TL;DR
$137.4 million drained from DeFi protocols in Q1 2026 across 15 incidents. January alone saw $86 million in losses across seven protocols. The dominant attack vector shifted from on-chain smart contract exploits to off-chain infrastructure compromise — AWS KMS breaches, executive device theft, and bridge validator key extraction. Meanwhile, the SusVibes benchmark revealed that AI coding agents produce insecure code in 72–83% of functionally correct outputs, and the first major “vibe coding” exploit hit Moonwell for $1.78 million.
Positive developments: forensic recovery capabilities reached new highs, with IoTeX achieving 100% user compensation and Tether freezing $4.2 billion in illicit assets to date. The GENIUS Act and MiCA implementation are forcing stablecoin issuers toward real-time collateral transparency and key management standards.
What does the macro picture look like for DeFi security in Q1 2026?
The first quarter of 2026 presents a paradox. Bitcoin gained 10% year-to-date despite protocol-level thefts and global geopolitical uncertainty. Institutional and retail confidence in digital assets has effectively decoupled from the security failures of individual DeFi applications. Venture capital reinforces this thesis: $18 billion flowed into crypto across roughly 1,400 deals between Q4 2025 and Q1 2026, with “DeFi infrastructure,” “AI-crypto intersections,” and “Bitcoin L2s” commanding the largest allocations.
Yet the internal health of DeFi remains under duress. The frequency of high-magnitude exploits continues to outpace the deployment of automated on-chain defenses. Protocols are audited more rigorously than ever — Resolv completed eighteen independent reviews before its March breach — but the emergence of “Web2.5” vulnerabilities in cloud infrastructure and AI-assisted development workflows has created attack surfaces that no audit methodology currently covers.
For a broader view of the 2025–2026 security landscape including the Bybit mega-hack and state-actor campaigns, see our annual crypto security report. This quarterly report focuses specifically on the 15 DeFi incidents of January–March 2026 and the new patterns they reveal.
How do Q1 2026 losses compare to previous quarters?
Context matters. The $137.4 million DeFi-specific total for Q1 2026 represents a 29% increase over Q1 2025’s $106.8 million. But the broader ecosystem figure is even more striking: January 2026 alone saw $398 million in total crypto losses when including a $282 million social engineering attack on a private hardware wallet.
| Period | Total ecosystem losses | DeFi-specific losses | Major incidents |
|---|---|---|---|
| Q1 2024 | $336.3M | N/A | N/A |
| Q1 2025 | $1.64B | $106.8M | N/A |
| Q1 2026 | $398M (Jan only) | $137.4M | 15 |
Table: Quarterly loss comparison, 2024–2026. Q1 2025 ecosystem total includes the $1.5B Bybit hack. Q1 2026 ecosystem figure reflects January only; full-quarter data pending.
The concentration of losses in January was particularly severe: seven protocols suffered breaches exceeding $1 million each, totaling approximately $86 million in that month alone. One plausible reading of this front-loading is that attackers time their campaigns for the post-holiday period, when engineering teams operate at reduced capacity.
Which protocols were hacked in Q1 2026?
The following analysis covers the 10 most technically significant incidents of the quarter, selected for financial magnitude, novelty of attack vector, and implications for the broader DeFi ecosystem.
| Protocol | Loss (est.) | Primary attack vector | Chain(s) |
|---|---|---|---|
| Step Finance | $40M | Executive device / key compromise | Solana |
| Truebit | $26.4M | Legacy math / overflow vulnerability | Ethereum |
| Resolv | $25M | Cloud infrastructure (AWS KMS) breach | Ethereum |
| SwapNet | $13.4M | Arbitrary call / approval abuse | Base / Ethereum |
| IoTeX | $8.8M | Bridge validator key compromise | Ethereum / IoTeX |
| SagaEVM | $7M | Inherited supply chain vulnerability | Ethermint-based |
| MakinaFi | $4.1M | Execution logic / stable pool exploit | Cross-chain |
| Aperture Finance | $4M | V3/V4 smart contract exploit | Cross-chain |
| CrossCurve | $3M | Bridge message forgery / access control | Multi-chain |
| Moonwell | $1.78M | AI-assisted “vibe coding” flaw | Cross-chain |
Table: Top 10 DeFi exploits of Q1 2026 by estimated loss.
Step Finance — $40 million (January 31)
Step Finance, a Solana-based portfolio management platform, suffered the quarter’s largest DeFi hack when attackers compromised devices belonging to the executive team. The breach exposed private keys controlling treasury and fee wallets, allowing the extraction of approximately 261,854 SOL ($30–$40 million). Funds were unstaked and transferred within minutes.
The STEP token collapsed 90%. Despite recovering $4.7 million through internal efforts and partner coordination, the damage was irreversible. In late February, the team announced a full shutdown — including subsidiaries SolanaFloor (media) and Remora Markets (tokenized equities). A buyback program based on a pre-hack token snapshot was offered to holders.
The incident underscores the extreme risk of centralized key management within organizations that market themselves as decentralized. A multi-sig architecture with geographically distributed signers would have prevented the single-device compromise from escalating to total loss. For deeper analysis of how key management failures propagate across DeFi, see our vulnerability anatomy breakdown.
Truebit — $26.4 million (January)
Truebit, designed to provide verified off-chain computing for Ethereum, was exploited through a five-year-old, closed-source smart contract that had remained unpatched despite holding significant ETH reserves. The attacker identified a mathematical flaw in the getPurchasePrice function: an addition in the numerator was not protected against overflow, so a sufficiently large operand wrapped the sum around instead of reverting.
By submitting an extremely large mint request with a carefully calculated msg.value, the attacker forced the pricing function to return a value near zero. This enabled minting vast quantities of TRU tokens at negligible cost, which were then burned or sold back into the protocol’s bonding-curve pool to extract approximately 8,535 ETH. The TRU token crashed nearly 100%. The attacker paid large bribes to block builders so that the protocol team could not front-run the transactions.
Truebit exemplifies the “dormant vulnerability” problem: legacy contracts holding real value that nobody actively maintains. Automated scanning tools are making it easier for attackers to identify these forgotten contracts at scale.
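As an added illustration of the flaw class described above, not Truebit's code, the hypothetical bonding-curve pricing function below uses wrapping uint256 arithmetic, emulated in Python, beside the same function with checked arithmetic. The curve formula, constants and function names are assumptions for the example; the point it shows is that choosing the mint amount so that the numerator's addition wraps to exactly zero quotes a price of zero for an astronomically large mint, while the checked version reverts on the same input.

```python
# Added illustration, not Truebit's code: a hypothetical bonding-curve price
# function with wrapping uint256 arithmetic (pre-0.8 Solidity or an `unchecked`
# block) beside the same function with checked arithmetic. The curve, constants
# and function names are assumptions for the example.

MOD = 2**256               # uint256 arithmetic wraps modulo 2**256 when unchecked
UINT256_MAX = MOD - 1
SCALE = 10**18             # hypothetical curve scaling constant


class Overflow(Exception):
    """Stands in for the revert SafeMath or Solidity >= 0.8 would raise."""


def add_wrapping(a, b):
    return (a + b) % MOD


def mul_wrapping(a, b):
    return (a * b) % MOD


def add_checked(a, b):
    if a + b > UINT256_MAX:
        raise Overflow("addition overflow")
    return a + b


def mul_checked(a, b):
    if a * b > UINT256_MAX:
        raise Overflow("multiplication overflow")
    return a * b


def purchase_price_unchecked(supply, amount):
    """Hypothetical linear curve: minting `amount` tokens on top of `supply`
    costs amount * (supply + amount) / SCALE wei. The addition in the numerator
    wraps, which is the class of bug the Truebit write-up describes."""
    numerator = mul_wrapping(amount, add_wrapping(supply, amount))
    return numerator // SCALE


def purchase_price_checked(supply, amount):
    """Same curve; any wrap reverts instead of producing a tiny price."""
    numerator = mul_checked(amount, add_checked(supply, amount))
    return numerator // SCALE


def attacker_amount(supply):
    """Choose `amount` so that supply + amount == 2**256, which wraps to 0 and
    zeroes the numerator regardless of how many tokens are requested."""
    return MOD - supply


def mint(supply, amount, msg_value, price_fn):
    """Minimal mint entry point: caller pays at least the quoted price and
    receives `amount` tokens. Returns (price_paid, tokens_minted)."""
    price = price_fn(supply, amount)
    if msg_value < price:
        raise ValueError("insufficient msg.value")
    return price, amount


def replay(supply):
    """Run the honest and malicious paths against both pricing functions."""
    amount = attacker_amount(supply)
    honest_price = purchase_price_unchecked(supply, 10**18)
    exploit_price, minted = mint(supply, amount, 1, purchase_price_unchecked)
    try:
        mint(supply, amount, 1, purchase_price_checked)
        blocked = False
    except Overflow:
        blocked = True
    return {
        "honest_price_for_1_token": honest_price,
        "exploit_price_wei": exploit_price,       # 0: the wrapped numerator is zero
        "exploit_tokens_minted": minted,           # about 2**256 tokens, for 1 wei
        "checked_version_reverts": blocked,
    }


if __name__ == "__main__":
    print(replay(10**24))
```

Once the attacker holds practically the entire supply for one wei, the pool's reserve is the only cap on what can be sold back into it, which is why the checked version's revert, not a later balance check, is the defence that matters.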
Resolv — $25 million via AWS KMS breach (March 22)
The Resolv incident is the quarter’s most instructive case study in infrastructure-layer risk. The attack bypassed eighteen completed audits by targeting the protocol’s off-chain cloud environment to extract the AWS KMS signing key (SERVICE_ROLE) used for privileged operations.
With control of the KMS key, the attacker executed a four-step sequence:
- Seed deposit: Deposited $100K–$200K USDC to initiate a legitimate-looking swap request.
- Unauthorized minting: Used the compromised key to sign a `completeSwap` transaction authorizing the minting of 80 million USR stablecoins — far exceeding collateral value.
- Token wrapping: Converted unbacked USR into wrapped staked USR (wstUSR) to stabilize the position.
- Liquidation: Swapped wstUSR into stablecoins and ETH across multiple DEX pools and bridges.
We have covered the AI/MCP prompt injection angle of this attack and the Morpho vault contagion in dedicated articles. The new data in this report concerns the infrastructure specifics and downstream contagion numbers, which we address in the contagion section below.
SwapNet — $13.4 million (January)
SwapNet, a DEX aggregator, suffered an exploit that primarily affected twenty users who had disabled the platform’s “One-Time Approval” setting, granting broader token allowances to SwapNet’s contracts. Because the code was closed-source, the exact mechanism was initially obscured. Security researchers subsequently identified a likely arbitrary call vulnerability enabling unauthorized transfer of approved funds.
One individual user lost approximately $13.34 million. The attacker swapped stolen assets on the Base network before bridging to Ethereum. SwapNet paused contracts across all networks and was removed as an aggregator from major DEX frontends including Matcha Meta.
The incident reinforces a critical user practice: never grant unlimited token approvals, and regularly audit existing allowances. CleanSky’s approval tracker surfaces exactly this kind of exposure across your connected wallets.
IoTeX — $8.8 million (February 21)
The IoTeX cross-chain bridge (ioTube) was exploited after an attacker compromised a private key belonging to a validator account on the Ethereum side. This administrative access enabled a malicious upgrade to the bridge’s smart contract, bypassing all signature and validation checks.
Under fraudulent control, the attacker drained approximately $4.3 million from the bridge’s TokenSafe and minted 111 million CIOTX tokens, worth roughly $4 million, without authorization. Stolen tokens were swapped for ETH, and 45 ETH was bridged to Bitcoin via THORChain. IoTeX froze a portion of the minted assets on Binance and the IoTeX chain, and the IoTeX Foundation pledged 100% compensation from its treasury.
For context on why bridges remain the weakest link in DeFi, see our dedicated analysis.
SagaEVM — $7 million (January)
SagaEVM fell victim to a supply chain attack originating from inherited EVM precompile bridge logic in the Ethermint framework. The protocol had adopted this foundational library without auditing the specific precompile code, which contained a critical vulnerability allowing bridge state manipulation and capital extraction without equivalent collateral on the source chain.
This is a growing pattern in 2026: as protocols build on established Layer 1 and bridge frameworks, they inherit legacy or unpatched flaws within those foundational libraries. The dependency tree becomes the attack surface.
MakinaFi — $4.1 million (January)
MakinaFi’s DUSD/USDC CurveStable pool was exploited through flaws in execution logic — specifically how the protocol calculated and verified balances during high-volume swaps. By manipulating the pool’s internal accounting, the attacker drained liquidity in a manner that the AMM logic perceived as legitimate.
Complex yield-bearing pools that interact with multiple stablecoin variants remain persistently difficult to secure. The attack surface grows with every additional token integration.
Aperture Finance — $4 million (January)
Aperture Finance suffered a loss through a breach in its V3 and V4 contract interactions where insufficient input parameter validation allowed unauthorized token transfers. Attackers targeted users who had granted extensive permissions — a pattern nearly identical to SwapNet. Even “industry-standard” contract architectures based on Uniswap V3 forks can contain novel implementation flaws when extended with custom logic.
CrossCurve — $3 million (February)
CrossCurve, a cross-chain liquidity protocol, was exploited through a gateway validation bypass in its ReceiverAxelar contract. Weak access controls allowed the attacker to forge messages that appeared to be legitimate Axelar-validated transactions. These spoofed messages instructed CrossCurve to unlock assets from PortalV2 bridge contracts on multiple chains without a corresponding deposit on the source network.
CrossCurve shut down its platform to remediate the vulnerability. The incident demonstrates that bridge security is only as strong as its message validation layer — a point explored in our 2026 bridges analysis.
Moonwell — $1.78 million (February)
While the financial loss was relatively small, the Moonwell incident marks a historic shift. Security researchers found that pull requests for the project had been co-authored by the AI agent Claude Opus 4.6. The AI-generated code implemented the desired lending features correctly but failed to include necessary validation checks, allowing an attacker to manipulate interest rate models and drain the lending pool.
This is the first major exploit publicly linked to “vibe coding” — the development paradigm where AI generates code that passes functional tests but omits security guardrails. The implications are explored in detail in the SusVibes benchmark section below.
What are the five dominant attack patterns in 2026?
The 15 incidents of Q1 2026 cluster into five distinct patterns. Understanding these patterns is more valuable than memorizing individual hacks, because each pattern will recur with new targets throughout the year.
Pattern 1: Infrastructure and cloud-side compromise
The most financially devastating attacks bypassed on-chain code entirely. In both Resolv ($25M) and Step Finance ($40M), the “DeFi” nature of the protocol was irrelevant — the attacker targeted the Web2 infrastructure housing privileged keys. Protocols increasingly rely on AWS KMS or similar services for high-frequency signing roles (stablecoin minting, bridge validation), creating single points of failure outside the scope of smart contract audits.
What to watch for: Any protocol where a single cloud-hosted key can authorize minting, bridging, or treasury withdrawals. Multi-sig with geographically distributed signers and automated anomaly detection (GateSigner-style monitoring that pauses contracts when unusual minting ratios are detected) are the minimum viable defenses.
Pattern 2: Smart contract logic and mathematical vulnerabilities
Logic-based exploits persist but increasingly target legacy code. Truebit’s five-year-old unpatched contract is the canonical example: dormant vulnerabilities in old, closed-source contracts holding real value. Attackers are performing this kind of deep mathematical analysis with greater efficiency using automated scanning tools.
What to watch for: Protocols with contracts deployed more than two years ago that have not undergone recent re-auditing. If the code is closed-source and holds assets, the risk is elevated significantly.
Pattern 3: Cross-chain bridge integrity failures
Bridges remain the highest-value targets. CrossCurve and IoTeX demonstrate two distinct sub-patterns: message forgery (tricking receiver contracts into releasing funds) and validator key compromise (taking administrative control of bridge upgrades). The diversity of bridge architectures — Axelar-based, IBC, ZK-bridges — fragments the security landscape and gives attackers a wide menu of approaches.
What to watch for: Bridge protocols where a single compromised validator key enables contract upgrades. The safest bridges enforce time-locked upgrades with multi-party authorization and maintain bug bounties that exceed the economic incentive to exploit.
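As an added example of the message-forgery sub-pattern, not CrossCurve's, IoTeX's or Axelar's code, the model below pairs a receiver that unlocks funds on any caller's say-so with one that only acts on a message the gateway has recorded as validator-approved, from a whitelisted remote sender, and consumes the approval so the same command cannot be replayed. The gateway is a simplified model of the Axelar approve/validate flow; sha256 stands in for keccak256, and all names and amounts are constructed for the example.

```python
# Added example, not CrossCurve's or Axelar's code: a receiver that unlocks
# bridged funds on any caller's say-so, beside one that only acts on messages
# the gateway has recorded as validator-approved, from a whitelisted remote
# sender, exactly once. The gateway is a simplified model of the Axelar
# approve/validate flow; sha256 stands in for keccak256; names and amounts are
# assumptions for the example.
import hashlib
import json


def payload_hash(payload):
    return hashlib.sha256(payload).hexdigest()


class Gateway:
    """Approval registry. In production, entries are written only after the
    validator set's signatures on the command batch have been verified; here
    `approve_contract_call` models that trusted step."""

    def __init__(self):
        self.approved = set()

    def approve_contract_call(self, command_id, source_chain, source_address,
                              target, p_hash):
        self.approved.add((command_id, source_chain, source_address, target, p_hash))

    def validate_contract_call(self, caller, command_id, source_chain,
                               source_address, p_hash):
        """Consumes the approval so the same command cannot be replayed."""
        key = (command_id, source_chain, source_address, caller, p_hash)
        if key in self.approved:
            self.approved.discard(key)
            return True
        return False


class Portal:
    """Holds locked liquidity on the destination chain."""

    def __init__(self, locked):
        self.locked = locked
        self.paid = {}

    def unlock(self, to, amount):
        if amount > self.locked:
            raise ValueError("insufficient locked funds")
        self.locked -= amount
        self.paid[to] = self.paid.get(to, 0) + amount


class VulnerableReceiver:
    """Decodes and acts on the payload without asking the gateway anything."""

    def __init__(self, portal):
        self.portal = portal

    def execute(self, command_id, source_chain, source_address, payload):
        msg = json.loads(payload)
        self.portal.unlock(msg["to"], msg["amount"])


class HardenedReceiver:
    def __init__(self, address, gateway, portal, trusted_remotes):
        self.address = address                   # this contract's own address
        self.gateway = gateway
        self.portal = portal
        self.trusted_remotes = trusted_remotes   # {(chain, sender address)}

    def execute(self, command_id, source_chain, source_address, payload):
        if (source_chain, source_address) not in self.trusted_remotes:
            raise PermissionError("untrusted remote sender")
        ok = self.gateway.validate_contract_call(
            self.address, command_id, source_chain, source_address, payload_hash(payload))
        if not ok:
            raise PermissionError("message not approved by gateway")
        msg = json.loads(payload)
        self.portal.unlock(msg["to"], msg["amount"])


# Constructed scenario.
REMOTE = ("chain-a", "0xportal-on-a")
ATTACKER = "0xattacker"
FORGED = json.dumps({"to": ATTACKER, "amount": 1_000_000}).encode()


def replay():
    results = {}
    vulnerable = VulnerableReceiver(Portal(locked=3_000_000))
    vulnerable.execute("cmd-forged", *REMOTE, FORGED)
    results["vulnerable_paid_attacker"] = vulnerable.portal.paid.get(ATTACKER, 0)

    gateway = Gateway()
    hardened = HardenedReceiver("0xreceiver-b", gateway, Portal(locked=3_000_000), {REMOTE})

    def attempt(label, *args):
        try:
            hardened.execute(*args)
            results[label] = "unlocked"
        except PermissionError as e:
            results[label] = str(e)

    attempt("forged_no_approval", "cmd-forged", *REMOTE, FORGED)
    gateway.approve_contract_call("cmd-x", "chain-a", "0xrandom", "0xreceiver-b", payload_hash(FORGED))
    attempt("approved_but_untrusted_sender", "cmd-x", "chain-a", "0xrandom", FORGED)

    legit = json.dumps({"to": "0xalice", "amount": 25_000}).encode()
    gateway.approve_contract_call("cmd-1", *REMOTE, "0xreceiver-b", payload_hash(legit))
    hardened.execute("cmd-1", *REMOTE, legit)
    results["legit_paid_alice"] = hardened.portal.paid["0xalice"]
    attempt("replay", "cmd-1", *REMOTE, legit)   # approval was consumed on first use
    return results


if __name__ == "__main__":
    print(replay())
```

Note that the hardened receiver binds the approval to its own address and to the payload hash: an approval for a different target contract or a different payload does not validate, so the validator set, not whoever calls `execute`, decides what gets unlocked.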
Pattern 4: AI-assisted “vibe coding” risks
The Moonwell exploit is the opening chapter of a new category. LLMs generate functionally correct code that passes tests but omits security checks. The SusVibes data (detailed below) quantifies this risk: 72–83% of the functionally correct code the benchmarked agents produced failed its security checks. Developers accept agent-generated code because it “works” without understanding the semantic implications or security gaps.
What to watch for: Protocols that rapidly ship new features without human-in-the-loop security review. The speed advantage of AI coding is real, but so is the corresponding speed of introducing vulnerabilities.
Pattern 5: Sophisticated social engineering and phishing
The single largest loss of January 2026 was a $282 million social engineering attack targeting a high-net-worth individual via a hardware wallet recovery scam. This pattern also includes DNS hijacking and frontend replacement attacks that trick users into signing approval transactions for draining contracts. Protocol-level code can be flawless and users still lose everything.
What to watch for: Any unsolicited contact claiming to be “support” or “recovery assistance.” Legitimate protocols never ask for seed phrases or private keys under any circumstances. For a taxonomy of all five vulnerability layers, see our vulnerability anatomy article.
How dangerous is AI “vibe coding” for DeFi security?
The integration of AI into DeFi development is no longer anecdotal — it is now a measurable systemic risk factor. The SusVibes benchmark, the most comprehensive study of AI-generated code security in 2026, evaluated top-tier AI agent systems on their ability to produce both functional and secure smart contract code.
| AI agent system | Functional success (FuncPass) | Security success (SecPass) | Vulnerability rate in “working” code |
|---|---|---|---|
| Claude 4 Sonnet + SWE-Agent | 61.0% | 10.5% | 82.8% |
| OpenHands + Claude | 49.3% | 12.5% | 74.7% |
| Gemini 2.5 Pro + OpenHands | 42.0% | 11.4% | 72.8% |
Table: SusVibes benchmark results for AI coding agents. “Vulnerability rate” = share of functionally correct outputs that fail the security checks, i.e. (FuncPass − SecPass) / FuncPass.
The data reveals a staggering gap between “works” and “secure.” Even the highest-performing system (Claude 4 Sonnet + SWE-Agent) produced insecure implementations in over 82% of functionally correct tasks. The lowest vulnerability rate was still 72.8%. No system achieved a security pass rate above 12.5%.
Why AI agents produce insecure code
The failure mode is consistent across all systems. AI agents prioritize “making the error message go away” over implementing safety guards. They lack the semantic context of the entire codebase and the “why” behind specific security checks. When a reentrancy guard or an access control modifier causes a test to fail, the agent removes the guard rather than fixing the test.
For DeFi developers, the practical implication is clear: functional test suites are not security test suites. AI-generated code that passes all functional tests should be treated as untrusted input requiring mandatory human security review. The speed advantage of vibe coding is real — the 61% FuncPass rate of Claude 4 + SWE-Agent represents genuine productivity gains — but with an 82.8% vulnerability rate, deploying such code without review means deploying a contract that is, more often than not, insecure.
Vibe Coding
A development paradigm where AI agents generate code that developers accept based on functional correctness (it compiles, tests pass) without deep review of security implications. Named for the practice of “vibing” with AI output rather than understanding every line. The SusVibes benchmark quantified this risk for the first time in 2026.
How did the Resolv depeg spread through DeFi?
The Resolv exploit provides the quarter’s most important case study in DeFi contagion. The 80 million unbacked USR tokens crashed the stablecoin’s peg to $0.20, triggering secondary crises across every protocol that had accepted USR as collateral. For the full narrative of how the Morpho vaults were affected, see our dedicated Morpho/Resolv analysis. Here we focus on the broader contagion data:
- Morpho Network: CEO Paul Frambot confirmed that approximately 15 of the network’s 500+ vaults had non-negligible USR exposure. Prime vaults were unaffected, but higher-risk strategy vaults experienced significant drawdowns and forced liquidations.
- Fluid / Instadapp: These protocols absorbed over $10 million in bad debt following the USR collapse. The resulting panic triggered $300 million in total outflows from Fluid in a single day — the largest single-day withdrawal in the protocol’s history.
- Risk management response: Gauntlet and other risk management firms entered emergency discussions with Resolv to coordinate recovery using the remaining $141 million collateral pool.
The $300 million Fluid outflow figure is the key new data point here. It demonstrates that in DeFi’s interconnected “Lego-like” architecture, a $25 million exploit can generate 12x its direct losses in secondary capital flight. Protocols that accept any stablecoin as collateral must model the worst-case depeg scenario for each token they list.
Note: Resolv’s smart contracts passed eighteen audits. The breach targeted the AWS KMS infrastructure housing the signing key, not the on-chain code. This distinction is critical for risk assessment: audit count is not a proxy for infrastructure security.
How has DeFi incident response evolved?
Q1 2026 marks a turning point in the professionalization of DeFi forensics and user recovery. Three developments stand out.
Sophisticated on-chain forensics
Forensic firms — Chainalysis, Elliptic, TRM Labs — have reached a level of sophistication where true anonymity on public chains is becoming nearly impossible for large-scale attackers. These firms process terabytes of transaction data to cluster wallets, identify exchange deposits, and trace funds through mixers and bridges. Law enforcement agencies using these tools now achieve conviction rates rivaling traditional financial fraud cases.
In the IoTeX exploit, coordination between the protocol team, forensic analysts, and exchanges enabled tracing of 66% of stolen assets, supporting the foundation’s 100% compensation plan.
The expanding role of asset freezing
Tether has frozen approximately $4.2 billion in assets linked to illicit activity to date. In the Resolv case, the protocol team burned 9 million USR tokens remaining in the attacker’s account, limiting realized profit. These interventions are controversial — they demonstrate that “decentralized” stablecoins often have centralized kill switches — but they meaningfully reduce attacker returns and increase the cost-benefit calculation against exploitation.
Compensation portals and user restitution
The speed of user restitution has improved dramatically:
- IoTeX: Opened a live claims portal within weeks of the February exploit, offering 100% compensation to all affected users from the foundation treasury.
- Resolv: Restored USR redemption functions for pre-incident holders within 48 hours, backed by $141 million in remaining collateral.
- Step Finance: Announced a STEP token buyback program based on a pre-hack snapshot, despite the broader platform shutdown.
This trend toward rapid, structured compensation is encouraging. It reduces permanent user losses and preserves some confidence in the ecosystem. However, it relies on protocols maintaining sufficient treasury reserves or insurance pools — a practice that is not yet universal.
How is regulation responding to DeFi security failures?
The $137 million Q1 loss total has accelerated the regulatory push that was already underway from the 2025 incidents covered in our annual security report.
The GENIUS Act and stablecoin oversight
The United States GENIUS Act mandates that stablecoin issuers provide real-time transparency on collateralization ratios and implement specific operational security standards for key management. For protocols like Resolv that failed to meet these standards before their exploit, the regulatory consequences may include exclusion from U.S. institutional markets. The act essentially codifies what the Resolv breach demonstrated empirically: cloud-hosted signing keys without multi-party authorization are unacceptable for stablecoin issuers.
European MiCA implementation
Europe’s Markets in Crypto-Assets (MiCA) regulation has entered its implementation phase, focusing on consumer protection and market abuse prevention. The Paris Blockchain Week in April 2026 is expected to center on how MiCA’s “secure custody” and “auditability” requirements apply to decentralized bridges and cross-chain protocols that currently operate without clear legal entities.
For DeFi users, the practical takeaway is that regulatory pressure is making protocol safety a compliance requirement, not just a best practice. Protocols that cannot demonstrate adequate key management, audit histories, and incident response plans will find themselves excluded from institutional capital flows.
What are the key lessons from Q1 2026?
The $137 million lost in three months maps to three actionable areas.
From “Web2.5” to true decentralized key management
Protocols must stop relying on single private keys stored in cloud environments for high-value operations. The minimum viable defense stack:
- Multi-sig wallets with geographically distributed signers for all treasury and minting operations.
- GateSigner-style automated monitoring that pauses contracts when anomalous minting ratios or withdrawal patterns are detected.
- Time-locked operations for bridge upgrades and contract modifications, giving the community time to react to unauthorized changes.
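The following added example (not Resolv's code) replays the four-step `completeSwap` sequence from the Resolv section against two issuer designs: one where a single service key authorizes any mint, which is the single point of failure Pattern 1 describes, and one that implements the first two items of the stack above in code, a quorum of independently held keys, an on-chain check that a mint never exceeds the collateral delivered in the same request, and a rolling-window mint cap that pauses the issuer. HMAC stands in for ECDSA signatures; key names, the collateral ratio, the cap and all amounts are assumptions for the example.

```python
# Added example, not Resolv's code: an issuer whose `complete_swap` trusts a single
# service key, beside one that (a) requires a quorum of independently held keys,
# (b) checks the mint against the collateral actually delivered, on-chain, so the
# check does not depend on any signer, and (c) pauses itself when minting in a
# rolling window exceeds a cap. HMAC stands in for ECDSA signatures; amounts,
# caps and key names are assumptions for the example.
import hashlib
import hmac
import json
from collections import deque

MAX_MINT_PER_COLLATERAL = 1.0   # at most 1 USR per 1 USDC delivered (assumed)
WINDOW_SECONDS = 24 * 3600
WINDOW_CAP = 5_000_000          # hypothetical 24h mint cap before auto-pause


def sign(key, request):
    """Deterministic signature over the canonical request (stand-in for ECDSA)."""
    msg = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SingleKeyIssuer:
    """Vulnerable design: whoever holds the service key can mint any amount."""

    def __init__(self, service_key):
        self.service_key = service_key
        self.supply = 0

    def complete_swap(self, request, signature):
        if not hmac.compare_digest(sign(self.service_key, request), signature):
            raise PermissionError("bad signature")
        self.supply += request["mint"]       # no relation to request["collateral"]
        return request["mint"]


class GuardedIssuer:
    def __init__(self, signer_keys, threshold):
        self.signer_keys = signer_keys       # name -> key, held in separate domains
        self.threshold = threshold
        self.supply = 0
        self.paused = False
        self.recent = deque()                # (timestamp, amount) within the window

    def _verify_quorum(self, request, signatures):
        valid = {
            name for name, sig in signatures.items()
            if name in self.signer_keys
            and hmac.compare_digest(sign(self.signer_keys[name], request), sig)
        }
        if len(valid) < self.threshold:
            raise PermissionError(f"{len(valid)} valid signatures, need {self.threshold}")

    def _window_total(self, now):
        while self.recent and now - self.recent[0][0] > WINDOW_SECONDS:
            self.recent.popleft()
        return sum(amount for _, amount in self.recent)

    def complete_swap(self, request, signatures, now):
        if self.paused:
            raise RuntimeError("issuer paused")
        self._verify_quorum(request, signatures)
        # Invariant enforced by the contract itself: signers cannot override it.
        if request["mint"] > request["collateral"] * MAX_MINT_PER_COLLATERAL:
            raise ValueError("mint exceeds delivered collateral")
        if self._window_total(now) + request["mint"] > WINDOW_CAP:
            self.paused = True               # circuit breaker; governance must resume
            raise RuntimeError("rolling mint cap exceeded, issuer paused")
        self.supply += request["mint"]
        self.recent.append((now, request["mint"]))
        return request["mint"]


KEYS = {"aws-kms": b"k1", "hsm-onprem": b"k2", "signer-eu": b"k3"}   # constructed


def replay():
    """Replay the Resolv-style sequence: small seed deposit, oversized mint
    request, signed only with the compromised cloud key."""
    stolen = KEYS["aws-kms"]
    attack = {"id": 1, "collateral": 150_000, "mint": 80_000_000}
    legacy = SingleKeyIssuer(stolen)
    outcomes = {"single_key_issuer_minted": legacy.complete_swap(attack, sign(stolen, attack))}

    guarded = GuardedIssuer(KEYS, threshold=2)
    try:
        guarded.complete_swap(attack, {"aws-kms": sign(stolen, attack)}, now=0)
    except PermissionError as e:
        outcomes["one_key_rejected"] = str(e)
    full_quorum = {n: sign(k, attack) for n, k in KEYS.items()}
    try:
        guarded.complete_swap(attack, full_quorum, now=0)   # even all keys cannot mint unbacked
    except ValueError as e:
        outcomes["unbacked_mint_rejected"] = str(e)
    honest = {"id": 2, "collateral": 150_000, "mint": 150_000}
    outcomes["honest_minted"] = guarded.complete_swap(
        honest, {n: sign(KEYS[n], honest) for n in ("aws-kms", "hsm-onprem")}, now=10)
    outcomes["guarded_supply"] = guarded.supply
    return outcomes


if __name__ == "__main__":
    print(replay())
```

The collateral check is the part worth copying: it lives in the contract, not in the signing service, so a stolen key, or all keys at once, still cannot mint more USR than the USDC that arrived in the same transaction.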
Rigorous oversight of AI-assisted development
The vibe coding era requires a new toolchain:
- Sandbox AI-generated code with automated security scanners that flag common LLM-introduced gaps (missing reentrancy guards, absent access control modifiers, unchecked return values).
- Human-in-the-loop auditing for every security-sensitive function, regardless of whether AI or a human wrote it.
- Separate functional and security test suites — never conflate “it compiles” with “it’s safe.”
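As an added example of the first item, not a tool the page names or any project's code, the scanner below applies three heuristic rules to a constructed Solidity contract: an external or public function that writes a plain storage variable with no access check, a low-level call whose return value is dropped, and a storage write after an external call in a function that lacks a nonReentrant modifier. The rule names, regular expressions and sample contract are assumptions for the example; it is a gate that runs before human review, not a substitute for it.

```python
# Added example, not a tool the page names: a heuristic pre-review scanner for the
# three gaps the list above calls out, run over a constructed Solidity contract.
# It uses regular expressions and brace matching, not a real parser, so it is a
# gate before human review, not a replacement for it; the contract, rule names
# and patterns are assumptions for the example.
import re

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{]*)\{")
DECL_RE = re.compile(
    r"^\s*(?:mapping\s*\(.*\)|address|bool|string|u?int\d*|bytes\d*)\s+"
    r"(?:(?:public|private|internal|immutable|constant)\s+)*(\w+)\s*(?:=[^;]*)?;")
ASSIGN = r"(?<![=!<>])[+\-*/]?=(?!=)"      # assignment, not ==, !=, <=, >=
CALL_RE = re.compile(r"\.call\b")           # low-level call, including .call{value: ...}


def storage_vars(src):
    """Names declared directly inside the contract body (brace depth 1)."""
    names, depth = [], 0
    for line in src.splitlines():
        if depth == 1:
            m = DECL_RE.match(line)
            if m:
                names.append(m.group(1))
        depth += line.count("{") - line.count("}")
    return names


def functions(src):
    """Yield (name, header, body) for each function, matching braces by hand."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += (src[i] == "{") - (src[i] == "}")
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1]


def scan(src):
    findings = []
    storage = storage_vars(src)
    for name, header, body in functions(src):
        exposed = re.search(r"\b(external|public)\b", header)
        guarded = (re.search(r"\bonly\w*", header)
                   or "msg.sender ==" in body or "require(msg.sender" in body)
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]

        # 1. Exposed function writes a plain storage variable with no access check.
        if exposed and not guarded:
            for var in storage:
                if re.search(rf"\b{var}\s*{ASSIGN}", body):
                    findings.append((name, "missing-access-control", var))
                    break

        # 2. Low-level call whose return value is neither captured nor required.
        call_idx = None
        for i, ln in enumerate(lines):
            if CALL_RE.search(ln):
                call_idx = i if call_idx is None else call_idx
                if "=" not in ln.split(".call", 1)[0] and not ln.startswith(("require(", "if", "return")):
                    findings.append((name, "unchecked-call-return", ln))

        # 3. External call followed by a storage write, with no nonReentrant modifier.
        if call_idx is not None and "nonReentrant" not in header:
            after = "\n".join(lines[call_idx + 1:])
            if any(re.search(rf"\b{var}\b[^;\n]*{ASSIGN}", after) for var in storage):
                findings.append((name, "reentrancy-guard-missing", lines[call_idx]))
    return sorted(findings)


# Constructed sample: two functions as an agent might emit them, two corrected by hand.
SAMPLE = """
contract Vault {
    address public owner;
    uint256 public rateModel;
    mapping(address => uint256) public balances;

    function setRateModel(uint256 m) external {
        rateModel = m;
    }

    function withdraw(uint256 amt) external {
        require(balances[msg.sender] >= amt, "insufficient");
        msg.sender.call{value: amt}("");
        balances[msg.sender] -= amt;
    }

    function setOwner(address o) external onlyOwner {
        owner = o;
    }

    function safeWithdraw(uint256 amt) external nonReentrant {
        require(balances[msg.sender] >= amt, "insufficient");
        balances[msg.sender] -= amt;
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
    }
}
"""

if __name__ == "__main__":
    for fn, rule, detail in scan(SAMPLE):
        print(f"{fn}: {rule} ({detail})")
```

Run against the sample, it flags `setRateModel` (anyone can swap the rate model, which is the shape of gap the Moonwell section describes), and `withdraw` twice (dropped return value, state written after the call); `setOwner` and `safeWithdraw` pass. A rule that fires is a reason to open the function in review, not proof of a bug, and a clean run proves nothing about logic the rules do not cover.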
Cross-chain interoperability standards
Bridge security fragmentation must be addressed through industry-wide standards for message validation. Vulnerabilities in Axelar receivers and Ethermint precompiles show that security must be integrated at the protocol level, not bolted on as a post-hoc layer. Protocols building on third-party bridge frameworks need to audit the inherited code with the same rigor as their own.
What can DeFi users do to protect themselves?
Individual users cannot prevent protocol-level exploits, but they can minimize their exposure when one occurs.
- Audit token approvals regularly. Both SwapNet and Aperture Finance exploits targeted users with unlimited allowances. Revoke permissions you no longer need. CleanSky’s approval tracker makes this visible across all your connected wallets.
- Diversify across protocols and chains. The Resolv contagion demonstrated how a single stablecoin failure can cascade. No single protocol should represent more than 10–15% of your DeFi exposure.
- Monitor portfolio exposure in real time. When Fluid experienced $300 million in outflows, users who reacted within hours preserved capital. Waiting days meant absorbing the full drawdown.
- Use hardware wallets for self-custody — but never share your seed phrase, even with “support” contacts. The $282 million social engineering loss this quarter came from a hardware wallet recovery scam.
- Verify protocol infrastructure, not just audits. Eighteen audits did not save Resolv because the audits covered smart contracts, not AWS KMS configuration. Ask how a protocol stores its signing keys before depositing significant capital.
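As an added example serving both the SwapNet section and the first item above, not SwapNet's or CleanSky's code, the script below replays ERC-20 Approval event logs to compute a wallet's live allowances, flags the ones that are unlimited, larger than the wallet's balance, or granted to a spender the user does not recognise, and builds the `approve(spender, 0)` calldata that revokes each one. The log entries, addresses and balance are constructed; the Approval event topic and the approve selector are the standard ERC-20 values.

```python
# Added example, not SwapNet's or CleanSky's code: replay ERC-20 Approval event
# logs (the shape eth_getLogs returns, with blockNumber and logIndex already
# decoded to integers) to find a wallet's live allowances, flag the risky ones,
# and build the calldata that revokes them. The log entries, addresses and
# balance below are constructed; the event topic and the approve(address,uint256)
# selector are the standard ERC-20 values.

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"          # keccak256("approve(address,uint256)")[:4]
UINT256_MAX = 2**256 - 1

TOKEN = "0x" + "11" * 20              # constructed token contract
OWNER = "0x" + "aa" * 20              # constructed user wallet
ROUTER = "0x" + "bb" * 20             # spender the user knows and uses
UNKNOWN = "0x" + "cc" * 20            # spender the user no longer remembers


def topic(addr):
    """Indexed address parameters are left-padded to 32 bytes in log topics."""
    return "0x" + addr[2:].rjust(64, "0")


def word(value):
    """One 32-byte ABI word, as it appears in the log's data field."""
    return "0x" + format(value, "064x")


LOGS = [  # constructed
    {"address": TOKEN, "blockNumber": 100, "logIndex": 0,
     "topics": [APPROVAL_TOPIC, topic(OWNER), topic(ROUTER)], "data": word(UINT256_MAX)},
    {"address": TOKEN, "blockNumber": 105, "logIndex": 3,
     "topics": [APPROVAL_TOPIC, topic(OWNER), topic(UNKNOWN)], "data": word(5_000 * 10**6)},
    {"address": TOKEN, "blockNumber": 110, "logIndex": 1,
     "topics": [APPROVAL_TOPIC, topic(OWNER), topic(ROUTER)], "data": word(0)},  # revoked
]
BALANCES = {(TOKEN, OWNER): 1_000 * 10**6}   # constructed: the wallet holds 1,000 tokens


def _addr(t):
    return "0x" + t[-40:].lower()


def latest_allowances(logs):
    """Replay approvals in chain order; the last event per (token, owner, spender) wins."""
    state = {}
    for entry in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        if entry["topics"][0].lower() != APPROVAL_TOPIC:
            continue
        key = (entry["address"].lower(), _addr(entry["topics"][1]), _addr(entry["topics"][2]))
        state[key] = int(entry["data"], 16)
    return state


def audit(logs, balances, trusted_spenders):
    """Return the live allowances a user should look at, with the reason for each."""
    findings = []
    for (token, owner, spender), value in latest_allowances(logs).items():
        if value == 0:
            continue
        reasons = []
        if value == UINT256_MAX:
            reasons.append("unlimited")
        elif value > balances.get((token, owner), 0):
            reasons.append("exceeds-balance")     # spender can take more than you hold today
        if spender not in trusted_spenders:
            reasons.append("untrusted-spender")
        if reasons:
            findings.append({"token": token, "owner": owner, "spender": spender,
                             "allowance": value, "reasons": reasons})
    return findings


def revoke_calldata(spender):
    """ABI-encoded approve(spender, 0): selector, padded address, zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


if __name__ == "__main__":
    for f in audit(LOGS, BALANCES, {ROUTER}):
        print(f["spender"], f["reasons"], "revoke with:", revoke_calldata(f["spender"]))
```

Against the constructed logs the router's unlimited approval was later set to zero and is not reported, while the forgotten spender still holds an allowance five times the balance. The same replay works on real logs from a node, filtered by the Approval topic and the wallet address as the first indexed parameter, and the calldata it produces is what a wallet sends to the token contract to revoke the allowance.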
What should we expect in Q2 2026?
Three trends will define the security landscape through June:
- More vibe coding incidents. In the SusVibes benchmark, 72–83% of the functionally correct code the agents produced failed security checks; code shipped to production from the same workflow without review should be expected to carry a comparable defect rate. The Moonwell exploit was first; it will not be last. Expect increased tooling investment in AI code sandboxing and automated security scanning.
- Regulatory enforcement actions. The GENIUS Act and MiCA implementation create legal frameworks that did not exist in Q1. Protocols that experienced breaches may face formal proceedings if their key management fell below the new standards.
- Insurance and recovery maturation. The rapid compensation portals from IoTeX, Resolv, and Step Finance signal that user restitution is becoming a competitive differentiator. On-chain insurance markets are expanding to fill the gap for protocols without sufficient treasury reserves.
The integration of Real-World Assets (RWA), the expansion of Bitcoin-based DeFi, and growing on-chain insurance markets will provide buffers against the systemic fragility that characterized early 2026. The $137 million lost was a heavy toll, but the resulting innovations in compensation, forensics, and operational security may ultimately strengthen the foundation of the decentralized economy.