Another day, another exploit. The security crisis in blockchain-based decentralized finance (DeFi), once touted as a challenger to legacy infrastructure, is only getting worse.
The latest victim is Volo Protocol, a platform built on the Sui blockchain, where users deposit assets into yield-generating “vaults,” which function as pooled investments. Deposited tokens such as bitcoin, stablecoins and tokenized assets are deployed using various onchain strategies to generate returns.
Early Wednesday, the protocol confirmed a security breach that drained a total of roughly $3.5 million in digital assets from three of the vaults. Assets locked in other vaults were not affected, it said in a post on X.
“The ~$28M in TVL across all other Volo vaults is safe. The exploit was isolated to 3 specific vaults, and we have confirmed no shared attack vector exists with the remaining vaults,” the protocol said, adding that it is “prepared to absorb” the financial loss rather than pass it on to users.
The attack hit vaults holding wrapped bitcoin (WBTC), Matridock’s tokenized gold token, XAUm, and the dollar-pegged stablecoin USDC. In response, the protocol froze all vaults and began working with the Sui Foundation and onchain investigators to contain the damage and trace funds.
Since the incident, Volo has “frozen” $500,000 in assets through coordination with ecosystem partners, meaning those funds have been immobilized onchain to prevent any movement or withdrawal. Still, the majority of the stolen funds remain under investigation.
Growing unease
The breach adds to growing unease across decentralized finance, where a string of exploits has raised questions about smart contract security and protocol oversight. The timing is particularly sensitive, coming just days after the weekend’s KelpDAO exploit, in which an attacker drained millions by artificially minting unbacked liquid restaking tokens, rsETH.
The aftermath has rippled across the DeFi, triggering collateral damage in multiple protocols, including leading lending platform Aave, where users rushed to withdraw funds because of the heightened uncertainty.
To date, decentralized finance has suffered roughly $7.78 billion in hacks, according to data from DeFiLlama. Bridge protocols — which enable the transfer of assets across blockchains — account for another $2.90 billion in losses. Combined, the figure exceeds $10 billion, roughly equivalent to the market capitalization of cryptocurrencies ranked between 10th and 15th globally.
Volo says it will publish a full post-mortem once its investigation is complete and remediation steps are finalized.
But for DeFi users and investors, a broader pattern is becoming harder to ignore: while institutional adoption is accelerating, relatively little of that capital appears to be flowing into improving security, with exploits continuing to arrive in clusters.
Read more: The $13 billion DeFi wipeout in two days, and it started with KelpDAO attack