April 2026 was a bad month for DeFi hacks, with fourteen hacks involving losses of over $1 million. In total, over $630 million was stolen, but some of these funds were later recovered.
Biggest DeFi Hacks of April 2026
The fourteen hacks in April 2026 that exceeded $1 million in losses include:
- Drift Protocol: Drift lost an estimated $285 million to a social engineering attack attributed to the Lazarus Group. The attackers launched a fake token and tricked Drift Security Council members into pre-signing transactions that allowed the attackers to take privileged actions and deposit a fake token as collateral to drain the protocol.
- BSC/TMM: The TMM trading pair on BSC was targeted in a reserve manipulation attack. The attacker stole an estimated $1.6 million by burning tokens to inflate the perceived value of the TMM tokens.
- Dango: Dango suffered a $1.9 million hack because its smart contracts didn’t verify that donation amounts to the contract were positive. The attackers were able to cash out approximately $410,000 (which was later returned), and $1.49 million was stuck on the platform and recovered.
- Hyperbridge: The Hyperbridge attacker forged a transaction to modify the admin rights for the protocol’s Polkadot/Ethereum bridge contract. They minted about 1 billion DOT tokens and were able to cash out approximately $2.5 million.
- CoW Swap: The CoW Swap DEX aggregator’s DNS registrar was social engineered to redirect visitors to a malicious site. In total, users lost an estimated $1.2 million.
- Grinex: Grinex, a Russian cryptocurrency exchange, suffered a hack attributed to “foreign special services.” The exchange lost an estimated $13 million.
- Rhea Finance: Rhea Finance was exploited in April 2026 due to a bug in its slippage protection feature. The attacker stole an estimated $18.4 million, of which about $10 million was later recovered.
- KelpDAO: KelpDAO was the victim of the biggest hack of 2026 to date. The attackers stole an estimated $292 million by performing a DDoS attack that forced the protocol to use two compromised RPC nodes for data on cross-chain transfers. The protocol’s sole verifier then accepted a fake transaction to release $292 million.
- Volo Protocol: Volo Protocol was hacked for $3.5 million. The attacker likely stole a private key, allowing them to steal Bitcoin and stablecoin deposits.
- GiddyDeFi: GiddyDeFi suffered a $1.3 million hack in April 2026. The attacker exploited a flaw in authorization verification: a legitimate signed transaction could be replayed with changed parameters, because those parameters weren’t covered by the digital signature.
- Purrlend: A suspicious multisig transaction granted unauthorized access to the cross-chain bridge. After this occurred, attackers stole about $1.5 million from the protocol.
- Aftermath Finance: Aftermath Finance suffered an estimated $1.14 million hack in April 2026. The attacker exploited a flaw in the protocol’s fee system for builders, using negative fees to increase the USDC fees that they received.
- Sweat Foundation: The Sweat Foundation also suffered a hack due to a smart contract vulnerability. A custom drainer contract was used to steal about 13.71 billion SWEAT tokens worth approximately $2.5 million from accounts belonging to the foundation and some of its top holders.
- Wasabi Protocol: The Wasabi Protocol suffered an estimated $5 million in losses due to a compromised deployer admin key. The attacker performed a malicious upgrade to the protocol’s vault contract, allowing them to drain various assets from the contract.
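The GiddyDeFi entry above describes a class of bug worth seeing concretely: a signature that covers only some fields of an authorization, so the uncovered fields can be altered and the whole message replayed. The following is an added illustration, not code from GiddyDeFi or from any protocol on this page; it models the signature with an HMAC (the signing algorithm is irrelevant to the point, only which fields the digest covers), and all field names and values are constructed.

```python
import hashlib
import hmac
import json

# Constructed secret standing in for the authorizer's signing key.
SIGNER_KEY = b"constructed-signer-key"

# Weak scheme: digest covers user and amount only, so recipient and nonce
# can be changed without invalidating the signature.
WEAK_FIELDS = ("user", "amount")
# Hardened scheme: every parameter acted upon is covered, plus a domain
# tag (constructed contract id) and a nonce consumed on first use.
FULL_FIELDS = ("domain", "user", "amount", "recipient", "nonce")


def digest(fields: dict, covered: tuple) -> bytes:
    """Canonical encoding of exactly the covered fields, in fixed order."""
    payload = json.dumps({k: fields[k] for k in covered}, sort_keys=True)
    return hashlib.sha256(payload.encode()).digest()


def sign(fields: dict, covered: tuple) -> bytes:
    """Stand-in for an off-chain signature over the covered fields."""
    return hmac.new(SIGNER_KEY, digest(fields, covered), "sha256").digest()


class Verifier:
    """Mimics the on-chain check; tracks nonces only when asked to."""

    def __init__(self, covered: tuple, track_nonce: bool):
        self.covered = covered
        self.track_nonce = track_nonce
        self.used_nonces = set()

    def check(self, fields: dict, sig: bytes) -> bool:
        # Recompute the signature over the fields the scheme covers.
        if not hmac.compare_digest(sign(fields, self.covered), sig):
            return False
        if self.track_nonce:
            if fields["nonce"] in self.used_nonces:
                return False  # replay of an already-consumed authorization
            self.used_nonces.add(fields["nonce"])
        return True


def authorization() -> dict:
    """Constructed sample: Alice authorizes a withdrawal to herself."""
    return {"domain": "vault-v1", "user": "alice", "amount": 100,
            "recipient": "alice", "nonce": 1}
```

Under the weak verifier the same signature is accepted with `recipient` swapped and is accepted again on a second submission; under the hardened verifier both attempts fail.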
Lessons Learned from the Attacks
April 2026 had a large number of major hacks with a variety of root causes. However, a few things stand out.
One is the fact that the two biggest hacks of the month involved social engineering attacks carried out over months (and attributed to the Lazarus Group). These targeted, off-chain attacks are effective and don’t require on-chain vulnerabilities.
However, smart contract vulnerabilities are still a major problem. Many protocols suffered over $1 million in losses due to common, known threats.
Halborn offers security advisory and smart contract auditing services to help protect companies against top threats. Get in touch.
