2026's hacks no longer hit the contract, but the perimeter

In the four largest DeFi thefts of 2026, the audited smart contract did not fail once. Instead, bridge configurations, nodes feeding a verifier, AI agents with transfer permissions, and developer toolchains were compromised. The code guarding the money — the code that is audited, published, and combed through line by line — held firm; what gave way was the surrounding perimeter: the infrastructure. April 2026 was the worst month in DeFi history with $606 million stolen, and nearly all of that money left through the back door, not the reinforced lock at the front. This article defends a thesis: in 2026, the locus of attack has shifted outside the contract. We argue this using the year's public incidents, explain why the perimeter is structurally softer than audited code, and conclude with what this changes for protocols and users. This is not a manual on how to attack anything — it is a reading of the pattern and the defense.

Why did the smart contract stop being the target?

For years, the mental image of a DeFi hack was the contract exploit: a reentrancy bug, oracle manipulation, or a poorly protected withdrawal function. The attacker would read the public code, find the mathematical hole, and drain the pool in a single block. The industry responded with the machinery that now defines a serious protocol: multiple audits, formal verification, seven-figure bug bounties (Aave pays up to $1 million on Immunefi for a critical bug), and standard libraries reviewed by thousands of eyes. The contract became the most expensive part of the entire system to attack.

And that is precisely why it stopped being a profitable target. The logic follows that of any rational attacker: you don't enter through the armored door when the bathroom window is open. An audited contract is nearly immutable code, public, and scrutinized by defenders who have spent years closing that specific class of flaws. The surrounding perimeter — the developer's editor, the deployment pipeline, the RPC nodes (the servers that serve chain state to applications) feeding a bridge, the AI agents with permissions to move funds — does not receive even a tenth of that scrutiny. It changes daily, is maintained by people in a hurry, and almost no one audits it with the rigor applied to a Solidity function.

The data confirms this. According to TRM Labs, 76% of all value stolen in crypto in 2026 was concentrated by North Korea's Lazarus Group in just two operations. Neither was a contract logic exploit: one attacked a bridge configuration, the other involved months of social engineering against human operators. The big money of 2026 didn't enter through the code. It entered through everything else.

What are the four perimeter vectors of 2026?

The thesis is supported not by an isolated case, but by a pattern. Four public incidents in 2026, each attacking a different layer of the perimeter, illustrate the same shift. In none of them did the contract logic fail; in all four, the infrastructure surrounding it did.

The table should be read as a map, not just a list of events. Each row is a layer of the stack that a protocol needs to function but which does not appear in its audit report. The contract is the only piece those reports cover — and it is the only piece that held up in all four cases.

How did Kelp DAO fall without touching a contract?

On April 18, 2026, Kelp DAO lost $292 million through its bridge on LayerZero. There was no bug in Solidity. The bridge operated with a DVN (the network of verifiers that approves cross-chain messages) configuration in "1-of-1" mode: a single verifier validated cross-chain messages without redundancy. The attacker poisoned the RPC nodes that the verifier consulted to read the source chain state and, in parallel, launched a DDoS (distributed denial of service) attack against that infrastructure. With the verifier reading a manipulated state, it fabricated a false message that ordered the bridge to release 116,500 rsETH on Ethereum without a corresponding burn on the source chain.

The devastating part of the case is that the warning already existed. LayerZero had pointed out the risk of the 1-of-1 configuration before the hack; nearly 47% of applications on LayerZero used that same default. Kelp held billions in custody and never hardened beyond the default settings. The bridge contract did exactly what it was programmed to do — the problem was the infrastructure deciding which messages were legitimate. The shockwave reached more than twenty connected protocols and triggered over $10 billion in outflows from Aave, even though Aave's contracts were not exploited: they were simply left with disputed collateral. We analyze this in detail in how they stole 292 million from Kelp DAO without touching a contract.

Why is an AI agent with permissions a ticking bomb?

Step Finance, a DeFi portfolio manager on Solana, was drained in January 2026 and eventually closed on February 24. The figure is around $27 million (261,854 SOL in a single transaction; some reports raise it toward $40 million counting the 97% collapse of its token). The initial vector was human and classic: compromising project executives' devices to obtain their keys. But the amplifier was new.

