TL;DR. April 2026 was the worst month for web3 security since the Bybit heist. 18 disclosed incidents, over $606M lost, 18 days. The headline number is bad. The pattern underneath is worse: smart contract bugs are no longer the dominant attack vector. People, DNS, App Stores, governance keys, and cross-chain trust assumptions are.

Why I'm writing this

I run an OTC network and an on/off-ramp. Every conversation I have with institutional desks, family offices, and ramp partners eventually lands on the same question: "how exposed am I to the next one?" April gave us a very clean dataset to answer that, and the answer is uncomfortable.

Most of the post-mortems written this month read like a list. I want to do something different. I want to argue that April 2026 marks a structural shift in how attackers approach web3, and that most security frameworks (and most founders) have not caught up.

The ledger

Fifteen distinct protocols took meaningful losses. Two of them (KelpDAO and Drift) account for roughly 95% of the dollar damage. That tail is doing a lot of work, and we should be honest about it before zooming out.

Protocol Loss Vector Chain KelpDAO ~$293M Forged LayerZero cross-chain message Ethereum / LayerZero Drift Protocol $285M Social engineering plus governance/collateral abuse (DPRK) Solana Grinex Exchange $13.74M Hot wallet compromise (sanctioned exchange) TRON / Multi-chain Hyperbridge $2.5M to $12M Forged state proof (MMR forgery) Ethereum / Polkadot Fake Ledger Live (App Store) $9.5M Phishing via fake iOS app Apple App Store CoW Swap $1.2M DNS hijack and frontend redirect Ethereum LML Staking $950K Flash loan plus TWAP via EIP-7702 BNB Chain SolPay Bridge $900K Signature verification bypass Solana Squid Multicall $517K Malicious approvals into arbitrary calls Multi-chain Aethir $423K Access control exploit GPU Bridge Dango $410K Bridge logic flaw (negative donations) Multi-chain Silo Finance $359K to $392K Vault inflation, oracle misconfig Ethereum Denaria Finance $165.6K Rounding asymmetry in vAMM Linea Zerion ~$100K AI-assisted social engineering (DPRK) Multi-chain EIP-7702 victim ~$17.2K Missing access control in delegated code Ethereum HypurrFi $0 Domain hijack (caught in time) Hyperliquid

The structural shift

If you read the post-mortems carefully, the same five patterns keep showing up. None of them are new individually. What is new is how dominant they have become relative to classic Solidity exploits.

1. Social engineering is now the highest-EV attack on a protocol

The two largest incidents of the month, Drift ($285M) and Zerion (~$100K), were not Solidity bugs. They were people exploits. Both attributed to DPRK-linked actors. Zerion's attackers used AI-assisted impersonation of an internal teammate to phish credentials. Drift's attackers got operational access and used the protocol's intended functionality to drain collateral.

This is the part most builders are still in denial about. If you spend $300K on an audit and $0 on operational security, you have built a vault with a reinforced door and a screen window. North Korea's units (and the increasing number of copycat groups) have figured out the math: a single compromised contributor at a $300M TVL protocol is worth more than years of hunting reentrancy bugs.

A few specific things that worked this month:

  • Fake recruiter outreach with malware-laced "coding tasks" sent through LinkedIn and Telegram.
  • Real-time deepfake video calls impersonating a known team member to authorize a transaction or share a credential.
  • Long-game social presence on dev Discords (six to nine months) before any malicious action, so the social proof is real by the time the ask comes.

The defense is not a single tool. It is procedural. Hardware keys for everything, no exceptions. Two-person rule on any signed transaction above a threshold. A documented protocol for any "urgent" Slack/Telegram request that requires verification through a second channel.

Your audit firm cannot save you from a teammate who joined six months ago and has been quietly building credibility for the day they ask to merge one specific PR.

2. Cross-chain bridges are still the largest single-incident risk

KelpDAO's ~$293M came from a forged LayerZero cross-chain message: a misconfiguration in how cross-chain proofs were verified on the destination side. Hyperbridge lost up to $12M to a Merkle Mountain Range forgery that exploited missing input validation in state-proof verification. SolPay, Aethir, and Dango were smaller and shaped the same way.

