April opened with two of the year's most damaging security incidents, targeting very different layers of the stack but sharing a common thread, in line with last month's Resolv exploit: avoidable single-point-of-failure configurations. Overall, April would have shown slower developments and less action-packed news headlines, if it were not for the unfortunate exploits.
What originally should have remained a poor April fool's joke, quickly became a rude awakening for the Solana ecosystem. Drift protocol, one of the most famous Solana-based perpetual exchanges, was exploited for approximately $285 million. This became by far one of the largest DeFi hacks of the year. The hack has been linked to the Lazarus group, a DPRK national hacker group infamous for many hacks and exploits within crypto. According to the Drift team, this was a socially engineered event that took months to set up. The DPRK associated group pretended as an interested counterparty to deploy across Drift's protocol which originally started as a genuine face to face meeting at a conference. Attackers did not exploit a vulnerability in the code, but rather a human weak link by gaining unauthorized access to Drift’s Security Council. To begin compensating affected users, Drift partnered with Tether to replace all USDC on their platform with USDT, but what made this partnership so positive was Tether providing a recovery package of up to $127.5 million consisting of a $100 million revenue-linked credit facility (similar to the LEO system they set up with Bitfinex back in the day), an ecosystem grant, and market-maker loans. Unfortunately, this exploit deeply affected a lot of Solana-based startups considering they had some involvement with various Drift products, resulting in closure for a handful of smaller early stage projects.
A frustrating part for some was the lack of involvement coming from Circle. While many were expecting the stolen USDC funds to be frozen before they were bridged away from Solana, it was actually Circle itself that remained frozen, and chose not to act. CEO Jeremy Allaire faced the outburst and defended the company's decision on not getting involved, stating that Circle only freezes wallets at the direction of law enforcement or courts. Circle's main goal seems to be avoiding actions based outside of established legal processes which would create potential moral quandary in an effort not to thwart their attempts at establishing themselves as the most regulated and compliant stablecoin issuer.
In response to this, Solana launched STRIDE, a new security initiative led by Asymmetric Research that will independently evaluate projects using its own security framework, with results publicly available. Protocols with more than $10 million TVL that pass evaluation will receive ongoing operations security support and active threat monitoring, funded by the foundation. Alongside this initiative, the foundation launched the Solana Incident Response Network (SIRN), a membership-based network of security firms dedicated to the Solana ecosystem, with founding participants including Asymmetric, OtterSec, and Neodyme.
For what was already a bad month, April brought forth another major incident which was an approximate $290 million exploit of KelpDAO. The exploit was again linked to the Lazarus Group, though this time the hack used LayerZero as an attack vector. The exploit targeted a LayerZero bridge component that KelpDAO had configured themselves with a single-verifier setup; a setup which LayerZero had strongly advocated against, according to the LayerZero team. Attackers compromised two RPC nodes and used a DDoS attack to force a failover system to kick in, which led to the compromised node being able to trick the verifier into approving a fraudulent cross-chain transaction that allowed them to mint large amounts of rsETH. LayerZero stated the vulnerability stemmed from KelpDAO's security choices rather than a protocol-level bug, and announced it would no longer sign messages for any project using a 1-of-1 verifier configuration. This statement was not taken lightly by the public, as the LayerZero was the de-facto protocol which got exploited. Very quickly, this exploit became a game of pointing fingers around whose responsibility it truly had been, wherein the whole situation escalated to even filing lawsuits against each other for false representation of facts.
The aftermath was significant across the ecosystem. Luckily, Arbitrum froze $71 million worth of ETH stolen in the exploit. Aave, who took one of the largest losses and accrued bad debt, led a 'DeFi United’ relief effort that helped raise $300 million to cover losses. This effort had contributions coming from Aave, Sky, LayerZero, and more, ending this DeFi tragedy with a somewhat bittersweet story, luckily showing that there is a sense of community left for these large incidents. It continues to be clear that moving forward, an increasingly stronger emphasis needs to be placed on operational security and ensuring that no shortcuts are taken.
Kraken's parent company Payward agreed to acquire digital asset derivatives platform Bitnomial for up to $550 million in cash and stock, valuing the firm at $20 billion. Bitnomial is the first crypto-native platform to hold all three licenses required to operate a full-stack derivatives business in the US consisting of a designated contract market, a derivatives clearing organization, and a futures commission merchant license. This acquisition dramatically expands Kraken's regulated derivatives infrastructure precisely as the CFTC moves toward providing formal guidance on crypto perpetual futures. Additionally, Coinbase and Bybit confirmed they are working together to explore ways to tokenize, custody, and distribute assets including US public and pre-IPO stock. This follows March's announcements from Nasdaq/Kraken and NYSE/OKX, and reinforces the pattern of major exchanges building tokenized equity infrastructure in parallel. The NYSE additionally tapped Securitize to develop a 24/7 tokenized securities platform, with Securitize enabling creation and management of shares for stocks and ETFs as blockchain-based tokens. Most interestingly, reports emerged that both Kalshi and Polymarket are eyeing a push into perpetual markets, which is one of the most competitive sectors within crypto applications. We are yet to see how they will fare against the biggest decentralized perpetuals trading platform Hyperliquid, and whether they're large enough to already corner a significant part of the market share.
3F announced a $4 million seed fundraise to build on-chain infrastructure that unlocks leveraged exposure to tokenized real-world assets (RWAs). 3F aims to connect RWA issuers with on-chain capital seeking institutional-grade products. Leverage will enable the types of yields that crypto users are accustomed to. To facilitate this, 3F will also onboard liquidators to handle liquidations of leveraged positions. These liquidators will be responsible for pricing the settlement duration risk and the overall counterparty risk. Separately, Gensyn has completed its Token Generation Event (TGE) and launched its $AI token. To accompany the TGE, Gensyn also launched Delphi, an AI-driven iteration of prediction markets, which they term "information markets." Delphi allows for the permissionless launch of prediction markets, powered by AI resolutions. This ultimately benefits AI models by providing a source of absolute certainty they can reference later. Lastly, Maple Finance has strengthened its executive bench with three key senior hires. Natalie Williams joins as Head of Marketing, bringing proven fintech scaling experience from Airwallex and Clearco. Conor O'Hanlon has been appointed General Counsel, adding deep expertise in digital assets from prior roles at NYDIG, Block, and Perkins Coie. Tarek Court takes on Head of Trading, bringing over a decade of experience in derivatives and crypto market cycles since 2012. These strategic appointments will support Maple’s continued expansion in institutional on-chain lending and asset management.
