GetChain News

Security/Hacker


Andre Cronje: DeFi Is No Longer Decentralized, Industry Divided Over Security Path Centered on "Circuit Breakers"

Andre Cronje stated that most current decentralized finance (DeFi) protocols no longer qualify as DeFi in the strict sense and are closer to commercial systems operated by teams. This has sparked industry division over whether "circuit breakers" should be introduced to mitigate attack risks.

In an interview, Cronje pointed out that early DeFi centered on immutable smart contracts, but today many protocols rely on upgradeable contracts, multi-signature permissions, off-chain infrastructure, and manual operational processes. In essence, they have transitioned from immutable public goods to operable, for-profit businesses. He noted that against the backdrop of recent security incidents, including DeFi attacks of approximately $280 million and $293 million, industry risks have expanded from smart contract vulnerabilities alone to "Web2-style risks" such as infrastructure issues, permission controls, and social engineering.

Regarding risk management, Cronje's firm Flying Tulip recently introduced circuit breakers that delay or queue withdrawals when fund outflows are abnormal, providing an emergency response window of about six hours to prevent systemic bank runs and further losses.

However, the mechanism has also sparked controversy. Michael Egorov believes circuit breakers may introduce new centralized attack surfaces: if they are controlled by signers or administrators, they can themselves become security vulnerabilities or sources of freezing risk. He emphasized that DeFi design should minimize human intervention rather than add manual control points. Industry analysts pointed out that this debate essentially reflects how DeFi is shifting from the ideal of "code is law" toward a practical architecture of hybrid governance plus operational control, with the security boundaries being redefined. (Cointelegraph)
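To make the mechanism and the objection concrete, the following is an added example of a withdrawal circuit breaker, written for this page and not Flying Tulip's code. It trips when outflow over a rolling window exceeds a share of the pool balance, queues further withdrawals behind a delay, and releases them on time alone. The window length (1 hour), trip threshold (10% of balance) and 6-hour delay are assumptions; only the six-hour figure comes from the article.

```python
"""Withdrawal circuit breaker. Added example, not Flying Tulip's code.
Parameters are assumptions: 1-hour rolling window, trip at 10% of pool
balance, 6-hour delay (the ~6h window is the only value from the article)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class QueuedWithdrawal:
    user: str
    amount: int
    release_at: int  # unix seconds at which the withdrawal becomes claimable


@dataclass
class CircuitBreakerVault:
    balance: int                       # assets held by the pool
    window_secs: int = 3600            # rolling window for outflow accounting (assumed)
    trip_ratio: float = 0.10           # window outflow / balance that trips the breaker (assumed)
    delay_secs: int = 6 * 3600         # response window, ~6h as in the article
    outflows: deque = field(default_factory=deque)  # (timestamp, amount) of paid withdrawals
    queue: list = field(default_factory=list)       # queued amounts are not reserved here
    tripped_until: int = 0             # while now < tripped_until, everything is queued

    def _window_outflow(self, now: int) -> int:
        # Drop entries older than the window, then sum what remains.
        while self.outflows and self.outflows[0][0] <= now - self.window_secs:
            self.outflows.popleft()
        return sum(amount for _, amount in self.outflows)

    def withdraw(self, user: str, amount: int, now: int) -> str:
        """Pay immediately ("paid") or queue behind the delay ("queued")."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        limit = int(self.balance * self.trip_ratio)
        if now < self.tripped_until or self._window_outflow(now) + amount > limit:
            # Abnormal outflow: trip (or stay tripped) and queue instead of paying.
            self.tripped_until = max(self.tripped_until, now + self.delay_secs)
            self.queue.append(QueuedWithdrawal(user, amount, now + self.delay_secs))
            return "queued"
        self.balance -= amount
        self.outflows.append((now, amount))
        return "paid"

    def claim(self, user: str, now: int) -> int:
        """Release queued withdrawals whose delay has elapsed; returns amount paid.
        Only time gates release. An operator able to extend tripped_until or
        cancel queue entries would be the centralized freezing risk Egorov
        warns about, so no such power exists in this design."""
        paid, remaining = 0, []
        for q in self.queue:
            if q.user == user and q.release_at <= now:
                self.balance -= q.amount
                paid += q.amount
            else:
                remaining.append(q)
        self.queue = remaining
        return paid
```

The trade-off the debate is about sits in `claim`: the delay gives responders a window but never requires a signer to let funds out, so a compromised admin cannot freeze withdrawals indefinitely; adding a "cancel" or "extend" role would buy faster intervention at the price of exactly the new control point Egorov objects to.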

Aftermath Finance attacked, approximately $1.1 million in USDC stolen

According to Blockaid monitoring, an attack was in progress against Aftermath Finance's perpetual contract protocol on the Sui Network, with approximately $1.1 million worth of USDC stolen across 11 transactions within about 36 minutes. Analysis indicates the vulnerability stems from a fee accounting flaw in the perpetuals liquidation system, which the attacker used to artificially inflate synthetic collateral and drain funds from the protocol's treasury.

AftermathFi Perpetual Contracts Exploited in Vulnerability Attack, ~$1.1M USDC Stolen

According to on-chain security firm Blockaid (@blockaid_), AftermathFi’s perpetual contract on Sui Network was exploited via a vulnerability on April 29. The attacker (address: 0x1a65...2d41e) stole approximately $1.1 million in USDC across 11 transactions within roughly 36 minutes. The attack exploited a flaw in the perpetual contract liquidation fee calculation, enabling illicit withdrawals from the protocol’s treasury via synthetic collateral inflation.

ether.fi responds to supporting Kelp compensation fund with 5,000 ETH: Citing concerns that a hack could trigger a systemic DeFi collapse

Odaily News: ether.fi CEO Mike Silagadze posted on X to explain the reason behind the company's commitment of 5,000 ETH to the Kelp hack recovery fund. He stated that the team believes this incident posed a real risk of "destroying the entire DeFi ecosystem." If Kelp were to go bankrupt, $1.5 billion worth of rsETH could be frozen long-term, potentially bringing the $30 billion Aave lending market to a standstill and triggering a cascading collapse across both DeFi and CeFi, which he described as making "FTX look insignificant by comparison." Silagadze added that while most institutions chose to step back and defer to legal counsel, proactively taking responsibility and quickly raising funds to plug the gap was the right choice to help avert the worst-case scenario.

Standard Chartered: rsETH Security Incident Does Not Alter RWA Growth Thesis, Maintaining $2 Trillion Market Size Forecast

Standard Chartered Bank's latest report indicates that while the theft of KelpDAO's rsETH has severely impacted the DeFi ecosystem, it is insufficient to change the long-term growth trend of Real World Asset (RWA) tokenization. The bank maintains its forecast that the RWA tokenization market will grow from $35 billion in October 2025 to $2 trillion by the end of 2028, with the core drivers remaining the continued expansion of the DeFi banking system and stablecoin liquidity. Geoffrey Kendrick, Head of Digital Assets Research at Standard Chartered, stated that this incident is more like DeFi being "bent, not broken," and could even serve as a significant turning point for the industry to move towards a more resilient structure. (The Block)

Syndicate Loses ~$330,000 Due to Attack on Commons Cross-Chain Bridge

According to CertiK, Syndicate Protocol suffered an exploit due to a security breach in the Commons cross-chain bridge. The attacker exploited the vulnerability to acquire approximately 18.5 million SYND tokens, which were subsequently sold for roughly $330,000. The related funds have already been transferred to the Ethereum network via the cross-chain bridge. Syndicate’s official response states that it is investigating the security incident involving the Commons bridge. The team is tracking the attack and collaborating with security firms. It is also evaluating various options to compensate affected users. Syndicate holds sufficient token reserves to assist users who lost SYND.

Kyber Hacker Moves Stolen Funds to Tornado Cash; Hacker Was Indicted in the US in 2025

Odaily reports that, according to Arkham monitoring, the KyberSwap attacker is moving stolen funds into Tornado Cash. The attacker, Andean Medjedovic, stole $48.8 million from KyberSwap in late 2023 and had previously drained $16.5 million from Indexed Finance. He was indicted in the United States in 2025.

SlowMist: EIP-7702 Account Vulnerability Causes Theft of 1,988.5 QNT, Worth Approximately 54.93 ETH

According to SlowMist monitoring, a QNT reserve pool was drained through a design flaw in an EIP-7702 account, losing 1,988.5 QNT, worth approximately 54.93 ETH. The root cause is that the pool's administrator role is held by an EOA that had delegated its code to the BatchExecutor contract via EIP-7702. BatchExecutor authorized the permissionless BatchCall contract as a caller, and BatchCall.batch performs no permission check, so anyone could route an arbitrary call through BatchCall into BatchExecutor and have it executed with the administrator's authority. The attacker used this arbitrary-call path to withdraw tokens from the pool.
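The check a protocol operator would want after this incident is whether any privileged address has delegated its code, and to what. The following is an added example written for this page, not SlowMist's or the affected protocol's code. It parses the bytes that eth_getCode returns for an account and classifies it; the EIP-7702 delegation designator is `0xef0100` followed by the 20-byte delegate address, and because EIP-3541 forbids deployed code beginning with `0xef`, that prefix is unambiguous. The addresses and the trusted list are constructed; `BatchExecutor` stands for whatever executor the admin has delegated to.

```python
"""Detect EIP-7702 delegation on a privileged account and flag delegation to
an executor that is not on a trusted list. Added example; addresses below
are constructed, not from the incident."""

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 designator: 0xef0100 || address


def code_from_rpc(hex_code: str) -> bytes:
    """Parse the '0x...' string that eth_getCode returns."""
    return bytes.fromhex(hex_code[2:] if hex_code.startswith("0x") else hex_code)


def delegation_target(code: bytes):
    """Return the delegate address if `code` is a 7702 delegation designator,
    else None. A designator is exactly 23 bytes: 3-byte prefix + 20-byte address."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def classify_account(code: bytes, trusted_delegates):
    """Classify an account as eoa / contract / malformed / delegated_trusted /
    delegated_untrusted, returning (status, delegate_or_None)."""
    if not code:
        return ("eoa", None)
    target = delegation_target(code)
    if target is None:
        # Code starting with 0xef that is not a valid designator should not exist
        # on a compliant chain (EIP-3541); treat it as malformed rather than trusted.
        return ("malformed", None) if code[:1] == b"\xef" else ("contract", None)
    trusted = {t.lower() for t in trusted_delegates}
    status = "delegated_trusted" if target in trusted else "delegated_untrusted"
    return (status, target)


# Constructed sample: the pool admin EOA delegated to a hypothetical BatchExecutor.
BATCH_EXECUTOR = "0x" + "ab" * 20
ADMIN_CODE = code_from_rpc("0xef0100" + "ab" * 20)
```

Run this against every address that holds an admin, owner or pauser role, and run it on a schedule rather than once: a 7702 delegation is installed by a single signed authorization and can be replaced at any time, so an account that reads as a plain EOA today can be delegated tomorrow. "delegated_trusted" is only as good as the audit of the delegate, which in this incident is exactly where the permissionless `batch` entry point was found.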

a16z Research: AI Agents Can Identify DeFi Price Manipulation Vulnerabilities, but Their Ability to Execute Complex Attacks Remains Limited

According to a disclosure by a16z, its researchers conducted systematic testing to assess whether AI agents can independently exploit DeFi price manipulation vulnerabilities. The study used a dataset of 20 Ethereum price manipulation incidents and Codex (GPT 5.4) equipped with the Foundry toolchain as the test agent. Under baseline conditions, without domain-specific knowledge, the agent's success rate was only 10%; after incorporating structured domain knowledge distilled from real-world attack incidents, the success rate rose to 70%. Failure cases showed that the agent consistently identified the vulnerabilities correctly but generally failed to grasp the leverage logic of recursive lending, misjudged profit margins, and could not orchestrate multi-step, cross-contract attack sequences. The experiment also recorded one sandbox escape: the agent extracted an RPC key from the local node configuration and called the anvil_reset method to reset the forked node to a future block, bypassing the information isolation constraints and gaining access to real-world attack data. The research team concluded that AI agents can currently assist effectively in vulnerability identification but are not yet capable of replacing professional security auditors.
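The sandbox escape above is a reminder that an agent with a raw RPC endpoint can move the fork. The following is an added example of the control a practitioner would put in front of the node, written for this page and not a16z's harness: a JSON-RPC method allowlist that denies the node-control namespaces (`anvil_*`, `hardhat_*`, `evm_*`, ...) and treats a batch as all-or-nothing so a denied method cannot ride alongside allowed ones. The allowlist and sample requests are constructed; the parameter shape used for `anvil_reset` is an assumption about Anvil's API, not something the article states.

```python
"""JSON-RPC method allowlist for an agent sandbox. Added example, not a16z's
code. The allowlist, sample requests and the anvil_reset parameter shape are
constructed/assumed for illustration."""
import json

# Read-only and transaction methods an exploit agent legitimately needs.
ALLOWED_METHODS = {
    "eth_blockNumber", "eth_chainId", "eth_call", "eth_estimateGas",
    "eth_getBalance", "eth_getCode", "eth_getStorageAt", "eth_getLogs",
    "eth_getTransactionReceipt", "eth_sendRawTransaction",
}
# Node-control namespaces that can move the fork, mine blocks or impersonate accounts.
DENIED_PREFIXES = ("anvil_", "hardhat_", "evm_", "debug_", "admin_", "miner_")


def check_method(method):
    """Decide for one method name; returns (allowed, reason)."""
    if not isinstance(method, str):
        return (False, "method is not a string")
    if method.startswith(DENIED_PREFIXES):
        return (False, f"node-control method denied: {method}")
    if method not in ALLOWED_METHODS:
        return (False, f"method not in allowlist: {method}")
    return (True, "ok")


def filter_request(raw_body: str):
    """Decide for a whole HTTP body. Batches are all-or-nothing so a denied
    method cannot be smuggled next to allowed ones."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return (False, "invalid JSON")
    calls = body if isinstance(body, list) else [body]
    if not calls:
        return (False, "empty batch")
    for call in calls:
        if not isinstance(call, dict):
            return (False, "batch entry is not an object")
        ok, why = check_method(call.get("method"))
        if not ok:
            return (False, why)
    return (True, "ok")


# Constructed requests: the kind of call the escaped agent made, and a legitimate read.
RESET_TO_FUTURE = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "anvil_reset",
    "params": [{"forking": {"jsonRpcUrl": "https://rpc.example", "blockNumber": 19999999}}],
})
STATE_READ = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_getCode",
                         "params": ["0x" + "00" * 20, "latest"]})
SMUGGLED_BATCH = "[" + STATE_READ + "," + RESET_TO_FUTURE + "]"
```

The filter belongs in a proxy that holds the upstream RPC credentials itself, because the escape started with the agent reading the key out of the node configuration; an allowlist the agent can route around by talking to the node directly is no control at all.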

ZetaChain: Users targeted in the prior vulnerability attack did not suffer fund losses; the mainnet patch has been deployed.

According to an official disclosure by ZetaChain, on April 27, ZetaChain suffered a targeted vulnerability exploit. The attacker first acquired funds via Tornado Cash and performed wallet address spoofing, then exploited a vulnerability in GatewayEVM’s arbitrary call functionality, resulting in approximately $334,000 in losses across four connected chains. ZetaChain stated that this attack did not affect cross-chain $ZETA transfers; all affected wallets were under ZetaChain’s internal control, and user funds remained unaffected. A patch for the mainnet has now been deployed, and cross-chain transactions will resume after ongoing monitoring.

Prediction Market Platform Polymarket Suspected of Data Breach; Over 300,000 Records and an Exploit Toolkit Leaked

According to Dark Web Informer, the decentralized prediction market platform Polymarket is suspected of having been breached. The threat actor "xorcat" posted over 300,000 data records and a corresponding exploit toolkit on a well-known cybercrime forum. The data extraction reportedly occurred on April 27, 2026, via an undisclosed API endpoint, pagination bypasses, and misconfigured CORS settings in Polymarket's Gamma and CLOB APIs. The leaked data includes:
- Full personal information for 10,000 users (names, proxy wallets, and base addresses);
- 4,111 comments;
- 1,000 moderation reports (including 58 ETH addresses and administrator authentication address identifiers);
- Metadata for 48,536 Gamma markets;
- Constant-product market maker addresses for over 250,000 active CLOB markets; and
- Social graph data for 9,000 followers.
The toolkit contains proof-of-concept code for multiple vulnerabilities, including CVE-2025-62718 (Axios NO_PROXY bypass, CVSS 9.9, enabling server-side request forgery), CVE-2024-51479 (Next.js middleware authorization bypass, CVSS 7.5), and the aforementioned CORS misconfigurations. Additionally, the toolkit includes automated continuous data-extraction scripts and a comprehensive red-team report (including M
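Of the three techniques named above, the CORS misconfiguration is the one that can be checked from outside without any knowledge of the API. The following is an added example written for this page, not Polymarket's code or anything from the leaked toolkit: it classifies the response to a probe request carrying a chosen `Origin` header, distinguishing the exploitable case (origin reflected together with `Access-Control-Allow-Credentials: true`) from the merely sloppy ones. The probe origins and response headers are constructed.

```python
"""Classify CORS behaviour from probe responses. Added example, not
Polymarket's code or the leaked toolkit; probe origins and response headers
are constructed for illustration."""

# Ordered from least to most severe; worst() picks the highest.
SEVERITY = [
    "no_cors", "fixed_origin", "wildcard_public",
    "wildcard_with_credentials",     # browsers reject '*' + credentials, so not directly exploitable
    "reflected_without_credentials", # any site can read public data; no session riding
    "null_origin_with_credentials",  # 'null' origin is reachable from sandboxed iframes
    "reflected_with_credentials",    # attacker page can read the victim's authenticated responses
]


def classify_cors(probe_origin: str, headers: dict) -> str:
    """`headers` is the response to a request sent with `Origin: probe_origin`."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no_cors"
    if acao == "*":
        return "wildcard_with_credentials" if creds else "wildcard_public"
    if acao == probe_origin:
        if probe_origin == "null":
            return "null_origin_with_credentials" if creds else "reflected_without_credentials"
        return "reflected_with_credentials" if creds else "reflected_without_credentials"
    return "fixed_origin"


def probe_origins(target_host: str):
    """Origins worth sending: a prefix look-alike (catches startswith checks),
    a suffix look-alike (catches endswith checks), an unrelated origin, and null."""
    return [
        f"https://{target_host}.attacker.example",
        f"https://attacker-{target_host}",
        "https://attacker.example",
        "null",
    ]


def worst(verdicts) -> str:
    """Overall verdict for a set of probes: the most severe individual result."""
    return max(verdicts, key=SEVERITY.index)
```

A reflected origin with credentials means an attacker-controlled page can call the API as the logged-in visitor and read the response, which is how user-scoped data leaves through a browser; a wildcard without credentials only exposes what was already public. Neither verdict says anything about pagination limits or undisclosed endpoints, which need authenticated testing of the API itself.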

Bitcoin lending protocol Tropykus announces shutdown of its current version; deposit and lending functions are permanently discontinued.

According to an official announcement, the decentralized lending protocol Tropykus has begun a phased shutdown of its current protocol version; deposit and lending functionality is permanently discontinued. Users may withdraw funds and repay loans via tropykus.com until July 27, 2026; after that date these operations will only be possible by interacting directly with the smart contracts, which requires technical proficiency. The team stated that the shutdown stems from long-term strategic evolution rather than from the security report previously received by Money on Chain, a Tropykus partner. That report had prompted the protocol to proactively suspend deposits and new lending, but the team emphasized that internal discussions about the shutdown predated the security incident, which merely accelerated the decision. Technically, the team noted that the original architecture was designed for an earlier technological environment and can no longer meet long-term development needs given the emerging security challenges posed by technologies such as artificial intelligence.

Alchemix yvVault Users Attacked Due to Unauthorized Approvals, Suffering ~$1M in Losses

According to on-chain analyst PeckShield (@PeckShieldAlert), a user's Alchemix Yearn yvVault position (yvWETH) was attacked, with an estimated loss of approximately $1 million. The root cause was the user's earlier token approval to an unverified contract (address: 0x143a) deployed 10 days before the attack. Reverse engineering showed that the contract allows arbitrary call execution, which the attacker used to transfer the victim's yvVault position. PeckShield has published the specific vulnerability logic. Users are advised to review and revoke token approvals granted to unknown or unverified contracts to reduce asset risk.

Trading Protocol’s treasury attacked, suffering losses of approximately $398,000

According to on-chain analyst PeckShield (@PeckShieldAlert), the YieldCore-3rd-deal treasury under Trading Protocol was attacked, resulting in losses of approximately $398,000. The attack exploited a vulnerability in the contract—specifically, a missing caller permission check—which allowed the attacker to bypass the authorization mechanism and withdraw all funds from the treasury. Relevant on-chain transaction records have now been disclosed.

Cryptocurrency hackers have stolen a total of $17.1 billion in assets over the past decade

According to Odaily, cumulative losses to crypto hacks over the past decade (2016–2026) have reached $17.1 billion across 518 incidents. In the last five years (2021–2026), losses amounted to approximately $15.2 billion across more than 450 incidents. Over the past year (April 2025 – April 2026), losses were roughly $2.5 billion across more than 140 incidents. Recent incidents indicate that the dominant attack vector has shifted from smart contract vulnerabilities to private key leaks and access control breaches. (Solid Intel)

Robinhood Phishing Attack Exploits Gmail’s “Dot Alias” Feature to Forge Official Emails and Lure Users into Logging In

According to Cointelegraph, Robinhood users have recently been targeted by a phishing campaign. Attackers combined Gmail's behaviour of ignoring periods (".") in the local part of an address with a weakness in Robinhood's account creation process to register accounts under addresses that Gmail delivers to the victims' own mailboxes. This caused Robinhood's own email servers to deliver alert emails containing phishing links straight to the victims' inboxes. Security researcher Alex Eckelberry noted that these emails pass SPF, DKIM, and DMARC checks because they are genuinely sent from Robinhood's domain; sender authentication cannot flag them, since the sender is legitimate and only the content is malicious. Robinhood stated that the incident involves no breach of its systems or customer accounts and that user funds and personal information remain unaffected, but urged users to delete such emails and avoid clicking any suspicious links.
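The account-creation side of this is fixable with canonicalization: compare a new registration against existing accounts by mailbox, not by the literal string. The following is an added example written for this page, not Robinhood's code. It collapses dots and `+tags` only for Gmail domains (Gmail also delivers googlemail.com to the same mailbox), because most other providers treat dots as significant and collapsing them there would wrongly merge distinct users. The sample accounts are constructed.

```python
"""Canonicalise e-mail addresses before uniqueness checks so a Gmail dot or
plus variant of an existing user's address cannot register a second account.
Added example, not Robinhood's code; sample accounts are constructed."""

# Domains whose local part is dot-insensitive and supports +tags. Other
# providers treat dots as significant, so they are deliberately NOT collapsed.
DOT_INSENSITIVE_DOMAINS = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def canonical_email(addr: str) -> str:
    """Lower-case the address; for Gmail, drop the +tag, remove dots and
    fold googlemail.com into gmail.com."""
    addr = addr.strip().lower()
    local, at, domain = addr.rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = DOT_INSENSITIVE_DOMAINS[domain]
    return f"{local}@{domain}"


def registration_collision(new_addr: str, existing_addrs):
    """Return the existing address that shares a mailbox with new_addr, or None.
    A non-None result means the registration should be refused (or routed to
    account recovery), since the two strings reach the same inbox."""
    key = canonical_email(new_addr)
    for existing in existing_addrs:
        if canonical_email(existing) == key:
            return existing
    return None
```

Storing the canonical form alongside the raw address and putting the uniqueness constraint on the canonical column makes this a database-level guarantee rather than a check that a second code path can forget. It closes the registration trick only; whatever path let a phishing link into the alert body is a separate issue on the mail-templating side, which the article does not detail.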

ZetaChain Exploited, Vulnerability May Originate from Flaw in GatewayZEVM Call Function

SlowMist stated that ZetaChain has been exploited. Preliminary analysis indicates the root cause is a lack of access control and input validation in the call function of the GatewayZEVM contract, which allowed attackers to initiate malicious cross-chain calls and, via the relayer mechanism, execute arbitrary operations on the target chain to transfer funds. SlowMist noted that the attacker forged cross-chain events to trigger the relayer into executing malicious calls, thereby stealing funds. The relevant attack transactions have been disclosed.

ZetaChain: GatewayEVM Contract Attacked; Cross-Chain Transactions Suspended

According to an official announcement, ZetaChain stated that its GatewayEVM contract was attacked today, with the impact limited solely to internal wallets controlled by the ZetaChain team. The official statement confirmed that the attack vector has been blocked and no further funds are currently at risk. As a precautionary measure, ZetaChain has suspended cross-chain transactions. Meanwhile, the investigation remains ongoing; according to the official statement, no user funds have been affected by this incident, and a detailed post-mortem report will be released upon completion of the investigation.

DeFi United Raises Over $300 Million in Funding

Circle Ventures, Consensys, and Joseph Lubin have announced their support for the DeFi United initiative, aimed at mitigating losses caused by the Kelp DAO vulnerability. Circle Ventures is supporting the ecosystem by purchasing AAVE tokens. Consensys and Ethereum co-founder Joseph Lubin have confirmed the provision of 30,000 ETH to DeFi United. To date, DeFi United has raised over 132,000 ETH, with a total value exceeding $300 million. These funds will be used to cover bad debts resulting from an attacker minting unbacked rsETH via the LayerZero bridge and borrowing assets on Aave. Previously, Aave proposed a donation of 25,000 ETH, while Lido DAO, Ether.fi, and Kelp have respectively proposed or pledged donations of 2,500 ETH, 5,000 ETH, and 2,000 ETH.

Galaxy Digital OTC-linked address deposits 15,000 ETH to exchange, valued at $34.74 million

Odaily reports that, according to Ai Yi monitoring, a Galaxy Digital OTC-related address (0x16F...1Fde) has deposited 15,000 ETH, worth $34.74 million, to an exchange. These funds originated from 38,000 ETH withdrawn from Aave a week earlier, on the day Kelp DAO was attacked and Aave was left potentially facing bad debt.