Hard Code, Soft Edges
by Quinn Papworth
DeFi is not failing at the protocol level. It is failing at the join—and the machines now testing those joins are getting cleverer and cheaper by the month.
- Why it matters — Capital, institutions and now autonomous software are flowing onchain. The losses that follow are no longer crude code breaks; they are operational failures dressed in valid transactions, which makes them harder to insure against and easier to repeat.
- How it happens — April bled roughly $650m, led by two nine-figure heists that touched no smart-contract bug at all. May fell almost 90% to $68m, yet bridges, single verifiers and stolen keys still did the damage. The attack surface has migrated from the contract to the scaffolding around it.
- What to do — Treat redundancy, key discipline and human-in-the-loop checks as the security model, not the audit certificate. For the new class of wallet-holding AI agents, assume the prompt is the new private key—and scope it accordingly.
A reprieve, not a reform
May was, by the grim arithmetic of this industry, a good month. CertiK, a security firm that keeps the running tally, counted some $68.3m lost to exploits across roughly thirty incidents—a fall of nearly 90% from April’s $650m, and the third month of 2026 to stay below the psychologically tidy $100m line. After a spring of carnage, the market exhaled.
It should not exhale for long. Strip away the headline relief and the texture of the losses tells a more stubborn story. Cross-chain bridges were again the single most-targeted venue, accounting for $28.6m, or 42% of the month’s total. The largest single incident, an $11.5m drain of the Verus Protocol bridge in mid-May, was a bridge failure; THORChain shed roughly $10m and halted trading; and the month closed, almost ritually, with two more bridge thefts on May 30th—Alephium and Gravity—both traced to compromised private keys rather than faulty logic. Of DeFiLlama’s count, seven of the month’s incidents were key compromises outright. The most expensive failures of 2026 have not been broken contracts. They have been broken assumptions about who, or what, gets to authorise a transaction.
The code rarely breaks. The scaffolding does.
Consider the year’s defining heist. On April 18th an attacker drained around $292m from Kelp DAO, a liquid-restaking protocol—the largest DeFi loss of 2026, and a near-perfect illustration of where the real fragility lies. Not one line of Kelp’s smart-contract code was broken. Chainalysis, picking through the wreckage, found that every onchain transaction looked entirely legitimate, which is precisely why conventional monitoring missed it.
The fault sat in the plumbing. Kelp’s cross-chain bridge, built atop LayerZero’s messaging infrastructure, relied on a single verifier—a 1-of-1 configuration, in which one node alone checks incoming messages before funds are released. The attackers, later linked to North Korea’s Lazarus Group, did not break the cryptography. They compromised internal node infrastructure and used a denial-of-service attack to force a failover, then fed the lone verifier a phantom message attesting to a burn that never happened. The contract did exactly what it was told. It released 116,500 rsETH—about 18% of the token’s entire supply.
What followed was the more instructive part. The loss did not stay contained. As the attacker pledged stolen rsETH as collateral, Aave’s lending markets seized; utilisation of a core pool spiked to 100%, depositors found themselves unable to withdraw, and on a net basis users yanked some $6.2bn from Aave alone within two days. SparkLend and Fluid froze their rsETH markets. A single mis-configured verifier had propagated, within hours, into a system-wide liquidity scare. Kelp has since migrated its token to a different cross-chain standard; LayerZero and Kelp spent the following weeks disputing who approved the fatal setup, with onchain data suggesting that nearly half of LayerZero’s active applications had been running the same risky single-verifier arrangement at the time.
The catastrophic failures of 2026 cluster not in the contracts but at the joins—the bridges, the verifiers, the keys and the humans holding them.
It was not an isolated lesson. Drift, a Solana-based perpetuals venue, lost roughly $285m on April 1st in another Lazarus-attributed operation; a string of smaller protocols—CoW Swap, Zerion, Rhea, Silo—were picked off in the weeks between. The pattern is consistent enough to constitute a thesis. Decentralised finance’s adversaries have largely stopped attacking the part of the stack that has been audited, formally verified and battle-tested across a decade. They attack the connective tissue instead: the off-chain relayers, the admin keys, the multisig signers, the bridge verifiers and the people who hold the credentials. The code is the fortress; the breaches come through the gates someone left propped open.
This is, oddly, a reason for measured confidence rather than despair. A protocol-level flaw is an indictment of the technology. An operational failure is a failure of discipline—and discipline is improvable. It is also, crucially, a failure that traditional finance shares; banks suffer insider thefts and credential compromises too. The difference is that DeFi’s version plays out in public, in real time, on a ledger anyone can audit—which is why Arbitrum was able to freeze some $75m of the Kelp loot before it could move. Transparency is not a vulnerability here. It is the closest thing the ecosystem has to a fire alarm.
The same engine, pointed both ways
Into this landscape arrives artificial intelligence, and it arrives—as these things do—on both sides of the ledger at once. For attackers, the economics have inverted. CertiK now expects AI-generated deepfakes and phishing to drive the next wave of major losses, shifting the locus of risk from the contract to the credulous human in front of it. The numbers already bend that way: phishing losses jumped more than 200% in 2026, with attackers abandoning spray-and-pray for patient “whale-hunting” of wealthier marks.
The toolkit has matured beyond clumsy emails. Generative models now produce convincing fake support agents, cloned voices, and video impersonations good enough to survive a live call; so-called agentic systems can scan smart contracts for exploitable patterns and draft working exploit code at machine speed, compressing the window between a vulnerability’s discovery and its abuse. In May, security trackers noted a rise in AI-assisted malware aimed squarely at the supply chain—compromising code repositories and attempting to dupe the AI coding assistants that developers increasingly trust. The crude tell-tales that email filters were trained to catch have, for practical purposes, been priced out of existence.
The same capability cuts the other way. Defenders deploy anomaly detection and real-time risk scoring; bug-bounty submissions have surged as researchers race the bots; and a brisk market in transaction simulators now lets users see what a signature will actually do before they authorise it. This is an arms race in the literal sense—each side compounding the other’s pace. The honest conclusion is not that AI makes DeFi unsafe, but that it raises the metabolic rate of the whole contest. Attacks get cheaper and faster; so must defences.
When the wallet holds the keys to itself
The most genuinely novel risk, though, is not AI as a weapon but AI as a principal. The agentic economy that this fund has written about before—software paying software through rails such as Coinbase’s x402 protocol—requires autonomous programs to hold funds, sign transactions and act without a human in the loop. That premise turns a language model’s input channel into something it has never been: a vector to an irreversible payment.
The proofs of concept have already become losses. On May 4th, an attacker hid an instruction in Morse code inside a reply on X; an AI agent with wallet permissions decoded it and obligingly moved roughly $200,000 of tokens on Base to the attacker’s address. No password was phished, no key stolen, no contract broken. The model was simply persuaded. Researchers have separately documented “LLM routers”—intermediaries between users and models—covertly injecting malicious tool calls, in one case draining $500,000 from a client’s wallet. At Step Finance, a compromised executive’s device fed poisoned context to connected trading agents, which then drained treasury funds through protocols that had granted them far too much latitude.
The vocabulary is new—prompt injection, tool hijacking, privilege creep, memory poisoning, in which a dormant instruction is seeded into an agent’s long-term store and triggered weeks later—but the failure mode is the familiar one, dressed for the occasion. It is, once again, an authorisation problem at the seam, not a break in the underlying chain. The instruction is the new private key, and most systems are still treating it like idle text.
Encouragingly, the crypto-native answer is taking shape, and it is the right one: constrain the agent rather than trust it. Session keys grant scoped, temporary, revocable permissions; standards such as EIP-7702 let an agent transact without ever touching the master key; multisig thresholds reassert human approval above a set size; and a clutch of agentic-wallet frameworks now cryptographically prevent a compromised model from signing anything outside a pre-approved envelope, however sweetly it is asked. The principle is old custody wisdom rebuilt for a new kind of custodian: never give the actor more authority than the task strictly requires.
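A minimal sketch of such a pre-approved envelope, added here as an illustration and not taken from any wallet framework or from EIP-7702: the gate decides from the session key's policy and the transaction fields alone, so nothing the model was told can widen it. All names (`SessionKey`, `TxRequest`, `authorise`), addresses and amounts are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical names throughout; not any wallet framework's or standard's API.
@dataclass
class SessionKey:
    allowed_recipients: frozenset  # pre-approved destination addresses
    per_tx_cap: int                # hard ceiling per transfer, smallest units
    total_budget: int              # lifetime spend allowed for this key
    human_approval_above: int      # larger transfers need a human co-sign
    expires_at: int                # unix seconds
    spent: int = 0
    revoked: bool = False

@dataclass(frozen=True)
class TxRequest:
    recipient: str
    amount: int

def authorise(key, tx, now, human_approved=False):
    """Return (allowed, reason) from the key policy and transaction fields only."""
    # The model's prompt and context are deliberately not inputs here.
    if key.revoked:
        return False, "key revoked"
    if now >= key.expires_at:
        return False, "key expired"
    if tx.recipient not in key.allowed_recipients:
        return False, "recipient not in allowlist"
    if tx.amount <= 0 or tx.amount > key.per_tx_cap:
        return False, "amount outside per-transaction cap"
    if key.spent + tx.amount > key.total_budget:
        return False, "session budget exhausted"
    if tx.amount > key.human_approval_above and not human_approved:
        return False, "human approval required"
    key.spent += tx.amount  # record spend only once the transfer is allowed
    return True, "ok"

def demo():
    # Constructed sample values; addresses are placeholders.
    key = SessionKey(frozenset({"0xVENDOR"}), per_tx_cap=500, total_budget=800,
                     human_approval_above=200, expires_at=1_000)
    requests = [
        (TxRequest("0xVENDOR", 150), 10, False),    # routine payment
        (TxRequest("0xUNKNOWN", 150), 11, False),   # destination outside the envelope
        (TxRequest("0xVENDOR", 400), 12, False),    # above the human threshold
        (TxRequest("0xVENDOR", 400), 13, True),     # same, with human co-sign
        (TxRequest("0xVENDOR", 300), 14, True),     # would exceed the budget
        (TxRequest("0xVENDOR", 50), 1_000, False),  # after expiry
    ]
    return [authorise(key, tx, now, ok)[1] for tx, now, ok in requests]
```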
Discipline as the product
If the failures of 2026 share a root, so does the remedy, and it is unglamorous: redundancy and least privilege, applied relentlessly at every join. At the protocol level, the year’s post-mortems write the brief themselves. Single verifiers are single points of failure; the Kelp loss is what a 1-of-1 configuration costs at scale. Bridges that depend on trusted intermediaries rather than full verification will keep being the soft target they have been since 2022. Admin keys should be minimised, time-locked or decentralised, so that no compromised signer can move size unilaterally. Monitoring should watch the off-chain infrastructure—the relayers and nodes—and not merely the contracts, because that is where the valid-looking thefts originate. And insurance or recovery mechanisms should be assumed necessary, not optional.
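The single-verifier point, as an added example that is not LayerZero's or Kelp's code: a quorum check in which a message attested by one compromised verifier passes a 1-of-1 setup but fails 2-of-3. HMAC tags stand in for verifier signatures so it runs offline; the verifier names, keys and message layout are constructed.

```python
import hashlib
import hmac

# HMAC tags stand in for verifier signatures so the example runs offline;
# verifier names, keys and the message layout are constructed for illustration.

def attest(verifier_key: bytes, message: bytes) -> bytes:
    return hmac.new(verifier_key, message, hashlib.sha256).digest()

def validate_config(verifier_keys: dict, threshold: int) -> None:
    """Refuse configurations in which one verifier alone can release funds."""
    if threshold < 2 or threshold > len(verifier_keys):
        raise ValueError("threshold must be between 2 and the number of verifiers")

def quorum_met(message: bytes, attestations: dict, verifier_keys: dict,
               threshold: int) -> bool:
    """True when at least `threshold` distinct known verifiers attest to `message`."""
    valid = set()
    for verifier_id, tag in attestations.items():
        key = verifier_keys.get(verifier_id)
        # Unknown verifiers and tags over a different message do not count.
        if key is not None and hmac.compare_digest(tag, attest(key, message)):
            valid.add(verifier_id)
    return len(valid) >= threshold

def demo():
    keys = {"v1": b"k1-constructed", "v2": b"k2-constructed", "v3": b"k3-constructed"}
    genuine = b"burn|src=chainA|amount=100|nonce=7"
    phantom = b"burn|src=chainA|amount=116500|nonce=8"  # no such burn occurred
    # Assumption: only v1 is compromised, so only v1 attests to the phantom message.
    phantom_att = {"v1": attest(keys["v1"], phantom)}
    genuine_att = {v: attest(k, genuine) for v, k in keys.items()}
    return {
        "1of1_accepts_phantom": quorum_met(phantom, phantom_att, {"v1": keys["v1"]}, 1),
        "2of3_accepts_phantom": quorum_met(phantom, phantom_att, keys, 2),
        "2of3_accepts_genuine": quorum_met(genuine, genuine_att, keys, 2),
        "replayed_tag_rejected": not quorum_met(phantom, genuine_att, keys, 2),
    }
```

Running `validate_config` at deployment time turns the 1-of-1 arrangement into a refused configuration rather than a runtime surprise.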
From a sufficient altitude, the shape of the year is reassuring. The protocol layer that critics have spent a decade predicting would collapse has, on the whole, not collapsed; the worst losses of 2026 came not from broken cryptography but from single verifiers, stolen credentials and—increasingly—machines talked into doing the wrong thing. These are operational problems, and operational problems yield to discipline in a way that fundamental ones do not. The fall from $650m in April to $68m in May is not a fluke; it is what happens when an industry is forced, expensively, to learn.
The harder truth sits alongside it. Each layer the ecosystem adds—bridges to connect chains, agents to automate them, AI to accelerate everything—adds a new seam, and the seams are where value leaks. The maturation now under way is not the elimination of risk but its migration up the stack, from the contract to the configuration to the conversation. Whoever secures the newest join fastest will define the next era of onchain finance. On the evidence of 2026, the technology is sound, the transparency is a genuine edge, and the remaining work is the kind that gets done by people who have stopped mistaking the audit for the answer. Safer finance, in the end, will be the most disciplined.