Cryptonews

DeFi projects lose $6M in fresh string of exploits this week

Source
CryptoNewsTrend
Published
DeFi projects lose $6M in fresh string of exploits this week

A flurry of relatively small-scale hacks continues to wreak havoc on smaller crypto projects, despite flying under the radar when compared to recent mammoth losses.

So far this year, Protos’ hack tracker shows 77 entries, totaling over $1.1 billion in losses.

April was a particularly rough month; the losses across its 33 incidents totalled over $600 million. However, just two incidents, namely the Drift Protocol and rsETH bridge hacks, made up 95% of the month’s losses between them.

While May hasn’t kept up such a devastating pace, an uptick in hacker activity has seen almost $6 million stolen from six projects this week alone.

Monday May 11: Two (smaller) hacks

On the Polygon network, Ink Finance’s Workspace Treasury Proxy contract was exploited for $140,000 on Monday.

According to crypto security firm SlowMist’s analysis, the root cause was the lack of access control in the PayrollDistribution function.

Huma Finance lost $100,000 the same day, also on Polygon. The team’s statement insists that the losses were from (now-paused) “legacy v1 contracts” and that its Solana-based v2 is a “complete rewrite and this issue does not apply.”

Tuesday May 12: Four hacks

On Tuesday evening, $TAC, a “purpose-built blockchain for EVM dApps to access TON,” alerted users to a “security incident affecting the $TAC bridge,” which had been paused.

Third-party reports estimated losses at $3 million worth of USDT, BLUM and other tokens.

The following day, security auditor Peckshield drew attention to a hack of Transit Finance, which also occurred on Tuesday, with $1.9 million of $DAI held by the exploiter.

#PeckShieldAlert @TransitFinance seems to have been hacked for ~$1.88MThe stolen funds are currently sitting in the following address in $DAI: 0x8a634DfA2609358849D7D65FFA270C8A57a8abA5 pic.twitter.com/9RSQkgdfX6

— PeckShieldAlert (@PeckShieldAlert) May 13, 2026

The team issued an announcement, explaining the losses came from “historical vulnerabilities” in a contract deployed on TRON which had been “deprecated since 2022.”

It said users “do not need to take any action” and affected users will be compensated.

The project was previously attacked in October 2022 for over $20 million, though the majority of funds were later returned. According to Decurity, Tuesday’s loss was due to the same vulnerability as in 2022, three and a half years later.

Also on Tuesday, DeFi projects Aurellion and BoostHook were reportedly attacked, losing approximately $455,000 and $200,000, respectively.

Wednesday May 13: One hack, so far…

During the writing of this article, another project was reportedly hacked on the Arbitrum network.

Blockaid flagged the loss of $130,000 from FOX Colony, before highlighting a further $50,000 nabbed by a copycat. The thread notes that other similar contracts are “exposed.”

This latest hack follows today’s news that Code4rena, a long-running audit contest platform, announced it would “wind down.”

Bug bounty platform ImmuneFi stated it will take over Code4rena’s bounty programs going forward.

DeFi projects lose $6M in fresh string of exploits this week