- DeFi exploits exceeded $775 million in 2026, with KelpDAO, Drift, and Step Finance being the toughest hit.
- KelpDAO and Drift alone accounted for $577 million in losses as a result of bridge and oracle assaults.
- Non-public key compromise stays a serious danger in DeFi, together with bridge and oracle exploits.
Based mostly on the numbers offered, DeFi exploits triggered greater than $775 million in losses in 2026. KelpDAO, Drift, and Step Finance posted the largest incidents. Non-public key compromise additionally emerged as a significant factor behind a number of assaults.
The highest 10 checklist contains KelpDAO, Drift, Step Finance, Truebit, Resolv, Rhea Finance, Grinex, SwapNet, YieldBlox, and Saga. These incidents arose from several types of assaults. These embody bridge exploits, oracle manipulation, key compromise, authorization abuse, insider exfiltration, and extra.
sauce: ×
Prime DeFi Exploits of 2026
KelpDAO took first place with a lack of $292 million. Attackers focused the rsETH bridge and exfiltrated funds.
The identical doc connects the KelpDAO rsETH exploit to the presently high-profile $5 billion Aave liquidity disaster. He additionally stated Bridge and Oracle proceed to trigger losses. The report additionally states that losses are on observe to exceed $3 billion by the tip of 2026.
Drift got here in second with a lack of $285 million. The attacker used oracle manipulation and included a pretend token. This exploit positioned Drift simply behind KelpDAO within the 2026 rankings.
Step Finance remained in third place after dropping almost $40 million. The attacker has compromised the platform’s non-public key. The incident has introduced much more consideration to main safety failures in DeFi this 12 months.
Truebit took fourth place with a lack of roughly $26.4 million. The reported trigger was a bug within the good contract. This makes it the biggest contract-related exploit within the high part of the checklist.
Small-scale DeFi abuses will improve losses in 2026
Resolv got here in fifth place with a lack of $25 million. The exploiter compromised the platform’s AWS KMS keys.
Uncommon Finance got here in sixth place with a lack of $18.4 million. The exploit concerned oracle manipulation and pretend tokens.
Greenex ranked seventh with a lack of $13.7 million. The reported trigger was an exit rip-off or insider leak. This case was completely different from the bridge, oracle, and first exploits seen elsewhere on the checklist.
SwapNet misplaced $13.4 million and got here in eighth place. The attackers exploited authorization to extract funds. YieldBlox incurred $10.2 million in losses associated to collateral and oracle manipulation.
Saga completed within the high 10 with a lack of $7 million. The reported trigger was a bridge exploit. It recorded the smallest loss among the many listed DeFi circumstances.
This quantity exhibits that the best injury occurred from a small variety of platforms. Within the breakdown offered, KelpDAO and Drift alone account for almost all of the reported losses. The entire quantity for each initiatives reached $577 million.
Associated: $293M KelpDAO rsETH exploit freezes 9 DeFi protocols
Disclaimer: The knowledge contained on this article is for informational and academic functions solely. This text doesn’t represent monetary recommendation or recommendation of any type. Coin Version just isn’t answerable for any losses incurred because of using the content material, merchandise, or companies talked about. We encourage our readers to do their due diligence earlier than taking any motion associated to our firm.