The reason bridges keep ending up in the top of these lists is structural, not incidental. Every bridge introduces at least one new trust assumption. Sometimes it is a multisig, sometimes a relayer set, sometimes an optimistic verification window, sometimes a light client. Whatever it is, that assumption now sits on top of the combined liquidity of every chain the bridge connects. The blast radius of a bridge bug is not the bridge's TVL, it is the TVL of every protocol that integrated it.

The nuance most takes miss: LayerZero is not "insecure" in any meaningful sense. The KelpDAO incident came from how a specific application configured its DVN (decentralized verifier network) and security stack. LayerZero ships with sane defaults but lets applications opt into cheaper, weaker verification. KelpDAO did. That is a governance failure, not a protocol failure. Same for most of the bridge incidents this year. The frameworks are getting safer; the defaults applications choose are not.

If you are integrating any bridge or messaging layer in 2026, the question to answer in writing, before mainnet, is: "what is the cheapest way for an attacker to forge a message that my contract will accept?" If you cannot answer that in one paragraph, you have not finished the integration.

3. Frontend, DNS, and App Store attacks are back, and they are worse than before

This is the most under-discussed shift of the month, and the one I think will keep growing.

  • CoW Swap ($1.2M). DNS hijack of the dApp's frontend redirected users to a malicious interface that signed away approvals.
  • Fake Ledger Live App ($9.5M). A phishing app passed Apple's App Store review, lived on the store for nearly a week, and harvested seed phrases the entire time.
  • HypurrFi. Domain hijacked. Funds saved only because the team noticed quickly.

For years the industry trained users to "check the contract" and "verify the address." That advice was always incomplete. If the frontend serving the contract is compromised, the contract address you see is the attacker's. If the iOS icon you tap is a clone, the app you trust is the attacker's. The trust boundary in web3 has always extended off-chain. We just stopped pretending it didn't this month.

The uncomfortable bit: most teams cannot meaningfully harden against this without taking on infrastructure they have never owned. DNSSEC, registrar locks, subresource integrity, code-signing pipelines, App Store relationships. None of this is taught in Solidity bootcamps. It is closer to traditional SaaS security than crypto-native engineering, and most crypto teams are weak there.

The second-order point is worse. As wallet UX gets better and account abstraction goes mainstream, more value flows through interfaces and less through users manually inspecting calldata. That is good for adoption and bad for the assumption that users will catch a malicious frontend by reading the transaction. The interface is becoming load-bearing security infrastructure, and we should treat it that way.

4. EIP-7702 is a new attack surface that auditors are still catching up on

LML Staking ($950K) and at least one smaller incident in April abused EIP-7702, the Pectra upgrade that lets EOAs temporarily delegate to contract code. The exploit pattern: combine 7702's batched-call delegation with flash loans and TWAP manipulation, and you get atomic compositions that simply were not possible before.

EIP-7702 is genuinely useful. It is the foundation for a lot of UX wins coming this year, including the gasless and batched flows that ramps and wallets like ours have wanted forever. But it also redefines what a "signed transaction" can do. Old auditing intuitions like "this is an EOA so it can only do X" no longer hold. Tooling, formal verification, and audit checklists are catching up, but they are not there yet.

If you ship anything that touches 7702 delegation or assumes EOA semantics in any contract path, that code needs a fresh review with the new mental model, not the 2024 one.

5. Off-chain trust is the binding constraint

Zoom out from any single incident and the pattern is the same. The technically interesting part of crypto (the contracts) is no longer where the marginal dollar of attacker effort goes. It goes to the boring parts: domain registrars, App Store listings, governance Slack channels, hot wallet ops, hiring pipelines, customer support inboxes.

This is what "the attackers moved up the stack" actually means. The defenders have spent a decade hardening the lowest layer (the bytecode) while leaving the upper layers (humans, infra, interfaces) roughly as soft as they were in 2017. Attackers do not care about elegance. They care about expected value. Right now the upper layers have terrible defenses and enormous TVL behind them.

What the takes are getting wrong

A few things I keep seeing in the discourse that I think are wrong, or at least incomplete.

"This is just a bad month, it will revert to mean." Maybe on dollar volume. Not on vector mix. The shift from contract bugs to operational and frontend attacks is structural, not seasonal. The attackers have learned. Reversion would require the attackers to forget, which is not how this works.

