The State of DeFi in April 2026: Hacks, Rescues, and Where Capital Went

April 2026 was one of crypto's worst security months in recent history, and the worst in 14 months by reported losses. Attackers stole roughly $629 million across 28 to 30 separate incidents. Two attacks linked to North Korea's Lazarus Group accounted for roughly 92% of those losses. DeFi total value locked collapsed by $13 billion in a 48-hour window. Aave faced its first nine-figure bad debt scare. The Arbitrum Security Council froze $71 million in attacker funds, then spent the rest of the month defending the decision against accusations that L2s aren't actually decentralized.

The same month set records on the other side of the ledger. The stablecoin market crossed $321 billion for the first time. Bitcoin ETFs pulled in $2.44 billion, the strongest monthly figure of 2026. Aave passed a landmark governance vote redirecting 100% of Aave-branded product revenue to the DAO treasury. Uniswap expanded v4 to additional chains including Linea and Tempo. Hyperliquid kept building toward prediction markets with HIP-4. Coinbase contributed the x402 protocol to the Linux Foundation, formalizing the rails for AI agents to pay each other on-chain.

This is the State of DeFi in April 2026. If you read The State of DeFi in 2026, this is the monthly snapshot that follows. Where the capital sits now, what the hacks actually exposed, and what teams building on top of this stack should change. Every section aims for concrete numbers over abstraction.

April 2026 in Numbers

Two stories ran in parallel. Capital flooded into stablecoins, ETFs, and tokenized treasuries. Capital fled DeFi protocols the moment a single bridge configuration on a single restaking token failed catastrophically. Institutional flows treated those two categories as separately priced risks for the first time at this scale.

The Hacks: Drift, KelpDAO, and a Record Month

By incident count, April 2026 was among the busiest security months the industry has seen. Two attacks dominate everything else.

Drift Protocol: $285 Million on April 1

The largest DeFi hack of 2026 (until KelpDAO surpassed it 17 days later) drained Drift Protocol's perpetuals vaults on Solana for $285 million. There was no smart contract bug. The attackers spent months preparing.

The crew, attributed to the Lazarus Group by Elliptic, TRM Labs, and Mandiant, posed as a quantitative trading firm. They built relationships with Drift Security Council members starting in March. They exploited Solana's durable nonces feature, a usability mechanism that lets transactions be pre-signed and submitted later, to get council members to blindly authorize dormant transactions. When the attack triggered, those pre-signed transactions whitelisted a worthless token (CarbonVote, ticker CVT) as collateral. The attackers deposited 500 million CVT and borrowed $285 million in real assets (USDC, SOL, and ETH) in roughly 12 minutes.

More than half of Drift's TVL was wiped. Carrot, a Solana yield protocol with $28 million in TVL that depended on Drift markets, paused operations within 24 hours and announced permanent shutdown a week later. By month's end Carrot had $1.99 million in residual TVL.

Tether committed a $147.5 million recovery facility from Tether and ecosystem partners. Drift announced it will issue recovery tokens representing claims on a future revenue pool, targeting a Q2 2026 relaunch as a leaner perps-native exchange backed by a $20 million Tether market-making facility.

The lesson is not "audit your smart contracts." Drift's contracts were audited. The lesson is that operational security and signing infrastructure are now the dominant DeFi attack surface, and Solidity reviews don't catch them.

KelpDAO: $292 Million on April 18

The KelpDAO rsETH exploit was different in nature and worse in consequence. It was an infrastructure attack.

Kelp's cross-chain bridge between Unichain and Ethereum used LayerZero V2 with a 1-of-1 Decentralized Verifier Network (DVN) configuration. A single verifier node confirmed every cross-chain message. The attackers compromised the RPC nodes feeding that verifier with false data, then DDoS'd the external nodes Kelp had configured as fallbacks. The verifier accepted the spoofed messages as valid and authorized the minting of 116,500 rsETH on Ethereum without backing, roughly 18% of the entire circulating rsETH supply.

