
Newsletter - April 2026

Code Auditing
April 30, 2026
Key Insights

Top 3 DeFi Incidents in April

KelpDAO: ~$290M

On April 18, 2026, KelpDAO’s rsETH LayerZero OFT bridge was exploited for approximately $290M.

The root cause was KelpDAO’s insecure 1-of-1 DVN configuration, which reduced cross-chain message verification to a single point of failure. After compromising RPC infrastructure trusted by the LayerZero Labs DVN, the attacker forced the sole verifier to attest to a fabricated cross-chain message. As a result, 116,500 rsETH were released on Ethereum without any corresponding source-side event on Unichain.

This incident was not caused by a flaw in the LayerZero protocol itself, but by an operational security failure spanning bridge configuration and infrastructure trust assumptions. Because KelpDAO relied on a single DVN, no independent verifier existed to challenge the forged message. The attacker poisoned the RPC nodes that DVN relied on and knocked the remaining healthy nodes offline with a DDoS, pushing the verifier into a failover state in which it depended entirely on attacker-controlled source-chain data. Once the fake message was attested, the Ethereum-side rsETH adapter executed as designed and released the funds, which were then quickly dispersed and laundered across multiple wallets and chains.

This incident highlights that bridge security cannot rely solely on protocol correctness. Projects should adopt multi-DVN configurations with independent verifiers, treat sudden RPC node outages during verification as attack signals rather than routine availability issues, and harden the infrastructure that feeds source-chain data to verifier networks.
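As an added example (not LayerZero's or KelpDAO's code), the following Python models the N-of-M DVN verification rule that LayerZero V2's ULN documents (every required DVN must attest, plus at least a threshold of the optional DVNs) and shows how a 1-of-1 configuration lets a single poisoned verifier pass a forged payload while a multi-DVN configuration rejects it. DVN names, payload hashes and the attestation data are constructed for the scenario.

```python
from dataclasses import dataclass

# Added simulation of an N-of-M DVN verification rule, modeled on the documented
# LayerZero V2 ULN semantics (every required DVN must attest, plus at least
# optional_threshold of the optional DVNs). DVN names and scenario data are
# constructed for illustration; this is not LayerZero or KelpDAO code.


@dataclass(frozen=True)
class DvnConfig:
    required_dvns: frozenset
    optional_dvns: frozenset = frozenset()
    optional_threshold: int = 0

    def independent_attestations_needed(self) -> int:
        """Minimum number of distinct verifiers an attacker must control."""
        return len(self.required_dvns) + self.optional_threshold


def is_verified(cfg: DvnConfig, attestations: dict, payload_hash: str) -> bool:
    """True only if the configured DVN quorum attested to this exact payload hash.

    attestations maps DVN name -> payload hash that DVN attested to; a DVN is
    absent when it saw no such message on the source chain."""
    def attested(dvn: str) -> bool:
        return attestations.get(dvn) == payload_hash

    if not all(attested(d) for d in cfg.required_dvns):
        return False
    return sum(attested(d) for d in cfg.optional_dvns) >= cfg.optional_threshold


def config_findings(cfg: DvnConfig) -> list:
    """Static checks a reviewer would run over an OApp's DVN configuration."""
    findings = []
    n = cfg.independent_attestations_needed()
    if n < 2:
        findings.append(f"single point of failure: only {n} verifier must attest")
    if cfg.optional_dvns and cfg.optional_threshold == 0:
        findings.append("optional DVNs configured but threshold is 0: they add nothing")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("optional threshold exceeds optional DVN count: nothing can verify")
    return findings


# Constructed scenario: the honest DVNs never saw the message on the source chain;
# the compromised DVN, fed attacker-controlled RPC data, attests to a forged hash.
FORGED = "0xforged"
GENUINE = "0xgenuine"

weak = DvnConfig(required_dvns=frozenset({"dvn-A"}))               # 1-of-1
hardened = DvnConfig(required_dvns=frozenset({"dvn-A", "dvn-B"}),  # 2 required
                     optional_dvns=frozenset({"dvn-C", "dvn-D"}),
                     optional_threshold=1)                         # plus 1-of-2 optional

forged_attestations = {"dvn-A": FORGED}  # only the poisoned verifier signs
genuine_attestations = {"dvn-A": GENUINE, "dvn-B": GENUINE, "dvn-C": GENUINE}


def scenario() -> dict:
    return {
        "forged_passes_weak": is_verified(weak, forged_attestations, FORGED),
        "forged_passes_hardened": is_verified(hardened, forged_attestations, FORGED),
        "genuine_passes_hardened": is_verified(hardened, genuine_attestations, GENUINE),
        "weak_findings": config_findings(weak),
        "hardened_findings": config_findings(hardened),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The quorum arithmetic is the point: an attacker who can corrupt the data feeding one verifier defeats the weak configuration outright, but must independently compromise three verifiers (two required plus one optional) to pass the hardened one, and `config_findings` flags the weak case before any message is ever sent.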

For a detailed analysis, read our deep-dive post:

https://blocksec.com/blog/the-decentralization-dilemma-cascading-risk-and-emergency-power-in-the-kelp-dao-crisis

Drift Protocol: ~$285M

On April 1, 2026, Drift Protocol on Solana was exploited for approximately $285M.

The root cause was not a smart contract vulnerability but a failure in the protocol's governance and authorization process. At the time, Drift used a 2-of-5 multisig for high-privilege actions, so any two of the five authorized signers could approve critical administrative changes, and those changes were not subject to any timelock: once enough approvals were collected, they could be executed immediately. Compounding this was Solana's durable nonce mechanism, which lets a pre-signed transaction stay valid indefinitely instead of expiring once its recent blockhash ages out, as an ordinary transaction does within minutes. This gave the attacker time to collect malicious signatures in advance and wait for the right moment to use them.

After inducing two of the five signers to approve malicious governance transactions, the attacker later submitted those transactions to take over admin control of the protocol. With that access, the attacker listed a fake collateral asset called CarbonVote Token (CVT), manipulated its oracle price, loosened withdrawal restrictions, and used the fake collateral to drain large amounts of real assets through the Drift Vault.

This incident exposed three major weaknesses in Drift’s governance design. First, the attacker was able to separate signature collection from execution because the stolen approvals did not expire quickly. Second, the lack of a timelock meant the admin takeover became effective immediately, leaving almost no time for detection or intervention. Third, the admin role was too powerful: once compromised, it allowed the attacker to create a new collateral market, change oracle settings, and relax withdrawal controls, all of which directly enabled the theft.

This incident shows that governance security is not just about protecting private keys. Protocols also need to secure the full signing and approval process, add delays to high-privilege actions, limit the use of long-lived pre-signed transactions, and reduce the scope of what a single admin takeover can do.
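As an added example, not Drift's program or multisig code, the following Python models a threshold-governed admin action with the three controls described above: approvals bound to one specific proposal that expire after a fixed age, a timelock between queueing and execution, and a higher signer threshold for more powerful actions. Signer names, timestamps, thresholds and the sample action are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

# Added model of threshold-governed admin actions with the controls the Drift
# write-up calls for: approvals that expire, a timelock between queueing and
# execution, and higher thresholds for more powerful actions. Names, times and
# thresholds are constructed for illustration; not Drift's program or multisig.


def proposal_id(action: dict) -> str:
    """Approvals bind to the exact action payload, so a signature cannot be reused elsewhere."""
    return hashlib.sha256(json.dumps(action, sort_keys=True).encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Approval:
    signer: str
    proposal: str   # proposal_id the signer approved
    signed_at: int  # unix seconds; lets pre-signed approvals expire


@dataclass
class Timelocked:
    action: dict
    eta: int        # earliest execution time (unix seconds)


class Governance:
    def __init__(self, signers, thresholds, max_approval_age, delay):
        self.signers = set(signers)
        self.thresholds = thresholds              # op name -> approvals required
        self.max_approval_age = max_approval_age  # seconds an approval stays valid
        self.delay = delay                        # timelock in seconds
        self.queue = {}                           # proposal_id -> Timelocked

    def queue_action(self, action: dict, approvals: list, now: int) -> str:
        pid = proposal_id(action)
        need = self.thresholds[action["op"]]  # unknown ops cannot be executed at all
        fresh = {a.signer for a in approvals
                 if a.signer in self.signers and a.proposal == pid
                 and 0 <= now - a.signed_at <= self.max_approval_age}
        if len(fresh) < need:
            raise PermissionError(f"{len(fresh)} fresh approvals, {need} required for {action['op']}")
        self.queue[pid] = Timelocked(action, eta=now + self.delay)
        return pid

    def execute(self, pid: str, now: int) -> dict:
        item = self.queue[pid]
        if now < item.eta:
            raise PermissionError(f"timelock active for {item.eta - now}s more")
        del self.queue[pid]
        return item.action


def attempt(fn, *args, **kwargs) -> bool:
    """True if the governance call succeeded, False if it was refused."""
    try:
        fn(*args, **kwargs)
        return True
    except PermissionError:
        return False


def scenario() -> dict:
    gov = Governance(signers=[f"s{i}" for i in range(1, 6)],
                     thresholds={"set_oracle": 3, "pause_market": 2},
                     max_approval_age=3600, delay=24 * 3600)
    action = {"op": "set_oracle", "market": "XYZ-PERP", "oracle": "0xfeed"}
    pid = proposal_id(action)
    t0 = 1_700_000_000
    # Approvals harvested a week earlier (the durable-nonce pattern) no longer count.
    stale = [Approval("s1", pid, t0), Approval("s2", pid, t0), Approval("s3", pid, t0)]
    # Two fresh signers: enough for a pause, not for an oracle change.
    two_fresh = [Approval("s1", pid, t0 + 10), Approval("s2", pid, t0 + 20)]
    three_fresh = two_fresh + [Approval("s4", pid, t0 + 30)]
    now = t0 + 60
    results = {
        "stale_accepted": attempt(gov.queue_action, action, stale, now=t0 + 7 * 24 * 3600),
        "two_signers_accepted": attempt(gov.queue_action, action, two_fresh, now=now),
        "three_signers_accepted": attempt(gov.queue_action, action, three_fresh, now=now),
    }
    results["executed_immediately"] = attempt(gov.execute, pid, now=now + 1)
    results["executed_after_delay"] = attempt(gov.execute, pid, now=now + gov.delay)
    return results


if __name__ == "__main__":
    print(scenario())
```

The expiry check is the direct counter to signatures collected in advance: approvals carry the time they were made and are discarded once older than `max_approval_age`, so a harvested approval cannot be held in reserve. The timelock then turns the gap between queueing and execution into the detection window the incident lacked.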

For a detailed analysis, read our deep-dive post:

https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation

Rhea Finance: ~$18.4M

On April 16, 2026, the Burrowland protocol of Rhea Finance on NEAR was exploited for approximately $18.4M due to a business logic flaw in its margin-trading module. Notably, as of April 23, 2026, all stolen funds had been recovered.

The root cause was that the protocol treated a user-supplied swap output declaration as if it accurately represented the amount that would actually be returned by the DEX. However, a malicious user could construct a circular swap path that recycled intermediate outputs within the route, artificially inflating the declared final output and manipulating the protocol’s accounting. As a result, the protocol’s solvency and leverage checks relied on a fabricated value rather than the real amount received. This flaw was rooted in the verify_token_out() function, which incorrectly counted certain intermediate outputs as part of the final result even though they were later reused within the swap path.

After circumventing these checks, the attacker routed borrowed assets out of the protocol through attacker-controlled fake pools, while the protocol received only a negligible amount of value in return. The attacker then withdrew liquidity from these pools to extract the funds. By repeating this process, the attacker ultimately drained approximately $18.4M from Burrowland.

This incident shows that margin-trading protocols should not treat user-declared swap outputs as trusted input. Protocols need to ensure that solvency checks are based on the actual received value, reject swap paths that can recycle intermediate assets, and prevent accounting logic from being manipulated by circular routing.
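As an added illustration, not Burrowland's verify_token_out() or any Rhea Finance code, the following Python contrasts naive summation of declared per-hop outputs with hop-by-hop net accounting over a constructed circular route, rejects routes that re-spend the output token mid-route, and bases the final solvency gate on the amount actually received rather than the caller's declaration. Token names, amounts and the hop structure are constructed.

```python
from dataclasses import dataclass

# Added model of the accounting flaw described above: a route's declared final
# output is summed naively versus tracked as net balances hop by hop. Hop
# structure, token names and amounts are constructed for illustration; this is
# not Burrowland's verify_token_out() or any Rhea Finance code.


@dataclass(frozen=True)
class Hop:
    token_in: str
    token_out: str
    amount_in: int
    amount_out: int  # caller-declared output of this hop


def naive_declared_output(path: list, token_out: str) -> int:
    """Flawed: counts every hop that emits token_out, even if a later hop spends it again."""
    return sum(h.amount_out for h in path if h.token_out == token_out)


def net_output(path: list, token_in: str, amount_in: int, token_out: str) -> int:
    """Replay the route as balance changes; each hop must be funded by what the route holds."""
    balances = {token_in: amount_in}
    for i, hop in enumerate(path):
        held = balances.get(hop.token_in, 0)
        if held < hop.amount_in:
            raise ValueError(f"hop {i}: needs {hop.amount_in} {hop.token_in}, route holds {held}")
        balances[hop.token_in] = held - hop.amount_in
        balances[hop.token_out] = balances.get(hop.token_out, 0) + hop.amount_out
    return balances.get(token_out, 0)


def recycles_output(path: list, token_in: str, token_out: str) -> bool:
    """True if the route spends the output token, or re-spends the input token, mid-route."""
    return (any(h.token_in == token_out for h in path)
            or any(h.token_in == token_in for h in path[1:]))


def gate_swap(path, token_in, amount_in, token_out, min_out, actual_received) -> int:
    """What a solvency check should consume: reject circular routes up front, then judge
    the position by what the DEX actually returned, never by the declaration."""
    if recycles_output(path, token_in, token_out):
        raise ValueError("circular swap path rejected")
    net_output(path, token_in, amount_in, token_out)  # still checks every hop is funded
    if actual_received < min_out:
        raise ValueError(f"received {actual_received} {token_out} < minimum {min_out}")
    return actual_received


def is_funded(path, token_in, amount_in, token_out) -> bool:
    try:
        net_output(path, token_in, amount_in, token_out)
        return True
    except ValueError:
        return False


# Constructed circular route USDC -> NEAR -> USDC -> NEAR: the first NEAR leg's
# 200 NEAR is spent again in hop 2, yet a naive sum counts it toward the result.
CIRCULAR = [
    Hop("USDC", "NEAR", 1000, 200),
    Hop("NEAR", "USDC", 200, 1000),
    Hop("USDC", "NEAR", 1000, 200),
]
STRAIGHT = [Hop("USDC", "NEAR", 1000, 200), Hop("NEAR", "ETH", 200, 1)]
UNFUNDED = [Hop("USDC", "NEAR", 1000, 200), Hop("NEAR", "ETH", 500, 2)]

if __name__ == "__main__":
    print("naive:", naive_declared_output(CIRCULAR, "NEAR"))          # 400
    print("net:  ", net_output(CIRCULAR, "USDC", 1000, "NEAR"))       # 200
    print("recycles:", recycles_output(CIRCULAR, "USDC", "NEAR"))     # True
```

On the circular route the naive sum reports twice the NEAR that the route can actually deliver; net accounting exposes the inflation, and `recycles_output` refuses the route before accounting is even attempted. The final gate takes `actual_received` as a separate argument on purpose: the value that decides solvency must come from the DEX settlement, not from anything the caller declared.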

The information above is based on data as of 00:00 UTC, April 29, 2026.

This concludes the April security incidents brief. For more in-depth analysis of blockchain security incidents and Web3 security trends, you can explore our resources.

You can learn more in our Security Incidents Library.

Stay informed and stay secure!
