Biggest DeFi Hacks and Exploits of 2026: $1 Billion+ Lost and Counting

DeFi protocols have already seen catastrophic breaches this year, with over $137 million lost in exploits by March 2026. Among the largest incidents were the Step Finance breach, a classic oracle overflow attack on Truebit, and a stablecoin mint exploit at Resolv Labs.

These hacks, spanning flawed smart contract logic, cross-chain bridge vulnerabilities, and compromised keys, highlight persistent risks in decentralized finance. It’s a stark reminder that users and developers must remain vigilant even as the industry grows. 

The following table summarizes each major hack: its timing, how it happened, and what was lost:

Versus Bridge Exploit: $11.8M Lost 

The Verus-Ethereum Bridge was exploited on May 18, 2026 after attackers abused a validation flaw that allowed the bridge to release assets on Ethereum without properly confirming backing on the Verus side. The attacker drained 1,625 ETH, 103.6 tBTC, and 147,000 USDC before swapping the assets into roughly 5,402 ETH.

Unlike typical DeFi hacks, the exploit targeted bridge verification logic rather than smart contract reentrancy or stolen private keys. The stolen funds reportedly remained unmoved following the attack.

• Date: May 18, 2026
• Cause: Bridge validation flaw allowing unbacked withdrawals
• Assets lost: $11.58M
• Recovery: No recovery confirmed publicly

Volo Protocol Vault Exploit: $3.5M Drained

Volo Protocol disclosed a $3.5 million exploit on April 21 and 22 after attackers gained unauthorized access to three vaults containing WBTC, XAUm, and USDC.

Investigators believe the exploit involved a private key compromise or a flaw in ownership verification that allowed the attacker to impersonate the vault owner. The attacker drained assets from only three vaults while the rest of the platform remained secure.

Volo froze all vaults immediately and coordinated with the Sui Foundation to block additional fund movement. Around $500,000 was frozen through exchange and bridge partners.

• Date: April 21, 2026
• Cause: Private key compromise or ownership validation bypass
• Assets lost: $3.5M
• Recovery: Partial funds frozen

KelpDAO LayerZero Bridge Hack: $292M Stolen

KelpDAO suffered the largest DeFi exploit of 2026 on April 18 when attackers drained approximately 116,500 rsETH worth around $292 million from its LayerZero powered bridge.

The protocol relied on a single verifier setup that approved cross chain messages. Attackers compromised the RPC infrastructure feeding data into that verifier while simultaneously disrupting external RPC services. The bridge then approved forged withdrawal messages and released funds that were never legitimately deposited.

Investigators linked the attack to the Lazarus Group. The attackers later used the stolen rsETH as collateral across lending protocols, creating massive bad debt across the ecosystem.

KelpDAO paused contracts within 46 minutes, preventing additional losses. Arbitrum’s Security Council later froze around 30,000 ETH connected to the exploit.

• Date: April 18, 2026
• Cause: Compromised RPC infrastructure and insecure single verifier bridge setup
• Assets lost: $292M
• Recovery: Partial freezes, majority unrecovered

Rhea Finance Exploit – $7.6M Oracle Attack

In April 2026, Rhea Finance was exploited for approximately $7.6M through a coordinated oracle manipulation attack.

The attacker created fake tokens, added liquidity, and manipulated price feeds used by the protocol. This allowed them to borrow and drain assets based on inflated collateral values.

A portion of funds ($3.2M USDT) was frozen, limiting total losses.

• Date: April 16, 2026
• Cause: Oracle manipulation via fake liquidity pools
• Assets lost: $7.6M
• Recovery: Partial (stablecoins frozen); majority unrecovered

Drift Protocol Mega Hack – $280M+ Lost

On April 1, 2026, Drift Protocol suffered the largest DeFi exploit of the year, with roughly $280M+ drained from its vaults.

Unlike typical exploits, this attack combined multiple failure points:

• Social engineering of multisig participants
• Governance manipulation
• Oracle abuse using artificially priced assets

Attackers introduced a fake asset, manipulated its price, and used it as collateral to withdraw real funds. The stolen assets were quickly bridged across chains, making recovery extremely difficult.

