DeFi is having an April it would rather forget. More than $606 million has left the sector through hacks and exploits in less than three weeks, making this the worst single month for crypto theft since the Bybit breach in February 2025. What’s made it particularly unsettling is where the vulnerabilities are coming from.
The biggest losses this month had little to do with buggy code. They came from compromised personnel, misconfigured infrastructure and cross-chain systems that turned out to be far more fragile than anyone had stress-tested.
Flying Tulip, the full-stack DeFi platform that Andre Cronje has been building since mid-2025, responded this week by deploying a new safety mechanism: a withdrawal circuit breaker that can slow or queue outflows when activity looks suspicious. The idea is to create a reaction window, with time to investigate and potentially intervene, before an attacker can empty a protocol entirely.
What a circuit breaker actually does
The concept originated in traditional stock markets, introduced after the 1987 crash as a way to halt trading automatically when prices moved too far in either direction. The pause was about interrupting a feedback loop long enough for calmer heads to assess the situation. DeFi has needed something similar for years.
Flying Tulip’s implementation monitors how quickly funds are leaving the protocol. When that rate crosses a defined threshold, indicating potential abnormal activity, the mechanism kicks in and slows or holds withdrawals instead of processing them instantly. It’s like a speed bump with a purpose: create enough delay that a team can look at what’s happening before the damage becomes irreversible.
The mechanism works differently depending on the product. For Flying Tulip’s Perpetual PUT product, a triggered circuit breaker means withdrawals revert: users get an error and have to try again once the situation clears.
For ftUSD, the platform’s native stablecoin, the approach is gentler: withdrawals enter a queue and become claimable after a waiting period instead of being blocked outright. Flying Tulip said users can monitor the feature through a dedicated status page.
Worth noting is how the mechanism handles its own failure. Flying Tulip built it to be “fail-open,” meaning if the circuit breaker itself runs into a problem, withdrawals continue as normal rather than getting stuck.
A system that accidentally locks users out during a malfunction would create a different kind of emergency, so the team chose to err on the side of access over restriction in that edge case.
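A small simulation of the behaviour described above, added here as an illustration rather than Flying Tulip’s own code: a sliding-window outflow monitor, a breaker that either reverts or queues withdrawals once the rate crosses a threshold, and a fail-open path when the monitor itself malfunctions. The window length, threshold, queue delay and all class and method names are assumptions.

```python
from collections import deque

class OutflowMonitor:
    """Tracks total withdrawals inside a sliding time window (constructed example)."""
    def __init__(self, window_secs):
        self.window = window_secs
        self.events = deque()  # (timestamp, amount), oldest first

    def record(self, now, amount):
        self.events.append((now, amount))

    def outflow(self, now):
        # Discard withdrawals that have aged out of the window.
        while self.events and self.events[0][0] <= now - self.window:
            self.events.popleft()
        return sum(amount for _, amount in self.events)

class BrokenMonitor(OutflowMonitor):
    """Stands in for a malfunctioning breaker component, to exercise fail-open."""
    def outflow(self, now):
        raise RuntimeError("monitor unavailable")

class WithdrawalCircuitBreaker:
    """mode="revert" rejects withdrawals while tripped (the Perpetual PUT style);
    mode="queue" delays them and makes them claimable later (the ftUSD style)."""
    def __init__(self, monitor, max_outflow, mode="revert", queue_delay=0):
        self.monitor, self.limit = monitor, max_outflow
        self.mode, self.delay = mode, queue_delay
        self.queued = []  # (claimable_at, user, amount)

    def withdraw(self, now, user, amount):
        try:
            tripped = self.monitor.outflow(now) + amount > self.limit
            if not tripped:
                self.monitor.record(now, amount)
        except Exception:
            tripped = False  # fail-open: a broken breaker must not lock users out
        if not tripped:
            return ("paid", amount)
        if self.mode == "revert":
            return ("reverted", "circuit breaker active, retry once it clears")
        claimable_at = now + self.delay
        self.queued.append((claimable_at, user, amount))
        return ("queued", claimable_at)

    def claim(self, now, user):
        # Pay out every queued withdrawal for this user whose wait has elapsed.
        ready = [q for q in self.queued if q[1] == user and q[0] <= now]
        self.queued = [q for q in self.queued if q not in ready]
        return sum(amount for _, _, amount in ready)
```

Queued amounts are not counted as outflow until they are claimed, so in queue mode the breaker keeps evaluating new requests against funds that have actually left.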
The month that made this necessary
April’s losses have followed a pattern that security researchers have been flagging for months: the attack surface in DeFi has quietly shifted away from smart contracts and toward the layers surrounding them: the signers, the bridges and the governance infrastructure that protocols depend on but often treat as an afterthought.
Drift Protocol lost roughly $285 million on April 1 in about 12 minutes, with most stolen funds moved to Ethereum within hours. The attacker didn’t find a flaw in Drift’s code. They spent months getting close enough to the right people to manipulate them into authorizing transactions they didn’t fully understand.
By the time the protocol’s defenses could respond, the money was already gone. Onchain staging for the attack began nearly three weeks before the exploit itself, making it one of the more methodical attacks DeFi has seen.
Then on April 18, Kelp DAO lost $292 million through its LayerZero-based bridge. Attackers compromised the verification layer used to authenticate cross-chain transactions, forging messages that appeared legitimate onchain and allowing them to mint roughly 116,500 rsETH tokens without any real backing.
Those tokens were then used as collateral on Aave to borrow real assets. Kelp’s emergency pause came 46 minutes after the drain had already completed, enough time for the damage to be done and the contagion to start spreading to Aave, SparkLend and Fluid.
What ties both incidents together is that the exploits succeeded because the systems around the code (the humans, the verification networks, the governance processes) had gaps that sophisticated attackers had learned to exploit.
Industry researchers tracking the pattern note that operational weaknesses have become the primary entry point for large-scale DeFi theft, a shift that changes what “being secure” actually means for a protocol.
That’s the environment Flying Tulip is operating in. Cronje’s platform has attracted institutional backing from firms including Amber Group, Fasanara Digital, CoinFund, FalconX and Susquehanna Crypto, and carries a $1 billion fully diluted valuation. Projects at that level of visibility tend to become targets.
Adding a mechanism that limits how quickly funds can leave, even if it can’t prevent an attack from starting, is a meaningful layer of protection in a threat environment where speed is often the attacker’s most important advantage.
Ledger’s chief technology officer said publicly that 2026 will “most likely be the worst year in terms of hacks.” If that prediction holds, the protocols that have built-in friction against fast, large-scale outflows may end up in a considerably better position than those that haven’t.