The attackers immediately deposited the unbacked rsETH on Aave V3 as collateral, while the rsETH oracle still reflected pre-exploit prices, and borrowed $190.86 million in wETH plus other assets before Aave's Guardian system caught the anomaly and froze rsETH markets at 18:52 UTC.

LayerZero blamed Kelp's 1-of-1 DVN configuration. Kelp pointed out that LayerZero's own default GitHub configuration ships with a 1-of-1 setup and that roughly 40% of LayerZero protocols use the same configuration. Both are correct. Kelp announced a migration to Chainlink CCIP, which uses multi-validator consensus by default.

The fallout cascaded:

• DeFi TVL dropped $13.2 billion in the 48 hours following the exploit, largely from Aave withdrawals
• Aave's initial modeled bad debt ranged from ~$124 million to ~$230 million depending on how rsETH losses were socialized, before later recovery actions reduced the projected shortfall
• Several protocols froze rsETH exposure within hours. SparkLend, Fluid, and Aave V3/V4 across Core, Prime, Arbitrum, Base, Mantle, and Linea
• Lido suspended its EarnETH vault to assess exposure (core stETH was unaffected)
• Bitcoin held above $76,000 despite the chaos, suggesting the contagion stayed contained to DeFi

Both Drift and KelpDAO are attributed to Lazarus Group. The two attacks together account for roughly 92% of April's $629 million in losses.

The Smaller Incidents

The headline numbers hide a longer tail. April was the most-incident-heavy month on record specifically because so many smaller protocols were hit:

Volo's incident is the most instructive of the small set. A single compromised admin key drained vaults on Sui despite no smart contract flaw. Same root cause as Drift, scaled down. Volo froze remaining vaults and committed to absorbing the losses. Roughly $500K was frozen with ecosystem help.

The Response: DeFi United and the Arbitrum Freeze

How Aave Survived

The most interesting story of April was not the attack itself. It was the response. Aave's initial exposure was modeled in a broad ~$124 million to ~$230 million range depending on how rsETH losses would ultimately be allocated. By April 24, Aave's governance forum described DeFi United as an in-progress coalition effort with 14,570 ETH in contributions identified so far, Mantle offering up to 30,000 ETH as a credit facility, and an Aave DAO request for 25,000 ETH from treasury. By April 28, public trackers and media coverage were reporting commitments above $300 million, though not all of that capital had been deployed onchain yet.

The episode still demonstrated something important: the largest DeFi protocols can coordinate a rescue effort without a central clearinghouse. Whether that should reassure or alarm you depends on which side of the decentralization debate you sit on, which is exactly the question Arbitrum's Security Council action raised next.

The Arbitrum Freeze

On April 21, the Arbitrum Security Council executed an emergency action to freeze 30,765.67 ETH (~$71 million) belonging to the KelpDAO attacker on Arbitrum One. The funds had bridged to Arbitrum and the Council used its emergency powers to immobilize them pending a later governance decision on release.

The action recovered real money. It also forced an uncomfortable conversation. If 9 of 12 council members can freeze any address on the chain, what exactly is the trust model? CoinDesk's follow-up coverage, Inside the $71 Million Freeze, captured the unease. Every defender of L2 decentralization spent the next week explaining why a security council vote did not contradict their prior statements. The technical answer (the council exists for emergencies, was disclosed at L2 launch, and is itself decentralized) is correct. The political answer is harder. Builders on L2s should map exactly what their host chain's security council can do before launching anything that holds significant value.

The Other April: Records, Not Hacks

If you only read the security coverage, you'd think April was a write-off for DeFi. The capital flows say the opposite.

Stablecoins Crossed $321 Billion

Total stablecoin supply hit a new all-time high of $321 billion on April 21, growing roughly $6 billion from the Q1 close. USDT held its 58% share at $188 billion, but USDC grew 73% year-over-year versus USDT's 36%, a meaningful share shift driven by institutional and DeFi-native demand.