• Date: April 1, 2026
• Cause: Social engineering + governance manipulation + oracle abuse
• Assets lost: $280M+
• Recovery: None confirmed

Step Finance Breach – $27.3M Lost

Step Finance (a leading Solana analytics platform) confirmed on Jan. 31, 2026 that it suffered a $27.3 million treasury theft. Attackers compromised an executive’s device (likely via phishing/social engineering) and used stolen private keys to drain the protocol’s wallets. 

Specifically, the hacker unstaked and transferred 261,854 SOL (worth roughly $27–30M) out of Step’s multisig. This was not a smart contract bug but a key compromise. The team later leveraged partnership tools (Token22/Remora) to claw back about $4.7M in assets. 

Nonetheless, the bulk of the SOL was sent to unknown addresses and sold off, triggering an abrupt shutdown of Step’s services.

• Date: Jan 31, 2026
• Cause: Compromised executive wallet (private key theft via phishing)
• Assets lost: 261,854 SOL ($27.3M) from treasury
• Recovery:  $4.7M clawed back (Remora/Token22); majority remains stolen

Truebit Exploit – $26.2M Ether Stolen

On January 8, 2026 the Truebit oracle protocol was hit by a $26.4 million attack. A flaw in Truebit’s legacy smart contract allowed an integer overflow in its token-purchase math. An attacker passed an enormous input into the pricing function, causing the computed mint price of TRU tokens to wrap to nearly zero.

The hacker then minted massive TRU and sold them for 8,535 ETH ($26.2M). This drained the contract’s Ether reserves and obliterated the token’s price. Truebit’s team and security partners quickly alerted authorities and engaged forensic efforts, but no significant funds have been recovered to date. The TRU token crash wiped out liquidity, underscoring dangers of outdated code.

• Date: Jan 8, 2026
• Cause: Integer overflow in Truebit’s Purchase contract (legacy code flaw)
• Assets lost: 8,535 ETH ($26M) from mint-and-burn exploit
• Recovery: None reported (protocol is working with law enforcement)

Resolv Labs Stablecoin Exploit – $25M Stolen

In the early hours of March 22, 2026, Resolv Labs was exploited via a flaw in its delta-neutral stablecoin system. The attacker deposited $200K in USDC and was able to mint 80 million USR tokens (worth $80M at peg) by abusing a gap in the minting logic. They then dumped those USR on DEXes, causing the price to crash and allowing them to siphon off roughly $25M in value.

On-chain analysis shows about 11,437 ETH ($23.8M) was extracted, and another $2M remains stuck in USR token dumps. Resolv’s team quickly paused the protocol and assured users collateral pools were solvent (since the breach only impacted token issuance).

They’re pursuing recovery via contractual controls (freezing stablecoins) and audits. This attack highlights risks of complex oracle/off-chain signer setups in stablecoins.

• Date: Mar 22, 2026
• Cause: Vulnerability in Resolv’s USR stablecoin minting (missing validation/oracle/signature)
• Assets lost: 80M USR minted; $25M cashed out (converted to ETH, per on-chain data)
• Recovery: Protocol paused; collateral intact; stablecoins can be blacklisted, but ETH loot largely untraceable

SwapNet Allowance Attack – $13.4M Drained

On Jan. 25, 2026 around 5:10pm UTC a hacker exploited SwapNet, a DEX aggregator integrated into the Matcha Meta platform. By abusing SwapNet’s code, the attacker gained an arbitrary-call ability to drain user-approved tokens from wallets. Essentially, unlimited token approvals given to SwapNet allowed the hacker to siphon off funds.

In total about $13.4M was stolen from Matcha Meta users who had used SwapNet (PeckShield noted it was “the largest approval attack ever seen” outside of phishing). The project warned users to revoke dangerous allowances immediately. SwapNet has not reported any fund recovery; the incident underscores the perils of broad token approvals.

• Date: Jan 25, 2026
• Cause: SwapNet smart-contract flaw let attacker invoke arbitrary calls and drain unlimited token approvals
• Assets lost: $13.4M from affected wallets on Matcha Meta (via stolen allowances)
• Recovery: None (attackers laundered funds); users were advised to revoke unused approvals immediately

YieldBlox Oracle Manipulation – $11M Loss

On Feb. 22, 2026 YieldBlox’s Stellar-based lending pool (using the Blend protocol) lost roughly $10.2M in an oracle attack. The USTRY/USDC market on the Stellar DEX had virtually no liquidity, so a malicious trader pumped USTRY’s price with a huge sell order, causing the VWAP oracle (Reflector) to report an inflated price. This mispriced collateral let the attacker borrow far more than they should, draining the entire pool and leaving $10.2M in bad debt.