"Bridges are inherently broken, just stay on one chain." Bridges are inherently more exposed, which is a different claim. Most users and most TVL want multi-chain functionality, and that demand is not going away. The right response is to harden bridge defaults and force applications to think explicitly about verification thresholds, not to pretend single-chain crypto is the future.

"Audits are useless." Audits remain extremely useful for the class of bugs they are designed to find. They are not useful against operational compromise, social engineering, governance failures, or frontend attacks. Selling audits as proof of "security" was always lazy marketing. The fix is honest scoping, not abandoning audits.

"Insurance will save us." On-chain cover protocols are still tiny relative to the TVL they would need to cover, and most of them carve out exactly the categories that dominated April (operational compromise, governance failures, frontend hijacks). Insurance is not arriving fast enough to be the answer for protocols that ship this year.

What this means for India and SEA

A quick note for the part of the world I work in. The regulators here are watching. RBI, MAS, BSP, OJK, all have crypto and stablecoin frameworks in active iteration. Months like April 2026 do not just affect protocol roadmaps. They affect the political ceiling for everything we are trying to build, including ramps, OTC, and stablecoin distribution.

The takeaway for builders in this region is not to hide the incidents or downplay them in conversations with regulators. It is the opposite. Show that you understand the threat model better than the regulator does, that you have specific operational defenses, that you can articulate exactly what you are and are not exposed to. The teams that can do this calmly and in detail will find a much warmer reception than the ones who try to wave it off.

The builder checklist April 2026 wrote

If you ship a protocol, a wallet, or a ramp, here is the unsexy version of what this month asks of you.

  • [ ] Treat operational security as a product surface, not an IT problem. Hardware keys for everyone with deploy or governance access. Phishing-resistant auth for all admin systems. Documented verification protocol for anything urgent.
  • [ ] Two-person rule on any signed transaction above a meaningful threshold. The number depends on your TVL; the principle does not.
  • [ ] Audit your cross-chain trust assumptions in writing. For every bridge or messaging layer you integrate, write down what you are trusting, who controls it, and what would have to be true for a forged message to clear.
  • [ ] Own your frontend trust chain. DNSSEC, registrar locks, subresource integrity, code-signed builds, and a written runbook for what happens when (not if) your domain or build pipeline gets attacked.
  • [ ] Treat App Store presence as a security perimeter. Monitor for clones daily. Have a takedown contact at Apple and Google before you need one. Document publisher names so users can verify them.
  • [ ] Re-audit anything that touches EIP-7702 with the new mental model.
  • [ ] Minimize approvals by default. Limited allowances. First-class revoke flows in your UI. Make it easier to do the safe thing than the unsafe thing.
  • [ ] Vet new contributors like a hostile intelligence service might be sending them. Because some of the time, they are.

The user checklist

  • Bookmark dApps. Do not Google them.
  • Verify app publishers. "Ledger Live" in the App Store should be Ledger SAS, no other publisher.
  • Use a hardware wallet for anything you would be sad to lose, and read the screen before signing.
  • Revoke old approvals quarterly. Revoke.cash and similar tools take five minutes.
  • Be skeptical of any "urgent" message from a teammate, recruiter, or support agent. Verify out of band.

The bigger picture

For most of crypto's history, the dominant story was "the code is law, and the code has bugs." April 2026 is the month that frame stopped being sufficient. The biggest losses came from off-chain failures: humans, DNS, App Stores, governance signers, multisig members, attacked by sophisticated and increasingly state-aligned adversaries using AI-augmented social engineering.

The protocols got better. The attackers moved up the stack. The defenders have not yet.

If web3 wants to be infrastructure (and that is what most of us are actually building toward) the security model has to extend to everything that touches the user. Not just the bytecode at the end of the journey. Every domain, every interface, every contributor, every signer, every dependency.

The industry has been good at the part that is fun to write about. April 2026 is asking us to get good at the boring parts. The teams that take that seriously over the next few quarters will be the ones still standing when the next April happens. And there will be a next April.

Sources: Chainalysis, BlockSec weekly roundups, CertiK, OpenZeppelin Notorious Bug Digest, The Hacker News, Crypto Times, Phemex research, and primary disclosures from each affected protocol.