The DAI-to-USDS migration completed during April. Binance auto-converted all DAI balances to USDS at 1:1 on April 7, with USDS pairs going live April 9. By month-end, USDS supply had reached $8.7 billion, surpassing DAI ($4.66 billion). Sky's Q1 2026 results, released early April, showed a record $124 million in gross revenue and $61 million in net revenue. More than 60% of that now comes from real-world asset yield. Bitget delisted DAI from its P2P service on April 29, accelerating the sunset.

Tether also launched tether.wallet on April 14 across Plasma, Ethereum, and Arbitrum. The Plasma launch drove an 80% monthly TVL surge for the chain, which crossed $2 billion and became the seventh-largest blockchain by TVL.

Bitcoin and Ethereum ETF Flows

Spot Bitcoin ETFs pulled in $2.44 billion in April, the strongest month of 2026. BlackRock IBIT captured $1.71 billion (70% share). Spot Ethereum ETFs broke a five-month negative streak with $356 million in net inflows, including a 10-day streak that totaled $633 million. Year-to-date Ethereum ETF flows remain net negative around -$413 million through April.

Tokenized real-world assets reached $27.6 billion on-chain (+4% MoM during a volatile market), and BlackRock's BUIDL fund crossed $2 billion across Ethereum, Solana, and Polygon. Larry Fink's 2026 Chairman's Letter put it bluntly. "We believe that tokenization today may be roughly where the internet was in 1996."

Aave Will Win

On April 13, Aave's "Aave Will Win" governance proposal passed with 52.58% Snapshot support and roughly 75% on the final vote. The proposal redirects 100% of gross revenue from Aave-branded products (the Aave App, Aave Pro, Aave V4, Aave Kit, and Horizon) to the DAO treasury, with fees routed to DAO-controlled collector addresses rather than directly to token holders. The vote ended a months-long dispute over swap fees from CoWSwap integration that had been quietly routed away from the treasury. Aave Labs received $25 million in stablecoins and 75,000 AAVE tokens (48-month vest) in return.

Combined with Uniswap's UNIfication fee switch activated last December, Aave's vote means the fee-switch era is mature. DeFi protocols are no longer "governance tokens with no cash flow." They are productive assets with transparent revenue accrual. For investors evaluating DeFi protocols, the question has shifted from "does this protocol have a fee switch?" to "what is the real revenue and how is it distributed?"

Uniswap v4 Hooks

April was still an important month for Uniswap v4, even without a single headline product launch to point to. The protocol expanded to Linea on April 2 and to Tempo on March 18, giving v2, v3, and v4 broader chain coverage while continuing to push hooks into production use. v4 hooks let liquidity pools embed custom logic (dynamic fees, KYC gates, MEV protection, oracle integration) without forking the AMM. The significance is architectural: Uniswap is becoming more of a liquidity platform than a single app surface.

The governance fee-switch for v4 pools is scheduled for a mid-2026 vote.

Morpho Midnight

Morpho launched Morpho Midnight on April 14, a fixed-rate, fixed-term lending protocol distinct from Morpho Blue. Users specify a desired rate and duration. Counterparties match through intent-based peer-to-peer matching. CEO Paul Frambot framed it as "a completely new paradigm for onchain lending, not a V2." The product targets TradFi institutions that need predictable cash flows, the demographic that Apollo Global Management is courting through its 48-month cooperation agreement to acquire up to 9% of MORPHO supply.

By mid-April, Morpho's TVL reached $7.48 billion, surpassing Compound and making Morpho the second-largest DeFi lending protocol. Morpho's KelpDAO exposure was approximately $1 million across two isolated markets, a pointed contrast with Aave's much larger nine-figure rsETH exposure and a useful data point for the isolated-vs-shared-pool architectural debate.

Hyperliquid HIP-4 and Prediction Markets

Hyperliquid spent April pushing HIP-4 toward production, extending its move into binary outcome markets. Through late April, HIP-4 was still discussed primarily as a testnet-era prediction market primitive rather than a fully established April mainnet launch.

Combined with Hyperliquid's 44% share of decentralized perpetual volume ($178 billion in April alone), HIP-4 positions Hyperliquid as a direct competitor to Polymarket and Kalshi. Polymarket itself rolled out a major exchange upgrade on April 28 (CTF V2 with EIP-1271 smart-wallet support and a new pUSD collateral token), processing $9 billion in April volume. Kalshi continues to dominate the US regulated prediction market with $13.4 billion notional.