Almost $7.2M of the stolen funds were later frozen by Stellar validators, and YieldBlox offered a 10% bounty (some victims will be made whole). The incident was not a coding bug but economic manipulation; security teams stress that single-source oracle feeds need safeguards like liquidity checks.

• Date: Feb 22, 2026
• Cause: Price-oracle attack on illiquid pool (large trade skewed VWAP price)
• Assets lost: $10.2M drained (attacker borrowed all pool reserves)
• Recovery: $7.2M frozen on Stellar; protocol offered compensation to victims (post-attack governance)

SagaEVM Smart-Contract Breach – $7M Lost

On Jan. 21, 2026 the Saga blockchain paused its EVM chain after discovering a $7M exploit. Attackers used newly deployed smart contracts and cross-chain transactions to manipulate Saga’s inter-blockchain bridge, withdrawing tokens (USDC, stablecoins and wrapped BTC) without proper backing. The stolen assets (nearly $7M worth) were bridged out to Ethereum and converted to ETH.

Saga’s mainnet and validators were not compromised, only the SagaEVM subchain. Saga confirmed there was no key leak or consensus failure; it is now working with exchanges and bridge partners to blacklist the attacker’s address and recover funds. The team is investigating the root cause (reports suggest abuse of Saga’s stablecoin contracts).

• Date: Jan 21, 2026
• Cause: Exploit of SagaEVM’s bridge contracts (suspected stablecoin minting vulnerability)
• Assets lost: $7M in bridged tokens (USDC, yUSD, tBTC, etc.)
• Recovery: SagaEVM paused; working with exchanges to freeze funds; full post-mortem pending

Makina Finance Flash Loan Hack – $5M Stolen

Makina Finance, a DeFi yield protocol, was hit Jan. 20, 2026 by a flash-loan exploit. Using a $280M USDC loan, the attacker manipulated the DUSD/USDC Curve pool’s oracle pricing (machineShareOracle), causing it to deviate from true value.

This let the hacker drain the entire Curve pool, extracting about $5.1M. CertiK reported $4.14M of the loot ended up at an MEV address (likely front-running the transaction).

Makina immediately put its system in safe mode and urged all users to withdraw funds from the affected DUSD pool. The team has since confirmed only that pool was impacted; other assets remained secure. As of now no funds have been recovered.

• Date: Jan 20, 2026
• Cause: Flash-loan and oracle-manipulation attack on DUSD/USDC pool (MachineShareOracle)
• Assets lost: $5.1M total (over 1,299 ETH worth) drained from the pool
• Recovery: None reported; protocol paused relevant pools and investigating (affected only DUSD LP positions)

IoTeX ioTube Bridge Exploit – $4.4M Loss

On Feb. 21, 2026 the IoTeX team disclosed a compromise of its cross-chain bridge (ioTube) that drained $4.4M. Attackers gained full control of a validator’s private key on the Ethereum side. They upgraded the bridge’s validator contract with a malicious version that bypassed signature checks.

With that power, the hacker took over minting and funds in the bridge’s TokenSafe contract. In one go they minted 410 million CIOTX (counterfeit tokens) and withdrew $4.4M in real tokens from the reserves. IoTeX offered a 10% “white hat” bounty ($440K) for the return of funds within 48 hours.

It also blacklisted suspect addresses and rolled out a chain upgrade (v2.3.4) to revoke the compromised keys. The remaining stolen assets (mostly laundered into ETH/BTC) remain largely unrecovered.

• Date: Feb 21, 2026
• Cause: Compromised validator key on ioTube bridge; malicious contract upgrade on Ethereum side
• Assets lost: $4.4M (token reserves) plus 410M CIOTX minted
• Recovery: 10% bounty offered; blockchain update to blacklist attacker; no funds yet retrieved (assets moved through THORChain)

Aperture Finance Exploit – $3.67M Stolen

Aperture Finance (a multi-chain liquidity protocol) announced on Feb. 5, 2026 that it had lost $3.67M in a January 25 exploit. The attack targeted specific versions of Aperture’s smart contracts (v3 and v4).

