April 2026 was a bad month for DeFi hacks, with fourteen hacks involving losses of over $1 million. In total, over $630 million was stolen, but some of these funds were later recovered.
Biggest DeFi Hacks of April 2026
The fourteen hacks in April 2026 that exceeded $1 million in losses include:
- Drift Protocol: Drift lost an estimated $285 million to a social engineering attack attributed to the Lazarus Group. The attackers launched a fake token and tricked Drift Security Council members into pre-signing transactions that allowed the attackers to take privileged actions and deposit a fake token as collateral to drain the protocol.
- BSC/TMM: The TMM trading pair on BSC was targeted in a reserve manipulation attack. The attacker stole an estimated $1.6 million by burning tokens to inflate the perceived value of the TMM tokens.
- Dango: Dango suffered a $1.9 million hack because its smart contracts didn’t verify that donation amounts to the contract were positive. The attackers were able to cash out approximately $410,000 (which was later returned), and $1.49 million was stuck on the platform and recovered.
- Hyperbridge: The Hyperbridge attacker forged a transaction to modify the admin rights for the protocol’s Polkadot/Ethereum bridge contract. They minted about 1 billion DOT tokens and were able to cash out approximately $2.5 million.
- CoW Swap: The CoW Swap DEX aggregator’s DNS registrar was social engineered to redirect visitors to a malicious site. In total, users lost an estimated $1.2 million.
- Grinex: Grinex, a Russian cryptocurrency exchange, suffered a hack attributed to “foreign special services.” The exchange lost an estimated $13 million.
- Rhea Finance: Rhea Finance was exploited in April 2026 due to a bug in its slippage protection feature. The attacker stole an estimated $18.4 million, of which about $10 million was later recovered.
- KelpDAO: KelpDAO was the victim of the biggest hack of 2026 to date. The attackers stole an estimated $292 million by performing a DDoS attack that forced the protocol to use two compromised RPC nodes for data on cross-chain transfers. The protocol’s sole verifier then accepted a fake transaction to release $292 million.
- Volo Protocol: Volo Protocol was hacked for $3.5 million. The attacker likely stole a private key, allowing them to steal Bitcoin and stablecoin deposits.
- GiddyDeFi: GiddyDeFi suffered a $1.3 million hack in April 2026. The attacker exploited flaws in authorization verification, replaying a legitimate transaction while changing parameters that weren’t covered by its digital signature.
- Purrlend: A suspicious multisig transaction granted unauthorized access to the cross-chain bridge. After this occurred, attackers stole about $1.5 million from the protocol.
- Aftermath Finance: Aftermath Finance suffered an estimated $1.14 million hack in April 2026. The attacker exploited a flaw in the protocol’s fee system for builders, using negative fees to increase the USDC fees that they received.
- Sweat Foundation: The Sweat Foundation also suffered a hack due to a smart contract vulnerability. A custom drainer contract was used to steal about 13.71 billion SWEAT tokens worth approximately $2.5 million from accounts belonging to the foundation and some of its top holders.
- Wasabi Protocol: The Wasabi Protocol suffered an estimated $5 million in losses due to a compromised deployer admin key. The attacker performed a malicious upgrade to the protocol’s vault contract, allowing them to drain various assets from the contract.
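The GiddyDeFi entry above describes parameters that weren't covered by the digital signature. The following Python example is added here and is not code from GiddyDeFi or from this article; it shows that class of flaw beside a verifier that authenticates every executed field and tracks nonces. HMAC-SHA256 stands in for the on-chain signature scheme, and the key, field names, and domain tag are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's private key


def _encode(fields):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") encode differently.
    out = b""
    for f in fields:
        b = str(f).encode()
        out += len(b).to_bytes(4, "big") + b
    return out


def sign(fields):
    return hmac.new(KEY, _encode(fields), hashlib.sha256).digest()


def weak_fields(order):
    # Flawed: recipient and amount are executed but never authenticated.
    return [order["user"], order["nonce"]]


def strict_fields(order):
    # Every parameter that affects execution, plus a domain tag (assumed name).
    return ["demo-domain-v1"] + [order[k] for k in ("user", "nonce", "recipient", "amount")]


def verify(order, sig, fields_fn, used_nonces):
    if not hmac.compare_digest(sign(fields_fn(order)), sig):
        return False
    key = (order["user"], order["nonce"])
    if key in used_nonces:  # reject a second use of the same authorization
        return False
    used_nonces.add(key)
    return True


def demo():
    order = {"user": "alice", "nonce": 7, "recipient": "alice", "amount": 100}
    tampered = dict(order, recipient="mallory", amount=10_000)  # constructed input
    return {
        "weak_accepts_tampered": verify(tampered, sign(weak_fields(order)), weak_fields, set()),
        "strict_accepts_tampered": verify(tampered, sign(strict_fields(order)), strict_fields, set()),
        "strict_accepts_original": verify(order, sign(strict_fields(order)), strict_fields, set()),
    }
```

A useful review check that follows from this: list every value the execution path reads from the request and confirm each one appears in the signed message.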
Lessons Learned from the Attacks
April 2026 had a large number of major hacks with a variety of root causes. However, a few things stand out.
One is that the two biggest hacks of the month involved off-chain attack methods and were attributed to the Lazarus Group. These targeted, off-chain attacks are effective and don’t require on-chain vulnerabilities.
However, smart contract vulnerabilities are still a major problem. Many protocols suffered over $1 million in losses due to common, known threats.
Halborn offers security advisory and smart contract auditing services to help protect companies against top threats. Get in touch.