The combined prediction market sector hit ~$25.2 billion in April across the top five platforms.

AI Agents Hit the On-Chain Rails

April was the month AI agents stopped being a slide and became a payments layer.

On April 2, Coinbase contributed the x402 protocol to the Linux Foundation at the MCP Dev Summit in New York. The newly formed x402 Foundation has backing from Google, Stripe, Amazon Web Services, Visa, Mastercard, Microsoft, Cloudflare, Shopify, and 15+ other members. By late April, Coinbase's own launch materials for Agentic.Market cited 165 million+ transactions, $50 million+ in volume, and 480,000+ agents transacting across the x402 ecosystem.

The companion product, Coinbase Payments MCP, gives AI agents direct wallet access through natural language. It works with Claude Desktop, Claude Code, OpenAI's Codex, Google's Gemini, and Cherry Studio. This is the rail through which agents will increasingly transact on-chain.

The ERC-8004 standard for trustless AI agent identity (launched on Ethereum mainnet in January) reached multi-chain deployment in April with Avalanche and BNB Chain support. Tracked Ethereum-based agent identities exceed 24,000 as of early May, with projections of approximately 130,000 ERC-8004 agents across multiple chains by year-end.

The infrastructure consequence is the same as it was in February, only larger. Agents generate sustained, machine-rate RPC traffic. 165 million transactions in 19 days is the kind of load that turns compute-unit billing into a budgeting nightmare. Flat-rate RPC pricing is no longer a nice-to-have for agent infrastructure. It's a precondition for cost predictability.

Regulatory Calendar Hardens

The MiCA and GENIUS Act deadlines that "take effect within months" in the original State of DeFi piece are now weeks away.

ESMA issued a formal statement on April 17 (document ESMA75-113276571-1679) confirming that all MiCA transitional periods expire across the EU on July 1, 2026. After that date, any entity providing crypto-asset services to EU clients without a MiCA license is in breach of EU law. ESMA explicitly directed unauthorized CASPs to have wind-down plans operational immediately, and instructed licensed CASPs to migrate clients proactively. If you have EU users and no MiCA path, this is not a future problem.

FinCEN and OFAC jointly published a Notice of Proposed Rulemaking on April 8 implementing the GENIUS Act's anti-money laundering and sanctions compliance provisions for Permitted Payment Stablecoin Issuers. The proposed rule treats PPSIs as "financial institutions" under the Bank Secrecy Act. Comment period closes June 9, 2026. Federal and state regulators have a July 18, 2026 deadline to issue full implementing regulations.

The SEC's Division of Trading and Markets issued staff guidance on April 13 creating a temporary five-year safe harbor for "Covered User Interface Providers" (websites, browser extensions, and software interfaces that let users submit transactions in crypto asset securities using self-custodial wallets) without registering as broker-dealers. The guidance sunsets in April 2031 unless formalized through rulemaking. Conditions: interfaces cannot recommend specific tokens, route orders through proprietary liquidity for fees, or hold user funds at any point.

For US-based DeFi front-end developers, this is the most concrete piece of regulatory clarity since the GENIUS Act passed. For protocols building tokens that may be classified as securities, it's a usable path, provided you stay inside the conditions.

Japan's cabinet approved an FSA-backed bill on April 10 to reclassify crypto assets as financial products under the Financial Instruments and Exchange Act, bringing insider trading rules into scope if enacted. Reporting around the bill also pointed to a proposed shift toward a flat 20% tax regime for eligible crypto assets, but that change was not activated in April and is expected to take effect later if the legislation clears the full process.

Multi-Chain Snapshot

Capital movement during April reshuffled the multi-chain landscape.

Two structural points stand out.

First, the Move-based chains continued the trajectory the original State of DeFi piece flagged. Sui crossed $2 billion in TVL with 954 monthly active developers (twice Aptos's 465). Aptos crossed the $1 billion TVL threshold on the back of 700% YTD growth, led by Aries Markets, Amnis Finance, and Echelon. CME Group announced cash-settled SUI futures launching May 4, 2026.

