April DeFi thefts tally

- DeFi projects were hit by multiple exploits in April, draining large sums across protocols. (x.com)
- A security tally put April thefts above $600 million, naming KelpDAO $292M, Drift $285M, and Rhea $7.6M. (x.com)
- Commentators blamed governance failures and rushed decision‑making for leaving protocols exposed. (x.com)

Decentralized finance projects lost more than $584 million in three April attacks, with KelpDAO and Drift accounting for nearly all of it. (coindesk.com, finance.yahoo.com, beincrypto.com)

KelpDAO was hit on April 18 after an attacker minted 116,500 rsETH with no backing, a haul worth about $292 million at the time, according to CoinDesk and DefiPrime. The forged tokens were then used as collateral on Aave to borrow wrapped Ether, spreading losses beyond KelpDAO itself. (coindesk.com, defiprime.com, forbes.com)

Drift Protocol, a Solana-based trading venue, lost about $285 million on April 1 after attackers used a compromised admin key and manipulated pricing data to drain vaults, according to multiple reports. Rhea Finance, a decentralized finance hub on NEAR, said an April 16 exploit drained about $7.6 million after fake token pools misled its oracle, the price feed smart contracts use to decide what assets are worth. (finance.yahoo.com, nomoslabs.io, beincrypto.com)

Decentralized finance, or DeFi, is a set of crypto applications that replace brokers and exchanges with code. When that code controls bridges, lending markets, or price feeds, a single bug or stolen key can let an attacker move funds in minutes. (cointelegraph.com, defiprime.com, nomoslabs.io)

The April losses also reversed the calmer start to 2026. Cointelegraph reported that DeFi exploits totaled about $168.6 million across the first quarter, meaning this month’s three incidents alone far exceeded the January-through-March tally. (cointelegraph.com, coindesk.com)

Critics have tied the Drift and KelpDAO incidents to weak controls around privileged access and cross-chain infrastructure. The Hacker News reported Drift said the April 1 attack followed a six-month social-engineering campaign, while post-exploit analysis of KelpDAO focused on a bridge message that should not have been able to mint unbacked tokens. (thehackernews.com, defiprime.com)

The projects have said they are investigating and trying to contain the damage. KelpDAO said it was working with LayerZero, Unichain, auditors, and security firms on a root-cause analysis, while Rhea said it paused affected contracts as it coordinated recovery efforts. (cryptopotato.com, cryptoninjas.net)

For users, April’s tally showed how quickly losses can jump from one protocol to another. In KelpDAO’s case, the breach did not stop at the token itself; it also left Aave facing an estimated $177 million to $200 million in bad debt tied to the same exploit. (forbes.com, coindesk.com)
