👋 Welcome to the April Edition
April was the worst month in crypto history by incident count. 28 breaches. $635M stolen. Nearly one attack every 26 hours. Two Lazarus operations alone accounted for 92% of losses, not through code exploits but through compromised humans, poisoned infrastructure, and admin keys with no guardrails.
The pattern across every major incident this month was the same: the contracts worked fine. Everything around them didn't.
On the research side, we published five pieces mapping exactly this gap, from why stacking audits doesn't equal multilayer security, to the full Lazarus playbook, to why your deployer wallet may be your biggest unaddressed vulnerability. We broke down every major April exploit as it happened, from Drift's social engineering operation to Kelp DAO's RPC poisoning to the string of admin key compromises that bookended the month.
Beyond research, we joined the Ethereum Foundation's $1M security subsidy program for mainnet builders, hosted a live session dissecting the Drift hack, and had @ParthoRoyC on stage at the Rekt News panel at EthCC. We're also heading to New York for a closed-door security roundtable during ETHConf on June 11.
Here's the full April roundup: research, exploits, community, and what's next.
From the Quill Research Desk
April's research kept landing on the same conclusion: the attack surface has moved well beyond the smart contract, and most security models haven't followed.
Multiple Audits ≠ Multilayer Security. Stop Paying for 3 Audits: Cetus had three audits. Balancer had eleven. Drift had two. All three lost hundreds of millions to attack surfaces their audits never touched. Stacking reviews from the same firm is one layer repeated, not three. The actual defense combines manual review, fuzzing, AI analysis, OpSec review, and monitoring. In 2025, 89 incidents cost $2.54B. Those protocols weren't unaudited. They confused audited with secure.
The Admin Audit Checklist: $2B lost from Bybit, Drift, Radiant, and Resolv, with zero code bugs across all four. We published a structured checklist covering the 70% of attack surface a standard smart contract audit doesn't reach: multisig thresholds, key storage, upgrade timelocks, signer hardware, and operational procedures. A clean report means your code is fine. It says nothing about your admin setup.
North Korea Stole $7.5 Billion From Crypto. Here's Their Playbook: $577M drained in 18 days. Two completely different vectors. One group. We mapped Lazarus Group's five-phase playbook across a decade of escalating crypto heists, from fake recruiter outreach and supply chain infiltration to RPC poisoning and UI spoofing. They don't repeat techniques. The attack surface keeps moving. Most defenses don't.
DVN Configuration Risk in LayerZero OApps: 90 days of live data, 3,666 OApps, 2,246,770 messages. 45.6% of the ecosystem runs at min=0 or min=1, the identical configuration to the protocol that lost $292M on April 18. Five protocols had literally one DVN signer across every message for the full period. 98.2% of all traffic ignores the optional layer entirely. The fix is one config line. The analysis names protocols, shows market caps, and explains why min=2 still isn't enough if both operators share RPC infrastructure.
Your Deployer Wallet Is a 0-Day Vulnerability: Wintermute lost $160M because its admin address was generated by a broken vanity wallet tool five days after a public disclosure about that exact tool. The contracts executed perfectly. We catalogued every major attack vector targeting deployer wallets: private key leaks, supply chain exploits, compromised CI/CD pipelines, and physical access risks. The most consistently under-secured address most teams have is also the one that controls everything.
Hack Watch
April 2026: 28 breaches, $635M stolen, one incident every 26 hours. The worst month by incident count in crypto history. Two Lazarus operations alone took $578M, 92% of all losses.
Drift Protocol: $285M, Solana, Apr 1, Social Engineering. Six months of trust-building, twelve minutes of execution. North Korean operatives befriended Drift's Security Council, got multisig signers to unknowingly pre-authorize withdrawals via Solana's durable nonce, then waited for a zero-timelock migration to pull the trigger. 31 pre-signed transactions. The contracts were perfect. The humans weren't.
Kelp DAO: $292M, Ethereum, Apr 18, RPC Poisoning. Lazarus didn't touch the code. They DDoS'd legitimate nodes until the DVN failed over to infrastructure they controlled, then fed it a lie. LayerZero's single verifier believed it, signed it, and 116,500 rsETH appeared from nothing. That rsETH went into Aave as collateral. $236M in real WETH came out. The malicious nodes self-destructed and took the logs with them.
Rhea Finance: $18.4M, NEAR, Apr 16, Slippage Logic Flaw. A quiet exploit across 423 wallets, draining reserves through a pricing flaw at the core of the DEX. Not novel, not sophisticated. Just a bug that shouldn't have survived deployment. Most of the funds were recovered.
Volo Protocol: $3.5M, Sui, Apr 21, Compromised Admin Key. Someone socially engineered their way to a privileged vault admin key and used it to drain three vaults clean. The remaining $28M TVL across other vaults was untouched. The Sui Foundation froze $2M. The WBTC bridge attempt was intercepted.
Aftermath Finance: $1.14M, Sui, Apr 29, Signed Integer Overflow. Anyone could register as an integrator. The attacker did, set max_taker_fee = 0, then injected a fee value that read as positive under u256 but flipped deeply negative under signed settlement math. The vault overflowed. Phantom collateral unlocked. Real USDC drained. Eleven times. One missing bounds check was the entire gap.
Wasabi Protocol: $5.9M, Four Chains, Apr 30, Compromised Admin Key. One EOA held god-mode access over every vault across Ethereum, Base, Blast, and Berachain simultaneously. The attacker got the key, granted themselves admin on the PerpManager, deployed a fake strategy, and fired a single multicall that hit everything at once. No multisig. No timelock. The month ended exactly how it started.
TMM Pool: $1.66M, BSC, Apr 5, Flash Loan and LP Manipulation. Eleven hours of quiet LP accumulation across 44 wallets, then one atomic transaction. 276M BSC-USD flash-loaned, liquidity removed, pool depleted, $1.66M extracted and bridged to Ethereum within hours. Methodical, patient, and entirely on-chain.
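The DVN configuration finding above and the Kelp DAO entry describe the same weakness from two sides: a required-verifier threshold of 0 or 1, and verifiers that only look independent because they sit on the same RPC infrastructure. The following is an added example, not code from LayerZero, Kelp DAO or QuillAudits, showing how a team can check its own OApp configuration for both conditions before an incident does. The data model (DVN names, RPC provider names, the OAppConfig fields) and the sample configurations are constructed assumptions for illustration.

```python
"""Added example: audit a constructed OApp verifier configuration for a weak
required-DVN threshold and for DVNs that share RPC infrastructure.
Not LayerZero's or any protocol's code; all names and data are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DVN:
    name: str
    rpc_providers: frozenset  # upstream node providers this verifier reads chain state from


@dataclass
class OAppConfig:
    app: str
    required: tuple            # DVNs that must all attest; len() is the "min" threshold
    optional: tuple = ()
    optional_threshold: int = 0


def infrastructure_groups(dvns):
    """Group verifiers that share at least one RPC provider.

    If two DVNs read from the same provider, degrading or poisoning that provider
    (the text describes honest nodes being DDoS'd until a verifier failed over)
    influences both of them, so they count as one failure domain, not two.
    """
    groups = []
    for dvn in dvns:
        touching = [g for g in groups
                    if any(dvn.rpc_providers & other.rpc_providers for other in g)]
        merged = {dvn}
        for g in touching:
            merged |= g
            groups.remove(g)
        groups.append(merged)
    return groups


def assess(cfg: OAppConfig):
    """Return a list of findings for one OApp configuration (empty list = none)."""
    findings = []
    n = len(cfg.required)
    if n == 0:
        findings.append("min=0: no required DVN, verification rests on the optional set only")
    elif n == 1:
        findings.append("min=1: a single required DVN is a single point of failure")
    groups = infrastructure_groups(cfg.required)
    if n >= 2 and len(groups) < n:
        findings.append(f"{n} required DVNs but only {len(groups)} independent "
                        f"RPC infrastructure group(s); min={n} is weaker than it looks")
    if cfg.optional and cfg.optional_threshold == 0:
        findings.append("optional DVNs configured but threshold is 0: they are never consulted")
    return findings


# Constructed sample data: three verifiers, two of which share "provider-x".
DVN_A = DVN("dvn-a", frozenset({"provider-x"}))
DVN_B = DVN("dvn-b", frozenset({"provider-x", "provider-y"}))
DVN_C = DVN("dvn-c", frozenset({"provider-z"}))

SAMPLE_CONFIGS = {
    "single":      OAppConfig("app-single", required=(DVN_A,)),
    "shared":      OAppConfig("app-shared", required=(DVN_A, DVN_B)),
    "independent": OAppConfig("app-independent", required=(DVN_A, DVN_C)),
    "unused-opt":  OAppConfig("app-unused-opt", required=(DVN_A, DVN_C),
                              optional=(DVN_B,), optional_threshold=0),
}

if __name__ == "__main__":
    for label, cfg in SAMPLE_CONFIGS.items():
        print(label, assess(cfg) or ["ok"])
```

The grouping step is the part worth keeping: a threshold check alone would pass "app-shared" as min=2, while the infrastructure view shows it has exactly one failure domain, which is the situation the research piece warns about.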
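The Aftermath entry turns on one arithmetic fact: a large unsigned value and a negative signed value can be the same 256 bits. The following added example, not Aftermath Finance's or Sui's code, shows the reinterpretation in plain Python and the bounds check that a settlement path needs before any fee reaches signed arithmetic. The function names, the toy settlement formula and the numbers are constructed for illustration and do not reproduce the protocol's actual logic.

```python
"""Added example: why a valid u256 fee can become a negative signed fee, and the
bounds check that closes the gap. Constructed illustration, not protocol code."""

U256_MAX = 2**256 - 1
I256_MAX = 2**255 - 1


def to_i256(value: int) -> int:
    """Reinterpret the bits of an unsigned 256-bit value as two's complement.

    Any unsigned value with the top bit set (>= 2**255) comes out negative,
    which is what signed settlement math effectively does to the raw bits.
    """
    if not 0 <= value <= U256_MAX:
        raise ValueError("not a u256")
    return value - 2**256 if value >= 2**255 else value


def settle_unchecked(collateral: int, fee: int) -> int:
    """Toy of the faulty path: deduct a fee that is treated as signed.

    A fee that flips negative is *added* to collateral instead of deducted,
    i.e. phantom collateral appears.
    """
    return collateral - to_i256(fee)


def validate_fee(fee: int, max_fee: int) -> int:
    """Hardened path: reject anything that is not a small non-negative fee.

    The order matters: range-check the unsigned value first, then refuse values
    that would go negative under signed interpretation, then apply the
    configured cap. A cap of 0 (max_taker_fee = 0 in the incident) must still
    reject a huge unsigned value rather than compare it after sign conversion.
    """
    if not 0 <= fee <= U256_MAX:
        raise ValueError("fee is not a u256")
    if fee > I256_MAX:
        raise ValueError("fee would be negative when interpreted as signed")
    if fee > max_fee:
        raise ValueError("fee exceeds configured maximum")
    return fee


def settle_checked(collateral: int, fee: int, max_fee: int) -> int:
    """Settlement that only ever subtracts a validated fee."""
    return collateral - validate_fee(fee, max_fee)


if __name__ == "__main__":
    # Constructed numbers: 2**256 - 500 is a perfectly valid u256 ...
    print(to_i256(2**256 - 500))             # ... but reads as -500 when signed
    print(settle_unchecked(1000, 2**256 - 500))  # collateral grows to 1500
    try:
        settle_checked(1000, 2**256 - 500, 0)
    except ValueError as err:
        print("rejected:", err)
```

The point for reviewers is the middle check in validate_fee: a cap alone is not a bounds check if the comparison happens after (or is bypassed by) the sign conversion, and it is that single missing check the entry above describes.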
April attack frequency is up 68% year-over-year. North Korea's cumulative crypto theft now exceeds $8B since 2017. Read the full April 2026 hack report and track the live incident log on QuillMonitor.
QuillAudits Stats
A quick look at our April audit activity and how we helped secure the Web3 ecosystem.
Where to Find Us Next
We're heading to New York.
QuillAudits Security Roundtable at ETHConf NYC: June 11, 9:00 AM to 11:00 AM, NYC (private venue)
A closed-door, invite-only security roundtable for senior technical leaders building and securing blockchain infrastructure. The session focuses on real-world protocol failures, recent exploit deep dives, and defensive security design drawn from QuillAudits' ongoing audit and investigation work across DeFi, infrastructure, and application-layer protocols.
Structured for peer-level, off-the-record dialogue. No panels, no open networking, just candid conversations among people navigating the same challenges.
Built for CTOs, Blockchain Leads, Heads of Engineering, Security Researchers, Auditors, and Protocol Architects. Seats are extremely limited and each invite is personally confirmed.
If you're building or securing Web3 infrastructure and will be in New York during ETHConf week, register to request your spot.
Community Highlights
April brought a major subsidy program, a live spaces session on the month's biggest hack, a Rekt panel, a hackathon partnership, and an AI collaboration.
Ethereum Security Subsidy Program
QuillAudits joined the Ethereum Security Subsidy Program, a joint initiative with the Ethereum Foundation's Trillion Dollar Security Initiative, bringing $1M in audit subsidies to Ethereum mainnet builders. For early-stage teams that couldn't afford quality security pre-revenue, this removes the excuse. If you're building on Ethereum mainnet.
[Embedded post from @QuillAudits_AI, Apr 14, 2026]
Live Space: Breaking Down the $285M Drift Hack
We hosted a live session with @saxenism and @Schnilch walking through what actually happened at Drift and what most post-mortems were still missing. The core takeaway: this wasn't a smart contract problem. It was a trust and identity problem around privileged access. The attack surface was human.
[Embedded post from @QuillAudits_AI, Apr 17, 2026]
Rekt Panel at EthCC Security Summit
@ParthoRoyC joined Patrick Collins, @d0rsky from HackenProof, and @MitchellAmador from Immunefi on a Rekt News panel. Patrick's line from the room summed it up: "We have God's gift to mankind, a security stack good enough to support trillions in capital flows. And nobody uses it."
Colosseum Hackathon Audit Partnership
QuillAudits partnered with teams across the Colosseum Frontier Hackathon to offer builders 10-25% off audits. Security shouldn't be the thing you figure out after you ship.
[Embedded post from @QuillAudits_AI, Apr 29, 2026]
Wanna partner up w/ us or want to get your project audited?
Have a great day,
Team QuillAudits