Is it hackers and regulation that ruined DeFi?

By: rootdata|2026/05/30 03:45:00

Author: Gu Yu, ChainCatcher

In April 2026, a series of security disasters once again pushed DeFi to the forefront of public opinion. The attacks on Kelp DAO and Drift Protocol resulted in losses exceeding $575 million, causing the total value locked (TVL) in DeFi to plummet from approximately $172 billion to $148 billion, with the TVL in the lending sector collapsing from $53 billion to $40 billion.

In recent days, Manuel Aráoz, co-founder of the well-known security auditing company OpenZeppelin, bluntly stated on the X platform: "I believe all DeFi is now unsafe." He even mentioned that he has begun privately advising friends and family to liquidate all DeFi positions, including protocols like Aave, MakerDAO, and Compound, which are recognized as "low-risk blue chips."

Although this judgment is particularly harsh, it is worth pondering. After all, OpenZeppelin has long been one of the most important builders of security infrastructure in the DeFi world, with its smart contract standards and security tools permeating the entire industry's development. If even those who understand the smart contract security system the best begin to question the risks of DeFi and decisively withdraw, it undoubtedly indicates that some deeper issues are surfacing.

In the past few years, whenever DeFi faced setbacks, people could quickly find a specific reason. During market downturns, the blame would be placed on the macro environment; when hacker attacks occurred, people would attribute it to technical vulnerabilities; when regulatory agencies took action, the issues would be summarized as policy pressure.

However, if we extend the time dimension, we will find an increasingly clear fact: the predicament facing DeFi today is not caused by a single attack, a specific regulatory policy, or a failed project, but rather that the two core logics upon which it was originally built are simultaneously facing challenges.

One logic comes from the technical world, namely that code can replace trust. The other logic comes from the institutional world, which states that open networks can bypass the constraints of traditional financial systems.

And hackers and regulators have precisely struck at these two pillars.

I. The Deep Evolution of the DeFi Security Crisis

For a decade, the core paradox in the DeFi security field has never changed. Web3 security researchers have long identified this fatal asymmetry: the defender must plug every possible vulnerability, while the attacker only needs to succeed once.

On the surface, the attack methods are nothing more than the usual suspects: cross-chain bridge vulnerabilities, multi-signature permission hijacking, oracle manipulation, etc. However, the incidents involving Kelp DAO and Drift Protocol reveal a more brutal trend: the most fatal vulnerabilities often do not lie within the smart contract code.

On April 18, the Ethereum liquidity re-staking protocol Kelp DAO was attacked. The attacker exploited a configuration vulnerability in the DVN (Decentralized Validation Network) of the LayerZero cross-chain bridge, forging cross-chain messages and withdrawing 116,500 rsETH from the bridge within hours, amounting to approximately $293 million at the time.

The essence of this disaster is a configuration error, not a code defect. Kelp DAO chose a "1-of-1" configuration for LayerZero's cross-chain validation network: the confirmation of a single DVN node is enough for a cross-chain message to be considered legitimate. Once the attacker compromised two RPC nodes that supplied that DVN's validation data and launched a DDoS attack, the bridge's validation layer effectively ceased to exist.
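To make the "1-of-1" point concrete, here is an added, simplified model of DVN-based message verification (constructed for this article, not LayerZero's or Kelp DAO's code): a compromised DVN is one whose view of the source chain the attacker controls, which abstracts the compromised RPC nodes described above. The names `DVN`, `EndpointConfig` and the sample messages are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed model: a DVN either checks the source chain honestly or, if its
# data feed is attacker-controlled, confirms whatever it is handed.

@dataclass(frozen=True)
class Message:
    src_chain: str
    dst_chain: str
    nonce: int
    payload: str

@dataclass
class DVN:
    name: str
    compromised: bool = False  # attacker controls this node's view of the source chain

    def confirms(self, msg: Message, source_ledger: frozenset) -> bool:
        if self.compromised:
            return True  # attests to anything, including messages never emitted
        return msg in source_ledger  # honest: only what really happened on-chain

@dataclass
class EndpointConfig:
    required: list                        # every listed DVN must confirm
    optional: list = field(default_factory=list)
    optional_threshold: int = 0           # how many optional DVNs must also confirm

    def accepts(self, msg: Message, source_ledger: frozenset) -> bool:
        if not all(d.confirms(msg, source_ledger) for d in self.required):
            return False
        hits = sum(d.confirms(msg, source_ledger) for d in self.optional)
        return hits >= self.optional_threshold

# Constructed sample data: one genuine deposit on the source chain, and a
# withdrawal that was never emitted there (the forged message).
SOURCE_LEDGER = frozenset({Message("ethereum", "arbitrum", 1, "deposit 10 rsETH")})
FORGED = Message("ethereum", "arbitrum", 2, "withdraw 116500 rsETH")

def forged_message_accepted(config: EndpointConfig) -> bool:
    return config.accepts(FORGED, SOURCE_LEDGER)

def one_of_one(compromised: bool) -> EndpointConfig:
    # The "1-of-1" setup: a single required DVN and nothing else.
    return EndpointConfig(required=[DVN("dvn-a", compromised)])

def two_required(compromised: set) -> EndpointConfig:
    # Two independent required DVNs: both must confirm, so one compromise is not enough.
    return EndpointConfig(required=[DVN(n, n in compromised) for n in ("dvn-a", "dvn-b")])

if __name__ == "__main__":
    print("1-of-1, dvn-a compromised:", forged_message_accepted(one_of_one(True)))
    print("two required, only dvn-a compromised:", forged_message_accepted(two_required({"dvn-a"})))
```

With the single required DVN compromised the forged withdrawal is accepted; with two independent required DVNs the same compromise is rejected, which is the whole difference the configuration choice makes.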

On April 1, one of the largest perpetual contract DEXs in the Solana ecosystem, Drift Protocol, was attacked, resulting in a loss of $285 million, making it the largest single DeFi attack incident of 2026 to date and the second-largest hacking case in Solana's history.

This was also not a smart contract vulnerability. The attacker used social engineering to compromise at least two of the three signers of the multi-signature wallet, getting them to pre-sign malicious transactions using Solana's durable nonce feature. Once the attacker gained administrative privileges, they completed the theft of funds in less than 12 minutes.

The root of the attack lies in a complete failure of operational security (OpSec): improper multi-signature wallet configuration, blind spots in key management, and a social engineering defense line that was virtually non-existent.

These two incidents reveal the deep evolution of the DeFi security crisis: the breakthrough points of attacks are systematically shifting from traditional smart contract code vulnerabilities to configuration layers and human/OpSec layers.

Manuel Aráoz pointed out the core of the problem: "Smart contract security is essentially an extremely asymmetric game—defenders must fix all vulnerabilities, while attackers only need to find one to steal funds." As AI begins to exponentially enhance attack efficiency, this asymmetry is rapidly becoming unbalanced.

AI coding agents can compress issues that previously took top white-hat teams weeks to discover into a matter of minutes, even autonomously generating attack scripts from publicly available protocol code. Coming from the co-founder of one of the industry's most mainstream security auditing companies, this pessimistic judgment serves as a signal: the security industry itself is becoming aware that the existing defense framework is facing systemic failure.

II. The Ongoing Spread of Regulatory Pressure

As the security crisis deepens, regulatory forces are also continuously exerting pressure on both on-chain and off-chain dimensions.

On May 26, the UK government placed the cryptocurrency exchange HTX on its sanctions list against Russia, marking the first time it has used Regulation 17A to impose sanctions on a cryptocurrency exchange. The UK accused HTX of handling $3.3 trillion in transactions in 2025, allegedly providing financial services to the sanctioned A7 payment network and the Russian exchange Garantex.

The chain reaction triggered by the sanctions quickly spread. As several mainstream AML companies listed HTX's exchange address as a high-risk address, many exchanges using its AML system tightened their transaction reviews related to HTX-associated addresses, leading to numerous HTX users experiencing issues with asset withdrawals to other exchanges.

The HTX incident reveals a deeper dilemma: under a complex geopolitical landscape, a single sanction initiated by regulators can trigger an expanding chain effect on-chain, ultimately affecting the funds of countless ordinary users. An HTX user may be completely innocent in holding assets, but due to the platform's potential compliance risks, they may encounter the entire AML system's "firewall" when attempting to withdraw to other exchanges, resulting in funds being frozen or indefinitely delayed.

In fact, the HTX incident is just the tip of the iceberg of regulatory pressure. What truly constrains DeFi innovation at a deeper level is the legal characterization of the underlying business models of protocols by regulatory agencies.

Over the past two years, the U.S. SEC has launched investigations into "blue chip" DeFi protocols such as Compound, Uniswap, and Curve, focusing on whether governance tokens constitute unregistered securities. More direct blows come from the yield-bearing token sector—the SEC's enforcement actions against products like Gemini Earn indicate that as long as a protocol pays users passive interest based on deposits, it is easily classified as an investment contract, triggering registration and disclosure obligations under the Securities Act.

This legal ambiguity and high-pressure environment directly stifle the most imaginative directions of DeFi innovation: from liquidity mining to structured yield products, developers must constantly worry about whether their token economic models cross regulatory red lines.

In a sense, the "permissionless" nature that DeFi initially emphasized is gradually evolving into another form of "permission system." This "permission" does not come from a specific company or protocol, but from every link in the regulatory compliance chain: AML lists, exchange risk control engines, the long-arm jurisdiction of securities laws, and so on.

III. DeFi Enters a Realist Phase

Looking back at the ups and downs of DeFi over the past few years, the security dilemmas and regulatory pressures of DeFi do not exist independently. The lack of a clear regulatory framework makes it difficult to establish industry consensus on security standards; the frequent occurrence of security incidents, in turn, provides the most direct justification for global regulatory agencies to tighten enforcement; and the accelerating security asymmetry in the AI era, combined with gradually tightening compliance thresholds, ultimately intertwines to push countless ordinary users to the center of the storm.

Essentially, the boundaries of security auditing and the rigidity of regulatory compliance are continuously eroding the two core assumptions upon which DeFi stands—"code is law" and "permissionless freedom."

Today, users bear higher technical risks than in traditional finance, yet may not gain more freedom than in traditional finance. This is precisely why many market participants are confused. They find that DeFi is neither as safe as banks nor as completely open as initially promised.

When a system simultaneously loses both security premiums and freedom premiums, its growth logic will naturally be challenged. Therefore, the question may not be "Did hackers and regulators destroy DeFi?"

More accurately, hackers and regulators have simply forced the industry to confront reality. Hackers have made people realize that code does not inherently create trust; regulators have made people aware that the on-chain world has never operated as a parallel universe detached from the real world.

This does not mean the failure of DeFi. On the contrary, it signifies that this experiment is transitioning from an idealistic phase to a realist phase.

DeFi is not being destroyed by hackers or regulators. It is being redefined by the survival laws shaped by both: the future of DeFi must either move towards stricter industry self-regulation and compliance frameworks, forced to compromise on decentralization principles; or gradually lose market confidence in the ongoing imbalance of offense and defense, leading to long-term marginalization.

