by Coinstrooper Crypto Articles
Quick Take
  • 2026 DeFi losses crossed $1 billion in four months, with April alone draining $634 million across 28+ incidents, the worst month on record.
  • Drift ($285M) and KelpDAO ($292M) alone accounted for $577 million of April’s losses, and neither was a code exploit.
  • DefiLlama’s 2026 hack breakdown tells the same thing.
  • The biggest slices are LayerZero bridge exploits (18%), compromised admin keys (16%), spoof tokens (14%), and private key compromises (11%).

What Happened

Drift ($285M) and KelpDAO ($292M) alone accounted for $577 million of April’s losses, and neither was a code exploit.

DefiLlama’s 2026 hack breakdown tells the same thing.

The biggest slices are LayerZero bridge exploits (18%), compromised admin keys (16%), spoof tokens (14%), and private key compromises (11%).

Echo Protocol was not hacked through bad smart contract code. The attacker stole or accessed an admin key.

Monad itself was not hacked. Curvance’s main protocol was not directly hacked either. The failure came from Echo’s admin setup and Curvance trusting newly minted collateral.

Market Context

They could not cash out the full amount because Monad liquidity was thin. So they used 45 fake eBTC as collateral on Curvance.

The attacker escaped with about $816,000 in real value, not $76.7 million.

Basic protections could have reduced or stopped this: multisig admin control, timelocks, mint caps, rate limits, and collateral checks.

Echo got lucky. The attacker only failed to drain more because there was not enough liquidity to cash out the fake tokens.

Why It Matters

On May 18, an attacker broke into the Echo Protocol on Monad and printed 1,000 fake eBTC for themselves. That’s $76.7M on paper.

Details

2026 DeFi losses crossed $1 billion in four months, with April alone draining $634 million across 28+ incidents, the worst month on record.

Combined, operational and key-management failures account for the majority of all stolen value this year. Smart contract bugs like re-entrancy and oracle manipulation barely register.

Echo Protocol just became the latest data point.

The problem is, fake tokens don’t buy you anything unless you can trade them for something real. So they took a small chunk, dropped it into Curvance’s lending app as collateral, and borrowed real Bitcoin against it.

Then bridged that Bitcoin to Ethereum, swapped it for ETH, and ran it through Tornado Cash. Final take: around $816,000.

Everyone’s calling it $76.7 million but the real number is $816,000, and why those two numbers are so far apart is the main story here.

This breakdown covers what happened, how, and what it says about DeFi security right now.

The bottom line: The contract was fine. A stolen admin key and lazy controls did everything else, and that’s how most of 2026’s DeFi losses are happening.

Post Mortem (The Summary)

That admin key controlled minting rights for Echo’s eBTC token on Monad. One private key was enough to create fake Bitcoin-backed tokens.

The attacker minted 1,000 fake eBTC, worth about $76.7 million on paper. But those tokens had no real BTC backing.

Curvance accepted the fake eBTC as normal collateral and let the attacker borrow real WBTC.

Echo later burned the remaining 955 fake eBTC and paused affected functions.

The core lesson: DeFi attackers are now targeting keys, admins, bridges, infrastructure, and team operations more than smart contract bugs.