2026 DeFi Hacks Redefine Security Challenges for Wall Street
Over the span of a few weeks in the spring of 2026, the decentralized finance sector was struck by a series of attacks of unprecedented scale. On April 1, Drift Protocol on Solana lost $285 million. On April 18, Kelp DAO suffered a $292 million exploit on its rsETH bridge built on LayerZero infrastructure. These two incidents, combined with a series of smaller hacks including an $8.8 million IoTeX bridge attack and an 80 percent crash of the USR stablecoin, brought total funds stolen since the start of the year to over $600 million, making April 2026 the worst month in the sector’s history in terms of security incidents. Behind these staggering figures lies a troubling realization for financial institutions that were beginning to adopt DeFi protocols: the threat no longer comes solely from flaws in smart contract code, but from a new paradigm of operational and human attacks.
Context
For years, the central argument in favor of decentralized finance rested on code transparency. Unlike traditional financial systems, DeFi protocols are publicly audited, their rules are inscribed in smart contracts accessible to everyone, and their operation can be verified in real time on the blockchain. This transparency was presented as a guarantee of superior security. Smart contract audits, conducted by specialized firms such as OpenZeppelin, Trail of Bits, or Sigma Prime, were the standard before any major launch. A protocol that had not been audited by at least two reputable firms was considered immature.
Yet the exploits of 2026 overturned this logic. Neither Drift Protocol nor Kelp DAO presented flaws in their source code. The smart contracts were theoretically inviolable. The attacks did not target the code, but the infrastructure, processes, and people surrounding these protocols. At Drift, the attackers exploited not a vulnerability in the DeFi code but a combination of social engineering of multisig signers and a Security Council whose timelock had been circumvented. At Kelp, the problem did not come from the smart contract but from the configuration of the decentralized verifier network validating cross-chain messages.
This evolution marks a turning point in the cyber threat facing the crypto ecosystem, and raises fundamental questions about the sector’s ability to protect itself against state-sponsored, patient, and sophisticated adversaries. North Korean state-sponsored hacker groups, in particular, demonstrated that they could spend six months building fictitious personas and establishing relationships with employees before striking. This operational patience is not matched by typical security audits, which focus on code and not on the humans who administer it.
The Facts
Drift Protocol, the largest perpetual futures derivatives protocol on Solana with a total value locked of $550 million before the attack, was drained of $285 million on April 1, 2026 in just twelve minutes according to on-chain analyses from DefiLlama. The stolen funds were largely converted to USDC via Jupiter, a DEX aggregator on Solana, then transferred to Ethereum. The forensic analysis conducted by cybersecurity firm TRM Labs enabled attribution of the attack with medium confidence to a North Korean state-sponsored hacker group, UNC4736, also known by the aliases AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces.
Chainalysis confirmed that the fund flows used to prepare and test the operation traced back to the Radiant attackers, another North Korean group. The operation was described by Drift itself as “a six-month attack” in a public report. In January 2026, CrowdStrike representatives had already decoded the activities of Golden Chollima, described as an offshoot of Labyrinth Chollima oriented toward cryptocurrency theft targeting small fintech firms in the United States, Canada, South Korea, India, and Western Europe.
The method employed was particularly refined. The attackers exploited a Solana feature called “durable nonces” to have members of the Drift Security Council unknowingly sign transactions. This council had a timelock designed to protect the protocol against hostile takeovers. But the attackers had spent months building a relationship of trust with the signers, so that they signed transactions they believed were legitimate without realizing they were granting admin control of the protocol. Once control was obtained, the attackers were able to drain the funds in record time, without the Security Council’s timelock being able to trigger its protection mechanism.
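A signer-side check for the durable-nonce pattern described above, as an added example that is not Drift's code or part of the original article: on Solana, a durable-nonce transaction starts with a System Program AdvanceNonceAccount instruction, and its signature does not expire with a recent blockhash. The decoded-transaction layout, the allowlist, and all keys and program names in the sample data are constructed assumptions.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # index in the System Program instruction enum (u32 LE)

def nonce_authority(instructions):
    """Return the nonce authority if the transaction uses a durable nonce, else None.

    A durable-nonce transaction must start with SystemProgram::AdvanceNonceAccount,
    whose accounts are [nonce account, recent-blockhashes sysvar, nonce authority].
    """
    if not instructions:
        return None
    first = instructions[0]
    data = first["data"]
    if first["program_id"] != SYSTEM_PROGRAM or len(data) < 4:
        return None
    if struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    return first["accounts"][2] if len(first["accounts"]) > 2 else "<missing>"

def review_before_signing(tx, allowed_programs, own_keys):
    """Findings a signer should resolve before approving tx (decoded dict, assumed layout)."""
    findings = []
    authority = nonce_authority(tx["instructions"])
    if authority is not None:
        findings.append("durable nonce: signature does not expire with a recent blockhash")
        if authority not in own_keys:
            findings.append(f"nonce authority {authority} is external: "
                            "signer cannot revoke by advancing the nonce")
    for i, ix in enumerate(tx["instructions"]):
        if ix["program_id"] not in allowed_programs:
            findings.append(f"instruction {i} calls unlisted program {ix['program_id']}")
    return findings

# Constructed sample data; every key and program name below is a placeholder.
ALLOWED = {SYSTEM_PROGRAM, "HYPOTHETICAL_TREASURY_PROGRAM"}
OWN_KEYS = {"COUNCIL_SIGNER_A", "COUNCIL_SIGNER_B"}
routine_tx = {"instructions": [
    {"program_id": "HYPOTHETICAL_TREASURY_PROGRAM", "accounts": ["COUNCIL_SIGNER_A"], "data": b"\x01"},
]}
suspicious_tx = {"instructions": [
    {"program_id": SYSTEM_PROGRAM, "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT),
     "accounts": ["NONCE_ACCOUNT_X", "SYSVAR_RECENT_BLOCKHASHES", "EXTERNAL_KEY_Z"]},
    {"program_id": "HYPOTHETICAL_ADMIN_PROGRAM", "accounts": ["COUNCIL_SIGNER_A"], "data": b"\x07"},
]}

if __name__ == "__main__":
    for name, tx in (("routine", routine_tx), ("suspicious", suspicious_tx)):
        print(name, review_before_signing(tx, ALLOWED, OWN_KEYS))
```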
Kelp DAO, for its part, lost approximately $292 million on April 18 through exploitation of its rsETH bridge built on LayerZero infrastructure. The attack mechanism was as follows: LayerZero’s bridge protocol relies on a decentralized network of verifiers called the Decentralized Verifier Network, abbreviated DVN. In Kelp DAO’s case, this configuration had been reduced to a single verifier, a practice known as a 1-of-1 configuration. An attacker forged an invalid cross-chain message, causing rsETH to be released on the destination blockchain without any rsETH having been burned on the source blockchain.
LayerZero publicly acknowledged on May 9, 2026, in a statement remarkable for its frankness, that the company had “made a mistake” by allowing its own verifier to secure high-value transfers in this risky configuration. LayerZero’s technical director stated that the protocol had not been compromised and that the attack had targeted internal RPC infrastructure used by the decentralized verifier network. The company also insisted that developers remained responsible for their own security settings, a position that was challenged by Kelp DAO.
The consequences spread far beyond Kelp DAO. Aave, the largest DeFi lending protocol with billions of dollars in lending volume, froze rsETH, wrsETH, and WETH markets across all deployments. Aave’s stablecoin markets reached 100 percent utilization, meaning no withdrawals were possible. Aave’s estimated bad debt ranges from $123.7 million to $230.1 million depending on the loss socialization scenario applied. This spread of estimates illustrates the uncertainty surrounding the distribution of losses among the protocol’s different actors.
The tremor spread across the entire sector. Total value locked in DeFi has dropped by $15 billion since the exploit, according to DefiLlama data. Several protocols with no direct rsETH exposure experienced massive withdrawal pressures. A coordinated rescue movement, dubbed “DeFi United” and led by Aave service providers, was launched to restore rsETH collateral and prevent systemic collapse. Lido and EtherFi were among the first to offer their assistance.
Analysis
These two attacks illustrate a major evolution in the financial cyber threat landscape. The security flaw is no longer in the code but in the gaps between components: RPC infrastructure, verifier configurations, multi-signature governance processes, and above all the human dimension. Smart contract auditors certify that the code does what it was written to do, but they cannot certify that signers’ private keys will not be compromised by a six-month social engineering operation.
A report from the Bank Policy Institute, an American think tank specializing in banking issues, analyzed in detail the three risks inherent to DeFi lending highlighted by these attacks. First risk: dependence on oracle and bridge feeds for fund flow validation. Second risk: concentration of services on a small number of protocols, meaning that the failure of one can trigger domino effects. Third risk: the absence of traditional safety nets, such as deposit insurance, that exist in traditional finance.
This shift in the threat poses a particular problem for traditional financial institutions that were beginning to explore DeFi. These organizations have robust compliance departments and rigorous IT security procedures for their internal systems. But they lack experience with targeted operational attacks on decentralized infrastructures, where each component can present an attack surface not identified by typical audits. Financial institutions’ usual penetration tests do not cover the attack vectors described in the 2026 exploits.
Banking institutions preparing products based on regulated stablecoins, under the U.S. GENIUS Act, will need to integrate this reality into their risk analysis. The stablecoin market now reaches $323 billion, and major American banks, from JPMorgan to Bank of America to Goldman Sachs and Santander, are preparing their offerings. The security of underlying protocols is no longer a marginal technical question: it is a direct systemic risk for institutions contemplating depositing billions of dollars in them.
Market Reactions
The market response was immediate and contrasting. On one side, the tokens of affected protocols crashed. Drift Protocol’s native token suffered a massive drop after the hack announcement, and its partner tokens, SolanaFloor and Remora Markets, had to cease operations. On the other side, some actors used this crisis to strengthen their position. Lido and EtherFi were among the first to offer assistance within the DeFi United operation, demonstrating that the sector can mobilize collective resources in times of crisis.
Ethereum gas prices oscillated depending on position buybacks and massive transfers related to rescue operations. The price of ETH itself was not significantly affected in the days following the Kelp DAO attack, suggesting that the market made the distinction between a specific operational security problem and a collapse of the blockchain sector as a whole. This relative resilience of Ethereum’s price contrasts with the deeper crashes that a hack of this magnitude could have caused a few years earlier.
On the regulatory front, the American administration continued to advance the stablecoin framework. The GENIUS Act, signed in July 2025 by President Trump, reached new milestones in 2026 with proposals from the FDIC, the OCC, and FinCEN to regulate stablecoin issuers under Bank Secrecy Act standards. OCC comments on stablecoin payment rules closed on May 1, 2026, ending 18 months of regulatory uncertainty for issuers. Law firm Paul Hastings noted in an analysis that the U.S. Court of Appeals for the Third Circuit had affirmed a preliminary injunction in favor of Kalshi on prediction markets, which could have implications for crypto derivatives products.
Perspectives
In the short term, the sector must adapt to a new reality: social engineering attacks and operational infrastructure exploits will likely multiply. State-sponsored hacker groups, particularly those from North Korea, have demonstrated that they can mobilize considerable resources over periods of several months to achieve their objectives. DeFi protocols must now implement specific countermeasures: multi-factor verification for governance actions, real-time cross-chain flow monitoring, and team training on social engineering risks.
In the medium term, the question of responsibility in cross-chain bridge security remains unresolved. LayerZero and Kelp DAO blame each other for the failing configuration. Kelp DAO published a detailed memo stating that LayerZero personnel had approved the 1-of-1 configuration during eight integration meetings over two and a half years. LayerZero responded that Kelp had “deployed multiDVN then manually downgraded to 1-of-1.” This contractual and technical ambiguity could deter institutional players until it is resolved. Chainlink, LayerZero’s competitor in the oracle and bridge market, has already benefited from migrations by protocols seeking to avoid new LayerZero exposures.
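The Kelp DAO failure described earlier (rsETH released on the destination chain with no matching burn, behind a 1-of-1 verifier) and the cross-chain flow monitoring recommended here can be checked together. This is an added example, not LayerZero's or Kelp DAO's code; the config keys, event fields, verifier names and sample records are constructed assumptions.

```python
from collections import Counter

def check_verifier_config(cfg, min_required=2):
    """Flag bridge configs where one verifier alone can attest a message."""
    issues = []
    distinct = len(set(cfg["verifiers"]))
    required = cfg["required"]
    if required < min_required:
        issues.append(f"{required}-of-{distinct}: a single verifier can approve a release")
    if required > distinct:
        issues.append("threshold exceeds the number of distinct verifiers")
    return issues

def reconcile(burns, releases):
    """Return destination releases that no source-chain burn accounts for.

    Each burn backs exactly one release with the same message id and amount,
    so forged messages, replays and inflated amounts all surface as alerts.
    """
    backing = Counter((b["msg_id"], b["amount"]) for b in burns)
    alerts = []
    for r in releases:
        key = (r["msg_id"], r["amount"])
        if backing[key] > 0:
            backing[key] -= 1   # consume the burn so it cannot back a second release
        else:
            alerts.append(r)
    return alerts

def unbacked_amount(burns, releases):
    """Total released on the destination chain without backing (integer base units)."""
    return sum(r["amount"] for r in reconcile(burns, releases))

# Constructed sample data, not taken from any real chain.
WEAK_CFG = {"verifiers": ["dvn-a"], "required": 1}
STRONG_CFG = {"verifiers": ["dvn-a", "dvn-b", "dvn-c"], "required": 2}
BURNS = [{"msg_id": "m1", "amount": 10}, {"msg_id": "m2", "amount": 5}]
RELEASES = [
    {"msg_id": "m1", "amount": 10},   # backed by a burn
    {"msg_id": "m2", "amount": 7},    # amount larger than the burn
    {"msg_id": "m1", "amount": 10},   # replay of an already-consumed message
    {"msg_id": "m9", "amount": 100},  # no burn at all
]

if __name__ == "__main__":
    print(check_verifier_config(WEAK_CFG))
    print(reconcile(BURNS, RELEASES), unbacked_amount(BURNS, RELEASES))
```

Run against indexed events from both chains, any non-empty alert list is a reason to pause releases before downstream markets accept the asset as collateral.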
For investors and institutions, the lesson of 2026 is clear: DeFi offers attractive yields but presents operational risks not captured by traditional smart contract audits. The entity that appears most secure may be the one whose invisible attack surface is the largest. The path toward institutional adoption of decentralized finance necessarily passes through a complete overhaul of security standards, beyond simple code audits, and through the emergence of new responsibility standards for cross-chain infrastructures.
Sources
- Galaxy Research — KelpDAO/LayerZero Exploit Drains $290m, Freezes DeFi Markets
- TRM Labs — North Korean Hackers Attack Drift Protocol In $285 Million Heist
- Chainalysis — Inside the KelpDAO Bridge Exploit
- CoinDesk — LayerZero Says It Made a Mistake in $292 Million Kelp Exploit
- Unchained — Kelp DAO Claims LayerZero Approved the Setup for $292 Million Hack
- Forbes — Banks Suddenly Targeting $323 Billion Stablecoin Market

