DeFi Loses $577 Million in 18 Days as KelpDAO and Drift Exploits Expose a Security Crisis

By Mohana Priya

Decentralised finance has lost $577 million across two exploits in 18 days. The Drift Protocol was drained of $285 million on April 1, 2026 via social engineering of its Security Council. KelpDAO lost $292 million on April 18 via a LayerZero cross-chain bridge flaw. Together, these two incidents have already shattered the total DeFi exploit losses for all of Q1 2026, which stood at $169 million across 34 separate incidents according to DefiLlama. April alone has reset the standard for what a bad month in DeFi security looks like.

Key Highlights

  • Drift Protocol lost $285 million on April 1, 2026 in a social engineering attack on its Security Council
  • KelpDAO lost $292 million on April 18, 2026 via a LayerZero cross-chain bridge exploit
  • Combined losses: $577 million in 18 days, surpassing all Q1 2026 DeFi losses of $169 million by a factor of 3.4
  • Tether announced a $150 million recovery program for Drift on April 16, with up to $127.5 million from Tether directly
  • Aave is carrying an estimated $177 million to $196 million in bad debt from rsETH collateral following the KelpDAO hack
  • Both attacks exploited fundamentally different failure modes: human trust systems versus bridge architecture

Two Hacks, Two Different Failure Modes

What makes April 2026 particularly instructive for DeFi security researchers is that Drift and KelpDAO were not variations of the same attack. They were exploits of two fundamentally different failure categories.

The Drift Protocol hack on April 1 was not a code vulnerability. An attacker identified the individuals who controlled the keys in Drift’s Security Council, the multi-sig committee responsible for protocol upgrades and emergency actions, and used social engineering to compromise enough of them to execute a malicious transaction. USDC and SOL were drained in 12 minutes using Solana durable nonces that were signed by Security Council members who believed they were approving routine protocol maintenance. On-chain investigators later identified actors with ties to North Korea’s Lazarus Group as potential perpetrators, based on fund movement patterns. No amount of smart contract auditing protects a protocol if the humans holding the keys are compromised.

The KelpDAO hack on April 18 was the opposite category of failure: a code vulnerability in a cross-chain bridge message verification system. The KelpDAO attacker found a minting flaw in the LayerZero bridge that allowed rsETH to be created on receiving chains without a corresponding ETH deposit on the source chain. No human was deceived. A contract behaved incorrectly under conditions the audit did not anticipate.

The Tether Backstop: A New Template

One of the most consequential developments in the aftermath of these exploits is Tether’s decision to establish a $150 million recovery program for Drift Protocol victims, with up to $127.5 million coming from Tether directly. This represents a new model of backstop behaviour in DeFi that has no direct precedent. Tether is not a Drift investor. It is not a protocol governance participant. It is a stablecoin issuer acting as a voluntary lender of last resort to a DeFi protocol that it had no formal obligation to support.

The motivations are mixed. Circle, the issuer of USDC and Tether’s main competitor, lost significant standing after the Drift hack because USDC was the stablecoin drained in the attack, and its response was slower than Tether’s. Tether’s recovery commitment positioned it as the responsible actor in a crisis it did not cause. The optics benefit Tether’s competitive standing, particularly in institutional contexts where counterparty reliability matters. The GENIUS Act’s stablecoin framework is being drafted in the same environment where this precedent is being established, which will likely influence how the bill addresses stablecoin issuer obligations during systemic events.

Aave as Collateral Damage

KelpDAO’s exploit has produced a contagion effect that the Drift hack did not. Aave’s $177 million to $196 million in bad debt is a direct consequence of the decision to list rsETH as collateral on a lending protocol with cross-chain liquidity. Lending protocols accept collateral based on audited token contracts and liquidity assumptions. Neither of those safeguards protected Aave from a scenario where the collateral’s entire supply integrity was compromised at the bridge level. Aave V4 launched on Ethereum mainnet on March 30, and the protocol is now managing its largest-ever bad debt event while simultaneously onboarding users to a new architecture.

The specific risk class here is collateral oracle lag: the time between when a token’s underlying backing is compromised and when that compromise is reflected in the price oracle that lending protocols use to evaluate collateral. In both cases, the attacker was able to use compromised assets as collateral for loans before the oracle or the market repriced the token. This is a known risk vector, but the speed of cross-chain exploits makes it increasingly difficult to close the window between attack and liquidation. Bitcoin held above $77,000 through the KelpDAO shock, suggesting spot markets are treating DeFi security incidents as contained rather than systemic.
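An added example, not code from the article or from KelpDAO, LayerZero or Aave: an off-chain reconciliation monitor for the two failure modes described above. It matches destination-chain mints against source-chain deposits to flag unbacked or replayed mints, and feeds a simple collateral circuit-breaker that can act before a price oracle catches up. The event shape, message ids, and the freeze threshold are assumptions; the events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeEvent:
    chain: str    # "source" (ETH locked) or "dest" (bridged token minted)
    kind: str     # "deposit" on source, "mint" on dest
    msg_id: str   # assumed bridge message id that ties a mint to its deposit
    amount: int   # in wei


# Constructed sample events, not real on-chain data.
SAMPLE_EVENTS = [
    BridgeEvent("source", "deposit", "msg-1", 10 * 10**18),
    BridgeEvent("dest", "mint", "msg-1", 10 * 10**18),
    BridgeEvent("source", "deposit", "msg-2", 5 * 10**18),
    BridgeEvent("dest", "mint", "msg-2", 5 * 10**18),
    BridgeEvent("dest", "mint", "msg-3", 400 * 10**18),  # no source deposit at all
    BridgeEvent("dest", "mint", "msg-2", 5 * 10**18),    # same message minted twice
]


def reconcile(events):
    """Return (findings, unbacked_wei): every mint must map to one deposit of equal size."""
    deposits = {}
    mints = defaultdict(list)
    for e in events:
        if e.chain == "source" and e.kind == "deposit":
            deposits[e.msg_id] = e.amount
        elif e.chain == "dest" and e.kind == "mint":
            mints[e.msg_id].append(e.amount)
    findings = []
    for msg_id, amounts in mints.items():
        minted = sum(amounts)
        if msg_id not in deposits:
            findings.append(("UNBACKED_MINT", msg_id, minted))
        elif len(amounts) > 1:
            findings.append(("REPLAYED_MINT", msg_id, minted - deposits[msg_id]))
        elif minted > deposits[msg_id]:
            findings.append(("AMOUNT_MISMATCH", msg_id, minted - deposits[msg_id]))
    return findings, sum(f[2] for f in findings)


def collateral_action(unbacked_wei, total_supply_wei, threshold=0.001):
    """Lending-market decision: freeze new borrows once unbacked share exceeds threshold."""
    if total_supply_wei <= 0:
        return "ok"
    return "freeze" if unbacked_wei / total_supply_wei > threshold else "ok"
```

The freeze signal is independent of the price oracle, which is the point: it closes the window the paragraph above describes rather than waiting for the market to reprice the token.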

The Bridge Problem Has No Quick Fix

Both Drift and KelpDAO used cross-chain infrastructure: Drift’s Security Council held keys across multiple chains, and KelpDAO’s rsETH supply integrity depended on a LayerZero bridge. Cross-chain bridges remain the category with the worst security track record in all of DeFi, responsible for more than 60 percent of historical losses since 2022. The attacks on the Ronin bridge, Wormhole, and Nomad were each followed by years of improved auditing standards. Those improvements did not prevent the KelpDAO exploit.

The fundamental problem is that bridges create trusted intermediary layers in a system designed around trustlessness. Every bridge introduces a set of assumptions about message validity, key security, and oracle reliability. When those assumptions fail, the consequences propagate across every chain the bridge connects. Q1 2026’s $169 million in losses appeared manageable. April has made it look like a quiet preview of what a bad month actually looks like. The DeFi security question is not whether solutions exist. It is whether adoption of those solutions is keeping pace with the capital flowing into bridge-dependent infrastructure.

The TCB View

Two exploits, $577 million, 18 days. The numbers are hard to read without reaching for the obvious conclusion that DeFi has a security problem it cannot solve. But the more precise conclusion is narrower and more actionable: DeFi has two security problems it has not solved. The first is the bridge architecture problem. The second is the human trust layer problem. Both were already known. Both have been analysed extensively. Both just cost nearly $600 million in a single month. The question is not whether solutions exist. They do. The question is whether the pace at which DeFi protocols are deploying new bridge-dependent, cross-chain infrastructure is faster than the pace at which those security solutions are being implemented. In April 2026, it clearly still is.

Mohana Priya is a staff reporter at The Central Bulletin covering crypto regulation, DeFi policy, and Web3 legal developments. She tracks legislative developments across the US, EU, and Asia, specialising in breaking down complex regulatory frameworks for a general audience.