IOSG：DeFi到了最危險的時刻，真正的漏洞不在程式碼裡

Original Author: Darko, IOSG Ventures

On April 1, 2026, at 16:05:18 UTC, an attacker submitted a transaction to the Drift Protocol. One second later, another transaction approved it.

Twelve minutes later, $285 million was gone. Seventeen days later, a compromised validator on the KelpDAO cross-chain bridge single-handedly minted $292 million in unsupported tokens, triggering approximately $8.5 billion in outflows from Aave and about $4.5 billion from other DeFi protocols within 48 hours.

Twelve days after that, an attacker with a stolen deployer private key drained $4.5 million from the Wasabi Protocol across four chains.

None of these incidents involved exploiting smart contract vulnerabilities.

For most of its half-decade existence, DeFi has believed that security is a code problem. Audits, formal verification, bug bounties—the entire industry organized itself around a premise: as long as smart contract logic is sound, the protocol is secure. Math is law. April 2026 was the month this premise publicly crumbled.

Accumulating over 30 incidents, a total of over $625 million was stolen in a single month—according to DefiLlama data, making it the worst month in crypto history by number of hacks. Yet every major loss traced back to admin keys, bridge validators, oracle blind spots, or social engineering attacks—the operational bedrock that audits were never designed to cover.

This article is about that shift. We will dissect three severe hacks from April as three faces of the same underlying failure, review how a protocol's misconfigured cross-chain bridge triggered $13.2 billion in outflows from a protocol 25 times its size, and candidly examine what DeFi actually is today—essentially, open infrastructure with trusted operational leverage, regardless of marketing rhetoric. The problem is not the math.

The problem lies in the 'mental model' surrounding the math.

The math isn't broken. What's broken is the mental model built around it, and the cost of this misalignment is forcing the industry to re-evaluate what 'decentralization' actually means.

The Mental Model Gap

For most of DeFi's history, the mainstream security culture has been Solidity-based. Audits review contract logic. Bug bounties pay for reentrancy, integer overflows, and access modifier errors. Formal verification proves invariants for on-chain code. The implicit assumption is that everything outside the contract—multisigs, deployer keys, bridge validators, relayer infrastructure, team communication channels—is either out of scope or someone else's problem.

This assumption holds only as long as attackers are exploiting Solidity vulnerabilities.

The hacks of April 2026 share a structural characteristic that audit reports cannot describe: the smart contracts themselves had no vulnerabilities. According to independent on-chain researchers' post-mortems, Drift's code was audited by Trail of Bits in 2022 and by ClawSecure in February 2026, both passing.

Neither audit covered Drift's multisig configuration, its durable nonce handling logic, or the social engineering attack surface surrounding its Security Council. KelpDAO's LayerZero adapter was standard OFT template code; the contract itself had no issues. The error was in the deployment configuration, typically outside the scope of standard Solidity audits.

Wasabi's Vault contract was upgradeable by design; the design itself was the vulnerability.

What collapsed in April wasn't the math. It was the operational foundation upon which the math relied.

Three Dissections: Three Faces of the Same Failure

The three severe hacks of April 2026—Drift, KelpDAO, Wasabi—represent three distinct types of 'non-code failures'.

Together, they cover most of the new attack surfaces and share a structural characteristic: in each event, one or two compromised individuals or infrastructure components triggered a domino effect across the entire protocol.

Drift: Human Multisig ($285M)

The Drift hack was an intelligence operation, not an exploit. Analysis by TRM Labs, Elliptic, and Drift itself with assistance from SEAL 911 attributed the attack to North Korea's Lazarus Group, specifically the UNC4736 sub-group, previously linked by Mandiant to the October 2024 Radiant Capital attack.

The attacker spent about six months planning the operation. Social engineering began at industry conferences in the fall of 2025, while on-chain preparation started only three weeks before the event.

On March 11, 2026, the operation launched with 10 ETH from Tornado Cash. The next day, around 9:00 AM Pyongyang time, these funds deployed the CarbonVote Token (CVT) on Solana. The attacker created a small liquidity pool on Raydium, wash-trading CVT to peg its market price around $1. They then set up a price oracle under their control, feeding this artificial price to Drift.

The wash trading existed to make the oracle output 'look legitimate'—anyone spot-checking would find the market price consistent with the oracle quote.

Simultaneously, the attacker posed as a quantitative trading firm, spending weeks building relationships with Drift contributors. The goal wasn't to extract information, but to accumulate trust in advance for a specific moment.

That moment relied on a Solana feature called 'durable nonces': a legitimate mechanism allowing 'sign today, execute later'. Between March 23 and March 30, the attacker obtained durable nonce signatures from at least two of Drift's five-person Security Council members.

From the signers' perspective, they were approving routine transactions. From the network's perspective, these signatures were valid authorization credentials, dormant but effective.

On March 26, Drift made a decision that proved catastrophic in hindsight: migrating to a new 2-of-5 Security Council multisig with zero timelock. This migration eliminated the delay window that might have detected or prevented the attack.

