Valid Signatures Are Not Enough

April was one of the worst months crypto has seen for security losses. PeckShield reported 40 major hacks totaling about $647M in losses, the largest being Drift Protocol and KelpDAO.

If we had to sum up what happened in one sentence: Valid signatures are not enough. A transaction can be signed by the right key, routed through the right contract, or approved by the right governance module, and still be the wrong transaction. That is the gap attackers exploited across governance compromise, cross-chain verification failures, oracle or routing manipulation, and privileged-key theft.

Governance compromise: Drift Protocol

On April 1, 2026, Drift Protocol, a Solana-based DeFi derivatives platform, suffered one of the largest crypto attacks of the year. Chainalysis reported that the attacker gained admin control and drained an estimated $285M from vaults, wiping out more than half of the protocol’s TVL.

Several analyses describe it as a control-plane compromise: attackers obtained the ability to execute privileged, governance-level transactions that looked valid on-chain. CM Alliance describes the attack as a governance failure involving Security Council-level permissions and pre-approved transactions, rather than a direct smart-contract vulnerability.

Halborn’s report says that Drift lost about $285M within 12 minutes, making the speed of execution part of the attack’s impact: once the attacker had the right authority, onchain monitoring had little time to stop the drain.

Takeaway

Governance authorization is not enough. Protocols need execution authorization: a signer may be valid, but the requested transaction still needs to be checked against an onchain policy that says whether this specific action is allowed. Governance and multisig systems need transaction-policy controls, signer isolation, timelocks for high-risk actions, pre-execution simulation, and independent monitoring of emergency powers.

Cross-chain verification failure: KelpDAO

On April 18, 2026, KelpDAO was hit by a major cross-chain exploit. Chainalysis reported that attackers linked to North Korea’s Lazarus Group stole about $292M, or 116,500 rsETH, from KelpDAO’s LayerZero bridge setup. KelpDAO posted that it had identified suspicious cross-chain rsETH activity, paused rsETH contracts across mainnet and several L2s, and was working with LayerZero, Unichain, auditors, and security experts.

The attack was due to a compromise of off-chain infrastructure and a single-point verification setup: attackers allegedly compromised internal RPC nodes, DDoS’d external nodes, and fed false data to a 1-of-1 DVN configuration so that a fake source-chain event appeared valid to the destination contract. Halborn similarly attributed the root cause to KelpDAO’s 1-of-1 verifier configuration, where only a single node needed to validate cross-chain messages before funds could be released.

Takeaway

Cross-chain systems need multiple independent verifiers, source-chain and destination-chain invariant checks, watcher diversity, DDoS-resilient RPC infrastructure, and circuit breakers when bridged supply changes abruptly.

Cross-chain proof-verification bug: Hyperbridge

Hyperbridge’s April incident was smaller in dollar terms, but the attack was technically important. On April 13, 2026, Rekt reported that a missing bounds check in Hyperbridge’s Merkle Mountain Range proof verifier allowed forged proofs to pass. Coindesk reported the incident as an attacker minting a huge quantity of bridged DOT on Ethereum, though only a much smaller amount was successfully extracted before containment. The loss was later revised from an initial lower figure to about $2.5M.

A Polkadot forum described the exploit as a forged MMR proof issue in Hyperbridge’s Token Gateway, with challengePeriod set to zero, and confirmed realized losses across Ethereum, Arbitrum, Base, and BNB Chain.

Takeaway

Proof verifiers are consensus-adjacent infrastructure. They need adversarial audits, formal verification where possible, non-zero challenge windows, rate limits, and emergency pauses tied to abnormal mint events. Proof systems need defense in depth. A proof may pass, but the action it authorizes should still be bounded by onchain policy.

Oracle, route, and slippage manipulation: Rhea Finance

Rhea Finance, a NEAR-based DeFi hub, was exploited in mid-April. Halborn reported a $7.6M loss via oracle manipulation. Rhea posted that about $18.4M were drained in an attack that exploited a weakness in a slippage protection mechanism, but the attacker later returned about 3.359M USDC and 1.564M NEAR to the lending contract, while 4.34M USDT was frozen.

The general attack pattern was price-path manipulation. Attackers created fake token contracts and liquidity pools, then used the protocol’s routing or margin logic to misprice assets and drain assets from the protocol’s reserve pool.

Takeaway

Protocols should not trust arbitrary routes, pools, or tokens. Onchain systems need strict token allowlists, route validation, TWAP or multi-source pricing, slippage bounds that cannot be bypassed through synthetic pools, and invariant checks before debt or collateral state changes.

The transaction may be syntactically valid, but if it touches uncataloged contracts or produces impossible pricing behavior, it should not execute.

Privileged key compromise: Volo Protocol

Volo Protocol, on Sui, reported a vault-related exploit on April 21, 2026. About $3.5M was drained from three vaults holding WBTC, XAUm, and USDC. GoPlus Security and ExVul Security attributed the incident to a compromised privileged operator key rather than a flaw in audited smart contracts. The team froze vaults, blocked an attempted bridge of 19.6 WBTC, and said other vaults representing about $28M TVL were not affected by the same attack path.

Takeaway

Private-key compromise should not equal protocol compromise. Keys should authorize roles, while onchain policy authorize actions. Use withdrawal rate limits, per-vault permissions, and mandatory delay for high-risk admin actions.

Infrastructure compromise: Wasabi Protocol

Wasabi Protocol was exploited on April 30, 2026, with losses reported between about $4.5M and $5.7M across Ethereum, Base, Berachain, and Blast. Coindesk described the incident as an apparent admin-key compromise involving a compromised deployer key with no timelock.

Wasabi’s security update attributed the compromise to a Spring Boot Actuator configuration vulnerability in AWS infrastructure that exposed or enabled theft of private keys controlling EVM smart contracts; the reported impact was about $4.8M in user funds plus $900K from the protocol treasury.

PeckShield flagged the attack as a multi-chain exploit, and CertiK estimated losses at around $5.5M.

Takeaway

Cloud misconfiguration is crypto risk. Smart-contract security programs need cloud attack-surface management, secrets scanning, locked-down actuator/debug endpoints, HSM or MPC signing, timelocks, and separation between deployer, admin, and treasury keys.

Wasabi illustrates why infrastructure security and onchain execution controls need to work together. Cloud hardening protects the key; policy enforcement protects the protocol when the key fails.

April’s largest crypto attacks shared a theme: attackers increasingly targeted control points, not just code. Drift showed that governance and emergency powers can be weaponized. KelpDAO and Hyperbridge showed that cross-chain verification remains fragile. Wasabi and Volo showed that one compromised key can bypass an otherwise audited contract. Rhea showed that complex routing and margin logic still creates exploitable pricing assumptions.

For builders, the practical lesson is clear: code audits are necessary, but not enough. Protocols need operational security, signer security, cross-chain monitoring, incident drills, and on-chain controls that assume humans, keys, RPC nodes, and cloud infrastructure can fail.

Disclaimer: OKcontract Labs is working on a solution that simplifies considerably how teams enforce opsec.

Valid Signatures Are Not Enough was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.