IOSG: DeFi đang ở thời điểm nguy hiểm nhất, lỗ hổng thực sự không nằm trong code

Original author: Darko, IOSG Ventures

April 1, 2026, UTC 16:05:18, an attacker submitted a transaction to the Drift Protocol. One second later, another transaction approved it.

Twelve minutes later, $285 million was gone. Seventeen days later, a compromised validator on the KelpDAO bridge single-handedly minted $292 million in unsupported tokens, triggering approximately $8.5 billion in outflows from Aave and another ~$4.5 billion from other DeFi protocols within 48 hours.

Twelve days after that, an attacker with a stolen deployer private key drained $4.5 million from Wasabi Protocol across four chains.

None of these incidents exploited a smart contract vulnerability.

For most of its first half-decade, DeFi has believed security is a code problem. Audits, formal verification, bug bounties—the entire industry organized itself around a premise: if the smart contract logic is sound, the protocol is secure. Math is law. April 2026 was the month this premise publicly collapsed.

Over 30 incidents in a single month resulting in over $625 million stolen—according to DefiLlama, the most hacked month in crypto history by event count—and every major loss traced back to admin keys, bridge validators, oracle blind spots, or social engineering attacks. All operational foundations that audits were never designed to cover.

This article is about that migration. We'll break down three major April hacks into three faces of the same underlying failure, recount how one protocol's misconfigured bridge triggered $13.2 billion in outflows from a protocol 25 times its size, and honestly examine what DeFi actually is today: open infrastructure with trusted operational leverage, even if the marketing says otherwise. The problem isn't the math.

The problem is the "mental model" surrounding the math.

The math didn't break. What broke was the mental model wrapped around the math—and the cost of this mismatch is forcing the industry to reconsider what "decentralization" actually means.

## The Mental Model Gap

For most of DeFi's history, mainstream security culture was Solidity-based. Audits review contract logic. Bug bounties pay for reentrancy, integer overflows, access modifier errors. Formal verification proves invariants for on-chain code. The implicit assumption: everything outside the contract—multisigs, deployer keys, bridge validators, relayer infrastructure, team communication channels—was either out of scope or someone else's problem.

This assumption held only as long as attackers were exploiting Solidity vulnerabilities.

The April 2026 hacks share a structural feature that audit reports cannot describe: the smart contracts themselves were not vulnerable. According to independent on-chain researcher post-mortems, Drift's code was audited by Trail of Bits in 2022 and by ClawSecure in February 2026—both passed.

Neither audit covered Drift's multisig configuration, durable nonce handling logic, or the social engineering attack surface surrounding its Security Council. KelpDAO's LayerZero adapter was standard OFT template code; the contracts themselves had no issues. The error was in the deployment configuration, typically outside the scope of standard Solidity audits.

Wasabi's Vault contract was upgradeable by design; the design itself was the vulnerability.

What collapsed in April wasn't the math. It was the operational foundation the math runs on.

## Three Dissections: Three Faces of One Failure

The three major April 2026 hacks—Drift, KelpDAO, Wasabi—represent three distinct types of "non-code failure."

Together, they cover most of the new attack surface and share a structural feature: in each case, one or two compromised individuals or infrastructure components triggered a domino effect across the entire protocol.

### Drift: Human Multisig ($285 million)

The Drift hack was an intelligence operation, not an exploit. Analysis by TRM Labs, Elliptic, and Drift itself with SEAL 911 assistance attributed the attack to North Korea's Lazarus Group, specifically the UNC4736 sub-cluster, previously linked by Mandiant to the October 2024 Radiant Capital attack.

The attacker spent roughly six months planning the operation. Social engineering began at industry conferences in Fall 2025; on-chain preparation started only three weeks before the event.

On March 11, 2026, the operation launched with 10 ETH from Tornado Cash. The next day, approximately 9:00 AM Pyongyang time, these funds deployed the CarbonVote Token (CVT) on Solana. The attacker created a small liquidity pool on Raydium, wash-traded CVT to anchor its market price around $1, then set up a self-controlled price oracle to feed this artificial price to Drift.

The wash trading existed to make the oracle output "look legitimate"—any spot-checker would find the market price matching the oracle quote.

Meanwhile, the attacker posed as a quantitative trading firm, spending weeks building relationships with Drift contributors. The goal wasn't information extraction, but accumulating trust in advance for a specific moment.

That moment relied on a Solana feature called durable nonces: a legitimate mechanism allowing "sign today, execute later." Between March 23 and March 30, the attacker obtained durable nonce signatures from at least two of the five members of Drift's Security Council.

From the signers' perspective, they approved routine transactions. From the network's perspective, these signatures were valid authorization credentials, dormant but valid.

On March 26, Drift made a decision that proved catastrophic in hindsight: migrating to a brand new 2-of-5 Security Council multisig with a zero timelock. This migration eliminated the delay window that might have detected or prevented the attack.

April 1, UTC 16:05:18, the attacker submitted the first pre-signed durable nonce transaction—a proposal to transfer admin control to address H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. One second later, UTC 16:05:19, a second pre-signed transaction approved and executed it. The attacker took over Drift.

