Another day, another feat. The security crisis of blockchain-based decentralized finance (DeFi), once touted as a challenger to existing infrastructure, is only getting worse.
The latest victim is Volo Protocol, a platform built on the Sui blockchain, where users deposit assets into yield-generating “vaults,” which function like pooled investments. Deposited tokens such as bitcoin, stablecoins, and tokenized assets are deployed using various on-chain strategies to generate returns.
Early Wednesday, the protocol confirmed a security breach that drained a total of approximately $3.5 million in digital assets from three of the vaults. Assets locked in other vaults were not affected, it said in an article on X.
“The ~$28M TVL in all other Volo vaults is safe. The exploit has been isolated to 3 specific vaults, and we have confirmed that there are no shared attack vectors with the remaining vaults,” the protocol states, adding that it is “prepared to absorb” the financial loss rather than passing it on to users.
The attack hit vaults containing wrapped bitcoin (WBTC), Matridock’s tokenized gold token XAUm, and the dollar-pegged stablecoin USDC. In response, Protocol froze all vaults and began working with the Sui Foundation and Onchain investigators to contain the damage and trace the funds.
Since the incident, Volo has “frozen” $500,000 in assets through coordination with ecosystem partners, meaning these funds have been locked on-chain to prevent any movement or withdrawal. Yet the majority of stolen funds are still under investigation.
A growing unease
The breach adds to growing unease within decentralized finance, where a series of exploits have raised questions about smart contract security and protocol oversight. The timing is particularly sensitive, coming just days after the weekend’s KelpDAO exploit, in which an attacker drained millions of dollars by artificially minting uncollateralized liquid refresh tokens, rsETH.
The consequences reverberated across DeFi, causing collateral damage across multiple protocols, including leading lending platform Aave, where users rushed to withdraw funds due to increased uncertainty.
To date, decentralized finance has suffered approximately $7.78 billion in hacks, according to data from DeFiLlama. Bridging protocols – which enable the transfer of assets between blockchains – account for another $2.90 billion in losses. In total, this figure exceeds $10 billion, which is roughly equivalent to the market capitalization of cryptocurrencies ranked between 10th and 15th in the world.
Volo says it will release a full autopsy once its investigation is complete and corrective actions are finalized.
But for DeFi users and investors, a larger pattern is becoming increasingly difficult to ignore: As institutional adoption accelerates, relatively little of that capital appears to be devoted to improving security, with exploits continuing to arrive in clusters.
Read more: DeFi wiped out $13 billion in two days, and it started with the KelpDAO attack
