Volo Protocol Loses $3.5M in Vault Exploit Amid April 2026 Hacks

Sui-based yield vault protocol Volo lost roughly $3.5 million after an attacker drained three of its vaults holding WBTC, XAUm, and USDC. The incident, reported on April 22, adds Volo to a growing list of DeFi protocols breached during April's $606 million hack wave.

DeFi lost $606M in 18 days this April. Web Snack tracks every exploit so you don't have to - subscribe for free.

Context

April 2026 has become the worst month for DeFi security since the Bybit breach in February 2025. Data from DefiLlama shows 12 separate incidents totaling $606.2 million in the first 18 days alone - 3.7 times the combined losses of Q1 2026.

Two attacks accounted for 95% of that figure. Drift Protocol on Solana lost $285 million on April 1 after North Korean-linked actors spent six months posing as a quantitative trading firm. Kelp DAO's LayerZero-powered bridge was drained of $292 million on April 18, the largest single DeFi exploit of the year. Both have been attributed with medium-to-high confidence to North Korea's Lazarus Group.

Volo, a liquid staking and yield vault platform owned by NAVI Protocol, had operated without a major security incident since its acquisition in January 2024. The protocol had been audited by OtterSec, Movebit, and Hacken, and its vaults held a combined $3.3 million in TVL as of mid-April, according to its public dashboard.

Details

The exploit targeted three Volo vaults: the WBTC Vault, the XAUm Vault, and a stablecoin vault holding USDC. The WBTC vault was the largest, holding roughly $2 million in deposits before the drain. The XAUm vault, which offered exposure to tokenized gold, held approximately $62,600. The remaining losses came from the stablecoin vault.

The exact attack vector has not yet been publicly disclosed. Volo and its parent protocol NAVI have not released a detailed post-mortem at the time of writing. The investigation is ongoing.

"The episode also shows how interconnected DeFi protocols can transmit shocks beyond the initial point of failure, with withdrawal activity and market freezes extending to platforms without direct exposure to the exploit" - Peter Chung, Head of Research at Presto Research

Impact

Volo's $3.5 million loss is small compared to Kelp's $292 million or Drift's $285 million. But the timing makes it worse than the number suggests. DeFi TVL has already dropped by $13 billion to $85.6 billion since KelpDAO, its lowest level in a year. Aave alone saw $8.45 billion in deposits exit over 48 hours. Even protocols on separate blockchains with no direct exposure to KelpDAO, like Solana's Kamino, reported hundreds of millions in outflows.

For the Sui ecosystem specifically, the Volo breach reopens wounds from last year's $223 million Cetus Protocol exploit, which forced the Sui Foundation to step in with a loan to compensate users. Sui's DeFi infrastructure is smaller and more concentrated than Ethereum's, so each incident carries outsized weight.

"There's a tremendous risk-reward imbalance in DeFi. Users will no longer accept the slightly higher - and sometimes lower - than risk-free rate they get by depositing in lending pools" - David Shuttleworth, Anchorage Digital Protocol Team

Next Steps

Volo and NAVI Protocol are expected to publish a post-mortem detailing the attack method and any recovery efforts. Whether the protocol offers a compensation plan, as Aethir did after its $90,000 bridge exploit earlier this month, remains an open question.

The broader DeFi sector faces immediate pressure to tighten security. LayerZero has already announced it will no longer sign messages for any application using a single-verifier setup. Arbitrum's Security Council froze $71 million in ETH linked to the KelpDAO attacker on April 21. DeFi hack frequency is up 68% year-over-year, with 47 incidents in the first four and a half months of 2026 versus 28 in the same period last year.

April still has eight days left. With year-to-date losses already at $771.8 million across 47 incidents, 2026 is on pace to rival 2025's record-setting year for crypto theft.

April's DeFi hack wave isn't slowing down. Get Volo updates and exploit alerts straight to your inbox - subscribe to Web Snack.

P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.