
Top 5 DeFi hacks of 2026


$840 million disappeared in nearly five months across more than 50 distinct incidents. This is a 70 percent year-over-year increase over the same five-month period in 2025. Yet the raw numbers hide what actually happened. 72 percent of 2026’s losses were not simply the result of buggy code; they involved other factors such as stolen credentials, poisoned infrastructure, and North Korean intelligence that spent months building relationships before conducting an attack. April alone was responsible for $630 million of that.

1. KelpDAO: ~$292 million (April 19)

This exploit gives the clearest picture of how DeFi’s attack surface has shifted.

On 19 April, attackers took control of the LayerZero bridge’s internal RPC nodes, which supplied data to KelpDAO, and modified them to acknowledge a cross-chain message from the attacker. The faulty setup was a 1-of-1 DVN, which relies on a single verifier to check each cross-chain message. That was directly contrary to LayerZero’s own documented guidance to use multiple redundant verifiers.
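A toy model of the single-verifier weakness described above, added here as an illustration and not taken from LayerZero or KelpDAO code. The `Verifier` class, the `dvn-*` names and the sample messages are constructed, and each verifier is assumed to trust whatever its own RPC data source reports.

```python
"""Toy M-of-N verifier quorum for cross-chain messages (illustrative model only)."""
import hashlib
from dataclasses import dataclass

def msg_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass(frozen=True)
class Verifier:
    """Hypothetical verifier that trusts whatever its own RPC source reports."""
    name: str
    rpc_view: frozenset  # message hashes its RPC node claims exist on the source chain

    def attests(self, payload: bytes) -> bool:
        return msg_hash(payload) in self.rpc_view

def audit(verifiers, threshold):
    """Return configuration findings; an empty list means the quorum is redundant."""
    findings = []
    if len({v.name for v in verifiers}) != len(verifiers):
        findings.append("duplicate verifier listed")
    if not 1 <= threshold <= len(verifiers):
        findings.append("threshold outside 1..N")
    if threshold < 2:
        findings.append("threshold below 2: one poisoned data source is enough")
    return findings

def accept_message(payload, verifiers, threshold):
    """Deliver only if at least `threshold` distinct verifiers attest to the payload."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    names = {v.name for v in verifiers if v.attests(payload)}
    return len(names) >= threshold

# Constructed sample data: one real message and one that never existed on the source chain.
GENUINE = b"constructed: release 10 units to account A"
FORGED = b"constructed: release 100000 units to account B"
honest_view = frozenset({msg_hash(GENUINE)})
poisoned_view = honest_view | {msg_hash(FORGED)}  # RPC node under attacker control

dvn_a = Verifier("dvn-a", poisoned_view)  # reads from the poisoned node
dvn_b = Verifier("dvn-b", honest_view)    # independent data source
dvn_c = Verifier("dvn-c", honest_view)    # independent data source
ONE_OF_ONE = ([dvn_a], 1)
TWO_OF_THREE = ([dvn_a, dvn_b, dvn_c], 2)

if __name__ == "__main__":
    for label, (vs, t) in (("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)):
        print(label, "forged accepted:", accept_message(FORGED, vs, t), audit(vs, t))
```

The redundancy only helps when the verifiers read from independent data sources; three verifiers behind the same poisoned node would all attest to the forged message.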

The damage was 116,500 rsETH, nearly 18 percent of the total circulating supply, and these tokens were issued without collateral. Within hours of the exploit, Aave had to freeze rsETH markets on V3 and V4. Over just a few days, $13 billion left DeFi markets as lending protocols sought to reduce their exposure to bad debt tied up in rsETH collateral.

2. Drift Protocol: ~$285 million (April 1)

The Drift Protocol exploit was not due to any bug. It was the result of six months of preparation by North Korean state-linked attackers.

The attackers spent almost six months building a good relationship with the Drift team before obtaining advanced administrative access to the Solana-based DEX. From there the attack was more of a numbers game: whitelist a fake collateral asset, pump up the price of that asset, and simply borrow real funds against it. Assets such as SOL, ETH, and USDC were all taken out and bridged to other chains within hours of the window opening.

It does not matter how many times Drift itself reviewed and hardened the code; none of those reviews would have failed it. The code did exactly what it was built to do. The attackers walked in through the front door, having devoted the previous months to influencing someone in order to gain access to the important keys.

3. Humanity Protocol: $30–32 million (June 9)

A private key belonging to one member of the Humanity Protocol foundation was compromised. The attackers started by draining 17 wallets on Ethereum, then moved the attack to BNB Chain, and after that took control of the proxy admin. The group also minted 100 million more $H tokens (valued at ~$12.9 million at the time of mint). The $H token dropped more than 80 percent, with the price going from ~$0.67 to ~$0.13.

Source: X

Internal team attack or not? ZachXBT, an on-chain investigator, publicly raised the question of internal team involvement. The team subsequently refuted these allegations, but investigations were still ongoing.

4. Resolv: $27M+ (Q1 2026)

Q1 already looked bad before April made things worse. Resolv lost $27 million to oracle and logic manipulation, the kind of vulnerability an audit is supposed to catch. Step and Truebit fell in the same quarter, and the reason was no different: young code, high-speed protocols, and public exploits. Total funds wiped out were ~$137 million. April made this figure look minor.

5. Step Finance: $26M+ (Q1 2026)

Step Finance’s exploit wiped out more than $26 million and is placed in the same group of flaws as Resolv: logic and oracle manipulation. The exploit did not involve any smart contract manipulation; it was an access-control failure in which the attackers gained administrative access and unauthorized control over staking permissions. These events took place before anyone was thinking about what April would bring.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: real-time news updates, market movements, whale transfers, macroeconomic trends, tech and AI, and geopolitical breaking news. The news we report goes through a strict editorial audit before it's published to ensure readers only get verified and credible information. We realize the world of crypto is dynamic, volatile, and many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater to not just the experienced trader but also the student and first-time investor who wants to understand the space before committing to it.