$600 million stolen in 20 days, ushering in the era of AI hackers in the crypto world
How much money do you have in a DeFi protocol?
"Just use Aave." The phrase has circulated in the crypto community for years. It means: don't play around with fancy small protocols, the risk is too high; put your funds in Aave, which has been audited many times, has run for years and is the industry benchmark, so depositing there is relatively safe. Lately, though, the phrase no longer sounds self-evident. Some now say the opposite: "'just use Aave' is dead," "the Ethereum narrative has failed," even "DeFi is dead."
Such emotional reactions are perhaps unsurprising in a month like this April, with security incidents landing in the crypto industry one after another.
2026, the Year with the Most Hacks in History
Only two-thirds of April has passed, and although the prices of BTC and ETH have been slowly rising, the number of hacks in the crypto market is alarming.
Total losses in less than 20 days of April exceeded $605 million, with at least 12 protocols attacked. Among the more notable events:
On April 1, Drift Protocol, the largest perpetual contract exchange on Solana, lost $285 million in just 12 minutes, at that point the largest single DeFi attack of 2026.
On April 10, Aethir, a decentralized GPU cloud infrastructure project, detected a malicious attack on its ETH cross-chain bridge contract, promptly disconnected the compromised contract, and kept the loss under $90,000. The same day, Hyperbridge fell to a verification vulnerability: the attacker forged cross-chain messages, minted and sold 1 billion bridged DOT tokens, and caused roughly $2.5 million in losses.
In mid-April several small protocols were hit in quick succession. Silo Finance lost $392,000 to an oracle configuration error; the bridging aggregator Dango lost $410,000 to a smart contract vulnerability; on the NEAR network, an attacker prepared 423 wallets and 8 fake liquidity pools two days in advance to manipulate an oracle, ultimately stealing about $18.4 million.
On April 18, Kelp DAO was hacked for $292 million, a new record for DeFi hacks in 2026.
"2026 is very likely to become the year with the most hacks in history," said Ledger's Head of Security, Charles Guillemet.
This prediction is likely to come true not because DeFi is becoming more fragile, but because attackers have acquired a new weapon: AI.
$290 million stolen in the past two weeks, and AI had already found the weakness
Over the past year, the value of AI-driven exploits has roughly doubled every 1.3 months, and the cost of scanning a single contract has fallen to $1.22. The collapse of the barrier to entry may be the real reason 2026 is on track to break records. In April, Anthropic revealed that its in-house model, Claude Mythos Preview, had autonomously discovered thousands of zero-day vulnerabilities in mainstream operating systems and cryptographic libraries with an exploit success rate of 72.4%, a result no earlier AI model had come close to.

[Chart] Simulated stolen amount (y-axis, logarithmic scale) against time (x-axis) for 10 frontier AI models run against contracts deployed after their knowledge cut-off over the past year; exploit revenue doubles roughly every 1.3 months. Shaded area: 90% confidence interval.
A telling case: just one day after Drift was hacked, a developer known as Zengineer used Claude Code to write Skill, an open-source AI risk-auditing tool. It assesses a protocol's architectural risk from public data (DeFiLlama, on-chain contracts, governance documents, the Safe API) and automatically compares it against historical attack patterns such as Ronin, Harmony, Euler and Beanstalk.
In his view, neither Drift nor most recent high-value DeFi thefts exploited a Solidity code vulnerability. The truly fatal weaknesses lie in governance architecture, admin key permissions and cross-chain bridge validator configuration: "non-code" blind spots that the code scanners of traditional audit firms inherently cannot see, but that his tool can.
Twelve days before the Kelp DAO theft, he ran a full audit of Kelp DAO with this tool. It scored the protocol 72 (medium risk) and flagged five major issues, among them: "Opaque DVN configuration: the number and threshold of LayerZero verification nodes are not publicly disclosed"; "16-chain single point of failure: if the DVN fails, rsETH on every chain loses its collateral at once"; "Strong similarity to the Ronin and Harmony attack scenarios, in which $600 million and $100 million were stolen in 2022"; "Uncertain governance coverage"; "No insurance fund: the protocol has no mechanism to absorb losses, so downstream protocols bear the burden in an incident"; and others.

[Screenshot] The Kelp DVN configuration issue as flagged in Zengineer's report
Twelve days later, on April 18, Kelp was hacked. The root cause was exactly that 1-of-1 DVN configuration, the risk highlighted in the first item of the report. With a single verifier, the backing of every rsETH mint delivered over the bridge rested on that one party's honesty and key hygiene; no code bug was required.
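One way to turn the report's first finding into an automated check, as an added example that is not code from the article, from Kelp DAO or from LayerZero: the field names follow the layout of LayerZero V2's UlnConfig (confirmations, requiredDVNs, optionalDVNs, optionalDVNThreshold), but the chain names, DVN addresses and settings below are constructed for illustration and are not Kelp's actual configuration. The weak 1-of-1 pathway is shown beside a padded one (the same operator listed twice, which inflates the apparent verifier count) and a hardened one.

```python
"""Policy check for cross-chain verifier (DVN) configurations.

Added example; not code from the article, Kelp DAO or LayerZero. Field
names follow LayerZero V2's UlnConfig struct; all addresses, chain names
and values are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class UlnConfig:
    src_chain: str
    dst_chain: str
    confirmations: int            # source-chain confirmations before a DVN may attest
    required_dvns: list[str]      # every one of these must attest to a message
    optional_dvns: list[str] = field(default_factory=list)
    optional_threshold: int = 0   # how many of optional_dvns must also attest


@dataclass
class Finding:
    pathway: str
    severity: str
    message: str


def forge_cost(cfg: UlnConfig) -> int:
    """Fewest distinct DVN operators whose signatures verify a message on
    dst_chain, i.e. how many must collude or be compromised to get a forged
    mint accepted. Duplicates count once: listing one operator under both
    required and optional adds nothing."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    return len(required) + min(cfg.optional_threshold, len(optional))


def check_pathway(cfg: UlnConfig) -> list[Finding]:
    pathway = f"{cfg.src_chain}->{cfg.dst_chain}"
    findings: list[Finding] = []
    listed = len(cfg.required_dvns) + len(cfg.optional_dvns)
    distinct = len({a.lower() for a in cfg.required_dvns + cfg.optional_dvns})
    cost = forge_cost(cfg)
    if cost <= 1:
        findings.append(Finding(pathway, "critical",
            f"1-of-{listed} verification: a single DVN operator can verify any "
            "message on this pathway, including a forged mint"))
    elif cost < 3:
        findings.append(Finding(pathway, "high",
            f"only {cost} DVN operators need to collude or be compromised"))
    if distinct < listed:
        findings.append(Finding(pathway, "medium",
            f"{listed - distinct} duplicate DVN address(es): the listed count "
            "overstates the number of independent verifiers"))
    optional_only = {a.lower() for a in cfg.optional_dvns} - {a.lower() for a in cfg.required_dvns}
    if cfg.optional_threshold > len(optional_only):
        findings.append(Finding(pathway, "high",
            "optional threshold exceeds the optional DVN set: no message can "
            "verify (liveness failure)"))
    if cfg.confirmations == 0:
        # Assumption for this example: 0 means no wait for source finality,
        # not a "use default" sentinel.
        findings.append(Finding(pathway, "medium",
            "zero source confirmations: attestations are not delayed for "
            "source-chain finality"))
    return findings


def weakest_link(configs: list[UlnConfig]) -> int:
    """Forge cost of the weakest pathway. Mint/burn messages back the token's
    supply on every chain, so one 1-of-1 pathway leaves all of it unbacked."""
    return min(forge_cost(c) for c in configs)


# Constructed sample pathways (not real Kelp/LayerZero settings).
WEAK = UlnConfig("ethereum", "arbitrum", 15, ["0xaaaa"])                        # 1-of-1
PADDED = UlnConfig("ethereum", "base", 15, ["0xaaaa"], ["0xAAAA", "0xbbbb"], 1)  # looks like 3 DVNs
HARDENED = UlnConfig("ethereum", "optimism", 15,
                     ["0xaaaa", "0xbbbb"], ["0xcccc", "0xdddd", "0xeeee"], 2)    # 2 required + 2-of-3

if __name__ == "__main__":
    for cfg in (WEAK, PADDED, HARDENED):
        for f in check_pathway(cfg):
            print(f"[{f.severity}] {f.pathway}: {f.message}")
    print("weakest forge cost across pathways:", weakest_link([WEAK, PADDED, HARDENED]))
```

The number that matters is forge_cost, not the length of the DVN list: PADDED advertises three verifiers but two operators (one of them listed twice) are enough to forge a message, and the asset as a whole is only as safe as the worst pathway, which is why weakest_link is the figure a downstream integrator should ask for.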
DeFi news outlet BlockBeats found that Skill has now completed full audits of 56 of the top 100 protocols by TVL on DeFiLlama. Besides Kelp DAO, several other protocols were flagged with high-risk issues: JustLend (TVL $3.3 billion), whose audit is outdated; Falcon Finance (TVL $1.6 billion), affiliated with DWF Labs, whose insurance coverage is only 0.6%; Grove Finance (TVL $2.87 billion), with an undisclosed governance structure and a parent company that previously suffered DNS hijacking; and Camelot, with a 2-of-3 multisig, no timelock and an anonymous team.
That these protocols have not been exploited yet does not mean they are safe; more likely, attackers simply have not found an entry point.
Cost of Attacking a Contract as Low as $1.22?
“The frequency of crypto hacks has reached an all-time high. I think AI is the reason for this. AI is giving hackers 'dark superpowers.' Defense must catch up quickly as we are running out of time,” warned Ryan Sean Adams, co-founder of Bankless.

In October last year, Anthropic researchers ran a series of experiments in which Sonnet 4.5 and GPT-5 scanned 2,849 newly deployed real-world smart contracts with no known vulnerabilities. The two models each independently discovered two previously unknown zero-day vulnerabilities and generated corresponding attack scenarios, with a simulated profit of $3,694. GPT-5's API cost for the whole exercise was roughly $3,476. Note the margin: at that point the simulated take barely covered the API bill, and what matters is the direction of the cost curve. For less than $3,500 in compute, new vulnerabilities can be found in contracts already deployed in the real world.
The cost curve is the real concern, as noted earlier: over the past year the value of AI-simulated exploits has roughly doubled every 1.3 months, while the token cost of generating a working attack has dropped sharply with each model generation. For the same budget, attackers get more and better attacks. The cost of scanning a single contract has now fallen to $1.22.
What does that mean? Anyone with a few thousand dollars of compute budget can, in principle, point an AI agent at thousands of smart contracts and have it scan for vulnerabilities and generate attack code automatically, without writing code by hand and without a deep background in security research.
The barrier to entry for an ordinary person to become a hacker has dropped dramatically.
In April, Anthropic disclosed its internally developed model, Claude Mythos Preview, currently limited to 40 carefully selected enterprise and government partners. It autonomously discovered thousands of zero-day vulnerabilities in mainstream operating systems, browsers and cryptographic libraries, including critical infrastructure that DeFi protocols rely on. One bug had lurked in OpenBSD for 27 years, present in critical financial infrastructure worldwide, until the model uncovered it. Mythos Preview exploits the vulnerabilities it finds with a 72.4% success rate; every previous AI model was close to zero.
Anthropic currently refuses to release the model publicly, citing among other reasons that a release could upset the balance between attackers and defenders and push the industry toward an abyss.
Another real-world data point comes from the AI security company Cecuro. It analyzed 90 DeFi smart contracts exploited between October 2024 and early 2026, with total losses of $228 million. Its dedicated AI security agent identified the vulnerability in 92% of the contracts, while a generic AI coding agent running the same underlying model found only 34%. Crucially, several contracts in the batch had been professionally audited by humans before they were exploited, yet the AI found vulnerabilities the human auditors missed.
The attackers' arsenal is growing exponentially stronger, while defensive infrastructure clearly lags behind.
Ethereum, Potentially the Biggest Victim
Returning to the Kelp DAO hack.
Kelp's rsETH is a product of the Ethereum restaking ecosystem. Users deposit stETH and receive rsETH, which can be posted as collateral to borrow WETH on Aave and transferred across chains; it circulates on more than 20 networks, the composability of DeFi at work.

The double edge is that an attacker only has to tear open the weakest point, and the whole Lego stack runs in reverse: fake rsETH becomes real collateral, real WETH is borrowed against it, bad debt is left in Aave, panic spreads to every protocol that integrates rsETH, and SparkLend, Fluid and Lido's earnETH are all paused in a hurry.
Aave founder Stani Kulechov immediately stated that Aave's own contracts were not breached and that this was an external event. That is true. It is equally true that utilization of Aave's WETH lending pool shot to 100%, ordinary depositors found they could not withdraw, TVL fell from $26.4 billion to $17 billion in four days, nearly $10 billion flowed out, and the AAVE token dropped about 18%.

Data source: DefiLlama

Data source: TradingView
But "Aave's contracts were not exploited" is no comfort to the liquidity providers trapped inside. As Cyvers CEO Deddy Lavid put it: "This is a manifestation of DeFi's composability risk, where a single protocol's token integrated across multiple platforms can cascade through the entire ecosystem due to a single vulnerability."
Perhaps this is also the structural paradox of the Ethereum DeFi narrative.
One of Ethereum's proudest achievements is composability, the financial Lego in which any protocol can be stacked on any other. It is both the core value and the core vulnerability. Every new protocol layer, every new bridge, every new collateral type expands the system's attack surface, and no single auditing entity can cover that expansion.
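To make the transitive point concrete, here is an added example (not the article's code, not Skill, and not any protocol's own tooling) that models the integration graph the article describes as a dependency graph: rsETH is minted against stETH and against bridge messages verified by a DVN, and it is accepted as collateral by Aave, SparkLend, Fluid and earnETH. Each component carries an assumed, illustrative "parties to compromise" cost (not measured values). The first query answers what a position such as a WETH deposit in Aave ultimately rests on and which link is weakest; the second answers the reverse question, which positions a single failed component drags down.

```python
"""Transitive exposure over a DeFi integration graph.

Added example; not code from the article, from Skill, or from any protocol
named. Graph edges follow the integrations the article describes; the
cost numbers are illustrative assumptions, not measured values.
"""
import math
from collections import deque

# node -> fewest independent parties that must be compromised for the node
# itself to emit a bad state (forged message, rogue admin action, bad price).
# Assumed values, chosen only to illustrate the weakest-link effect.
INTRINSIC_COST = {
    "stETH": 9,           # Lido's validator/oracle set, illustrative
    "kelp_admin": 3,      # e.g. a 3-of-5 multisig, illustrative
    "bridge_dvn": 1,      # the 1-of-1 verifier configuration
    "aave_oracle": 5,
    "aave_governance": 6,
}

# node -> components whose integrity it relies on ("v depends on u").
DEPENDS_ON = {
    "rsETH": ["stETH", "kelp_admin", "bridge_dvn"],  # bridged-in mints create mainnet rsETH
    "rsETH_bridged": ["rsETH", "bridge_dvn"],
    "aave_weth_pool": ["rsETH", "aave_oracle", "aave_governance"],
    "sparklend": ["rsETH"],
    "fluid": ["rsETH"],
    "earnETH": ["rsETH"],
    "my_weth_deposit": ["aave_weth_pool"],           # a lender's position, not a protocol
}


def security(node: str, _stack: tuple = ()) -> tuple[float, list[str]]:
    """(cost, path): fewest parties whose compromise corrupts `node`, and the
    dependency chain along which that happens. A node is only as strong as
    its weakest dependency, so the result is a min over the graph."""
    if node in _stack:                      # cycle guard: revisiting adds nothing
        return math.inf, [node]
    best_cost = INTRINSIC_COST.get(node, math.inf)
    best_path = [node]
    for dep in DEPENDS_ON.get(node, []):
        cost, path = security(dep, _stack + (node,))
        if cost < best_cost:
            best_cost, best_path = cost, [node] + path
    return best_cost, best_path


def blast_radius(node: str) -> list[str]:
    """Every component that transitively depends on `node`, i.e. what is
    exposed when `node` fails. The failed node itself is not included."""
    dependents: dict[str, list[str]] = {}
    for child, deps in DEPENDS_ON.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(child)
    seen: set[str] = set()
    queue = deque([node])
    while queue:
        for child in dependents.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(seen)


if __name__ == "__main__":
    cost, path = security("my_weth_deposit")
    print(f"my_weth_deposit falls if {cost} party is compromised, via {' -> '.join(path)}")
    print("if bridge_dvn fails, exposed:", ", ".join(blast_radius("bridge_dvn")))
```

The deposit in Aave never touches the bridge directly, yet its cost-to-compromise collapses to 1 because the collateral it is lent against does. Swap in the real numbers for each link and the same two queries give a depositor the "weakest upstream link" and a protocol the list of integrations it would need to pause.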
"The attacker of Kelp did not break the cryptography, nor did they find a zero-day vulnerability in the smart contract. They exploited a configuration choice of the cross-chain validator, deceived the LayerZero message layer, and fictitiously minted 116,500 rsETH on the Ethereum mainnet. The contract wasn't bad; it was the validation layer that was bad. This difference is crucial because the next wave of attackers won't need to wait for configuration errors. They will have AI," wrote Brave New Coin analyst Jason Jones.
Ethereum has two main value narratives this cycle. One is the institutional narrative of RWAs and ETFs: BlackRock's and Morgan Stanley's tokenized assets still run on Ethereum, and ETF funds keep flowing in slowly. That narrative is largely intact. But the narrative that "Ethereum is the foundational settlement layer for DeFi," the fundamental belief of many retail ETH holders, is undergoing its most severe trust test.
The market's reaction shows that the panic has spread beyond the Kelp exploit itself across the entire DeFi ecosystem. Morpho, Sky and JupLend have all seen runs on their funds, even though none of them has any connection to Kelp.
Evidently, this is a trust crisis rather than a technical crisis.
Let's revisit the initial question. How much money have you put into a DeFi protocol?
Think about it carefully. If your answer is "not much, just for fun," you can treat it as nothing serious. But if your position is significant, you may need to reassess the industry: the security model of DeFi projects is "audit once before deployment," while AI can now keep scanning for new vulnerabilities after deployment, and it keeps getting cheaper.
With that clarified, you will see that I am not saying Ethereum has no future: the Ethereum chain itself has not been compromised, no vulnerability in Aave's code has been found, and Uniswap is running normally today.
What you and I need to rethink today is not Ethereum itself but the assumption that "just using Aave is secure enough." In an AI-driven, composable, overlapping attack environment, no such assumption holds. The security of the Lego blocks upstream and downstream is transitive, and no one can guarantee that every block is absolutely secure.