• DeFiLlama tracked 28 crypto hacks in April 2026, with complete losses reaching US$635.2 million by month-end.
  • KelpDAO and Drift Commerce accounted for US$578 million, or roughly 91% of April’s tracked losses.
  • Chainalysis mentioned the KelpDAO bridge exploit uncovered off-chain verification threat slightly than a traditional smart-contract failure.

April grew to become essentially the most hack-filled month in crypto by incident rely, with DeFiLlama monitoring 28 exploits and US$635.2 million (AU$882.0 million) in losses as two infrastructure failures dominated the harm.

DeFiLlama’s hack database confirmed KelpDAO as April’s largest incident at US$293 million (AU$407.3 million), adopted by Drift Protocol at US$285 million (AU$396.2 million). Collectively, the 2 assaults accounted for US$578 million (AU$803.4 million), or roughly 91% of all April losses tracked by the database.

The remainder of the month was smaller however broader. DeFiLlama listed Rhea Lend at US$18.4 million (AU$25.6 million), Grinex at US$15 million (AU$20.9 million), Wasabi Perps at US$5.5 million (AU$7.6 million) and greater than 20 further incidents throughout DeFi, wallets and infrastructure.

Associated: Strategy’s High-Yield Stock Will Continue to Fuel Bitcoin Surge, Says Bitwise CIO

KelpDAO Bridge Failure

Chainalysis mentioned attackers linked to North Korea’s Lazarus Group stole about US$292 million (AU$405.9 million), or 116,500 rsETH, from KelpDAO’s LayerZero bridge on April 18. The blockchain evaluation agency mentioned the incident was “not a wise contract vulnerability” however an assault on off-chain infrastructure.

Based on Chainalysis, compromised RPC nodes and denial-of-service stress in opposition to exterior nodes fed false knowledge to a 1-of-1 verifier setup. The end result was a transaction that appeared legitimate to the system regardless that the underlying state was falsified.

KelpDAO paused contracts after the exploit and blocked a second tried theft of 40,000 rsETH, price about US$95 million (AU$132.1 million), Chainalysis mentioned. The Arbitrum Safety Council additionally froze 30,766 ETH of downstream attacker funds, limiting a part of the follow-on motion.

Aave Liquidity Shock

The KelpDAO bridge adapter launched 116,500 rsETH in a single block, after which the attacker looped collateral throughout Aave, Compound and Euler for about US$236 million (AU$328.0 million) in WETH and wstETH inside 46 minutes.

Aave V3 Ethereum Core obtainable liquidity fell from US$9.77 billion (AU$13.58 billion) to US$5.75 billion (AU$7.99 billion) inside 29 hours, in accordance with Glassnode. 

WETH obtainable liquidity dropped from US$689 million (AU$957.7 million) at 5:00 p.m. UTC to US$1.5 million (AU$2.1 million) by 7:00 p.m. UTC on April 18 as utilisation reached 100%.

Glassnode mentioned protocol contracts, oracles and liquidation engines labored as specified, however the episode nonetheless uncovered how bridge verification failures can cascade into lending-market liquidity stress.

The publish April Sets Record for Crypto Hacks as Exploits Surge Past 20 Incidents appeared first on Crypto News Australia.