12 DeFi Protocols Hit After $280M Drift Exploit
At least 12 DeFi protocols and exchanges were attacked in two weeks after the $280 million Drift Protocol exploit, including Rhea Finance ($7.6M) and Grinex ($13.7M).
At least 12 decentralized finance protocols and crypto businesses were targeted in just over two weeks after the April 1 exploit of Drift Protocol, which lost about $280 million. Recent victims include Rhea Finance, the Grinex exchange, CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, the Binance Smart Chain TMM pool, Aethir, MONA and Zerion.
Rhea Finance reported that an attacker “leveraged a vulnerability in Rhea’s Margin Trading feature to execute a coordinated pool manipulation attack,” affecting the Rhea Lend smart contract. Blockchain security firm CertiK estimated the loss at about $7.6 million and noted, “The attacker created fake token contracts and added liquidity in fresh pools, likely misleading the oracle and validation layer.”
The Grinex exchange suspended operations after reporting a $13.7 million theft and blamed “unfriendly states” for the incursion.
Other specific incidents in early April include about $1.67 million taken from a BSC TMM/USDT liquidity pool in a reserve manipulation attack; Dango losing $410,000 from a smart contract bug on April 13; Silo Finance losing $392,000 on April 3 through a misconfigured oracle exploit; and Aethir suffering a $423,000 loss on April 9 due to an access control exploit. Industry data show attackers took more than $168.6 million from 34 DeFi protocols in the first quarter of 2026.
Investigations are ongoing. Development and security teams have patched vulnerabilities, paused affected contracts or suspended services while forensic work continues. Several projects issued advisories to users about compromised wallets and steps to limit exposure.
Security researchers and law enforcement reported increased use of social engineering and AI-assisted techniques in recent breaches. The Drift Protocol and Zerion incidents were cited as examples where adversaries used AI tools to craft messages and obtain credentials.
Industry participants called for stronger audit practices, more conservative oracle configurations and tighter access controls for administrative keys as teams continue emergency responses and probes.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
