Another week, another DeFi exploit. Volo Protocol, a liquid staking platform built on the Sui blockchain, announced Tuesday that it suffered an attack draining roughly $3.5 million from three of its asset vaults.
The team moved quickly to freeze affected accounts, recovered a portion of the stolen funds within minutes of the announcement, and committed to absorbing the loss rather than passing it to users, a pledge that will be tested in the weeks ahead.
The incident lands at an already bruising moment for the broader DeFi sector, which has absorbed hundreds of millions in losses over the past three weeks across multiple protocols and chains.
Here’s what happened
According to Volo’s statement, the exploit targeted three specific vaults holding WBTC (wrapped Bitcoin), XAUm (a tokenized gold asset), and USDC (a dollar-pegged stablecoin).
The team said it detected the attack, immediately notified the Sui Foundation and ecosystem partners, and froze the affected vaults to prevent additional outflows.
In a notable response time, Volo said that within 30 minutes of its initial announcement, it had successfully frozen $500,000 of the exploited assets. While that still leaves roughly $3 million unrecovered at the time of writing, the speed of the freeze suggests the team had systems in place to react once the attack was identified.
All Volo vaults are currently frozen pending a full post-mortem, a detailed technical review of what went wrong and how it happened. The protocol has not yet disclosed the vulnerability that made the attack possible, which is standard practice until an investigation is complete and the fix has been applied.
Volo also confirmed that the exploit was isolated: the remaining vaults do not share the same weakness, and the approximately $28 million in total value locked (TVL), the total amount of user assets deposited in the protocol, across those other vaults is secure.
“We want to be clear: Volo is prepared to absorb this loss. We will do our best not to pass this to our users,” the team wrote in its public statement. It also acknowledged the longer-term challenge of repairing trust: “We understand that trust is earned, and right now, we are focused entirely on actions.”
Plenty of protocols have made similar pledges after exploits and failed to follow through. The question is whether Volo has the treasury depth to actually make affected users whole once the post-mortem is complete and a remediation plan is put together.
That plan, the team said, will be shared publicly in full once the immediate damage control phase is over.
A difficult week for DeFi security
The Volo exploit doesn’t sit in isolation. It comes days after one of the largest DeFi incidents of the year, the $292 million drain of Kelp DAO’s cross-chain bridge on April 18.
Kelp DAO is a liquid restaking protocol that lets users deposit ether, routes it through a yield-generating system called EigenLayer, and issues a receipt token called rsETH in return.
That rsETH token was moved between blockchains using LayerZero’s cross-chain messaging infrastructure, technology that acts as a communications layer between otherwise disconnected blockchain networks.
Attackers drained 116,500 rsETH worth approximately $292 million from the Kelp DAO bridge, with LayerZero publishing a post-mortem attributing the attack with preliminary confidence to North Korea’s Lazarus Group, specifically its TraderTraitor subunit.
The attack worked by compromising the servers LayerZero’s verifier relied on, then flooding backup servers with junk traffic to force the system onto the compromised nodes, which then approved a fraudulent cross-chain transaction.
LayerZero blamed the exploit on Kelp’s decision to run a single-verifier configuration rather than a multi-verifier setup, saying it had communicated best practices around diversification to Kelp previously.
Kelp, for its part, has disputed that framing, arguing the compromised infrastructure was LayerZero’s own and not a configuration choice Kelp made against guidance. The two sides appear headed toward a prolonged public disagreement over who bears responsibility.
The exploit triggered a broader panic, with more than $10 billion flowing out of lending protocol Aave as users grew concerned about potential bad debt after the attacker used stolen rsETH as collateral to borrow large amounts of WETH.
The Kelp incident itself came on the heels of the $285 million Drift Protocol exploit on April 1, also attributed to North Korean state-linked operatives, making for a grim stretch. Across just over two weeks, more than $600 million has left DeFi across over ten protocols, in what appears to be a coordinated campaign.