Another day, another exploitation. The security crisis in blockchain-based decentralized finance (DeFi), once touted as a challenger to legacy infrastructure, is only getting worse.
The latest victim is Volo Protocol, a platform built on the Sui blockchain where users deposit assets into return-generating “vaults” that act as pooled investments. Deposited tokens such as bitcoin, stablecoins and tokenized assets are deployed using various onchain strategies to generate returns.
Early Wednesday, the protocol confirmed a security breach that drained a total of about $3.5 million in digital assets from three of the boxes. Assets locked in other boxes were not affected, a post on X said.
“The ~$28M in TVL across all other Volo vaults is secure. The exploit was isolated to 3 specific vaults and we have confirmed that no shared attack vector exists with the remaining vaults,” the protocol said, adding that it is “prepared to absorb” the financial loss rather than pass it on to users.
The attack hit vaults of wrapped bitcoin (WBTC), Matridock’s tokenized gold token, XAUm, and the dollar-pegged stablecoin USDC. In response to this, the protocol froze all vaults and began working with the Sui Foundation and onchain investigators to contain the damage and trace funds.
Since the incident, Volo has “frozen” $500,000 in assets through coordination with ecosystem partners, meaning these funds have been immobilized on the chain to prevent any movement or withdrawal. However, the majority of the stolen funds are still under investigation.
Increasing unrest
The breach adds to growing unease across decentralized finance, where a number of exploits have raised questions about smart contract security and protocol monitoring. The timing is particularly sensitive, coming just days after this weekend’s KelpDAO exploit, in which an attacker drained millions by artificially minting unbacked floating restaking tokens, rsETH.
The fallout has rippled across DeFi and triggered security breaches in several protocols, including leading lending platform Aave, where users rushed to withdraw funds due to the increased uncertainty.
To date, decentralized finance has suffered about $7.78 billion in hacks, according to data from DeFiLlama. Bridge protocols — which enable the transfer of assets across blockchains — account for an additional $2.90 billion in losses. Together, the figure exceeds $10 billion, roughly equivalent to the market value of cryptocurrencies ranked between 10th and 15th globally.
Volo says it will release a full autopsy once the investigation is complete and remediation steps are complete.
But for DeFi users and investors, a broader pattern is becoming harder to ignore: While institutional adoption is accelerating, relatively little of this capital appears to be flowing into improving security, and exploits continue to arrive in clusters.
Read more: The $13 billion DeFi wipeout in two days and it started with KelpDAO attack