Second, stablecoin-native L1s emerged as a real category. Plasma's 80% monthly TVL surge driven by tether.wallet integration is not a one-off. It's the early signal of a chain class designed around stablecoin issuance and settlement rather than general-purpose smart contracts.

For BTCFi specifically, Babylon now has 56,853 BTC staked (~$5.64 billion), approximately 38% of the total WBTC supply. The Babylon-Aave V4 partnership announced in December targeted April 2026 for the mainnet launch of native Bitcoin-backed lending. Babylon co-founder David Tse confirmed the target during the month, though final go-live timing was pulled into the recovery effort after Babylon Foundation contributed $3 million to the DeFi United relief fund. Stacks closed Q1 with $437 million in sBTC TVL, and Hermetica launched its Bitcoin Yield Vault (hBTC) on April 21.

What April Exposed About Infrastructure

Three patterns from April change how DeFi teams should think about infrastructure for the rest of 2026.

1. RPC Nodes Are Now an Attack Surface

The KelpDAO exploit was, at its root, an RPC-layer infrastructure attack. Attackers compromised the RPC nodes feeding Kelp's LayerZero verifier and DDoS'd the external nodes Kelp had configured as fallbacks. The result was a verifier that confirmed false cross-chain messages because every input it could see had been corrupted.

This matters even if you are not running a bridge:

• Any protocol making automated decisions based on RPC responses (oracle updates, liquidation engines, MEV protection) is exposed to RPC poisoning if the upstream nodes can be compromised or DDoS'd
• Single-RPC-provider configurations create the same single-point-of-failure risk that 1-of-1 DVNs have for bridges
• Public endpoints are the most exposed because they have no rate-limiting on attackers and no SLA when they're under load

The defensive pattern is the same one production trading desks have used for years. Use multiple independent RPC providers, automated health-check failover, and circuit breakers that pause protocol-critical operations when responses diverge across providers. Dwellir operates dedicated infrastructure across 140+ blockchain networks with 99.9%+ uptime SLAs and dedicated nodes that don't share capacity with anonymous public traffic. For DeFi protocols where a poisoned RPC response can become a $290 million event, that isolation is not a luxury.

2. Operational Security Is the Real Smart Contract

Drift's $285 million loss did not exploit a smart contract bug. It exploited the gap between contract logic and the humans and signing infrastructure that authorize contract upgrades and parameter changes. Whitelisting CVT as collateral was a parameter change. The smart contract executed correctly. The signing infrastructure was the vulnerability.

For builders, the implication is that multi-sig hygiene, signing-device security, and adversarial threat modeling matter as much as Solidity correctness. If your security council can be social-engineered into pre-signing transactions for a fake quant firm, no audit will save you. The 2025 Bybit hack made this point at $1.5 billion. Drift made it again at $285 million on April 1.

3. Multi-Chain DeFi Needs Unified Infrastructure

April highlighted how fragmented DeFi capital actually is. Aave operates V3 and V4 in parallel. Lending markets froze across Core, Prime, Arbitrum, Base, Mantle, and Linea. Hyperliquid runs both HyperCore and HyperEVM. BTCFi spans Babylon, Stacks, Merlin, Core, and Rootstock. Plasma is now top-10 for stablecoin TVL. The original State of DeFi piece counted 68% Ethereum dominance. April's data shows that's still roughly accurate, but the other 32% is more chains than ever.

Building across all of those chains means either picking favorites or running unified infrastructure. Dwellir covers 140+ networks from a single platform, including Ethereum, Arbitrum, Base, Optimism, BNB Chain, Polygon, Avalanche, and the EVM chains where the bulk of DeFi TVL sits, through a consistent URL pattern (api-{network}-{variant}.n.dwellir.com) and a single API key. For multi-chain DeFi teams managing AI agent traffic on x402, recovering trust after April's incidents, or evaluating a Plasma deployment, that consolidation reduces operational overhead. The flat-rate pricing model removes the unpredictability that compute-unit billing inflicts on any workload that can spike, and DeFi workloads spike hard under stress.