On April 1 at 16:05:18 UTC, the attacker submitted the first pre-signed durable nonce transaction—a proposal to transfer admin control to address H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. One second later, at 16:05:19 UTC, a second pre-signed transaction approved and executed it. The attacker took control of Drift.

What followed took only twelve minutes. The attacker listed the worthless CVT as collateral, receiving nearly unlimited borrowing power. They deposited 500 million CVT at the manipulated oracle price, then drained $285 million in real assets—JLP, USDC, SOL, cbBTC, wBTC, ETH—from three core Vaults. Drift's TVL collapsed from $550 million to about $250 million. Two signers, one protocol, smart contracts functioning exactly as designed. The vulnerability was in the 'people'.

One aspect of Drift's post-incident response is worth highlighting, as it sets a standard for protocols that are next victimized: Drift's own post-disclosure was unusually candid.

Within five days of the exploit, the team published a detailed post-mortem of the social engineering attack—including the facts that: contributors were approached multiple times over six months; two contributors were likely compromised via a code repository clone and a TestFlight wallet beta version; Telegram chats with the attacker were deleted around the time of the attack; and the decision six days prior to migrate to a zero-timelock multisig eliminated the final detection window.

The team also publicly attributed the attack with medium confidence (UNC4736 / Citrine Sleet), coordinated with SEAL 911, and shared operational details that could help other protocols identify the same tactics.

Victims often retreat into legal caution and vague language; Drift chose to release a forensically detailed narrative capable of turning a single incident into industry-wide threat intelligence. The event itself remains a hack, and the underlying governance vulnerability remains a vulnerability. But the willingness to publicly explain 'how social engineering worked' is precisely what distinguishes protocols that contribute to collective industry learning from those that silently absorb losses.

KelpDAO: Single Validator ($292M)

Seventeen days later, on April 18, the same threat actor profile produced a structurally different attack. KelpDAO is a liquid restaking protocol issuing rsETH—a token representing user deposits routed through EigenLayer for additional yield.

By April 2026, rsETH's TVL exceeded $1 billion, deployed across over 20 chains via LayerZero's OFT (Omnichain Fungible Token) standard.

The contract wasn't the problem. The configuration was.

KelpDAO's cross-chain bridge ran on a 1-of-1 DVN (Decentralized Verifier Network)—meaning only one validator. A single node sufficed to approve a cross-chain message. 'Decentralization' was vocabulary, not architecture.

The attack proceeded in stages. First, the attacker compromised the internal RPC node the validator relied upon to read the source chain state. They then launched a coordinated DDoS attack on external nodes, forcing the system to fall back to the compromised infrastructure. With the data source under their control, they forged a cross-chain message instructing KelpDAO's Ethereum mainnet contract to mint rsETH based on a burn that 'never occurred on any source chain'.

At 17:35 UTC, the contract released 116,500 rsETH—worth approximately $292 million, roughly 18% of the token's circulating supply—to an attacker-controlled address. Within minutes, these rsETH were deposited as collateral on Aave, each valued at around $2,500.

Using the unsupported collateral, the attacker borrowed real WETH, USDC, and wBTC, ultimately withdrawing over 82,600 ETH (about $191 million) before KelpDAO paused the contract at 18:21 UTC.

Two subsequent attempts at 18:26 and 18:28 UTC, each seeking to withdraw another 40,000 rsETH, were reverted. The pause stopped further losses, but not the initial one.

No reentrancy bug, no missing access control, no oracle manipulation within Kelp's own logic. The accounting invariant defining the bridge—assets released on the destination chain must equal assets burned on the source chain—was violated at the system level, not the transaction level. One node, hundreds of millions in losses.

What followed was a public dispute: where did the responsibility lie? LayerZero's initial post-mortem squarely blamed Kelp, citing Kelp's choice of a 1-of-1 DVN against guidelines. Kelp's rebuttal memo on May 5 painted a different picture: at the time, 47% of active LayerZero OApp contracts—approximately 1,250 applications with a combined market cap exceeding $4.5 billion—were running on the same single-validator configuration.

Kelp argued: LayerZero's own OFT Quickstart, GitHub examples, and developer templates shipped with LayerZero Labs' own DVN as a mandatory verifier, without a second one; and offered Telegram screenshots from LayerZero staff telling the Kelp team over two and a half years and eight integration discussions that 'using the defaults is fine'.

Security researcher Sujith Somraaj (former LayerZero auditor) had submitted a bug bounty report on Immunefi precisely describing this attack vector, which LayerZero rejected on the grounds that 'verifier network selection is application-layer configuration'.

LayerZero's response to Kelp's memo was that this characterization was misleading. The bug bounty's exclusion of 'application-layer configuration' is a standard platform/app boundary (a LayerZero spokesperson argued, otherwise 'any app could set itself as the sole DVN, maliciously claim rewards'); the protocol's defaults across almost all paths are actually multi-DVN; and regarding the templates with 1-of-1, the single DVN pointed to a placeholder contract called 'DeadDVN' that rejects all messages, forcing developers to configure a security stack before launch.

Regarding Kelp specifically, LayerZero stated that Kelp initially deployed with multi-DVN and later manually downgraded to 1-of-1—not 'using the defaults'.