What followed took only twelve minutes. The attacker deposited the worthless CVT as collateral, with near-unlimited borrowing capacity based on the manipulated oracle price, deposited 500 million CVT, and withdrew $285 million in real assets—JLP, USDC, SOL, cbBTC, wBTC, ETH—from three core Vaults. Drift's TVL collapsed from $550 million to roughly $250 million. Two signers, one protocol, smart contracts operating exactly as designed. The vulnerability was "human."

One aspect of Drift's post-incident response deserves specific mention because it sets a standard for subsequent victim protocols: Drift's own disclosure was exceptionally candid.

Within five days of the exploit, the team published a detailed social engineering post-mortem—including the fact that contributors were contacted multiple times over six months; two contributors were likely compromised via a code repository clone and a TestFlight wallet beta; Telegram chats with the attacker were deleted before and after the attack; and the decision six days prior to migrate to a zero-timelock multisig eliminated the final detection window.

The team also publicly attributed the attack with medium confidence (UNC4736 / Citrine Sleet), coordinated with SEAL 911, and shared operational details to help other protocols identify the same playbook.

Victim protocols often retreat into legal caution and vague language; Drift chose to publish the kind of forensically detailed narrative that turns a single incident into industry-wide threat intelligence. The event itself remains a hack, the underlying governance vulnerability remains a vulnerability. But the willingness to publicly articulate "how the social engineering worked" is precisely what distinguishes protocols that contribute to collective industry learning from those that silently absorb their losses.

### KelpDAO: Single Validator ($292 million)

Seventeen days later, on April 18, the same threat actor profile produced a structurally different attack. KelpDAO is a liquid restaking protocol issuing rsETH—tokens representing user deposits routed through EigenLayer for additional yield.

By April 2026, rsETH's TVL exceeded $1 billion, deployed across over 20 chains via LayerZero's OFT (Omnichain Fungible Token) standard.

Contracts were fine. Configuration was the problem.

KelpDAO's bridge ran on a 1-of-1 DVN (Decentralized Verifier Network)—meaning only one validator. A single node was sufficient to approve a cross-chain message. "Decentralization" was vocabulary, not architecture.

The attack unfolded in stages. The attacker first compromised the internal RPC node the validator relied on to read the source chain state, then launched a coordinated DDoS attack on external nodes, forcing the system to fall back to the compromised infrastructure. With the data source under control, they forged a cross-chain message instructing KelpDAO's Ethereum mainnet contract to mint rsETH based on a burn that "never happened on any source chain."

UTC 17:35, the contract released 116,500 rsETH—worth approximately $292 million, roughly 18% of the token's circulating supply—to attacker-controlled addresses. Within minutes, these rsETH were deposited as collateral on Aave, valued at roughly $2,500 each.

The attacker borrowed real WETH, USDC, and wBTC against the unsupported collateral, ultimately withdrawing over 82,600 ETH (~$191 million) before KelpDAO paused the contract at UTC 18:21.

Two subsequent attempts at UTC 18:26 and 18:28, each trying to extract another 40,000 rsETH, were reverted. The pause stopped further losses but not the initial blow.

No reentrancy bug, no missing access check, no oracle manipulation within Kelp's own logic. The accounting invariant defining the bridge—assets released on the destination chain must equal assets burned on the source chain—was violated at the system level, not the transaction level. One node, hundreds of millions in losses.

What followed was a public dispute over where responsibility lay. LayerZero's initial post-mortem squarely blamed Kelp for choosing the 1-of-1 DVN configuration against guidance. Kelp's rebuttal memorandum on May 5 painted a different picture: at the time, 47% of active LayerZero OApp contracts—approximately 1,250 applications with a combined market cap exceeding $4.5 billion—ran on the same single-validator configuration.

Kelp argued that LayerZero's own OFT Quickstart, GitHub examples, and developer templates shipped with LayerZero Labs' own DVN as the mandatory verifier and no second option; and presented Telegram screenshots from LayerZero staff telling the Kelp team during 2.5 years and eight integration discussions that "using the defaults is fine."

Security researcher Sujith Somraaj (former LayerZero auditor) had submitted a bug bounty report to Immunefi precisely describing this attack pattern, which LayerZero rejected on the grounds that "verifier network selection is an application-layer configuration."

LayerZero's response to Kelp's memorandum stated this characterization was misleading. The bug bounty exclusion of "application-layer configuration" is a standard platform/application boundary (a LayerZero spokesperson noted that otherwise "any app could set itself as the sole DVN and maliciously claim rewards"); protocol defaults for most paths were actually multi-DVN; and for templates where 1-of-1 appeared, that single DVN pointed to a placeholder contract called "DeadDVN" that rejects all messages, forcing developers to configure their security stack before launch.

Regarding Kelp specifically, LayerZero stated that Kelp initially deployed with multi-DVN and manually downgraded to 1-of-1 later—not "used the defaults."

The platform vs. application boundary is indeed a genuine point of contention; rational engineers can disagree on whether a platform whose templates *can* be configured into a dangerous state bears responsibility for the configuration its users actually deploy.

