In April 2026, the DeFi sector faced its most severe trust crisis in recent years. According to organizations like CertiK, the security losses caused by hacking, exploits, and other incidents that month totaled approximately $634 million to $651 million, an explosive increase of over ten times compared to $59.5 million in March, setting the highest monthly loss record since March 2022. More alarmingly, there were a total of 31 independent attack events that month, almost one per day. Both the loss amount and the attack frequency broke DeFi's historical records.



At the heart of this storm were two major cases, KelpDAO and Drift Protocol, that together accounted for over 90% of the stolen assets that month. KelpDAO was exploited through a vulnerability in a single validator of its cross-chain bridge, allowing the attacker to bypass security measures and mint $292 million worth of rsETH tokens out of thin air, which were then used as collateral to borrow real Ethereum on platforms like Aave. This operation not only put nearly $200 million of potential bad debt on Aave but also triggered over $8 billion in withdrawals from the platform within 24 hours, causing TVL to plummet by about 32%. The subsequent Drift Protocol incident was equally shocking: after six months of infiltration for intelligence gathering, the attacker stole the admin keys and transferred approximately $285 million worth of assets. Both cases were linked to North Korea’s Lazarus Group, whose on-chain behavioral characteristics were highly consistent across this series of attacks.

This wave of security crises was no accident but a concentrated eruption of DeFi's long-standing “efficiency-first” development model. It fundamentally exposed systemic risks at three levels. First, the validation mechanism of cross-chain bridges has fatal flaws: a single-validator architecture ties hundreds of millions of dollars to the security of one private key. The 2022 Ronin bridge incident had already warned of similar risks, but the industry collectively ignored them. Second, social engineering and long-term infiltration attacks are becoming new major threats, with attack methods shifting from simple code vulnerabilities to comprehensive breaches of personnel permissions and process flaws. Third, the composability of DeFi amplifies gains but also links risks: an opening in one protocol can quickly cascade through collateral chains, causing multi-protocol shocks.

The market-level chain reactions were equally intense. The entire DeFi sector saw a short-term outflow of about $13 billion in TVL, with Aave deposits down 38% and AAVE tokens falling by 15% to 21%. Funds clearly shifted from high-risk protocols to more mature lending platforms or centralized custody solutions. The deeper impact lies in the erosion of institutional trust: JPMorgan explicitly stated that ongoing security flaws and stagnant TVL growth severely dampen DeFi’s appeal to institutions. Meanwhile, Standard Chartered Bank, while optimistic about the long-term prospects of the RWA market, also acknowledged that structural upgrades to cross-chain risk management are a prerequisite.
Ryakpanda
· 1h ago
Just charge forward 👊
HighAmbition
· 3h ago
2026 GOGOGO 👊
FatYa888
· 3h ago
Steadfast HODL💎