The platform vs. app boundary is a genuine point of contention, where reasonable engineers may disagree on whether a platform whose templates can be configured into a dangerous state bears responsibility for the configuration its users actually deploy.

Less contentious was the second part of LayerZero's final response. On May 8, three weeks after the initial post-mortem, LayerZero reversed course and apologized: 'We made a mistake by allowing our DVN to operate as a 1-of-1 DVN for high-value transactions. We failed to constrain our own DVN regarding what protection it provides.'

The protocol ceased supporting 1-of-1 within the DVN system, migrated defaults to 5-of-5, raised its own multisig threshold from 3-of-5 to 7-of-10, and announced a new issuer monitoring platform (Console).

Whether the underlying configuration was Kelp's fault, LayerZero's fault, or—most likely—a shared failure between a platform that ship configurations capable of being dangerous and an integrator that actively downgraded, both parties' final responses converged on the same answer: 1-of-1 verification is unsafe at scale, and the industry shouldn't have needed to spend $292 million to learn this lesson.

Wasabi: Admin Private Key ($4.5M)

Wasabi on April 30 was an order of magnitude smaller than the other two, and thus more embarrassing. It was a 'boring hack'.

A deployer EOA—address 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8—held the ADMIN_ROLE in Wasabi's perpetual contract manager deployed across Ethereum, Base, Blast, and Bera chains. No multisig. The contract framework supported a timelock, but the configured value was zero.

The attacker obtained that private key—phishing, device compromise, or supply chain attack are all possibilities; Wasabi hasn't provided a final conclusion. With the ADMIN_ROLE, they granted the same role to a malicious helper contract, performed a UUPS proxy upgrade on the Vault contract, and swept away collateral and pool balances. Total cross-chain losses were $4.5-5.5 million.

Wasabi didn't use any new technology. This type of vulnerability has been warned about as a DeFi anti-pattern for years: excessive administrative control, lack of separation of powers, no delay window. It's the same flaw DeFi has been hitting, writing post-mortems about, and failing to fix in practice since 2020.

Tying the three together: fundamentally, they are the same hack. Whether privileged access was obtained by manipulating signers, compromising a validator node, or stealing a deployer private key, the attack surface is identical—concentrated power with inadequate protection outside the smart contract layer. This pattern is also a warning: in each event, one or two compromised entities triggered a domino chain that no amount of Solidity hardening could prevent.

Asymmetric Dominoes

The significance of the KelpDAO incident extends beyond its dollar amount because of what happened next—it was DeFi's first real stress test of composability under operational failure, and the most compelling case study of how absurdly asymmetric 'contagion math' can be.

Scale matters: at the time of the incident, KelpDAO's rsETH TVL was approximately $1 billion; Aave's AUM across all chains exceeded $25 billion. A protocol roughly 4% of Aave's size, via a single incident, pulled $8.45 billion out of Aave alone within 48 hours—a figure that grew to $15.1 billion over three and a half days—while total DeFi TVL declined by $13.21 billion during that 48-hour window. The asymmetry is the real story.

A small protocol with a misconfigured cross-chain bridge triggered a bank run on a much larger protocol that, by all its own contract metrics, was 'operating by the book'.

When the attacker minted unsupported rsETH and deposited it into Aave, Aave's contracts executed perfectly according to specification. Its oracle still read rsETH near 1:1 during the brief window the attacker was borrowing. The lending pool released real WETH against collateral that appeared 'valid' to all on-chain systems.

The market reaction was immediate. rsETH traded at a deep discount on DEXs within hours, reflecting genuine uncertainty about whether the remaining 82% of the supply was still fully backed. Aave V3 and V4 froze the rsETH market; Fluid, Compound, Euler, and Morpho followed within hours (SparkLend had already delisted rsETH in January).

Holders of rsETH on Arbitrum, Base, Mantle, Linea, Blast, and Scroll suddenly couldn't be sure their tokens were redeemable 1:1 for Ethereum mainnet custody.

The subsequent outflows weren't because Aave was hacked, but because depositors couldn't be certain about the solvency of the collateral backing their loans.

In the weeks before the incident, Aave had accumulated a significant rsETH position as users leveraged restaking strategies; the protocol earned fees from this without setting a limit on the exposure. So this contagion wasn't purely 'innocent bystander' logic—Aave voluntarily took on counterparty risk—but the trigger event was outside its own contracts and beyond the detectable scope of its own governance.

Aave's response to the incident deserves separate mention, as it set a benchmark against which other large lending protocols will be measured. Within hours of the exploit, the protocol's emergency admin froze the rsETH market on V3 and V4 across all affected chains, setting LTV to zero and sealing off further losses.

Within 48 hours, Aave's service providers posted a detailed incident report on the governance forum, publicly modeling two different bad debt scenarios—$123.7 million if Kelp socialized losses across all rsETH holders, or $230.1 million if losses were isolated to L2 deployments—alongside a chain-by-chain breakdown of which markets would bear which shortfalls.

Aave founder Stani Kulechov personally committed 5,000 ETH for recovery efforts