April Hacks Top $600mn as Risks Shift Beyond Code

21 April 2026 - 08:32 CEST
Analysis of the current state of crypto hacking, year to date.

April 2026 has emerged as one of the most costly months for crypto security, with more than $600mn drained across major incidents including Drift Protocol (the leading decentralized perpetuals exchange on Solana), Kelp DAO (a liquid restaking protocol that issues rsETH), Rhea Finance and Hyperbridge.

Yet, the scale of losses tells only part of the story. The nature of the vulnerabilities has evolved, moving from isolated smart contract bugs toward systemic weaknesses in infrastructure, governance, bridges and collateral management.

A shifting attack surface

Year-to-date in 2026, eight major incidents have resulted in roughly $702mn in direct losses, with April accounting for the vast majority. Two outsized events – Drift Protocol and Kelp DAO – drove much of the damage.

Exploits this year broadly fall into three categories. Smart contract and design flaws persist but no longer dominate. Truebit lost $27mn to an integer overflow, while Venus suffered architectural weaknesses combined with economic manipulation that left just over $2mn in bad debt after liquidations.

Infrastructure and privileged access failures now claim a larger share. Step Finance’s roughly $40mn breach stemmed from compromised executive devices. Resolv’s incident involved a breakdown in offchain infrastructure and signing authority, allowing unauthorized minting of its USR stablecoin and subsequent value extraction. Drift Protocol, the largest single incident at $285mn, reflected failures in governance and operational controls more than pure code vulnerabilities, according to onchain analysts and security firm Chainalysis. Reports link the attack to a sophisticated, months-long operation involving social engineering.

Cross-chain and control-plane failures have grown in prominence amid fragmented liquidity. Hyperbridge lost roughly $2.5mn due to weaknesses in proof verification. Preliminary details on Kelp DAO point to bridge infrastructure and verifier assumptions, with the attacker forging cross-chain messages via LayerZero to drain 116,500 rsETH – about 18% of circulating supply – worth roughly $292mn, according to multiple onchain security reports.

In several cases, the underlying code functioned as intended. The surrounding operational stack failed instead. These shifts mark a broader evolution in how attackers target interconnected DeFi systems.

Contagion risk rises

As the source of exploits has broadened, so has their impact. Interconnected DeFi markets mean failures spread rapidly through shared collateral, lending platforms, and cross-chain liquidity.

The Resolv incident showed this dynamic clearly: after unauthorized minting, USR lost its peg, spiking utilization to 100% on lending markets such as Morpho and Euler and forcing emergency risk adjustments. The Venus exploit, despite a modest direct loss, triggered thousands of liquidations across thin markets and left lingering bad debt.

Kelp DAO provided the starkest example. After the rsETH drain, the attacker deposited the tokens as collateral on Aave rather than dumping them immediately. This move drained liquidity, pushed utilization in key markets to 100%, and contributed to roughly $6.2bn in reported withdrawals from Aave. Exploits have become liquidity shocks that ripple across the ecosystem.

Chart (source: TokenTerminal)

Collateral is the fault line

The common thread in the largest incidents is collateral. Modern DeFi relies heavily on rehypothecation – the repeated reuse of assets as collateral across protocols – to boost capital efficiency. This structure also creates fragility: when one asset falters, effects cascade.

In the Drift exploit, attackers introduced a fabricated collateral asset with an engineered price history, enabling large withdrawals against worthless backing. Rhea Finance saw attackers create fake liquidity pools on the NEAR network to manipulate routing and valuation, extracting about $18.4mn. Kelp DAO illustrated how inconsistencies in cross-chain asset accounting can inject unbacked collateral into lending markets, with impacts extending far beyond the original protocol.

For institutional participants, risk assessment must now extend beyond whether a single contract is secure. The key questions are where an asset is used and how deeply it is embedded across interconnected protocols.

April’s more than $600mn in losses mark a significant hit. Yet, the deeper shift is structural: risk has migrated from smart contracts into infrastructure, governance, bridges, and collateral flows. Rising composability means failures now propagate faster and farther. Protocols may mitigate such risks through strengthened multi-signature controls, enhanced cross-chain verification mechanisms, and tighter collateral rate limits.

Markets must therefore evaluate resilience within the broader system, not just in isolation. In 2026, the largest losses stem less from a single broken contract and more from systems too interconnected to fail quietly.