
Aftermath exploit adds to April’s growing list of DeFi security incidents

The Aftermath exploit is the latest in a string of April incidents, with DeFi protocols facing losses across multiple attack vectors.

Aftermath has confirmed an exploit affecting its perpetuals protocol, marking the latest security incident in a month that has seen widespread losses across DeFi.

The team said the issue stemmed from a flaw that allowed negative builder fees to be set, resulting in losses of around $1.14m. The protocol was paused as a precaution, while unaffected products remain operational.

The incident adds to a broader pattern of exploits throughout April, with both large-scale failures and smaller vulnerabilities impacting multiple protocols.

Major exploits dominate April losses

Two incidents account for the bulk of reported losses this month.

Kelp DAO’s rsETH-related exploit triggered one of the largest disruptions, with an estimated impact of ~$292m. The issue involved the minting of unbacked assets via a bridge-related vulnerability that then spread across integrated protocols.

While funds were not drained in a traditional sense, the event created systemic risk, particularly for lending platforms exposed to the asset.

Another major incident involved Drift Protocol, where an attack tied to collateral manipulation and administrative access led to significant losses. Reports estimate the impact at hundreds of millions, although the attack’s structure differed from a typical exploit.

Together, these incidents account for the majority of April’s reported losses, which exceed $600m based on available tracking data.

Mid-sized exploits continue to surface

Beyond the largest cases, several mid-tier exploits have contributed to the month’s tally.

Rhea Finance suffered losses of around $7.6m following an attack involving fraudulent token contracts and oracle manipulation.

Grinex Exchange reported a ~$13.7m wallet drain, affecting multiple addresses.

GiddyDefi lost approximately $1.3m due to an authorization validation flaw linked to signature replay mechanics.

CoW Swap also experienced a ~$1.2m incident tied to a domain-hijacking attack, highlighting risks beyond smart contract vulnerabilities.

Smaller incidents highlight persistent weaknesses

Several smaller exploits have also been reported across the ecosystem.

Silo Finance, Aethir, and Dango each experienced losses tied to oracle misconfigurations, access control issues, or contract bugs. In some cases, such as Dango, funds were later recovered through white-hat intervention.

More recently, Scallop and Volo Protocol disclosed incidents involving contract logic flaws and private key compromise, respectively. While these cases were smaller in scale, they reinforce the frequency of vulnerabilities across different layers of DeFi.

A fragmented risk landscape

Taken together, April’s incidents reveal a fragmented risk environment rather than a single point of failure.

Exploits have occurred across:

  • smart contract logic
  • key management systems
  • domain infrastructure
  • cross-chain bridges
  • protocol design parameters

This spread suggests that risk in DeFi is not limited to code vulnerabilities but extends to operational security and system architecture.


Final Summary

  • The Aftermath exploit adds to a wave of April incidents, with over $600m in reported losses driven largely by a few major events.
  • A mix of contract bugs, key compromises, and infrastructure risks highlights the multi-layered nature of security challenges in DeFi.

 


Adewale Olarinde

Journalist