Step Finance had integrated AI agents with permission to execute large SOL transfers without human approval. Once inside, the attackers didn't have to move the money manually: they used the protocol's own agents — with their excessive permissions and lack of isolation — as leverage to extract the funds. The failure was not the contract or the AI model itself, but automation with permissions: a machine identity capable of moving value without a human in the loop turns a credential compromise into an instantaneous drain. It is the same principle that makes an unreviewed service with administrator privileges dangerous in traditional security.

A similar case is Resolv USR ($25 million): a prompt injection in an AI agent with cloud access, attacking the tool layer — MCP, Supabase, managed keys in AWS KMS — instead of the contract. Two incidents, two different points of the same new layer: the AI infrastructure that protocols are connecting to their operations faster than they can secure it. Details on the prompt injection can be found in 25 million stolen via prompt injection in MCP.

How does an attacker enter through the dev toolchain?

The fourth vector is the most insidious because it acts before the contract even exists. On May 18, 2026, the TeamPCP group (tracked as UNC6780) published a poisoned version of Nx Console, the official VS Code extension for the Nx monorepo, with 2.2 million installations. It was available in the official Marketplace for less than 20 minutes — enough for the automatic update to push it to an unknown number of machines. The payload, dubbed Mini Shai-Hulud, stole CI/CD tokens, self-propagated as an npm worm, and swept disk paths for wallets. GitHub confirmed the exfiltration of about 3,800 of its internal repositories.

The frightening innovation was not breaking a defense, but co-opting it: the worm generated authentic SLSA Build Level 3 provenance attestations for the malicious packages. In other words, the cryptographic signature the industry built after SolarWinds to certify that a package came from a trusted pipeline was correct — it was just that the pipeline was already hijacked. For a Web3 developer, this is critical: the key that signs a contract deployment and the seed of a treasury wallet coexist on their machine. There is no fraud department to reverse the transaction: if the extension leaks that key and the attacker signs, the funds are gone. What the incident revealed is what actually contained the damage — according to GitHub, client repositories were not affected because the compromised access was segregated. Permission discipline, not the contract, was the last line of defense.

Why is the perimeter softer than the contract?

The key question is not why attackers have moved to the perimeter, but why the perimeter allows it. The answer lies in a structural asymmetry between two classes of surface area.

The smart contract has four properties that harden it: it is public (anyone can audit it), it is nearly immutable (it doesn't change after deployment), it has a defined perimeter (the set of functions is finite and known), and it concentrates all the sector's defensive attention. The surrounding infrastructure is the exact opposite in all four respects:

• It changes daily. A contract is audited once and remains fixed. The developer toolchain, RPC nodes, npm dependencies, and AI agent configurations mutate constantly. Every update is a new window, and no one re-audits the entire system with every change.
• It is opaque and dispersed. Contract code is on a block explorer for the world to see. A bridge's DVN configuration, an AI agent's permissions, or the tokens living in a CI/CD pipeline are not published or scrutinized. Kelp's vulnerable default had been there for months, warned about, without anyone changing it.
• It inherits trust from third parties. The protocol does not control the VS Code Marketplace, the npm registry, a provider's RPC nodes, or the cloud pipeline. It trusts them. TeamPCP didn't attack the contract: it attacked the trust link — a signed extension — that the developer takes for granted.
• Almost no one audits it with the same rigor. There are million-dollar bug bounties for a contract flaw and formal verification for every function. There is no equivalent for "is your bridge configured correctly?" or "what can your AI agent move without a human present?". The security budget was spent on the part that was already hardened.

The consequence is direct: the marginal cost of finding a flaw in the perimeter is much lower than breaking an audited contract, and the prize is identical — the same funds. A rational attacker, and Lazarus is one, goes where the effort-to-reward ratio is best. In 2026, that is the infrastructure.

Does this mean contract exploits have disappeared?

