- DeFiLlama tracked 28 crypto hacks in April 2026, with total losses reaching US$635.2 million by month-end.
- KelpDAO and Drift Trade accounted for US$578 million, or roughly 91% of April’s tracked losses.
- Chainalysis said the KelpDAO bridge exploit exposed off-chain verification risk rather than a conventional smart-contract failure.
April became the most hack-filled month in crypto by incident count, with DeFiLlama tracking 28 exploits and US$635.2 million (AU$882.0 million) in losses as two infrastructure failures dominated the damage.
DeFiLlama’s hack database showed KelpDAO as April’s largest incident at US$293 million (AU$407.3 million), followed by Drift Protocol at US$285 million (AU$396.2 million). Together, the two attacks accounted for US$578 million (AU$803.4 million), or roughly 91% of all April losses tracked by the database.
The rest of the month was smaller but broader. DeFiLlama listed Rhea Lend at US$18.4 million (AU$25.6 million), Grinex at US$15 million (AU$20.9 million), Wasabi Perps at US$5.5 million (AU$7.6 million) and more than 20 additional incidents across DeFi, wallets and infrastructure.
KelpDAO Bridge Failure
Chainalysis said attackers linked to North Korea’s Lazarus Group stole about US$292 million (AU$405.9 million), or 116,500 rsETH, from KelpDAO’s LayerZero bridge on April 18. The blockchain analysis firm said the incident was “not a smart contract vulnerability” but an attack on off-chain infrastructure.
According to Chainalysis, compromised RPC nodes and denial-of-service pressure against external nodes fed false data to a 1-of-1 verifier setup. The result was a transaction that appeared valid to the system even though the underlying state was falsified.
KelpDAO paused contracts after the exploit and blocked a second attempted theft of 40,000 rsETH, worth about US$95 million (AU$132.1 million), Chainalysis said. The Arbitrum Security Council also froze 30,766 ETH of downstream attacker funds, limiting part of the follow-on movement.
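The 1-of-1 verifier failure Chainalysis describes can be modelled in a few lines. The sketch below is an added example, not code from KelpDAO, LayerZero or Chainalysis: it contrasts a single-source check with a quorum check that fails closed when nodes are unreachable. All function names, the `threshold` parameter and the sample roots are hypothetical, and the sources are assumed to be operated independently.

```python
from collections import Counter
from typing import Callable, Dict, Tuple

# Hypothetical model: a source returns the state root an RPC node reports
# for a block, or raises if the node is unreachable.
Source = Callable[[int], str]

def verify_single(source: Source, block: int, claimed_root: str) -> bool:
    """1-of-1 check: whatever the single node says is taken as truth."""
    return source(block) == claimed_root

def verify_quorum(sources: Dict[str, Source], block: int,
                  claimed_root: str, threshold: int) -> Tuple[bool, str]:
    """Accept claimed_root only when `threshold` independent sources report it."""
    if threshold < 2 or threshold > len(sources):
        return False, "invalid quorum configuration"
    votes: Counter = Counter()
    for query in sources.values():
        try:
            votes[query(block)] += 1
        except Exception:
            continue  # unreachable node: no vote, never implicit agreement
    responded = sum(votes.values())
    if responded < threshold:
        return False, "too few sources reachable, failing closed"
    if len(votes) > 1:
        return False, "sources disagree, hold for review"
    if votes[claimed_root] >= threshold:
        return True, "quorum reached"
    return False, "claimed root not confirmed"

# Constructed sample data (not values from the incident).
REAL_ROOT, FALSE_ROOT = "0x" + "aa" * 32, "0x" + "bb" * 32

def honest(block: int) -> str:
    return REAL_ROOT

def compromised(block: int) -> str:
    return FALSE_ROOT

def unreachable(block: int) -> str:
    raise TimeoutError("node did not respond")

if __name__ == "__main__":
    print(verify_single(compromised, 100, FALSE_ROOT))
    print(verify_quorum({"a": compromised, "b": honest, "c": honest}, 100, FALSE_ROOT, 2))
    print(verify_quorum({"a": compromised, "b": unreachable, "c": unreachable}, 100, FALSE_ROOT, 2))
    print(verify_quorum({"a": honest, "b": honest, "c": unreachable}, 100, REAL_ROOT, 2))
```

The quorum check only helps if the sources do not share an operator, provider or upstream node; a threshold met by nodes under common control is still effectively 1-of-1.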
Aave Liquidity Shock
The KelpDAO bridge adapter released 116,500 rsETH in a single block, after which the attacker looped collateral across Aave, Compound and Euler for about US$236 million (AU$328.0 million) in WETH and wstETH within 46 minutes.
Aave V3 Ethereum Core available liquidity fell from US$9.77 billion (AU$13.58 billion) to US$5.75 billion (AU$7.99 billion) within 29 hours, according to Glassnode.
WETH available liquidity dropped from US$689 million (AU$957.7 million) at 5:00 p.m. UTC to US$1.5 million (AU$2.1 million) by 7:00 p.m. UTC on April 18 as utilisation reached 100%.
Glassnode said protocol contracts, oracles and liquidation engines worked as specified, but the episode still exposed how bridge verification failures can cascade into lending-market liquidity stress.