TechFlow reports that, according to Forbes, the DeFi industry recently experienced its worst-loss month on record: within less than three weeks, 12 protocols suffered breaches totaling over $606 million. The Drift incident accounted for $285 million in losses, while Kelp DAO lost $292 million—these two attacks together constituted approximately 95% of the total losses.
Drift, Solana’s largest decentralized perpetuals exchange, was attacked. A post-incident review report stated the attack had been “planned for six months” and attributed it—with medium confidence—to a North Korean state-sponsored hacking group. The attackers posed as a quantitative trading firm, built trust with contributors, and then exploited Solana’s “durable nonces” feature to trick members of Drift’s security council into pre-signing seemingly routine transactions. After Drift removed its timelock and switched to a 2-of-5 multisig setup, the attackers introduced a fictitious asset—CarbonVote Token—as collateral, ultimately bypassing the protocol’s security mechanisms. Drift’s most recent audit occurred in February this year; the vulnerability exploited was not in the smart contract code itself but stemmed from compromised devices and manipulated signers—human-factor issues.
The Kelp DAO attack targeted peripheral infrastructure of the protocol. Its cross-chain bridge, built using LayerZero, employed a 1-of-1 validator configuration. Attackers compromised an RPC node, tampered with data, and caused the bridge to release 116,500 rsETH tokens—approximately 18% of the token’s circulating supply. The stolen rsETH was subsequently deposited into Aave as collateral to borrow funds, spreading associated risks to major lending markets including Compound and Euler. Within two days, DeFi’s total value locked (TVL) dropped by over $13 billion, with Aave bearing roughly $246 million in rsETH bad debt. The industry subsequently launched the coordinated initiative “DeFi United,” raising over $300 million to stabilize affected markets.
Marat Karapetian of Karapetian Private Capital commented that the situation in 2026 has shocked the market, and investors have become acutely aware of the systemic fragility inherent in DeFi architectures.
