Key facts
- Gravity Bridge protocol lost approximately $5.4 million in assets due to a security breach.
- Circle froze $12.6 million in Confidential USDC (cUSDC) funds associated with the Zama privacy protocol.
- Aave is overhauling its listing standards and risk management after a $292 million exploit.
- A coalition of DeFi protocols contributed $300 million to restore liquidity after the Aave exploit.
- Arbitrum froze 30,766 ETH linked to an attacker involved in the Aave exploit.
- North Korean hackers are laundering approximately $220 million from the Kelp DAO exploit.
- Fluid lost $215,000 due to an attacker gaining control of its signing keys.
- An attacker stole $7.3 million from DxSale lockers on BNB Chain.
- A cryptocurrency platform shut down after a $50 million hack.
- Nearly $600 million was lost in DeFi exploits during April.
Decentralized finance (DeFi) protocols are grappling with a series of significant security breaches, leading to substantial financial losses and prompting major overhauls in risk management and asset listing standards. The Gravity Bridge protocol, a cross-chain bridge connecting Ethereum and Cosmos, suffered a security breach resulting in the theft of approximately $5.4 million in assets, including USDC, wrapped Ether, USDT, and PAXG. The protocol has been halted for an investigation into a suspected compromise of its signing keys.
In a separate incident, Circle has blacklisted a smart contract associated with the Zama privacy protocol, freezing approximately $12.6 million in user funds. The affected contract was for Confidential USDC (cUSDC) deployed on Ethereum. This freeze may be indirectly linked to legal issues surrounding Overnight Finance, and the Zama team reportedly received no prior notice.
Aave is undertaking a significant overhaul of its asset listing standards and risk management protocols following a $292 million exploit. This exploit involved a forged cross-chain message on LayerZero's bridge, which allowed an attacker to use unbacked rsETH as collateral. To address the fallout, a coalition of DeFi protocols contributed $300 million to restore backing for exploited assets. Concurrently, Arbitrum froze 30,766 ETH linked to the attacker involved in the Aave exploit.
North Korean hackers are reportedly laundering nearly all of the $220 million in unfrozen funds from the Kelp DAO exploit. Only $1.7 million remains traceable in the original wallets, and the $71 million frozen by Arbitrum's Security Council is the primary recoverable amount. The Kelp DAO exploit, linked to the TraderTraitor group, resulted in total losses of approximately $292-293 million.
Other notable exploits include Fluid, which lost $215,000 after an attacker gained control of both operational signing keys for its Merkle distributors on Ethereum, Base, and Arbitrum. With those keys the attacker published a reward list containing a single entry, so the Merkle root was simply that entry's leaf hash, and then claimed the tokens with an empty Merkle proof, routing the proceeds through Tornado Cash. Additionally, an attacker drained $7.3 million from over 1,400 legacy liquidity-provider positions on BNB Chain by targeting old DxSale locker contracts through a silent ownership transfer. Gnosis Pay also experienced an exploit via its Zodiac delay module, enabling unauthorized transactions from Safe wallets, though details are still under investigation. A popular cryptocurrency platform has also ceased operations after a $50 million hack.
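To show why a single-entry reward list and an empty proof are enough once the root-setting key is stolen, here is an added Python model of a Merkle distributor, written for this page and not Fluid's own code. It assumes sha256 as a stand-in for keccak256, an "account:amount" leaf encoding, and made-up addresses and key names; the dollar figure is taken from the incident summary above. A hardened variant queues root changes behind a delay and a second approver and caps what any one root can release, so the operational key alone cannot drain the treasury.

```python
import hashlib

# sha256 stands in for keccak256 (hashlib has no keccak); the real distributors'
# leaf encoding is not given on the page, so "account:amount" is an assumption.
def leaf_hash(account: str, amount: int) -> bytes:
    return hashlib.sha256(f"{account}:{amount}".encode()).digest()

def hash_pair(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted((a, b))            # order-independent pair hash, OpenZeppelin style
    return hashlib.sha256(lo + hi).digest()

def _levels(leaves: list[bytes]) -> list[list[bytes]]:
    """All tree levels, leaves first; an odd level is padded by repeating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([hash_pair(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_root(leaves: list[bytes]) -> bytes:
    return _levels(leaves)[-1][0]      # a one-leaf list has root == leaf

def merkle_proof(leaves: list[bytes], index: int) -> list[bytes]:
    proof = []
    for lvl in _levels(leaves)[:-1]:
        lvl = lvl + ([lvl[-1]] if len(lvl) % 2 else [])
        proof.append(lvl[index ^ 1])
        index //= 2
    return proof

def verify(proof: list[bytes], root: bytes, leaf: bytes) -> bool:
    node = leaf
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root                # an empty proof verifies iff leaf == root

class NaiveDistributor:
    """Whoever holds the operational key replaces the root immediately."""
    def __init__(self, key_holder: str, treasury: int):
        self.key_holder, self.treasury, self.root, self.claimed = key_holder, treasury, None, set()

    def set_root(self, signer: str, root: bytes) -> None:
        if signer != self.key_holder:
            raise PermissionError("not the signing key")
        self.root = root

    def claim(self, account: str, amount: int, proof: list[bytes]) -> int:
        if self.root is None or (self.root, account) in self.claimed:
            raise ValueError("no active root or already claimed")
        if not verify(proof, self.root, leaf_hash(account, amount)):
            raise ValueError("bad proof")
        if amount > self.treasury:
            raise ValueError("insufficient funds")
        self.claimed.add((self.root, account))
        self.treasury -= amount
        return amount

class HardenedDistributor(NaiveDistributor):
    """Root updates wait out a delay and need an independent approver, and each
    root may release at most epoch_cap: a stolen operational key alone cannot
    activate a root, and even an approved bad root loses at most one epoch."""
    def __init__(self, key_holder, approver, treasury, delay, epoch_cap):
        super().__init__(key_holder, treasury)
        self.approver, self.delay, self.epoch_cap = approver, delay, epoch_cap
        self.pending = None                # [root, ready_at, approved]
        self.released = {}                 # root -> total paid out under it

    def set_root(self, signer, root, now=0):
        if signer != self.key_holder:
            raise PermissionError("not the signing key")
        self.pending = [root, now + self.delay, False]

    def approve(self, signer):
        if signer != self.approver or self.pending is None:
            raise PermissionError("approver only")
        self.pending[2] = True

    def activate(self, now):
        if self.pending is None:
            raise ValueError("nothing pending")
        root, ready_at, approved = self.pending
        if not approved or now < ready_at:
            raise ValueError("root not approved or delay not elapsed")
        self.root, self.pending = root, None

    def claim(self, account, amount, proof):
        if not proof:                      # blocks the one-entry-list pattern only; the cap is the real limit
            raise ValueError("single-leaf root rejected")
        if self.released.get(self.root, 0) + amount > self.epoch_cap:
            raise ValueError("epoch cap exceeded")
        paid = super().claim(account, amount, proof)
        self.released[self.root] = self.released.get(self.root, 0) + paid
        return paid

# Constructed scenario: the treasury figure follows the incident summary, names are made up.
TREASURY, ATTACKER = 215_000, "0xattacker"
HONEST = [("0xalice", 1_000), ("0xbob", 2_500), ("0xcarol", 700)]

def honest_claim() -> int:
    leaves = [leaf_hash(a, n) for a, n in HONEST]
    d = NaiveDistributor("ops-key", TREASURY)
    d.set_root("ops-key", merkle_root(leaves))
    return d.claim("0xbob", 2_500, merkle_proof(leaves, 1))

def attack_naive() -> int:
    """Attacker holding the operational key publishes a one-entry list and claims with proof []."""
    d = NaiveDistributor("ops-key", TREASURY)
    d.set_root("ops-key", leaf_hash(ATTACKER, TREASURY))
    return d.claim(ATTACKER, TREASURY, [])

def attack_hardened() -> list[str]:
    """Same move against the hardened contract: collect the reason each step is refused."""
    d = HardenedDistributor("ops-key", "guardian-key", TREASURY, delay=86_400, epoch_cap=20_000)
    d.set_root("ops-key", leaf_hash(ATTACKER, TREASURY), now=0)
    failures = []
    for step in (lambda: d.activate(now=86_400), lambda: d.claim(ATTACKER, TREASURY, [])):
        try:
            step()
        except (ValueError, PermissionError) as e:
            failures.append(str(e))
    return failures
```

The empty-proof check is deliberately the weakest layer: an attacker who controls the key can just publish a two-entry list. The controls that actually bound the loss are the second approver on root changes and the per-root payout cap, which is why the hardened variant carries both.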
These persistent security breaches are raising concerns among banking executives, who state that decentralized finance cannot attract institutional investment until these issues are resolved. April alone saw breaches on 27 out of 30 days, with nearly $600 million lost in exploits. Institutions, they note, prefer regulated banks and custodians over non-custodial DeFi platforms.
