one of the most infamous examples.
Back then Ethereum was still just a young and fledgling project, and DeFi wasn’t even a thing, when around $60 million in ETH was stolen from the DAO, which was around 31% of all ETH in circulation at the time!
The community response was to do a hard fork of Ethereum itself, a deeply controversial decision that split the chain into Ethereum (ETH) and Ethereum Classic (ETC). Since then Ethereum went on to become the backbone of the entire DeFi industry, peaking at around $170bn in DeFi value onchain.
In 2022 alone, Ronin Network lost $625 million, Wormhole lost $320 million, and Nomad lost $190 million, all within months of each other. DeFi TVL dropped sharply and people also became very bearish at the time.
However, each of those episodes forced the ecosystem to get smarter. Auditing standards improved, bridge architectures were redesigned, and isolated market models (like the one Morpho popularised) were designed specifically to prevent contagion spreading between pools.
Subsequently DeFi TVL grew again and the protocols that came out the other side were more battle-hardened than the ones that went in!
DeFi United
After the KelpDAO exploit Aave’s founder Stani Kulechov didn’t wait around. Within days he pledged 5,000 ETH of his own money and began organising what became known as “DeFi United”, a voluntary industry coalition to restore the rsETH backing and make users whole.
Many big projects pledged ETH to recapitalise the bridge escrow that was drained, restoring the ETH backing rsETH tokens. No one was legally obligated to contribute, but the community came together to do this.
Aave contributed 25,000 ETH. Arbitrum alone voted to release roughly 30,766 ETH (around $71m) of the hacked funds that they’d managed to block to the recovery effort. Lido, EtherFi, Arbitrum DAO and Mantle DAO also all joined.
The coalition raised over $300 million in total, and as of May 15th KelpDAO announced a full recovery, with all rsETH deposit, withdrawal, and bridging operations reinstated.
More importantly, they rebuilt their entire bridge security architecture. Instead of one DVN they now have four independent attestors, they migrated away from LayerZero to Chainlink CCIP, and they increased block confirmations and deprecated risky bridge routes.
This is exactly what the post-hack ecosystem looks like when it responds correctly!
DeFi will win
“DeFi will win” is Aave’s motto, and the response to April’s hacks is them living it out. Within a few weeks they’d raised over $300m and made users whole. The most telling detail though isn’t the millions raised, it’s what happened after.
KelpDAO rebuilt their entire bridge security architecture, replacing their system with something substantially better, and Aave is openly discussing how to carry these lessons into their new Aave v4 system. The industry as a whole learned through the pain.
This is the pattern in DeFi that follows after every major incident.
The DAO hack led to better smart contract auditing standards across the board. The 2022 bridge exploits led to entirely new bridge architectures. Isolated market designs like Morpho’s exist because of the contagion failures that came before them. Each hack exposes a weakness and the ecosystem responds by hardening around it.
This is also what makes DeFi fundamentally different from TradFi. When a TradFi institution fails, the response is a government bailout, a regulatory framework, or both. When DeFi fails, the community voluntarily pools capital, builds better infrastructure, and ships the fix. No government institutions or bailouts needed.
The protocols that come out of this period will be trusted with more capital than ever before. That’s always been the pattern. And we’re excited to be building one of them with yieldseeker.xyz. In the future we’ll look back at these times and speak of how overcoming the pain led us to build a better and more secure DeFi ecosystem.
The opportunity in DeFi belongs to the people who stay. DeFi is united. DeFi will win.
Whenever you’re ready, these are the main ways I can help you:
Want high crypto returns? Earn up to 14% APY with your own Yieldseeker agent!
Love Web3 & AI? Follow @afoxinweb3 on X for insights!
Entrepreneur using AI? Join our AI community to accelerate your results!