← Writing

The month DeFi got robbed

April 1st, Drift Protocol: $285 million gone. Not a contract bug. Not a zero-day in Solana’s runtime. Someone social-engineered their way to the keys and walked out the door. Three weeks later, the KelpDAO bridge: another $292 million, Lazarus group, same basic story. Compromised credentials, not clever math. We’re not done with the month yet.

When the final tally lands, April 2026 is going to be the worst month for DeFi exploits in the history of the category. North of $600 million, thirty-odd incidents, and the dominant cause isn’t a vulnerability in any protocol’s logic. It’s people getting phished and keys getting stolen.

That number, roughly 72% of 2026’s losses coming from stolen keys and credentials rather than contract exploits, has been sitting in various security reports since Q1, mostly ignored because it’s not a compelling story. There’s no elegant writeup for “someone clicked a link.” The blockchain security discourse runs on post-mortems with reentrancy diagrams and detailed exploit walkthroughs. “An employee got a fake job offer from a North Korean front and handed over their hardware wallet seed” doesn’t get the same traction, even when it accounts for most of the money.

the attack surface nobody wants to talk about

The DeFi security orthodoxy for the last four years has been: audit the contracts, use formal verification where you can, write fuzz tests, do a bug bounty. All of that is correct and all of it addresses a minority of actual losses. It addresses the part that’s intellectually interesting. The part that keeps paying out for attackers is operational: who has access to what keys, how did they get them, what can a single compromised credential do.

Multisig helps. Time-locks help. Neither one matters much when the social engineering is good enough to get a real signer to approve a malicious transaction. The Drift incident in particular, if the reporting holds, was meticulous. Weeks of groundwork, fake personas, patience. The Lazarus playbook at this point is known and documented and still working because the defense requires a level of operational security that is genuinely hard to maintain across a team.

This isn’t a new problem. It’s the same problem that’s been extracting money from exchanges, bridges, and protocols for years. What’s changed is scale: the targets are bigger, the attackers are better-resourced, and the hype cycle has handed them a convenient cover story.

agents with wallets

The current pitch, and I’ve been adjacent to it for a while so I’m not throwing stones from outside, is that the near future runs on autonomous agents holding wallets, trading around the clock, paying for services on-chain, executing strategies while the human sleeps. The demo version of this is compelling. Wire a model to a wallet, set some parameters, let it run.

The problem is that an agent holding keys around the clock is not a smaller attack surface. It’s a bigger one.

A human who controls a significant wallet has some natural limits: they sleep, they’re suspicious of unsolicited contact, they can recognize when something feels off. An agent doesn’t get suspicious. It executes. If someone injects instructions into the context, through a poisoned data source, a compromised API, a message that looks like a system prompt, the agent will follow them with the same confidence it follows the legitimate ones. I wrote about the prompt injection problem back in June and it’s only gotten more relevant. The attack surface that safety-is-a-layer was describing has grown with the wallets attached to it.

The “agents with wallets” demos are mostly fine because they’re demos. Small amounts, close supervision, reset after the stream. A production agent managing real treasury positions at 3am with nobody watching is a different thing. The failure mode isn’t the model doing something dumb. It’s the model doing exactly what it was told to do by someone who shouldn’t have been doing the telling.

what this argues for

The OpenSAM bet, and this is the explicit bet, not just the aesthetics, was that lean beats complex. A Rust agent that runs on a cheap VPS, holds the minimum state it needs, takes minimal custody of the minimum assets required for a specific job, and surfaces anything non-routine to a human for approval. It is not a general-purpose autonomous treasury manager. That was the point.

The pitch for minimal-trust design isn’t that you’re scared of the technology. It’s that you’ve looked at where the money actually goes and drawn the obvious conclusion. Big custodial surface, always-on, managed by rotating teams with varying OPSEC: this is what keeps losing. The solution isn’t a better audit. It’s less to steal and less that can be stolen without a human in the loop.

The irony is that the same bear market that’s making everyone miserable is the environment where this becomes obvious. Bull market: nobody cares, the losses are priced in as the cost of onchain life. Bear market with $600M gone in a month: the architecture question gets harder to ignore.

I don’t think most of the “agents with wallets” products being built right now have thought seriously about this. The demos are good. The operational design is an afterthought. April is going to be a good month for the people who build the afterthought.

The Drift team presumably knew they were a target. Probably had procedures. Still lost $285 million on April Fools’ Day to a phishing operation. The math on leaving fewer keys in fewer places has never been more legible.