Here is a defensive pattern useful for monitoring positions during volatility: read multiple Aave reserve states in parallel through Dwellir's Ethereum endpoint using ethers.js.

import { ethers } from "ethers";

const provider = new ethers.JsonRpcProvider(
  "https://api-ethereum-mainnet.n.dwellir.com/<YOUR-API-KEY>"
);

// Aave V3 Pool ABI (simplified)
const poolABI = [
  "function getReserveData(address asset) view returns (tuple(uint256 configuration, uint128 liquidityIndex, uint128 currentLiquidityRate, uint128 variableBorrowIndex, uint128 currentVariableBorrowRate, uint128 currentStableBorrowRate, uint40 lastUpdateTimestamp, uint16 id, address aTokenAddress, address stableDebtTokenAddress, address variableDebtTokenAddress, address interestRateStrategyAddress, uint128 accruedToTreasury, uint128 unbacked, uint128 isolationModeTotalDebt))",
];

const POOL = "0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2"; // Aave V3 Ethereum
const aave = new ethers.Contract(POOL, poolABI, provider);

const ASSETS = {
  WETH: "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
  USDC: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
  // Add additional reserves for monitoring
};

async function snapshotReserves() {
  const results = await Promise.all(
    Object.entries(ASSETS).map(async ([name, addr]) => {
      const data = await aave.getReserveData(addr);
      // Rates are in ray (1e27) and represent the APR. Divide by 1e25 to express as a percent.
      return {
        name,
        supplyAPR: Number(data.currentLiquidityRate) / 1e25,
        borrowAPR: Number(data.currentVariableBorrowRate) / 1e25,
        unbacked: data.unbacked.toString(),
      };
    })
  );
  console.table(results);
}

snapshotReserves();

A production monitoring system runs this loop across multiple RPC providers in parallel and alerts when their responses disagree by more than a small tolerance. That diff is the early warning signal that one of your providers is compromised. It's the exact pattern that would have caught the Kelp verifier feed before it minted 116,500 rsETH.

What April Means for the Rest of 2026

Three things changed in April that will shape the rest of the year.

The fee-switch era is locked in. Aave joining Uniswap on the productive-asset side of the ledger means DeFi governance tokens are now valued as cash-flow assets. Protocols that have not figured out their revenue distribution model are going to look increasingly anomalous.

Operational security is the dominant attack vector. Drift, Bybit (2025), and the long tail of admin-key compromises this year all share the same root cause. Smart contract auditing is necessary but not sufficient. Threat modeling, signing infrastructure, and adversarial UX are the new audit boundary.

Bridge configuration is now a public liability. The KelpDAO 1-of-1 DVN debate forced every bridge user to look at their actual configuration. Multi-validator default configurations, transparent verifier sets, and circuit breakers tied to anomaly detection are the minimum bar going into the second half of 2026.

For teams running DeFi protocols, the takeaways are practical. Audit your operational security with the same rigor as your smart contracts. Map every bridge you depend on by its actual verifier configuration, not its marketing. Run multi-RPC redundancy with disagreement-based circuit breakers. Plan for MiCA in July if you have any EU exposure. Decide whether your treasury has enough liquidity to participate in a Lehman-style coordinated rescue if your peer protocols call one.

For investors, the divergence is the signal. Stablecoins, ETFs, and tokenized RWAs grew during the worst security month in crypto history. That's the institutional pipeline. The DeFi protocols that absorbed the volatility (Aave, EtherFi, Lido, Mantle, Babylon, Sky) demonstrated something institutions have always demanded from financial markets: a coordinated, capitalized rescue inside seven days, with named contributors and a public ledger of pledges.

For teams building DeFi applications that need reliable multi-chain RPC infrastructure (especially infrastructure that can absorb the kind of sustained agent traffic that x402 is now generating, or the load spikes that follow events like KelpDAO), explore Dwellir's supported networks or contact the Dwellir team to discuss your requirements.