DeFi Has Lost More Than $620 Million in April 2026. Here Is the Full Picture.

By Swati Pai

More than $620 million has left DeFi protocols in April 2026. Not to returns. Not to yield. To hacks. The number includes $285 million from Drift Protocol on April 1, $292 million from KelpDAO on April 19, $3.5 million from Volo on April 21, and a series of smaller exploits that together add up to the worst single month for DeFi security since the Ronin bridge hack in March 2022.

Key Highlights

  • DeFi protocols have lost more than $620 million to exploits in April 2026, making it the worst month for DeFi security since the Ronin bridge hack in March 2022 ($625 million).
  • The three largest attacks: Drift Protocol ($285 million, April 1, social engineering), KelpDAO ($292 million, April 19, bridge DVN manipulation), Volo Protocol ($3.5 million, April 21, admin key compromise).
  • Drift and KelpDAO are attributed to Lazarus Group. Volo appears unrelated: an admin key breach with no state-sponsored attribution.
  • DeFi TVL dropped from $99 billion to $85 billion in 48 hours after the KelpDAO exploit, the lowest level in a year.
  • Q1 2026 DeFi losses totaled $168.6 million across 34 incidents. April’s first three weeks alone have more than tripled that figure.
  • AI-powered vulnerability scanning is being flagged by Cyvers and Blockaid as a growing component of the attacker toolkit, automating the process of identifying exploitable configurations across publicly readable on-chain code.

A month that changed the risk calculus

DeFi’s Q1 2026 was bad by historical standards: $168.6 million in losses across 34 hacks. April has taken more than three times that in three weeks. The acceleration happened because of Lazarus Group, which accounted for $577 million of the April total across two separate operations using completely different methods. But the smaller protocols hit in the weeks since Drift and KelpDAO show the threat is not limited to state-sponsored actors.

CoW Swap, Zerion, Rhea Finance, and Silo Finance have all reported exploits in April in the $2 million to $15 million range. None made major headlines individually. Together they add up. The pattern across the smaller incidents is consistent: outdated dependencies, misconfigured oracle integrations, or admin privilege structures that were neither time-locked nor protected by a multisig. These are not sophisticated attacks. They are opportunistic ones hitting protocols that did not close known vulnerability types.

What the TVL drop actually means

DeFi TVL fell from $99 billion to $85 billion in 48 hours after KelpDAO. About $1.2 billion of that represents stolen funds. The remaining $12.8 billion represents withdrawals by users who could still exit and chose to. That behavioral response matters as much as the theft itself. When confidence in a protocol’s underlying assets breaks, rational users exit before the protocol freezes them out. The fastest users lose nothing. The slowest lose everything.

Aave’s TVL fell roughly $10 billion in the week after KelpDAO, not because Aave was hacked, but because rsETH’s uncertain backing made it unsafe to hold rsETH collateral positions. SparkLend and Fluid froze entirely. The contagion mechanism in DeFi is a rational race to exit before the freeze happens. Protocols responding by freezing earlier is the right operational call. It also breaks user trust in ways that take months to rebuild once stability returns.

AI-powered exploit tooling: what the forensics firms are seeing

Cyvers and Blockaid both flagged in April 2026 reports that automated vulnerability scanning tools are increasingly being used to identify exploit opportunities across DeFi code bases before teams can patch them. The tooling works by analyzing on-chain call patterns, identifying unusual function call sequences that might indicate a vulnerability, and flagging protocols running known dependency versions with unpatched issues.

This is not new in concept. Automated vulnerability scanning has existed in traditional software security for decades. What is new is the speed at which these tools now operate against on-chain code that is publicly readable and permanently deployed. A smart contract cannot be patched the way a web application can. Once deployed, the vulnerable code is live until the protocol’s governance approves a migration. ERC-8004’s on-chain traceability infrastructure could theoretically be used defensively to monitor unusual agent behavior before it becomes an exploit. That defensive application requires protocols to actually integrate the standard. Nobody has built that monitoring pipeline at scale yet.

The Ronin comparison

Ronin Network lost $625 million in March 2022. That hack triggered the first serious industry conversation about bridge security, multisig configuration, and concentration of risk in cross-chain infrastructure. Reports were written. Recommendations were published. Standards were updated.

KelpDAO lost $292 million in April 2026 through a bridge exploit because its team used a configuration that LayerZero’s documentation explicitly warned against. Four years after Ronin, the same category of failure, with documented prevention available, cost the industry hundreds of millions again.

That is not evidence the industry failed to learn. It is evidence that learning and implementing are different activities. The specific failure modes in KelpDAO and Volo were both described in existing security guidance before the attacks. Existing guidance is only useful if teams apply it before the exploit. The industry coalition pushing for CLARITY Act passage argues regulation would accelerate security standard adoption. It would also create enforcement mechanisms for noncompliance. Whether the industry prefers those enforcement mechanisms to the current self-regulation model is a question nobody is asking loudly yet.

What recovers from here and what does not

TVL bouncing back from $85 billion requires something other than time passing. Bitcoin ETF inflows at $996 million per week show institutional capital moving into regulated Bitcoin exposure while avoiding DeFi. That rotation is not permanent. It does not reverse until confidence in DeFi’s security posture improves through observable behavior, not statements. Confidence improves through six to twelve consecutive months of zero major exploits. April 2026 restarted that clock at zero.

The TCB View

$620 million lost in one month. Large enough to absorb as an abstract number. The actual situation is specific: Drift lost because a key holder clicked a malware link. KelpDAO lost because the team used a bridge configuration LayerZero said not to use. Volo lost because an admin key had no meaningful access controls protecting it. Three protocols. Three different failure modes. All three preventable with published standards that already existed. April 2026 is not a sign that DeFi is broken. It is a sign that the industry is still choosing operational convenience over security rigor at the exact points where that choice is most expensive.

Swati Pai is a senior analyst at The Central Bulletin covering institutional crypto adoption, tokenised real-world assets, Ethereum ecosystem developments, and AI applications in finance. She focuses on the convergence of traditional finance and blockchain infrastructure.