Less contested was the second part of LayerZero's final response. On May 8, three weeks after the initial post-mortem, LayerZero reversed course and apologized: "We made a mistake by allowing our DVN to operate as a 1-of-1 DVN for high-value transactions. We did not constrain what our own DVN was providing protection for."

The protocol stopped supporting 1-of-1 within the DVN system, migrated defaults to 5-of-5, raised its own multisig threshold from 3-of-5 to 7-of-10, and announced a new issuer monitoring platform (Console).

Whether blame lies with Kelp, LayerZero, or—most likely—a shared failure between a platform shipping templates configurable into a dangerous state and an integrator that actively downgraded, both parties' ultimate responses converged on the same answer: 1-of-1 verification is unsafe at scale, and the industry should not have needed $292 million to learn this.

### Wasabi: Admin Private Key ($4.5 million)

April 30's Wasabi hack was an order of magnitude smaller than the other two, and for that reason most embarrassing. It was a "boring hack."

A deployer EOA—address 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8—held ADMIN_ROLE in Wasabi's perpetual contract manager deployed on Ethereum, Base, Blast, and Berachain. No multisig. The contract framework supported a timelock, but the configuration value was zero.

The attacker obtained that private key—phishing, device compromise, supply chain attack are all possible; Wasabi didn't provide a final determination. With ADMIN_ROLE, they granted the same role to a malicious helper contract, performed a UUPS proxy upgrade on the Vault contract, and swept collateral and pool balances. Total cross-chain loss: $4.5–5.5 million.

Wasabi employed no new technology. This vulnerability has been warned about as a DeFi anti-pattern for years: excessive admin privilege, lack of separation of powers, no delay window. It's the same vulnerability DeFi has been hitting, writing post-mortems about, and failing to fix in practice since 2020.

Stringing the three together: they are ultimately the same hack. Whether privileged access is obtained by manipulating signers, compromising validator nodes, or stealing a deployer key, the attack surface is identical—power concentration outside the smart contract layer, inadequately protected. This pattern is also a warning: in each case, one or two compromised entities triggered a domino chain that no amount of Solidity hardening could stop.

## Asymmetric Dominoes

The significance of the KelpDAO event extends beyond its dollar amount because of what happened next—DeFi's first true stress test of composability under operational failure, and the best illustration to date of how "asymmetric contagion math" can be.

Consider the scale: at the time of the incident, KelpDAO's rsETH TVL was ~$1 billion; Aave's AUM across all chains exceeded $25 billion. A protocol roughly 4% of Aave's size, via a single event, drained $8.45 billion from Aave alone within 48 hours—growing to $15.1 billion over three and a half days—while total DeFi TVL dropped by $13.21 billion over that 48-hour window. The asymmetry is the real story.

A small protocol with a misconfigured bridge triggered a bank run on a vastly larger protocol that, by all its own contract metrics, was "operating by the book."

When the attacker minted unsupported rsETH and deposited it into Aave, Aave's contracts executed perfectly according to specification. Its oracle continued to read rsETH at nearly 1:1 during the brief window the attacker was borrowing. The lending pool disbursed real WETH against collateral that appeared "valid" to every system on-chain.

The market reaction was instantaneous. rsETH traded at deep discounts on DEXs within hours, reflecting genuine uncertainty about whether the remaining 82% of supply was still fully backed. Aave V3 and V4 froze rsETH markets; Fluid, Compound, Euler, and Morpho followed within hours (SparkLend had already delisted rsETH in January).

rsETH holders on Arbitrum, Base, Mantle, Linea, Blast, and Scroll suddenly held tokens whose ability to be redeemed 1:1 for Ethereum mainnet custody was uncertain.

The subsequent capital outflows occurred not because Aave was hacked, but because depositors could not be sure the collateral backing their loans was solvent.

In the weeks before the incident, Aave had accumulated a significant rsETH position as users levered up on restaking trades; the protocol earned fees from this without setting a cap on the exposure. So this wasn't a case of a purely "innocent bystander"—Aave voluntarily took on counterparty risk—but the trigger event lay outside its contracts and beyond the reach of its own governance.

Aave's response to the incident warrants separate mention, as it sets a benchmark against which other large lending protocols will be measured. Within hours of the incident, the protocol's emergency admin froze rsETH markets on V3 and V4 across all affected chains, setting LTV to zero and capping further losses.

Within 48 hours, Aave's service providers posted a detailed incident report on the governance forum, publicly modeling two different bad debt scenarios—$123.7 million if Kelp socialized losses across all rsETH holders, $230.1 million if losses were isolated to L2 deployments—with per-chain breakdowns of which markets would bear which shortfalls.

Aave founder Stani Kulechov personally pledged 5,000 ETH for recovery; the DeFi United coalition formed by Aave's service providers—bringing in Lido, EtherFi, LayerZero, Mantle, and others—raised over $300 million in commitments to cover the rsETH shortfall. This was the largest cross-protocol rescue in the industry's history.

The critical part is narrower and should be read separately from the response: Aave's posture shifted as the bad debt range became clearer. Initial claims that its Umbrella reserve would cover the shortfall softened within days to "exploring paths to cover the shortfall." The narrative drift was small but notable