Two protocols, $578M lost in 21 days – both through off-chain trust failures no audit touched

Don't scroll Twitter for crypto news
One email. Five minutes. Everything that matters today
The $578M Bill: Why DeFi Keeps Repeating the Same Exploits
In 21 days during April 2026, two DeFi protocols lost $578M to exploits that had nothing to do with flawed smart contract code. Kelp DAO lost $292M on April 18-19 when an attacker forged cross-chain bridge messages. Drift Protocol lost $285M on April 1 when attackers used social engineering to hijack admin access. Both failures trace back to the same structural pattern behind DeFi repeated exploits: trust assumptions that live off-chain, outside the code any audit ever touches.
Track DeFi security events as they happen. Web Snack covers on-chain metrics, protocol risks, and market shifts daily – free, in under 5 minutes.
Why Audits Don't Catch the Vulnerabilities That Actually Drain Protocols
The Drift Protocol attack started months before anyone noticed. In Fall 2025, attackers began targeting members of Drift's Security Council – the small group of wallet holders with admin-level control over the protocol. By March 10, 2026, the attacker had withdrawn funds via Tornado Cash to fund operations. Two days later, on March 12, they created a fake token called CVT.
Between March 23 and 30, they used pre-signed "durable nonce" transactions – instructions that can be signed in advance and executed later, without the signer being present – to stage the attack. On March 26, the Security Council migrated to a new multisig wallet with zero timelock. Any transaction could execute instantly, with no delay for anyone to intervene.

None of this touched the core smart contracts. No audit would have flagged it. DeFi repeated exploits follow this pattern: a small group of people hold keys to a protocol worth hundreds of millions, and attackers spend months engineering access to those keys.
Kelp DAO's failure looked different on the surface. The protocol used LayerZero – a cross-chain messaging system – to bridge assets between blockchains. Kelp configured it with a 1-of-1 verifier setup, meaning a single verifier confirmed every transaction. Attackers took over that verifier's RPC node and hit it with a DDoS attack. The verification system collapsed, they forged cross-chain messages, and drained 116,500 rsETH – a receipt token issued when users stake ETH through Kelp – worth $292M.
How the Drift Protocol Exploit and Kelp DAO Hack Actually Played Out
At approximately 16:05 UTC on April 1, 2026, the Drift attacker activated the pre-staged durable nonce transactions. The fake CVT token got whitelisted as collateral. The attacker deposited 500 million CVT tokens, then borrowed and drained $71.4M in USDC and $159.3M in JLP – a Jupiter liquidity pool token – along with other assets.
Total loss: $285M. That was over 50% of Drift's $550M TVL (total value of assets locked in the protocol). The drain ran for approximately 2.5 hours. More than 20 other protocols were pulled in due to composability – the way DeFi protocols share liquidity, so a failure in one hits many.
The Kelp DAO hack moved faster. Once the attacker controlled the single bridge verifier, forged LayerZero messages passed as legitimate. The drain started. Within 46 minutes, Kelp DAO's emergency multisig – a wallet that requires multiple keyholders to sign before any action executes – paused the contracts. Without that pause, total losses would have reached $391M instead of $292M.
The market impact was immediate. TVL across DeFi dropped from $99.5B to $85.21B on April 18-19 – a $14B contraction in under two days. Aave saw utilization hit 100% as users rushed to withdraw, triggering $5.4B in outflows. AAVE's token dropped 10%.
What "Check Before Using a DeFi Protocol" Actually Means
Two exploits, two different attack vectors, one shared weakness: the security assumptions that sit outside the smart contracts. These bridge vulnerabilities and admin key risks are exactly what drove DeFi repeated exploits in the first half of 2026 – and what most due diligence checklists miss entirely.
Start with bridge configuration. Kelp ran a 1-of-1 verifier setup – one lock, one person controlling it. LayerZero warns against this. Before using any protocol that relies on cross-chain bridges, check how many independent validators verify messages. A single-validator setup carries structural risk no smart contract audit will catch.
Then check admin key structure. Drift's Security Council held upgrade and admin privileges with zero timelock – changes executed instantly. A timelock introduces a delay between when a change is proposed and when it takes effect, giving users a window to exit if something looks wrong. If a protocol's admin functions have no timelock, its security depends entirely on whether a handful of keyholders can resist a months-long social engineering campaign.
Finally, check whether emergency controls exist. Kelp's emergency multisig saved approximately $99M. Drift had no equivalent brake. That single difference – between a protocol that loses everything and one that contains the damage – came down to whether someone could pause the contracts in under an hour.
Kelp DAO | Drift Protocol | |
|---|---|---|
Bridge verifier setup | 1-of-1 (single) | No bridge – admin key attack |
Admin timelock | Not applicable | ✗ Zero timelock |
Emergency multisig | ✓ Paused in 46 min | ✗ None |
Total loss | $292M ($391M potential) | $285M (no containment) |
2026 DeFi Losses Investigation: What Comes Next
Three things remain unresolved as of late April 2026, and each will shape how the 2026 DeFi losses story develops through Q2.
Kelp DAO's root cause analysis with LayerZero, Unichain, and external auditors is ongoing after the April 18 pause. The outcome determines whether the bridge gets patched or rebuilt from scratch, and whether affected users see any reimbursement.
On Drift, Chainalysis has flagged potential links to North Korean state-linked hackers, but attribution is not officially confirmed. Chainalysis is tracking fund movements. Drift has acknowledged liability to the 20+ affected protocols, but reimbursement timelines remain unconfirmed.
The numbers behind 2026 DeFi losses explain why these resolutions matter. Q1 2026 saw $168.6M stolen from 34 protocols – mostly through private key and infrastructure attacks, not smart contract bugs. April alone hit $606M through April 19, the worst single month since 2025. Total 2026 losses reached $771M–$795M by mid-April.
Three things worth watching:
Kelp DAO's bridge verifier update – a move from 1-of-1 to multi-validator would be a direct fix to the exploit vector
Whether Drift implements governance timelocks – the zero-timelock condition on March 26 was the specific failure that let the attack execute without warning
April 2026 final hack totals from DefiLlama – the $606M figure covers through April 19. The final number sets the baseline for how protocols and regulators respond entering Q2 2026.
DeFi security events move fast. Web Snack tracks protocol risks, exploit patterns, and on-chain signals daily – free, in under 5 minutes.
This article is for informational purposes only and does not constitute investment advice. Always conduct your own research before making any financial decisions.
Like this story? There's more tomorrow
Join Web Snack – no fluff, just value