No, and the nuance matters to avoid falling for easy headlines. Contract logic flaws — reentrancy, oracle manipulation, rounding errors — still happen and will continue to happen, especially in young protocols, unaudited ones, or those with half-copied code. The anatomy of these flaws hasn't changed and is worth knowing; we review it in the anatomy of a crypto vulnerability.

What the thesis asserts is more precise: the big money of 2026 has shifted to the perimeter. Of the $606 million stolen in April — 3.7 times the total for the entire first quarter — two Lazarus attacks accounted for nearly 95%, and neither was a contract exploit. When code has become so hardened that draining a serious protocol via mathematics is prohibitively expensive, major operators migrate to the cheap route. Contract exploits aren't dead; they've been relegated to easy prey, while the big fish fall through the perimeter. It is a redistribution of risk, not a replacement.

What changes for protocols?

If the attack no longer enters through the contract, auditing only the contract is like defending an armored door with the window open. Defense must shift with the attack. For a protocol, this means treating the perimeter with the same rigor as the code:

1. Audit the configuration, not just the code. Bridge defaults, DVN modes, RPC providers, and their redundancy are part of the attack surface. Kelp had the contract right and the bridge on "1-of-1": the audit that mattered was the configuration audit, and it wasn't done.
2. Minimum permissions for AI agents. No machine identity should be able to move value without a human in the loop or strict limits. An agent with unlimited transfer permission is, in practice, a private key with its own will. The Step Finance lesson is exactly that.
3. Segregate credentials by blast radius. The token that builds should not be the one that publishes; the key that tests should not be the one that deploys to production. In the TeamPCP case, GitHub client repositories were saved precisely because the compromised access did not reach them: segregation contained the damage.
4. Harden the developer toolchain. Manual and reviewed updates on machines that touch keys, skepticism toward signed provenance (it's no longer a guarantee), and never leaving production seeds within reach of an editor session.
5. Do not ignore existing warnings. LayerZero warned Kelp. The vulnerable default was documented. Perimeter defense starts by acting on known risk before searching for the unknown.

We address the underlying difference regarding who executes the attack separately: if you're wondering if AI is already the autonomous attacker draining protocols, the answer and data are in OpenZeppelin's alarm on "superhuman" AI. That article is about who attacks; this one is about which part is attacked. They are complementary: as of June 1, 2026, the attacker is still human and the target has moved to the perimeter.

What signals should a user look for?

The DeFi user doesn't audit bridges or configure agents, but their exposure depends on perimeter decisions they can evaluate before depositing. Four practical signals:

• Inherited bridge risk. Any "wrapped" or bridged token inherits the risk of the bridge infrastructure, not the contract that issues it. If you hold cross-chain assets, it's worth knowing which bridge backs them and in what configuration. To compare the verification architectures of major bridges before moving funds, the LayerZero vs. Wormhole vs. Axelar comparator helps see the differences at a glance.
• Concentration in a single provider. Having all cross-chain exposure under a single bridge provider replicates the single point of failure that sank Kelp. Diversification reduces the blast radius for the user as well.
• Collateral with disputed backing. If you use a bridged asset as collateral in lending, your position depends on that backing remaining valid. When the issuing bridge suffers an incident, the Health Factor can deteriorate without you doing anything.
• Perimeter maturity, not just audit counts. An audit seal covers the contract. Asking if the protocol publishes its bridge configuration, how it manages automation permissions, and how it segregates credentials says more about its real risk in 2026 than the number of contract audits.

The overarching lesson is uncomfortable but clear: in 2026, reading only the contract audit report is reading the part that is already solved. Risk lives in the unaudited margin. The contract is looked at once and is public; the perimeter changes every day and almost no one watches it — and that is where, blow by blow, the big money is falling. Monitoring your positions and your portfolio health serves precisely to detect early when a perimeter incident begins to contaminate the assets you touch.

Sources and links: TRM Labs (attribution and % stolen 2026) · BeInCrypto ($606M in April, 3.7x Q1) · CoinDesk (Step Finance closure) · Halborn (Step Finance analysis) · CISA (TeamPCP / Nx Console alert) · Chainalysis (Lazarus attribution)