Hackers and regulation destroyed DeFi

2026/05/30 01:48

Author: ChainCatcher

 

In April 2026, a string of security disasters pushed DeFi back into the spotlight. The Kelp DAO and Drift Protocol incidents together caused losses of more than $575 million; DeFi's total value locked (TVL) fell sharply from roughly $172 billion to $148 billion, and the TVL of a single chain alone collapsed from $53 billion to $40 billion.

In recent days, Manuel Aráoz, co-founder of the well-known security auditing firm OpenZeppelin, put it bluntly on the X platform: "I think all DeFi is not safe." He even said he has begun privately advising relatives and friends to exit all DeFi positions, including the protocols widely regarded as "low-risk blue chips".

This judgement, harsh as it is, deserves consideration. After all, OpenZeppelin has long been one of the most important builders of DeFi security infrastructure; its smart contract standards and security tools run through almost the entire industry. If even those who know the smart contract security system best are beginning to question DeFi's risks and to withdraw decisively, some deeper problem is surfacing.

In the past few years, every setback DeFi suffered was quickly given a specific cause. When markets were depressed, responsibility went to the macro environment; when hacks occurred, they were treated as the result of a technical vulnerability; when regulators acted, it was put down to policy pressure.

Over a longer time horizon, however, it becomes increasingly clear that the dilemma DeFi faces today is not caused by a single attack, a regulatory policy or a failed project, but by the fact that the two core logics on which it was originally built are being challenged at the same time.

One logic comes from the technological world: code can replace trust. The other comes from the systemic world: open networks can bypass the traditional financial system.

Hackers and regulators have struck these two pillars separately.

 

I. Deep-seated evolution of the DeFi security crisis

The core paradox of DeFi security has not changed in ten years. Web3 security researchers have long identified this deadly asymmetry: defenders must close every possible gap, while attackers need only one opening.

On the surface, the attack methods are nothing new: cross-chain bridge breaches, multisig hijacking, oracle attacks and so on. But the Kelp DAO and Drift Protocol incidents reveal a more brutal trend: the most deadly vulnerabilities now often lie outside the smart contract code.

On 18 April, Kelp DAO, a liquid restaking protocol on Ethereum, was attacked. Exploiting the DVN (decentralized verifier network) of the LayerZero cross-chain bridge, the attackers forged cross-chain messages and drained 116,500 rsETH from the bridge within hours, worth roughly $293 million at the time.

The root of the disaster was a configuration error, not a code defect. Kelp DAO had chosen a "1-of-1" setting for the LayerZero cross-chain verifier network: a cross-chain message is treated as legitimate once a single DVN node confirms it. When the attackers hit the two RPC nodes that supplied that DVN's validation data with DDoS attacks, the entire bridge's verification was effectively taken out.
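To make the configuration point concrete, here is an added illustration (my own model, not LayerZero's or Kelp DAO's code) of a verifier quorum for cross-chain messages: the DVN names, the transaction id and the poisoned RPC view are all constructed, and the 1-of-1 versus 2-of-3 settings model the threshold idea rather than any real ULN configuration.

```python
import hashlib
from dataclasses import dataclass

def payload_hash(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()

@dataclass
class DVN:
    name: str
    rpc_view: dict  # tx_id -> message bytes seen via this DVN's RPC (absent = unreachable)

    def attest(self, tx_id: str):
        # A DVN only vouches for what its own data source shows it.
        msg = self.rpc_view.get(tx_id)
        return None if msg is None else payload_hash(msg)

@dataclass
class QuorumConfig:
    required: list           # every required DVN must attest the claimed hash
    optional: list
    optional_threshold: int  # how many optional DVNs must additionally agree

def verify(cfg: QuorumConfig, tx_id: str, claimed: str) -> bool:
    """Accept the cross-chain message only if the quorum attests its hash."""
    if not all(d.attest(tx_id) == claimed for d in cfg.required):
        return False
    agreeing = sum(d.attest(tx_id) == claimed for d in cfg.optional)
    return agreeing >= cfg.optional_threshold

def min_attestations(cfg: QuorumConfig) -> int:
    """Fewest independent attestations a forged message needs; 1 means one corrupted source suffices."""
    return len(cfg.required) + min(len(cfg.optional), cfg.optional_threshold)

# Constructed scenario: the real source-chain tx moves 1 rsETH, but the RPC
# feeding DVN "A" has been replaced by attacker-controlled data.
HONEST = b"withdraw 1 rsETH to alice"
FORGED = b"withdraw 116500 rsETH to attacker"
A = DVN("A", {"tx1": FORGED})  # reads the poisoned RPC
B = DVN("B", {"tx1": HONEST})
C = DVN("C", {"tx1": HONEST})
ONE_OF_ONE = QuorumConfig(required=[A], optional=[], optional_threshold=0)
TWO_OF_THREE = QuorumConfig(required=[], optional=[A, B, C], optional_threshold=2)

def outcomes() -> dict:
    return {
        "1of1_accepts_forged": verify(ONE_OF_ONE, "tx1", payload_hash(FORGED)),
        "2of3_accepts_forged": verify(TWO_OF_THREE, "tx1", payload_hash(FORGED)),
        "2of3_accepts_honest": verify(TWO_OF_THREE, "tx1", payload_hash(HONEST)),
    }
```

The honest-traffic case shows the other side of the trade-off: a poisoned optional DVN is simply outvoted, so raising the threshold costs availability only when a majority of verifiers fail at once.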

On 1 April, Drift Protocol, one of the largest perpetual contract platforms in the Solana ecosystem, was attacked and lost $285 million, the largest single DeFi attack so far in 2026 and the second largest hack in Solana's history.

This, too, was not a smart contract vulnerability. Through social engineering, the attackers compromised at least two of the three signers of the multisig wallet and used Solana's durable nonce feature to have them sign a malicious transaction in advance. Once the attackers held administrator authority, the theft of funds was completed in under 12 minutes.

The root cause of the attack was a complete failure of operational security (OpSec): a misconfigured multisig wallet, blind spots in key management and no line of defence against social engineering.

Together, these two incidents reveal the deep evolution of the DeFi security crisis: the point of breakthrough is shifting systematically from traditional smart contract code vulnerabilities to the configuration and human/OpSec layers.

Manuel Aráoz points to the heart of the problem: "Smart contract security is essentially a highly asymmetric game: the defending side must fix every vulnerability, while the attacking side needs to find only one to steal the money." This asymmetry is rapidly tipping further out of balance now that AI has begun to raise attack efficiency exponentially.

AI coding agents can compress work that used to take top white-hat teams several weeks into a few minutes, and can even generate attack scripts autonomously from a protocol's open-source code. That the co-founder of OpenZeppelin, one of the most dominant security auditing firms in the industry, would make such a pessimistic judgement reads more like a signal: the security industry itself recognizes that the existing defence framework faces systemic failure.

 

II. Continuing spread of regulatory pressure

While the security crisis deepens, regulatory power continues to exert pressure along two dimensions off the chain.

On 26 May, the British government added the cryptocurrency exchange HTX to its Russia sanctions list, the first time regulation 17A had been used to sanction a crypto-asset exchange. The United Kingdom accused HTX of handling $3.3 trillion in transactions in 2025 and of allegedly providing financial services to the sanctioned A7 payment network and the Russian exchange Garantex.

The ripple effect of the sanctions spread rapidly: several mainstream AML firms placed HTX exchange addresses on their high-risk address lists, exchanges using those AML systems then tightened their review of transactions linked to HTX addresses, and a large number of HTX users found themselves unable to move their assets onto other exchanges.

The HTX incident exposed a deeper dilemma: in a complex geopolitical context, a regulator-initiated sanctions order can trigger an ever-widening ripple effect on the chain, ultimately affecting the fund transfers of countless ordinary users. An HTX user may hold assets entirely innocently, yet because of the platform's potential compliance risk, a deposit to another exchange may be intercepted by an AML "firewall", frozen or delayed indefinitely.

Indeed, the HTX incident is only the tip of the iceberg of regulatory pressure. What really constrains DeFi innovation is the regulators' legal characterization of the protocols' underlying operating model.

Over the past two years, the US SEC has launched a series of investigations into "blue chip" DeFi protocols such as Compound, Uniswap and Curve, focusing on whether governance tokens constitute unregistered securities. A more direct blow has come in the field of yield-bearing tokens: the SEC's enforcement action against products such as Gemini Earn shows that as long as a protocol pays users passive interest on deposits, it can very easily be deemed an investment contract, triggering the registration and disclosure obligations of the Securities Act.

This ambiguity and pressure in legal characterization directly stifles DeFi's most imaginative and innovative directions: from liquidity mining to structured yield products, developers must constantly worry about whether their token economic model is crossing a red line.

In a sense, DeFi's original emphasis on being "permissionless" is evolving into another form of "licensing system". This "licence" comes not from a company or a protocol but from every link in the regulatory compliance chain: AML lists, exchanges' risk-control engines, the long-arm jurisdiction of securities law, and so on.



III. DeFi Towards Realism

Looking back at DeFi's decline over the past few years, its security dilemma and its regulatory pressure are not independent of each other. The lack of a clear regulatory framework makes it hard to build industry consensus on security standards; frequent security incidents, in turn, give global regulators the most direct justification for tighter enforcement; and the worsening security asymmetry of the AI era, coupled with steadily rising compliance thresholds, ultimately pushes countless ordinary users into the centre of the storm.

In essence, the hardening boundaries of security audits and regulatory compliance continue to erode the two core assumptions on which DeFi was built: "code is law" and "permissionless freedom".

Today, users bear more technological risk than in traditional finance, yet do not necessarily enjoy more freedom than in traditional finance. That is why many market participants are confused today: they have found that DeFi is neither as safe as a bank nor as completely open as it originally promised.

And when a system loses both its security premium and its freedom premium, its growth logic is naturally called into question. The question, therefore, should perhaps not be "whether hackers and regulation destroyed DeFi".

More precisely, hackers and regulation have simply forced the industry to face reality. Hackers have made people realize that code does not create trust by nature; regulation has made people realize that the on-chain world was never a parallel universe operating outside the real world.

That does not mean DeFi has failed. On the contrary, it means the experiment is moving from idealism to realism.

DeFi has not been destroyed by the hands of hackers or by the net of regulation. It is being redefined by a law of survival shaped by both: the DeFi of the future will either move towards stricter industry security self-regulation and compliance frameworks, forcing a compromise on the principle of decentralization, or gradually lose market confidence and be marginalized in the long run amid a continuing fight against imbalance.

QQlink

No crypto backdoors, no compromise. A decentralized social and financial platform based on blockchain technology, returning privacy and freedom to users.

© 2024 QQlink R&D Team. All rights reserved.