The recent wave of DeFi hacks in early 2026—particularly the surge exceeding $600 million in April alone—stems primarily from vulnerabilities in cross-chain infrastructure, especially bridges and messaging protocols, rather than classic on-chain smart contract bugs like reentrancy or integer overflows (though those still occur).
The most prominent example is the Kelp DAO exploit on April 19, 2026, where attackers drained roughly $292–293 million in rsETH. This became the largest single DeFi hack of the year so far and triggered a broader liquidity crisis, with over $13 billion in DeFi TVL evaporating in days due to panic withdrawals, including billions from Aave.
The attack did not exploit a core bug in the underlying smart contracts of LayerZero (the messaging protocol used) or in Kelp’s main code. Instead, it targeted a misconfigured cross-chain verification setup in the LayerZero-based bridge infrastructure.
LayerZero V2 relies on a modular security model with Decentralized Verifier Networks (DVNs)—independent entities or nodes that validate and attest to messages sent between blockchains (e.g., confirming that a burn on one chain allows a mint on another). In this case, Kelp’s bridge route was set up with insufficient redundancy; reports indicate configurations approaching a single point of failure, such as a 1/1 DVN or a single-entity verifier.
Attackers spoofed or tricked the messaging layer into accepting a forged valid instruction from another network. This allowed the bridge to release ~116,500 unbacked rsETH to an attacker-controlled address without corresponding collateral or burn on the source chain. The attacker then used this fake rsETH as collateral on lending platforms like Aave, borrowing real assets against it.
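A monitoring check for the failure described above, added here as an example and not taken from Kelp, LayerZero or any incident report: every destination-chain release is reconciled against a burn read directly from the source chain, so a message accepted by the verification layer without a real burn shows up as unbacked supply. The event shape, message ids and amounts are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample events. Source burns should come from the source chain's
# own node or indexer, not from the messaging layer being checked.
SOURCE_BURNS = [
    {"msg_id": "m1", "amount": "10"},
    {"msg_id": "m2", "amount": "5"},
]
DEST_RELEASES = [
    {"msg_id": "m1", "amount": "10"},    # backed
    {"msg_id": "m2", "amount": "7.5"},   # releases more than was burned
    {"msg_id": "m1", "amount": "10"},    # same message delivered twice
    {"msg_id": "m9", "amount": "100"},   # no burn exists on the source chain
]

def find_unbacked_releases(source_burns, dest_releases):
    """Return (findings, unbacked_total). Each release must match exactly one
    source burn with the same message id and an amount that covers it."""
    burned = {e["msg_id"]: Decimal(e["amount"]) for e in source_burns}
    consumed = set()
    findings, unbacked = [], Decimal(0)
    for rel in dest_releases:
        mid, amt = rel["msg_id"], Decimal(rel["amount"])
        if mid not in burned:
            findings.append((mid, "no source burn"))
            unbacked += amt
        elif mid in consumed:
            findings.append((mid, "replayed"))
            unbacked += amt
        else:
            consumed.add(mid)
            if amt > burned[mid]:
                findings.append((mid, "amount exceeds burn"))
                unbacked += amt - burned[mid]
    return findings, unbacked

if __name__ == "__main__":
    issues, total = find_unbacked_releases(SOURCE_BURNS, DEST_RELEASES)
    for mid, reason in issues:
        print(f"ALERT {mid}: {reason}")
    print("unbacked supply:", total)
```

A non-zero unbacked total is the signal a bridge operator or an integrating lending market would use to pause releases or freeze the asset as collateral.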
Since the rsETH was unbacked, the positions created bad debt that couldn’t be easily liquidated, amplifying contagion: Aave saw massive outflows, utilization spiked to near 100% in ETH pools, and lending rates jumped as users fled. Similar patterns appear in other April incidents, including the Drift Protocol hack (~$285 million) on Solana, which involved social engineering and compromised admin and operational access rather than pure code flaws—highlighting how off-chain infrastructure has become a prime vector.
Bridges as single points of failure: They lock or wrap massive value across chains; TVL in bridges has hovered in the tens of billions. A compromise in one can cascade because DeFi is highly composable—tokens like rsETH are used as collateral, liquidity, or primitives in dozens of protocols across 20+ chains.
LayerZero and similar protocols like Wormhole and Axelar emphasize customization for speed and cost. Without enforced minimum security floors, such as requiring multiple independent DVNs or mandatory timelocks, projects can deploy weak configurations that look secure on paper but fail under targeted attacks.
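One way to turn such a floor into a pre-deployment check, added here as an example and not LayerZero's or Kelp's code: it computes the fewest distinct operators whose DVNs could satisfy a route's quorum alone, which catches both a 1/1 DVN and several DVNs run by a single entity. The `requiredDVNs`, `optionalDVNs` and `optionalDVNThreshold` fields are modelled on LayerZero V2's ULN configuration; the DVN labels, operator mapping and floor of two operators are assumptions for illustration.

```python
from itertools import combinations

# Policy floor for this example (an assumption, not a protocol-enforced rule).
MIN_INDEPENDENT_OPERATORS = 2

# Constructed mapping of DVN label -> operating entity (placeholders, not real DVNs).
OPERATOR_OF = {"dvn-a": "op-1", "dvn-b": "op-1", "dvn-c": "op-2", "dvn-d": "op-3"}

# Constructed route configurations.
ROUTES = {
    "one-of-one": {"requiredDVNs": ["dvn-a"], "optionalDVNs": [], "optionalDVNThreshold": 0},
    "same-entity": {"requiredDVNs": ["dvn-a", "dvn-b"], "optionalDVNs": [], "optionalDVNThreshold": 0},
    "weak-optional": {"requiredDVNs": ["dvn-a"], "optionalDVNs": ["dvn-b", "dvn-c"], "optionalDVNThreshold": 1},
    "independent": {"requiredDVNs": ["dvn-a", "dvn-c"], "optionalDVNs": ["dvn-d"], "optionalDVNThreshold": 1},
}

def min_operators_to_attest(cfg, operator_of):
    """Fewest distinct operators that can satisfy the quorum: every required
    DVN plus `optionalDVNThreshold` of the optional DVNs. None if impossible."""
    required_ops = {operator_of[d] for d in cfg["requiredDVNs"]}
    k = cfg["optionalDVNThreshold"]
    if k == 0:
        return len(required_ops)
    best = None
    for subset in combinations(cfg["optionalDVNs"], k):
        n = len(required_ops | {operator_of[d] for d in subset})
        best = n if best is None else min(best, n)
    return best

def audit_route(cfg, operator_of, floor=MIN_INDEPENDENT_OPERATORS):
    """Return a list of findings; an empty list means the route meets the floor."""
    dvns = cfg["requiredDVNs"] + cfg["optionalDVNs"]
    unknown = sorted(d for d in dvns if d not in operator_of)
    if unknown:
        return [f"no operator on record for {unknown}"]
    n = min_operators_to_attest(cfg, operator_of)
    if n is None:
        return ["optional threshold exceeds the number of optional DVNs"]
    if n < floor:
        return [f"{n} operator(s) can satisfy the quorum alone; floor is {floor}"]
    return []

if __name__ == "__main__":
    for name, cfg in ROUTES.items():
        print(name, audit_route(cfg, OPERATOR_OF) or "ok")
```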
2025–2026 trends show a pivot from pure smart contract exploits toward infrastructure attacks—compromised private keys, supply-chain and social engineering on devs and admins, oracle misconfigurations, and verification layer manipulation. Audits often miss these because they focus on on-chain code, not operational setup or off-chain components.
Fake and unbacked assets propagate quickly through integrated lending, DEXes, and restaking. This creates liquidity drain tests where one hack sparks bank-run-style withdrawals, freezing markets and amplifying losses far beyond the initial drain. April 2026 saw at least 12 incidents totaling over $600 million; some reports put early-year losses near $770 million+, dwarfing Q1 figures.
Cross-chain bridges have cumulatively lost billions since 2022 (~40% of all Web3 hack value in some analyses) due to their honeypot nature and verification complexity. Other recurring issues include privileged key risks, oracle and access control flaws, and human and operational errors (e.g., removing timelocks, phishing devs, or weak multisig setups).
North Korea-linked groups like Lazarus have been linked to some high-profile cases via sophisticated social engineering.
Ongoing Implications
DeFi remains resilient in some views, with protocols quickly freezing markets and users monitoring on-chain signals. However, the incidents underscore systemic risks in interoperability infrastructure.
Fixes being discussed include stricter configuration standards, better redundancy in verifiers, enhanced operational security (MPC wallets, timelocks, role-based controls), deeper audits covering off-chain components, and improved bug bounties. No single glitch affects all DeFi uniformly—it’s a class of related vulnerabilities in cross-chain and operational layers that sophisticated actors are actively probing.
Projects using bridges or wrapped assets should review their DVN setups, security modules, and dependencies immediately. The space continues to evolve, but these events highlight that decentralization doesn’t automatically equal security when infrastructure has centralized trust points or poor defaults.



