Volo Protocol lost approximately $3.5 million in a recent hack, days after KelpDAO was breached. The attack targeted three vaults holding WBTC, XAU, and USDC, highlighting ongoing security vulnerabilities in DeFi protocols. The incident underscores the persistent risks in the decentralized finance space, with security breaches causing significant financial losses for users and developers alike.
Volo's vaults were exploited on April 22, 2026, draining $3.5 million. The team promptly froze affected vaults, securing $500,000, and confirmed that $28 million in total value locked remains safe. Volo pledged to cover all user losses, isolated the attack, and is working with partners to recover the stolen funds.
Cybersecurity researchers have identified a new LOTUSLITE malware variant, linked to Mustang Panda, targeting Indian banks and South Korean policy circles. The malware communicates with a dynamic DNS-based command-and-control server over HTTPS, supporting remote shell access, file operations, and session management. This indicates ongoing espionage efforts focused on sensitive financial and governmental sectors.
In a security incident on April 22, 2026, an IRGC gunboat attacked a container ship off Oman, undermining diplomatic efforts and escalating regional tensions. The attack occurred amid an ongoing ceasefire extension between the US and Iran, complicating prospects for a lasting agreement. The incident highlights ongoing security challenges in the region, impacting maritime safety and diplomatic negotiations.
Ripple CTO David Schwartz compared Arbitrum's emergency response to Bitcoin’s 2010 bug, defending the decision to freeze over 30,000 ETH linked to the KelpDAO exploit. The Arbitrum Security Council took this action on April 20, 2026, to mitigate potential damage, drawing parallels to Bitcoin’s early security measures. The move has sparked debate over security versus decentralization.
Aave (AAVE) saw over $15 billion in assets exit the protocol following a $292–$293 million exploit of KelpDAO’s rsETH bridge on April 21, 2026. The attack caused a bank-run, freezing markets and locking approximately $5 billion in USDT and USDC with no withdrawals possible. Total value locked dropped from $48.5 billion to around $30.7 billion.
A critical security flaw in the Python-based Terrarium sandbox, tracked as CVE-2026-5752, was disclosed on April 22, 2026. Rated 9.3 on CVSS, the vulnerability allows attackers to execute arbitrary code with root privileges and escape the container via JavaScript prototype chain traversal. This flaw poses significant security risks for systems using the Terrarium sandbox.