The exploiter found a weakness in how the contracts handled token approvals and function calls, allowing them to siphon off funds from the contracts. On-chain monitoring showed the hacker then funneled 1,242.7 ETH ($2.4M) into Tornado Cash to launder it.

Aperture quickly halted all affected services, released an incident report, and advised users to revoke risky allowances immediately. There has been no public recovery of the funds (the stolen ETH is hidden in mixers), but Aperture’s fix closed the exploited contract paths.

• Date: Jan 25, 2026
• Cause: Contract logic flaw in Aperture’s V3/V4 contracts (improper approval/function-call handling)
• Assets lost: $3.67M (hacker drained multiple Aperture contracts)
• Recovery: None (1,242 ETH sent to Tornado Cash)

Venus Protocol Supply-Cap Exploit – $3.7M Lost

Around March 15, 2026 the Venus Protocol (on BNB Chain) disclosed a $3.7M exploit. The attacker bypassed the platform’s “supply cap” on its THENA (THE) token. By rapidly acquiring a large volume of THE (suspected via flash loans or oracle tricks), they were able to ignore the normal cap and borrow multiple assets (stablecoins and BNB) against that collaterals.

This drain was made possible by manipulating price or flash borrowing. Venus responded by suspending THE market and borrowing functions. Other markets were unaffected. The attack reveals how failing to enforce minting caps can let a flash actor decimate a lending platform.

• Date: Mar 15, 2026 (reported)
• Cause: Supply-cap logic bypass on Venus (using THENA tokens in a flash/price attack)
• Assets lost: $3.7M (various borrowed assets extracted)
• Recovery: Protocol paused THE markets; no funds returned yet

CrossCurve Bridge Attack – $2.8M Drained

In early February 2026 CrossCurve (formerly EYWA) fell victim to a cross-chain bridge exploit. Security audits found weak access controls in its Axelar-based bridge contract. An attacker was able to craft fake Axelar messages that passed validation and tricked CrossCurve’s Receiver contract into releasing funds without a matching deposit.

The exploit spanned multiple chains; in total about $3M worth of tokens were drained. Once detected, CrossCurve immediately shut down its platform to stop further losses. The team worked with security partners to diagnose and patch the bridge.

• Date: Feb 1, 2026 (first signs), analysis reported Feb 9, 2026
• Cause: Missing access control in CrossCurve’s Axelar receiver (malicious cross-chain messages allowed fund release)
• Assets lost: $3M across chains (tokens unlocked by fake messages)
• Recovery: Platform halted; working on fix (no stolen assets recovered as of report)

Solv Protocol Vault Exploit – $2.7M Lost

In late January 2026 Solv Protocol (a Bitcoin yield platform) confirmed that a bug in one of its Bitcoin Reserve Offering (BRO) vaults had been exploited. Using a reentrancy double-mint technique, the attacker repeatedly minted Massively inflated BRO tokens. By executing the exploit 22 times, they converted 135 legitimate BRO into about 567 million counterfeit BRO, then redeemed those for roughly 38.05 SolvBTC (about $2.7M).

Solv pledged to fully cover the loss out of protocol reserves and offered a 10% bounty (around $270K) to the exploiter if they return the funds. The stolen SolvBTC has not been returned. Solv is auditing and upgrading its contracts to prevent such double-mint loopholes.

• Date: Jan 2026
• Cause: Reentrancy/double-mint vulnerability in a BRO vault contract (logic flaw in balance updates)
• Assets lost: $2.7M (38.05 SolvBTC stolen)
• Recovery: None yet; 10% bounty offered for return of funds

Foom Cash ZK-Proof Hack – $2.3M Stolen

On March 2, 2026 Foom Cash (a zk-SNARK-based DeFi protocol) was exploited for $2.3M. Attackers exploited a verifier misconfiguration in Foom Cash’s zero-knowledge proof logic, allowing unauthorized loan withdrawals.

The hack was quickly traced and a white-hat Ethereum address recovered about $1.8M (78%) of the funds by coordinating with exchanges and front-running the money flow. The remaining $500K is still unrecovered. Foom Cash’s developers patched the vulnerability post-attack. The incident is a case study in the emergent risks of faulty zk-snark implementations.

