In June 2026, eleven DeFi protocols suffered hacks resulting in losses of at least $1 million each. Together, these incidents caused more than $74 million in losses.
Biggest DeFi Hacks of June 2026
Eleven DeFi protocols suffered hacks with losses of over $1 million each. These include:
TesseraDAO: TesseraDAO was the victim of an approximately $2.4 million hack in June 2026. The attackers gained control over the protocol’s primary contract and used this to mint an estimated 99 million TSR tokens, which they sold on PancakeSwap.
- Syscoin Bridge: The Syscoin cross-chain bridge had a vulnerability in its relay proof validation code, allowing the attacker to submit a malformed proof that was accepted as valid. As a result, the attacker was able to mint 5 billion SYS tokens worth about $10 million without a corresponding burn transaction.
- Humanity Protocol: The Humanity Protocol was the victim of an attack where a compromised employee laptop granted access to private keys for a hot wallet and two sets of bridge admin keys (Gnosis Safe multisig accounts). As a result, the attacker was able to steal an estimated $36 million via stolen tokens and malicious mints.
- Secret Network/Axelar Bridge: The attacker took advantage of the fact that Secret Network commented out critical verification checks when modifying a CW20-ICS20 contract for use with Axelar Bridge. The attacker was able to mint an estimated $4.67 million in unbacked assets using forged IBC deposit packets.
- Raydium: Raydium’s deprecated AMM V3 program contained a vulnerability involving insufficient validation of LP mint addresses. The attacker was able to create a fake LP token and bypass checks to steal about $1.34 million from the protocol.
- Aztec Connect: Aztec Connect was the victim of two hacks in June 2026, each with a value of about $2.1 million. The first exploited incomplete proof validation in the deprecated Aztec Connect Router contract, and the second used an immutable escape-hatch function with poor access control within the Private Rollup Bridge (2021-2022).
- Thetanuts Finance: A legacy Thetanuts Finance vault was exploited for about $2.1 million on Ethereum. The root cause was issues in redemption math and integer calculations in the mint/claim functions.
- LABUBU/OLPC: The LABUBU/OLPC liquidity pool on PancakeSwap on BNB Chain lost an estimated $1.1 million in a June 2026 hack. The attacker took advantage of a malicious change to the decimals parameter by the OLPC owner before they renounced ownership over a month previously.
- jaredfromsubway.eth MEV Bot: The MEV bot operated by jaredfromsubway.eth lost an estimated $7.5 million. The attackers used fake token wrappers and liquidity pools to trick the bot into giving approvals to attacker-controlled contracts.
- SecondFi Cardano Wallet: Users of the SecondFi wallet on Cardano lost about $2.4 million in June 2026. The attacker used a vulnerability in the wallet generation code to access wallets and steal assets.
- Polymarket: Polymarket users were the victims of a supply chain hack in June 2026. Attackers compromised a third-party vendor to introduce malicious code into the Polymarket frontend, allowing them to steal an estimated $3 million from users who visited the site.
Lessons Learned from the Attacks
The root causes of the top DeFi hacks of June 2026 were largely a mix of smart contract vulnerabilities and compromised private keys. This demonstrates that both on-chain and off-chain threats pose a serious risk to modern DeFi protocols.
Halborn offers both security advisory services and smart contract auditing to help ensure that projects are developed in line with security best practices and reviewed for potential vulnerabilities before being launched on-chain. To learn more about protecting your project against attack, get in touch with Halborn.
