May 2026 was a quieter month for major DeFi hacks than the month before it. May saw twelve hacks with losses exceeding $1 million each, for a total of about $68.44 million lost, whereas April’s fourteen major hacks totaled over $630 million.
Biggest DeFi Hacks of May 2026
The twelve DeFi hacks of May 2026 with losses exceeding $1 million each include:
- Ekubo Protocol: In May 2026, the Ekubo Protocol suffered a $1.4 million hack. The protocol’s custom extension smart contract contained a verification error that allowed the attacker to drain funds via existing ERC-20 approvals.
- TrustedVolumes: TrustedVolumes was the victim of a $6.7 million hack due to missing access controls on its allowlist. The attacker added themselves to the list of approved trade order signers, allowing them to approve orders on behalf of the protocol.
- TAC Protocol: TAC Protocol lost an estimated $2.8 million to a hack targeting its TON/EVM cross-chain bridge. The root cause was logical errors in the TON Jetton bridge path.
- Transit Finance: Transit Finance was exploited via a deprecated legacy smart contract that was still deployed and callable. The contract’s weak input validation allowed the attacker to drain an estimated $1.88 million.
- THORChain: THORChain’s validator network was infiltrated by a malicious node that acted benignly for two days before launching an attack. The node exploited a progressive key material leak to collect pieces of a multi-party key and reconstruct the full key to drain about $10.7 million from the compromised vault.
- Verus-Ethereum Bridge: The Verus-Ethereum bridge was exploited because neither end of the bridge validated that transaction inputs matched outputs. Each side performed its own required verification, but this gap between them resulted in an estimated $11.58 million in losses.
- RetoSwap: RetoSwap relies on Haveno’s trade protocol to create temporary multisig wallets to secure Monero trades. A vulnerability in how Haveno managed out-of-order ACK messages allowed the attacker to be named arbitrator for their trades and unilaterally drain assets from the associated wallet. In total, an estimated $2.7 million was lost.
- StablR: StablR had a 1-of-3 multisig wallet for its mint contract, and one of these keys was compromised. The attacker used their key to lock out the other keys and mint about $10.4 million in USDR and EURR, extracting about $2.8 million after dumping these tokens on DEXes.
- SquidRouterModule: A third-party Gnosis Safe module used a fixed string visible in its source code to authenticate message validity. An attacker learned this string and used it to drain about $3.2 million from 86 wallets that used the module.
- SUPERFORTUNE AI: SUPERFORTUNE AI lost an estimated $15.18 million in GUA tokens allocated to an airdrop. While the multisig transaction was being executed to send the tokens to the airdrop claim contract address, the destination was changed to an attacker-controlled address.
- DxSale: Legacy DxSale liquidity locker contracts were exploited via an ownership override attack, in which the contracts’ unlock times were backdated to 1970 before the locked funds were drained. The incident, believed to be an insider attack, resulted in about $7.3 million in losses across 1,400 LPs that had been locked since 2021.
- Gravity Bridge: In May 2026, Gravity Bridge was the victim of an estimated $5.4 million hack. The likely cause of this incident was a compromised private key.
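The TrustedVolumes entry above describes the most common shape of an access-control bug: a privileged mutator (adding an order signer) that any caller can invoke. The following is an added illustration, not TrustedVolumes’ code or any other project’s; the contract and function names are hypothetical. It places a vulnerable signer allowlist beside a hardened version that restricts list changes to an owner, uses two-step ownership transfer, and emits events so that allowlist changes can be monitored.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example (not TrustedVolumes' code). Shared helper: recovers the
// signer of an EIP-191 prefixed order hash and rejects malleable (high-s) signatures.
library OrderSig {
    function recover(bytes32 orderHash, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        // secp256k1 half-order check: only the low-s form of a signature is accepted.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "high s");
        require(v == 27 || v == 28, "bad v");
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", orderHash));
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid sig");
        return signer;
    }
}

// VULNERABLE: the allowlist mutator has no access control, so any caller can
// approve themselves as an order signer and then sign orders "on behalf of" the protocol.
contract VulnerableSignerAllowlist {
    mapping(address => bool) public isApprovedSigner;

    function addSigner(address signer) external {        // missing onlyOwner
        isApprovedSigner[signer] = true;
    }

    function isValidOrder(bytes32 orderHash, bytes calldata sig) external view returns (bool) {
        return isApprovedSigner[OrderSig.recover(orderHash, sig)];
    }
}

// HARDENED: only the owner can change the allowlist; ownership transfer is
// two-step so a mistyped address cannot orphan the contract; every change is logged.
contract SignerAllowlist {
    address public owner;
    address public pendingOwner;
    mapping(address => bool) public isApprovedSigner;

    event SignerAdded(address indexed signer);
    event SignerRemoved(address indexed signer);
    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address initialOwner) {
        require(initialOwner != address(0), "zero owner");
        owner = initialOwner;
    }

    function addSigner(address signer) external onlyOwner {
        require(signer != address(0), "zero signer");
        isApprovedSigner[signer] = true;
        emit SignerAdded(signer);
    }

    function removeSigner(address signer) external onlyOwner {
        isApprovedSigner[signer] = false;
        emit SignerRemoved(signer);
    }

    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    function isValidOrder(bytes32 orderHash, bytes calldata sig) external view returns (bool) {
        return isApprovedSigner[OrderSig.recover(orderHash, sig)];
    }
}
```

In a project’s test suite, the check that catches this bug class is a negative test: a call to `addSigner` from a non-owner account must revert, and the only accepted signers after deployment are those the owner explicitly added. Monitoring the `SignerAdded` event for addresses outside the expected set gives an on-chain signal that a privileged list has changed.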
Lessons Learned from the Attacks
May 2026 saw a large number of high-value DeFi hacks with various causes. Unusually for 2026, many of these hacks involved exploits of vulnerable smart contracts.
This indicates that, while private key leakages are the cause of many DeFi hacks, vulnerable code also poses a significant risk to DeFi project security. For help with protecting your code against exploitable flaws, get in touch.
