Volo Protocol loses $3.5 million in exploits days after KelpDAO breach

Another day, another exploit. The security crisis in blockchain-based decentralized finance (DeFi), once touted as a challenge to legacy infrastructure, is only getting worse.

The latest victim is Volo Protocol, a platform built on the Sui blockchain, where users deposit assets into yield-generating “vaults,” which function as pooled investments. Deposited tokens such as bitcoin, stablecoins, and tokenized assets are deployed across various on-chain strategies to generate returns.

Early Wednesday, the protocol confirmed a security breach that drained a total of approximately $3.5 million in digital assets from three of the vaults. Assets locked in other vaults were not affected, it said in a post on X.

“The ~$28 million in TVL in all other Volo vaults is safe. The exploit was isolated to 3 specific vaults, and we have confirmed that there is no shared attack vector with the remaining vaults,” the protocol said, adding that it is “prepared to absorb” the financial loss rather than passing it on to users.

The attack affected vaults containing wrapped bitcoin (WBTC), Matrixdock’s tokenized gold token XAUm, and the dollar-pegged stablecoin USDC. In response, the protocol froze all vaults and began working with the Sui Foundation and on-chain investigators to contain the damage and track the funds.

Since the incident, Volo has “frozen” $500,000 in assets through coordination with ecosystem partners, meaning those funds are locked on-chain to prevent any movement or withdrawals. Still, most of the stolen funds remain under investigation.

Growing unrest

The breach adds to growing unrest in decentralized finance, where a series of exploits has raised questions about the security of smart contracts and protocol oversight. The timing is particularly sensitive, coming just days after the weekend’s KelpDAO exploit, in which an attacker is said to have drained millions by artificially minting unbacked liquid tokens, rsETH.

The fallout has spread throughout DeFi, causing collateral damage to multiple protocols, including leading lending platform Aave, where users rushed to withdraw funds due to increased uncertainty.

To date, decentralized finance has suffered approximately $7.78 billion in attacks, according to data from DeFiLlama. Bridging protocols, which allow the transfer of assets across blockchains, account for another $2.9 billion in losses. Together, the figure exceeds $10 billion, roughly equivalent to the market capitalization of the 10th and 15th-ranked cryptocurrencies globally.

Volo says it will release a full post-mortem once its investigation is complete and remediation steps are finalized.

But for DeFi users and investors, it’s increasingly difficult to ignore a broader pattern: While institutional adoption is accelerating, relatively little of that capital appears to be flowing toward improving security, and exploits continue to arrive in clusters.