• Date: Mar 2, 2026
• Cause: Misconfigured zk-SNARK verifier allowed forged proofs in Foom Cash smart contract
• Assets lost: $2.3M in loans; $1.8M (78%) of that was later recovered by a white-hat hacker
• Recovery: $1.8M clawed back via ethical hacker/front-running;  $500K still missing; vulnerability patched

Moonwell Oracle Glitch – $1.8M Bad Debt

Moonwell (a DeFi lending protocol on Base/Optimism) suffered a configuration error on Feb. 15, 2026 that briefly mispriced wrapped staked Ether (cbETH). The protocol’s MIP-X43 update linked the cbETH/USD price only to cbETH/ETH, omitting the ETH/USD component.

This meant cbETH was priced $1.12 (instead of $2,200). Automated liquidation bots took advantage, liquidating cbETH collateral en masse and saddling Moonwell with $1.8M of bad debt.

Essentially, nearly $1.8M of user collateral was liquidated at a price thousands of times too low. Moonwell has since corrected the oracle feed. No funds were externally stolen, but the accounting shortfall remained a protocol loss until absorbed by liquidity reserves.

• Date: Feb 15, 2026
• Cause: Oracle misconfiguration (forgot to multiply cbETH/ETH rate by ETH/USD)
• Assets lost: $1.8M in bad debt (collateral liquidated at wrong price)
• Recovery: None (protocol debt taken by reserve liquidity; bug fixed immediately)

TMXTribe Logic Exploit – $1.4M Lost

TMXTribe (an Arbitrum-based exchange) saw $1.4M drained in early January 2026 via a logic flaw. The attacker exploited an unverified contract by looping a “mint-and-stake” action. They repeatedly minted TMX LP tokens with USDT, swapped USDT to USDG (the internal stablecoin), unstaked the LP tokens, and drained USDG, over and over for 36 hours. This simple loop had no checks or circuit breakers in code.

TMXTribe’s team watched while asking for help and deploying patches, but critically failed to pause the contracts in time. The stolen funds ($1.4M) were eventually bridged out to Ethereum and into Tornado Cash. TMXTribe has not made a full public post-mortem or compensation plan.

• Date: Jan 3–5, 2026 (exploit observed over 36 hours)
• Cause: Contract logic bug (unverified code allowed a mint/stake loop with no safeguards)
• Assets lost: $1.4M drained from liquidity (converted to ETH and laundered)
• Recovery: None (attacker’s transactions went through bridges/mixers); protocol never paused in time

Protecting Yourself: DeFi Security Tips

These hacks highlight common pitfalls. To safeguard your crypto:

• Limit token approvals: Use one-time or minimal approvals for DeFi apps. Avoid unlimited permissions (SwapNet exploit). Revoke unused approvals (via wallet settings or tools like Revoke.cash).
• Choose audited platforms: Prefer projects with recent third-party audits and active security teams. Unverified contracts (TMX, Aperture) are high risk.
• Watch contract versions: Make sure you’re using the latest version of a dApp and that bridging contracts are verified. Pause/unpause history can hint at an incident.
• Use bug bounties and insurance: Look for protocols with bounty programs. Insurance vaults or coverage can reimburse losses from certain exploits.
• Stay Informed: Follow project announcements on social media and security alert channels. React quickly if a warning emerges (like pausing trades or transferring out funds).
• Protect your keys: Always use hardware wallets or secure software wallets. Phishing or device malware can leak keys (as with Step Finance). Never click unknown links.
• Multi-sig and safeguards: For large deposits or treasury funds, require multi-signature wallets and time locks. Consider using rugged liquidation alerts to get warnings on unusual activity.

By keeping approvals tight, vetting protocols, and monitoring the news, users can reduce exposure to these DeFi risks. Vigilance and good security hygiene remain the best defense against the next hack.

FAQs

About the Author

Onkar Singh

Onkar Singh has three years of experience as a digital finance content creator. Throughout his career, he has collaborated with various DeFi projects and crypto media outlets. In his leisure time, he enjoys fitness activities at the gym and watching movies across different genres. Balancing his professional and personal interests, Onkar continues to contribute to the digital finance landscape while pursuing his hobbies.

[email protected]