Did hackers and regulation destroy DeFi?


Author: Gu Yu, ChainCatcher

In April 2026, a series of security disasters once again pushed DeFi to the forefront of public opinion. Two attacks on Kelp DAO and Drift Protocol resulted in total losses exceeding $575 million, with the total locked value (TVL) of DeFi plummeting from about $172 billion to $148 billion; the TVL of the lending sector alone collapsed from $53 billion to $40 billion.

In recent days, renowned security auditing firm OpenZeppelin's co-founder Manuel Aráoz bluntly stated on the X platform: "I think all DeFi is now unsafe." He even mentioned that he has started privately advising friends and family to withdraw all DeFi positions, including protocols like Aave, MakerDAO, and Compound, which are generally considered "low-risk blue chips."

Harsh as this judgment is, it is worth pondering. After all, OpenZeppelin has long been one of the most important builders of security infrastructure in the DeFi world, and its smart contract standards and security tools have fundamentally shaped the industry's development. If even those who know smart contract security best begin to question the risks of DeFi and withdraw decisively, it undoubtedly signifies that deeper issues are surfacing.

In the past few years, whenever DeFi faced setbacks, people could always quickly find a specific reason. During market downturns, blame would be placed on the macro environment; during hacking events, people believed it was due to technical vulnerabilities; when regulators took action, the issues would be attributed to policy pressures.

However, if we extend the time dimension, we will discover an increasingly clear fact: the predicament facing DeFi today is not caused by a single attack, a specific regulatory policy, or one failed project, but rather that the two core logics on which it was originally established are simultaneously facing challenges.

One logic comes from the technical world, that code can replace trust. The other logic comes from the institutional world, that open networks can circumvent the constraints of the traditional financial system.

Hackers and regulators have struck precisely these two pillars.

1. The Deep Evolution of the DeFi Security Crisis

For the past decade, the core paradox in the DeFi security field has never changed. Web3 security researchers have long identified this fatal asymmetry: the defense must plug every potential exploit, while the attacker needs to succeed in just one breach.

On the surface, the attack methods are nothing more than commonly discussed tactics like cross-chain bridge vulnerabilities, multi-signature permission hijacking, and oracle manipulation. However, the incidents involving Kelp DAO and Drift Protocol reveal a more brutal trend: the most fatal vulnerabilities often do not lie within the code of the smart contracts.

On April 18, the Ethereum liquidity re-staking protocol Kelp DAO was attacked. The attacker exploited a configuration vulnerability in the DVN (Decentralized Validation Network) of the LayerZero cross-chain bridge, spoofing cross-chain messages and withdrawing 116,500 rsETH from the bridge within hours, amounting to about $293 million at the time.

The essence of this disaster lies in configuration errors rather than code defects. Kelp DAO chose a "1-of-1" configuration for LayerZero's cross-chain validation network—where just one DVN node's confirmation is deemed sufficient for a cross-chain message to be considered legitimate. Once the attacker compromised two RPC nodes providing verification data and launched a DDoS attack, the entire bridging system became ineffective.
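To make the "1-of-1" weakness concrete, here is an added Python model of a threshold-based message verification config; it is not Kelp DAO's or LayerZero's code. The field names loosely follow LayerZero V2's UlnConfig (required DVNs, optional DVNs, optional threshold), which is an assumption, and the DVN names are placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical model of a LayerZero-style verification config. Field names are
# assumed to mirror LayerZero V2's UlnConfig; they are not taken from the article.
@dataclass
class DvnConfig:
    required_dvns: list[str] = field(default_factory=list)  # every one must attest
    optional_dvns: list[str] = field(default_factory=list)  # `optional_threshold` of these must attest
    optional_threshold: int = 0

def forgery_cost(cfg: DvnConfig) -> int:
    """Minimum number of distinct DVNs an attacker must control (or feed spoofed
    data to) before a fabricated cross-chain message verifies."""
    return len(cfg.required_dvns) + cfg.optional_threshold

def message_verifies(cfg: DvnConfig, attesting: set[str]) -> bool:
    """Threshold rule: all required DVNs attest, plus enough optional ones."""
    if not set(cfg.required_dvns) <= attesting:
        return False
    return len(attesting & set(cfg.optional_dvns)) >= cfg.optional_threshold

def lint(cfg: DvnConfig, min_independent: int = 2) -> list[str]:
    """Flag configs where one compromised verifier is enough, or that can never verify."""
    findings = []
    cost = forgery_cost(cfg)
    if cost < min_independent:
        findings.append(f"forgery cost {cost} < {min_independent}: "
                        "a single compromised verifier passes spoofed messages")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("optional threshold exceeds optional DVN count: nothing can verify")
    dup = set(cfg.required_dvns) & set(cfg.optional_dvns)
    if dup:
        findings.append(f"DVN listed as both required and optional: {sorted(dup)}")
    return findings

# Constructed sample configs; DVN names are placeholders, not real operators.
ONE_OF_ONE = DvnConfig(required_dvns=["dvn-A"])
TWO_OF_THREE = DvnConfig(required_dvns=["dvn-A"],
                         optional_dvns=["dvn-B", "dvn-C"], optional_threshold=1)

if __name__ == "__main__":
    spoofed = {"dvn-A"}  # only the compromised verifier attests to the forged message
    print("1-of-1:", message_verifies(ONE_OF_ONE, spoofed), lint(ONE_OF_ONE))
    print("2-of-3:", message_verifies(TWO_OF_THREE, spoofed), lint(TWO_OF_THREE))
```

With the 1-of-1 config the spoofed message verifies and the linter flags it; the 2-of-3 config rejects the same message because a second, independent DVN never attests.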

On April 1, Drift Protocol, one of the largest perpetual contract DEXs in the Solana ecosystem, faced an attack, resulting in $285 million in losses, becoming the largest single DeFi attack event of 2026 so far and the second largest hacking incident in Solana's history.

This, too, was not a smart contract vulnerability. The attacker used social engineering to compromise at least two of the three signers of the multi-signature wallet, tricking them into pre-signing malicious transactions that used Solana's durable nonce feature. Once the attacker held admin privileges, the theft of funds was completed in less than 12 minutes.

The root of the attack lies in a complete failure of operational security (OpSec): improper multi-signature wallet configuration, blind spots in key management, and a virtually nonexistent social engineering defense.

These two incidents reveal the deep evolution of the DeFi security crisis: the breakthrough point of attacks is systematically shifting from traditional smart contract code vulnerabilities to configuration and human/OpSec layers.

Manuel Aráoz succinctly pointed out the core issue: "Smart contract security is essentially an extremely asymmetric game—defenders must fix all vulnerabilities, while attackers only need to find one, sufficient to steal funds." Now that AI has begun to exponentially increase attack efficiency, this asymmetry is rapidly becoming unstable.

AI coding agents can compress work that once took top white hat teams weeks into a few minutes of automated analysis, and can even autonomously generate attack scripts from publicly available protocol code. That the co-founder of OpenZeppelin, one of the most mainstream security auditing companies in the industry, would make such a pessimistic judgment is above all a signal: the security industry itself is beginning to realize that the existing defense framework is facing systemic failure.

2. The Ongoing Spread of Regulatory Pressure

As the security crisis deepens, regulatory forces continue to exert pressure both on-chain and off-chain.

On May 26, the UK government placed the cryptocurrency exchange HTX on its Russia sanctions list, the first time it has used Article 17A to sanction a cryptocurrency exchange. The UK accused HTX of handling $3.3 trillion in transaction volume in 2025 and of allegedly providing financial services to the sanctioned A7 payment network and the Russian exchange Garantex.

The chain reaction triggered by the sanctions spread quickly. Multiple mainstream AML companies flagged HTX's exchange addresses as high-risk, and several exchanges using their AML systems tightened reviews of transactions involving HTX-associated addresses. As a result, many HTX users ran into problems receiving their assets when withdrawing to other exchanges.

The HTX incident reveals a deeper dilemma: under a complex geopolitical landscape, a sanction issued by regulators can trigger an expanding chain reaction on-chain, ultimately affecting the fund transfers of countless ordinary users. An HTX user may be completely innocent in holding assets, but due to the platform's potential compliance risks, they may face the entire AML system's "firewall" when trying to withdraw to other exchanges, leading to their funds being frozen or indefinitely delayed.

In fact, the HTX incident is just the tip of the iceberg of regulatory pressure. What truly constitutes deep constraints on DeFi innovation is the regulatory agencies' legal definitions of the protocol's underlying business models.

In the past two years, the U.S. SEC has launched investigations against "blue-chip" DeFi protocols such as Compound, Uniswap, and Curve, focusing on whether governance tokens constitute unregistered securities. A more direct blow comes from the yield-bearing token sector—the SEC's enforcement actions against products like Gemini Earn indicate that as long as a protocol pays users passive interest based on deposits, it is easily classified as an investment contract, triggering registration and disclosure obligations under the Securities Act.

This legal ambiguity and high pressure directly stifle the most imaginative directions of DeFi innovation: from liquidity mining to structured yield products, developers must constantly worry whether their token economics models will cross regulatory red lines.

In a sense, the "permissionless" emphasis initially highlighted by DeFi is gradually evolving into another form of "permission system." This "permission" does not arise from a specific company or protocol, but from every link in the regulatory compliance chain: AML lists, exchange risk control engines, the extended jurisdiction of securities laws, etc.

3. DeFi Enters a Realist Phase

Looking back at the ups and downs of DeFi over the past few years, its security dilemma and its regulatory pressure do not exist independently. The lack of a clear regulatory framework makes it hard for the industry to reach consensus on security standards; the frequent security incidents, in turn, hand global regulators the most direct justification for tightening enforcement. The attacker-defender asymmetry accelerated by AI and the steadily rising compliance thresholds ultimately intertwine, pushing countless ordinary users into the eye of the storm.

Essentially, the boundaries of security audits and the rigidity of regulatory compliance are continuously eroding the two core assumptions upon which DeFi stands—"code is law" and "permissionless freedom."

Today, users bear higher technical risks than in traditional finance, yet may not gain more freedom than in traditional finance. This is precisely why many market participants are confused today. They find that DeFi is neither as secure as banks nor as completely open as initially promised.

When a system loses both its security premium and freedom premium, its growth logic is naturally challenged. Therefore, the question may not be "did hackers and regulators destroy DeFi."

More accurately, hackers and regulators are simply forcing the industry to confront reality. Hackers have made people realize that code does not inherently create trust; regulation has made people aware that the on-chain world has never functioned as a parallel universe divorced from the real world.

This does not mean the failure of DeFi. On the contrary, it signifies that this experiment is progressing from an idealistic phase to a realist phase.

DeFi has not been destroyed by hackers, nor has it been destroyed by regulatory nets. It is being redefined by the survival rules shaped by both: the future of DeFi will either move towards stricter industry self-discipline and compliance frameworks, forced to compromise on decentralization principles, or gradually lose market confidence in a continued imbalance between offense and defense, leading to long-term marginalization.
