TL;DR

  • The DeFi sector has recorded losses of over $600 million so far in 2026
  • Kelp DAO was subjected to an exploit that sent the sector's total value locked (TVL) to its lowest level in twelve months
  • Attack vectors are shifting: social engineering and phishing are taking over where pure code vulnerability previously dominated
  • Neither security audits nor bug bounty programs alone are sufficient protection

Kelp DAO Attack Sets New Course for TVL

A serious security breach against the DeFi protocol Kelp DAO in April 2026 has contributed to the sector's total TVL falling to its lowest point in a year. The attack comes at a time when DeFi losses since the new year have already accumulated to over $600 million, according to CryptoNews.

Kelp DAO is a restaking protocol that allows users to lock in liquid staking tokens to generate returns. The specific details surrounding the exploit mechanism have not yet been fully confirmed by independent investigators, and further technical details should be treated with caution until a thorough post-mortem is available.

Over $600 million in DeFi losses in under four months — and attackers are increasingly targeting people, not code.

DeFi Losses Surpass $600 Million After Kelp DAO Exploit

Losses Accelerate in 2026

The background to the incident is grim: the crypto industry as a whole had already accumulated losses of $1.74 billion by the end of April 2025 — four times more than in the same period a year earlier, according to research data. The trend does not appear to be reversing.

  • $600M+: DeFi losses to date in 2026
  • 62%: fewer exploits in protocols with ongoing security measures vs. one-off audits

Particularly concerning is the shift in attack patterns. While code-based smart contract exploits fell by a full 89 percent year-over-year in the first quarter of 2026, phishing and social engineering accounted for approximately $306 million in losses during the same period — almost two-thirds of the total, according to security research data.

Audits Are Not Enough

The DeFi security industry has grown significantly. The market for smart contract security was estimated at around $467 million in 2024, with an expected annual growth rate of nearly 25 percent towards 2033. Nevertheless, figures show that audits are no guarantee.

Analyses of over 8,000 audit reports from the period 2020 to 2023 found little evidence that audits themselves reduce the number of successful attacks afterward. A central weakness is that audits are snapshots — they do not capture changes in code, governance, or administration keys introduced after the report is delivered.

Bug Bounty: Ongoing, But Not Universal

Bug bounty programs, where ethical hackers are rewarded for uncovering vulnerabilities, appear to be an important supplement. The Immunefi platform states that it has paid out over $116 million to security researchers since its inception in December 2020, and currently protects over 330 projects that collectively manage $190 billion in TVL.

The model of escalating rewards — where the payout is linked to a percentage of the potential losses a security flaw could cause — is, according to Immunefi CEO Mitchell Amador, intended to make ethical disclosure more profitable than actually exploiting the vulnerabilities. In the first half of 2025, over 8,500 white-hat disclosures were registered on such platforms.

Nevertheless, it is worth noting that bug bounty coverage varies greatly between protocols, and not all projects offer competitive programs.

What Should Protocols Do Now?

Security experts are clear that no single mechanism is sufficient in the current threat landscape. Recommendations point towards a layered approach: frequent and thorough code audits, active bug bounty programs with meaningful reward structures, real-time transaction monitoring, and a sharpened focus on operational security — particularly around private keys and internal procedures.

For Kelp DAO and other protocols that have recently been attacked, it remains to be seen what specific measures will be implemented. Investors and users are closely watching how the sector handles a series of events that are now pushing TVL down to levels not seen in over a year.

Sources: CryptoNews, security research data on DeFi audits and bug bounty programs (2020–2026)