Did hackers and regulators ruin DeFi?

Core Viewpoint
Summary: The future of DeFi will either move towards a stricter industry self-discipline and compliance framework, forced to compromise on the principles of decentralization; or it will gradually lose market confidence in the ongoing imbalance of offense and defense, leading to long-term marginalization.
ChainCatcher Selection
2026-05-29 17:25:49

Author: Gu Yu, ChainCatcher

In April 2026, a series of security disasters once again pushed DeFi to the forefront of public opinion. The attacks on Kelp DAO and Drift Protocol resulted in losses exceeding $575 million, causing the total value locked (TVL) in DeFi to plummet from approximately $172 billion to $148 billion, with the TVL in the lending sector collapsing from $53 billion to $40 billion.

In recent days, Manuel Aráoz, co-founder of the well-known security auditing company OpenZeppelin, bluntly stated on the X platform: "I believe all DeFi is unsafe." He even mentioned that he has begun privately advising friends and family to liquidate all DeFi positions, including protocols like Aave, MakerDAO, and Compound, which are recognized as "low-risk blue chips."

Although this judgment is particularly harsh, it is worth pondering. After all, OpenZeppelin has long been one of the most important builders of security infrastructure in the DeFi world, with its smart contract standards and security tools permeating the entire development history of the industry. If even those who understand smart contract security systems the best begin to question the risks of DeFi and decisively withdraw, it undoubtedly signifies that some deeper issues are surfacing.

In the past few years, whenever DeFi encountered setbacks, people could quickly find a specific reason. During market downturns, the blame would be placed on the macro environment; when hacker attacks occurred, people would attribute it to technical vulnerabilities; when regulatory agencies took action, the issues would be summarized as policy pressure.

However, if we extend the time dimension, we will find an increasingly clear fact: the predicament facing DeFi today is not caused by a single attack, a specific regulatory policy, or a failed project, but rather that the two core logics on which it was originally built are simultaneously facing challenges.

One logic comes from the technical world, namely that code can replace trust. The other logic comes from the institutional world, which posits that open networks can bypass the constraints of traditional financial systems.

And hackers and regulators have precisely struck at these two pillars.

I. The Deep Evolution of the DeFi Security Crisis

For the past decade, the core paradox in the field of DeFi security has never changed. Web3 security researchers have long identified this fatal asymmetry: the defense must plug every possible exploit, while the attacker only needs to succeed at one point.

On the surface, the attack methods are nothing more than the usual suspects: cross-chain bridge vulnerabilities, multi-signature permission hijacking, oracle manipulation, etc. However, the incidents involving Kelp DAO and Drift Protocol reveal a more brutal trend: the most fatal vulnerabilities often do not lie within the smart contract code.

On April 18, the Ethereum liquidity re-staking protocol Kelp DAO was attacked. The attacker exploited a configuration vulnerability in the DVN (Decentralized Verification Network) of the LayerZero cross-chain bridge, forging cross-chain messages and withdrawing 116,500 rsETH from the bridge within hours, amounting to approximately $293 million at the time.

The essence of this disaster is a configuration error, not a code defect. Kelp DAO chose a "1-of-1" configuration for LayerZero's cross-chain verification network—only one DVN node's confirmation is needed for cross-chain messages to be considered valid. When the attacker compromised two RPC nodes providing verification data and launched a DDoS attack, the entire bridging system became effectively non-functional.
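As an added illustration (not LayerZero's, Kelp DAO's or the author's code), the following is a simplified model of the DVN attestation policy a LayerZero-style bridge applies before a cross-chain message is treated as valid; the DVN names and payloads are constructed, and "compromised" stands in for a DVN whose verification data has been subverted.

```python
from dataclasses import dataclass
from typing import AbstractSet, FrozenSet, Set

@dataclass(frozen=True)
class DvnConfig:
    """Attestation policy for one messaging path: every DVN in `required`
    must attest, plus at least `optional_threshold` of the `optional` ones."""
    required: FrozenSet[str]
    optional: FrozenSet[str] = frozenset()
    optional_threshold: int = 0

def message_verified(cfg: DvnConfig, attesting: AbstractSet[str]) -> bool:
    """True iff the DVNs that attested to a message satisfy the policy."""
    if not cfg.required <= attesting:
        return False
    return len(cfg.optional & attesting) >= cfg.optional_threshold

# Constructed "source-chain truth": the only payload that was really sent.
GENUINE_PAYLOADS = {"0xgenuine-withdrawal"}
ALL_DVNS = ("dvn_a", "dvn_b", "dvn_c", "dvn_d")  # hypothetical DVN names

def attestations(payload: str, compromised: AbstractSet[str],
                 unavailable: AbstractSet[str] = frozenset()) -> Set[str]:
    """Which DVNs attest to `payload`. An honest DVN attests only to payloads
    it can see on the source chain; a DVN whose data feed (e.g. its RPC nodes)
    is attacker-controlled attests to whatever it is shown; a DVN that is
    unavailable (e.g. under DDoS) attests to nothing."""
    return {d for d in ALL_DVNS
            if d not in unavailable
            and (d in compromised or payload in GENUINE_PAYLOADS)}

# The weak 1-of-1 policy described above, beside a multi-DVN policy.
WEAK_1_OF_1 = DvnConfig(required=frozenset({"dvn_a"}))
MULTI_DVN = DvnConfig(required=frozenset({"dvn_a", "dvn_b"}),
                      optional=frozenset({"dvn_c", "dvn_d"}),
                      optional_threshold=1)

def outcome(cfg: DvnConfig, payload: str, compromised: AbstractSet[str],
            unavailable: AbstractSet[str] = frozenset()) -> bool:
    """Would the bridge accept `payload` under `cfg` in this scenario?"""
    return message_verified(cfg, attestations(payload, compromised, unavailable))

if __name__ == "__main__":
    # One subverted DVN is enough to pass a forged message under 1-of-1 ...
    print(outcome(WEAK_1_OF_1, "0xforged", {"dvn_a"}))                       # True
    # ... but not when a second, independent DVN must also attest.
    print(outcome(MULTI_DVN, "0xforged", {"dvn_a"}))                         # False
    # 1-of-1 also has no redundancy: the single DVN going dark stalls the bridge.
    print(outcome(WEAK_1_OF_1, "0xgenuine-withdrawal", set(), {"dvn_a"}))   # False
```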

On April 1, one of the largest perpetual contract DEXs in the Solana ecosystem, Drift Protocol, was attacked, resulting in a loss of $285 million, making it the largest single DeFi attack event of 2026 to date and the second-largest hacking incident in Solana's history.

This was also not due to a smart contract vulnerability. The attacker used social engineering to compromise at least two of the three signers of the multi-signature wallet, tricking them into pre-signing malicious transactions that used Solana's durable nonce feature. Once the attacker gained administrative privileges, the theft of funds was completed in less than 12 minutes.

The root of the attack lies in a complete failure of operational security (OpSec): improper configuration of the multi-signature wallet, blind spots in key management, and a social engineering defense line that was virtually non-existent.

These two incidents reveal the deep evolution of the DeFi security crisis: the breakthrough points of attacks are systematically shifting from traditional smart contract code vulnerabilities to configuration layers and human/OpSec layers.

Manuel Aráoz pointed out the core of the problem succinctly: "Smart contract security is essentially an extremely asymmetric game—defenders must fix all vulnerabilities, while attackers only need to find one to steal funds." As AI begins to exponentially enhance attack efficiency, this asymmetry is rapidly becoming unbalanced.

AI coding agents can automatically find, within minutes, issues that previously took top white-hat teams weeks to discover, and can even autonomously generate attack scripts from publicly available protocol code. Coming from the co-founder of OpenZeppelin, one of the most mainstream security auditing companies in the industry, this pessimistic judgment serves as a signal: the security industry itself is becoming aware that the existing defense framework faces systemic failure.

II. The Ongoing Spread of Regulatory Pressure

As the security crisis deepens, regulatory forces are also exerting pressure on both on-chain and off-chain dimensions.

On May 26, the UK government placed the cryptocurrency exchange HTX on its sanctions list against Russia, marking the first time it has used Regulation 17A to impose sanctions on cryptocurrency exchanges. The UK accused HTX of handling $3.3 trillion in transactions in 2025, allegedly providing financial services to the sanctioned A7 payment network and the Russian exchange Garantex.

The chain reaction triggered by the sanctions spread quickly. After several mainstream AML companies flagged HTX's exchange addresses as high-risk, many exchanges using their AML systems tightened transaction reviews for addresses associated with HTX, and numerous HTX users ran into problems withdrawing assets to other exchanges.

The HTX incident reveals a deeper dilemma: in a complex geopolitical landscape, a single sanction initiated by regulators can trigger an expanding chain reaction on-chain that ultimately affects the funds of countless ordinary users. An HTX user may hold assets entirely innocently, yet because of the platform's potential compliance risks, they may run into the entire AML system's "firewall" when attempting to withdraw to other exchanges, leaving funds frozen or indefinitely delayed.

In reality, the HTX incident is just the tip of the iceberg of regulatory pressure. What truly constrains DeFi innovation at a deeper level is the legal qualification of the underlying business models of protocols by regulatory agencies.

In the past two years, the US SEC has launched investigations into "blue chip" DeFi protocols such as Compound, Uniswap, and Curve, focusing on whether governance tokens constitute unregistered securities. More direct blows have come from the yield-bearing token sector—the SEC's enforcement actions against products like Gemini Earn indicate that as long as a protocol pays users passive interest based on deposits, it is easily deemed an investment contract, triggering registration and disclosure obligations under the Securities Act.

This legal ambiguity and high pressure directly stifle the most imaginative directions of DeFi innovation: from liquidity mining to structured yield products, developers must constantly worry about whether their token economic models cross regulatory red lines.

In a sense, the "permissionless" nature that DeFi initially emphasized is gradually evolving into another form of "permission system." This "permission" does not come from a specific company or protocol, but from every link in the regulatory compliance chain: AML lists, exchange risk control engines, the long-arm jurisdiction of securities laws, and so on.

III. DeFi Enters a Realist Phase

Looking back at the ups and downs of DeFi over the past few years, its security dilemmas and regulatory pressures do not exist independently. The lack of a clear regulatory framework makes it difficult to establish industry consensus on security standards; the frequent security incidents, in turn, give global regulators the most direct reason to tighten enforcement; and the accelerating security asymmetry of the AI era and the gradually tightening compliance thresholds ultimately intertwine, pushing countless ordinary users to the center of the storm.

Essentially, the boundaries of security auditing and the rigidity of regulatory compliance are continuously eroding the two core assumptions on which DeFi stands—"code is law" and "permissionless freedom."

Today, users bear higher technical risks than in traditional finance, yet may not gain any more freedom than traditional finance offers. This is precisely why many market participants are confused today: they find that DeFi is neither as secure as a bank nor as completely open as initially promised.

When a system simultaneously loses both its security premium and its freedom premium, its growth logic will naturally be challenged. Therefore, the question may not be "Did hackers and regulators destroy DeFi?"

More accurately, hackers and regulators have simply forced the industry to confront reality. Hackers have made people realize that code does not inherently create trust; regulators have made people aware that the on-chain world has never operated as a parallel universe detached from the real world.

This does not mean the failure of DeFi. On the contrary, it signifies that this experiment is transitioning from an idealistic phase to a realist phase.

DeFi is not being destroyed by hackers, nor by the net of regulation. It is being redefined by the survival laws shaped by both: in the future, DeFi must either move towards stricter industry self-regulation and compliance frameworks, forced to compromise on decentralization principles; or gradually lose market confidence in the ongoing imbalance of offense and defense, leading to long-term marginalization.
