Eighteen days into April 2026, and the crypto industry has already hemorrhaged $606 million across 12 separate protocol exploits. That figure makes this the worst month for on-chain security since October 2022, when bridge hacks were tearing through the system at an alarming rate.
The headline number is staggering, but the details are worse. This isn’t one big hack – it’s a sustained campaign of exploits hitting different chains, different protocol types, and different vulnerability classes. The attackers are getting smarter faster than the defenders.
The April Damage Report
Here’s the full list of confirmed exploits this month:
- Drift Protocol (Solana, April 18): $285M – oracle manipulation combined with flash loan amplifier
- KelpDAO (Ethereum, April 3): $71M – restaking vault exploit through verification bypass
- ZKBridge (April 8): $48M – zero-knowledge proof verification flaw
- PancakeSwap V4 (BNB Chain, April 6): $37M – reentrancy attack on new migration contracts
- Radiant Capital V3 (Arbitrum, April 11): $34M – private key compromise of 3-of-5 multisig
- Marginfi (Solana, April 14): $31M – interest rate manipulation attack
- SushiSwap RouteProcessor4 (Multi-chain, April 5): $28M – approval exploit in new router
- Tensor NFT (Solana, April 9): $22M – price oracle lag exploitation in NFT lending
- GMX Synthetics (Arbitrum, April 12): $19M – funding rate manipulation
- Solend (Solana, April 16): $14M – liquidation logic error
- Across Protocol (Ethereum, April 7): $9M – bridge relay exploit
- dYdX V4 (Cosmos, April 15): $8M – order book spoofing leading to insurance fund drain
Patterns in the Chaos
Three patterns stand out when you look at the April exploits collectively.
First: Solana is getting hammered. Four of the twelve exploits targeted Solana protocols, accounting for $352 million – more than half the total. Solana’s growing DeFi system has attracted both developers and attackers, and the security tooling on Solana lags behind Ethereum’s more mature audit and monitoring infrastructure.
Second: oracle attacks are back. At least five of the twelve exploits involved some form of price oracle manipulation. This is a class of attack that the industry thought it had solved with Chainlink and Pyth. But as protocols build more complex financial products, the attack surface around price feeds grows correspondingly.
Third: new code is the biggest risk. Eight of the exploited protocols had deployed new contract versions or upgrades within the previous 60 days. Fresh code means fresh bugs. The pressure to ship features and stay competitive is leading teams to deploy contracts that haven’t had sufficient audit coverage or time in production.
The State-Sponsored Factor
At least two of the April exploits – Drift Protocol and KelpDAO – have been tentatively attributed to North Korean state hackers. If those attributions hold, roughly $356 million of the $606 million total was stolen by the Lazarus Group or affiliated units.
North Korea’s crypto theft operation has become industrial in scale. The UN estimated in a March 2026 report that the DPRK stole $1.4 billion in cryptocurrency during 2025, funding roughly 30% of the country’s weapons programs. April’s numbers suggest 2026 is on pace to exceed that.
“We are no longer dealing with opportunistic hackers,” said Chainalysis research director Jackie Burns Kang. “This is a government with a budget, a team, and a strategic important to steal as much cryptocurrency as possible. The tools and techniques are military grade.”
Why DeFi Security Keeps Failing
The crypto industry spent an estimated $400 million on security audits in 2025, according to Electric Capital’s developer report. Firms like Trail of Bits, OpenZeppelin, Halborn, and Certik reviewed thousands of contracts. Bug bounty programs offered millions in rewards.
And yet here we’re. The fundamental problem is an asymmetry: auditors look for known vulnerability patterns, while sophisticated attackers create novel exploit chains that combine multiple small issues into catastrophic outcomes. A contract can pass four audits and still have a vulnerability that only manifests when it interacts with other contracts in specific market conditions.
“Audits catch maybe 80% of bugs,” said Dan Guido, CEO of Trail of Bits. “But the 20% they miss is where the $285 million exploits live. The industry needs to invest more in formal verification, runtime monitoring, and circuit breakers – not just pre-launch audits.”
What’s Being Done
The April spree has accelerated several industry initiatives. The Ethereum Foundation’s security team announced an emergency grant program for protocols to set up real-time exploit detection. Solana Foundation is fast-tracking a formal verification system for its most critical DeFi protocols.
At the regulatory level, the SEC’s enforcement division is reportedly investigating whether some of the exploited protocols violated securities laws by deploying insufficiently tested code. That’s a stretch legally, but it signals that regulators are paying attention to the security failures.
Several protocols have also begun setting up time-locked withdrawals and rate limits on large transactions – measures that would slow down exploits even if they can’t prevent them. These “speed bumps” are controversial because they reduce capital efficiency, but after $606 million in losses, the trade-off is looking more acceptable.
The Uncomfortable Reality
April 2026 is a reminder that DeFi’s security problem isn’t solved. It’s not close to solved. The total value locked in decentralized protocols exceeds $180 billion, and the industry’s security spending is nowhere near proportional to the risk.
Until that changes – until protocols invest as heavily in defense as attackers invest in offense – months like this will keep happening. The question isn’t whether DeFi can survive these losses (it can – it has before). The question is whether users and institutional capital will continue to trust a system that bleeds half a billion dollars in a single month.
