
2026/6/22 · 10:29
DeFi Week 26: $17.3M in 12 exploits, DPRK post-mortem on Humanity Protocol, Taiko bridge halted
DeFi TVL slipped -0.45% to $73.87B as the Week 25 recovery stalled. Twelve exploits totaled $17.3M — led by Secret Network/Axelar ($4.67M infinite-mint), Taiko Bridge halt ($1.7M forged proof), and two Aztec deprecated-contract drains ($4M combined). The Humanity Protocol rekt.news post-mortem confirmed DPRK attribution. Arbitrum Foundation's $45M vote dropped to 82.2% approval as delegate opposition organized. apxUSD deepened to $0.906; Pendle PT holders took ~$3M loss at June 18 maturity.
DeFi TVL paused at $73.87B in the week ending June 22 — down a fractional -0.45% from last week's $74.21B — while exploit losses accelerated to $17.3M across 12 incidents, the Humanity Protocol post-mortem confirmed DPRK attribution, and two separate Taiko and Secret Network bridge failures reminded traders that bridge security hasn't improved. 1 2
Week 26 quick scan
| Signal | Entity | Direction | Reading |
|---|---|---|---|
| Total DeFi TVL | All DeFi | ▼ | $73.87B, -0.45% WoW |
| Biggest protocol gainer (%) | USDD (Tron) | ▲ | +3.12% → ~$710M 3 |
| Biggest protocol gainer ($) | Aave V3 | ▲ | +$344M → $12.71B 3 |
| Biggest protocol loser (%) | Spark Savings | ▼ | -15.73% → $1.56B 3 |
| Biggest protocol loser ($) | Spark Savings | ▼ | -$246M 3 |
| Chain outperformer | Tron | ▲ | +4.79% → $4.66B 4 |
| Chain underperformer | Solana | ▼ | -6.79% → $4.96B 4 |
| Largest exploit | Secret Network / Axelar | ▼ | $4.67M — IBC infinite-mint 5 |
| Bridge halted today | Taiko Bridge | ▼ | $1.7M — forged proof, chain halted 6 |
| Deprecated-contract theme | Aztec Network | ▼ | Two exploits in one week, $4M combined 7 |
| Post-mortem published | Humanity Protocol | 🔍 | DPRK attribution confirmed, 7 keys on 1 laptop 8 |
| On-chain vote ongoing | Arbitrum Foundation $45M | 🗳️ | 155M ARB For (82.2%), delegate revolt forming 9 |
| Governance active | Lido DAO | 🗳️ | Six proposals, all open June 15–22 |
| Stablecoin depeg deepening | apxUSD | ▼ | $0.906, -9.4% from peg — PT holders took ~$3M loss at June 18 maturity 10 |
| Yield shift | Solana staking | ▼ | SIMD-550 proposes 5.84% → 2.25% over 3 years 11 |
TVL: the pause after the recovery
Two consecutive weeks of recovery from the June 5 macro crash (+2.72% in Week 25) stalled out this week. The $73.87B reading sits -$343M below Week 25 — a rounding error at the aggregate level, but the composition shifted meaningfully. 1
Ethereum grew +1.41% (+$547M) to $39.43B, lifting its share of total DeFi TVL to 53.4%. Tron grew +4.79% (+$213M) to $4.66B, driven by JustLend V1 (+1.70%) and USDD (+3.12%). Base held its L2 lead at $4.29B (+0.67%), now $2.97B ahead of Arbitrum. 4
Solana dropped -6.79% (-$361M) to $4.96B — the only major chain down significantly on the week. Kamino Lend actually held flat (+0.55%), implying the outflows concentrated in Solana meme-coin and smaller DEX pools rather than the core lending market. No single public catalyst explains the drop; the June 16 publication of SIMD-550 (see Yields section) may have contributed to SOL-denominated TVL compression. 4
Hyperliquid L1 appeared in the top-10 chain ranking for the first time at $1.54B, above both Arbitrum ($1.32B) and Polygon. 4
Protocol movers
Aave V3 climbed to $12.71B (+2.75% WoW, +$344M) — its third consecutive week of gains and the largest absolute dollar increase among top-10 protocols. The 21-chain deployment continues to absorb collateral migration from riskier venues. 3
Spark — Sky Protocol's (formerly MakerDAO) lending and savings arm — had an unusual split this week. Spark's three sub-entities moved in opposing directions: SparkLend ($3.53B, +0.36%) and Spark Liquidity Layer ($2.06B, -3.33%) were broadly stable, while Spark Savings collapsed -15.73% (-$246M) to $1.56B. Sky Lending itself fell only -1.29%, suggesting the outflow was internal to the Spark product layer. The trigger for $246M leaving Spark Savings in a single week isn't publicly documented; a plausible but unconfirmed reading is reallocation toward the pending LITE-PSM-USDC-A buffer doubling. 3
Pendle reversed its entire Week 25 recovery, falling -14.33% (-$145M) to $1.01B. The PT-apxUSD market's June 18 maturity ($31.8M TVL) accounts for some of the outflow, but the $145M decline is roughly 4.6× the size of that single market — Pendle's broader PT ecosystem shed capital across multiple pools as apxUSD's deepening depeg (from $0.959 to $0.906) raised counterparty concerns on other structured positions. 3
Ondo Finance added 173 tokenized stocks and ETFs on June 19, expanding its product catalog to 430+ assets across Ethereum, Solana, and Base. Ondo Yield Assets TVL stood at $2.64B (+0.37%), while Ondo Global Markets dipped -2.76% to $1.05B. 3
Top 5 TVL losers (Week 26, minimum $200M TVL):
Exploits: 12 incidents, $17.3M — two themes dominate
The week produced 12 confirmed in-window exploits totaling ~$17.3M. Two structural themes ran through them: IBC/bridge verification failures and attacks on deprecated contracts with funds still locked inside. 2
Secret Network / Axelar — $4.67M, infinite-mint via IBC (June 19)
The week's largest exploit drained $4.67M from the Axelar–Secret Network IBC bridge via an infinite-mint bug in a modified CW20-ICS20 token contract on Secret Network. The attacker launched a Cosmos chain with a single validator and sent IBC packets with fabricated asset denominations. The ICS-20 contract minted "wrapped" saTokens — saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH — without verifying the source channel of incoming packets. 5 12
Axelar's lead developer Common Prefix published a technical analysis: "We analyzed the Secret Network incident. An attacker exploited an infinite-mint bug in a modified CW20-ICS20 token contract on Secret to drain ≈$4.67M. The attacker minted arbitrary Secret-wrapped Axelar assets on Secret by spinning up a new Cosmos chain with 1 validator." 5 The main Axelar protocol and other IBC connections were unaffected. Axelar's emergency committee disabled Secret and Secret-SNIP bridge routes. SCRT briefly surged ~6% before settling at ~$0.058 — a market cap of ~$20M, down 99.5% from its October 2021 peak of $10.64.
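The missing check described above, modelled as an added example (not code from the original article, Secret Network or Axelar): a receive handler that picks the wrapped token from the denomination string alone, next to one that only mints for an allowlisted (channel, denomination) pair. The packet model, channel ids, denoms and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Simplified ICS-20 transfer packet (constructed model, not the wire format)."""
    arrived_on: str  # local channel end the packet came in on; pins the counterparty chain
    denom: str       # asset denomination claimed by the sender
    amount: int
    receiver: str


@dataclass
class Ledger:
    """Balances of wrapped tokens, keyed by (token, holder)."""
    balances: dict = field(default_factory=dict)

    def mint(self, token: str, to: str, amount: int) -> None:
        self.balances[(token, to)] = self.balances.get((token, to), 0) + amount

    def supply(self, token: str) -> int:
        return sum(v for (t, _), v in self.balances.items() if t == token)


# Hypothetical routing data; channel ids and denoms are constructed.
DENOM_TO_WRAPPED = {"uusdc": "saUSDC", "weth-wei": "saWETH"}
TRUSTED_ROUTES = {
    ("channel-axelar", "uusdc"): "saUSDC",
    ("channel-axelar", "weth-wei"): "saWETH",
}


def receive_unchecked(ledger: Ledger, pkt: Packet) -> bool:
    """Flawed pattern: the wrapped token is chosen from the denom string alone."""
    wrapped = DENOM_TO_WRAPPED.get(pkt.denom)
    if wrapped is None:
        return False
    ledger.mint(wrapped, pkt.receiver, pkt.amount)
    return True


def receive_checked(ledger: Ledger, pkt: Packet) -> bool:
    """Hardened pattern: mint only for an allowlisted (channel, denom) pair."""
    wrapped = TRUSTED_ROUTES.get((pkt.arrived_on, pkt.denom))
    if wrapped is None or pkt.amount <= 0:
        return False  # caller returns an error acknowledgement; nothing is minted
    ledger.mint(wrapped, pkt.receiver, pkt.amount)
    return True


def replay(handler, packets):
    """Run a handler over packets; return (accepted flags, saUSDC supply)."""
    ledger = Ledger()
    accepted = [handler(ledger, p) for p in packets]
    return accepted, ledger.supply("saUSDC")


# Constructed traffic: one backed transfer, one packet from an unknown chain.
PACKETS = [
    Packet("channel-axelar", "uusdc", 1_000, "secret1alice"),
    Packet("channel-999", "uusdc", 10**12, "secret1mallory"),
]

if __name__ == "__main__":
    print("unchecked:", replay(receive_unchecked, PACKETS))
    print("checked:  ", replay(receive_checked, PACKETS))
```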
Taiko Bridge — $1.7M, chain halted (June 22)

Today's exploit drained ~$1.7M from Taiko's Ethereum L2 bridge. The flaw: the bridge accepted crafted message proofs on Ethereum L1 even when no corresponding MessageSent event existed on the Taiko source chain. The attacker registered fraudulent bridge messages and withdrew from the ERC20 vault without legitimate backing. 1.99M TAIKO tokens (~$189K) were transferred to MEXC exchange; the remaining ~$1.5M sits in exploiter wallets in ETH. 6 13
The Taiko team's emergency notice stated: "The security assumptions of all bridges deployed on Taiko can no longer be relied upon." Taiko halted all block production and urged users to withdraw from all bridges immediately. South Korean exchanges Upbit and Bithumb suspended TAIKO deposits and withdrawals and placed the token on delisting watchlists. 13 TAIKO was trading at $0.084 at time of writing, down 98% from its 2024 peak.
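The invariant that failed here (every message released on the destination side has a matching MessageSent on the source chain) can be watched independently of the proof verifier. The reconciliation below is an added example, not code from the original article or from Taiko; the record layout, field names, hashes and amounts are constructed, and a real watcher would fill both lists from indexed chain events.

```python
from collections import Counter


def reconcile(source_sent, dest_processed):
    """Compare destination-side releases against source-side MessageSent events.

    Both arguments are lists of dicts with msg_hash, token, amount, recipient
    (constructed field names). Returns (findings, amount at risk per token).
    """
    sent = {e["msg_hash"]: e for e in source_sent}
    seen = Counter()
    findings, at_risk = [], Counter()
    for p in dest_processed:
        h = p["msg_hash"]
        seen[h] += 1
        s = sent.get(h)
        if s is None:
            reason = "no MessageSent on source chain"
        elif any(s[k] != p[k] for k in ("token", "amount", "recipient")):
            reason = "fields differ from source event"
        elif seen[h] > 1:
            reason = "message processed more than once"
        else:
            continue  # backed by exactly one matching source event
        findings.append((h, reason))
        at_risk[p["token"]] += p["amount"]
    return findings, dict(at_risk)


def msg(msg_hash, token, amount, recipient):
    return {"msg_hash": msg_hash, "token": token,
            "amount": amount, "recipient": recipient}


# Constructed sample data: two genuine source events, four destination releases.
SOURCE_SENT = [
    msg("msg-a", "TAIKO", 500, "0xR1"),
    msg("msg-b", "ETH", 3, "0xR2"),
]
DEST_PROCESSED = [
    msg("msg-a", "TAIKO", 500, "0xR1"),        # backed
    msg("msg-b", "ETH", 30, "0xR2"),           # amount altered
    msg("msg-x", "TAIKO", 1_990_000, "0xR9"),  # no source event at all
    msg("msg-a", "TAIKO", 500, "0xR1"),        # replay of a genuine message
]

if __name__ == "__main__":
    for finding in reconcile(SOURCE_SENT, DEST_PROCESSED)[0]:
        print(finding)
```

Any non-empty findings list is a reason to page an operator or trip a pause before further releases are served.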
Aztec Network — two exploits, $4M combined (June 14–17)
Security researcher Blockful.eth summarized the recurring pattern: "In the last days, we had 2 exploits exposing a risk that few remember exists in DeFi: old contracts with millions of dollars sitting idle." 7

Exploit 1 (June 14): Aztec Connect — ~$2.1M. A deprecated ZK-rollup bridge lost 909 ETH, 270,513 DAI, 168 wstETH, and Yearn vault tokens. The attack exploited a mismatch between ZK proof verification (which checks rows in groups of 32) and settlement code (which only processes declared "real" rows). The attacker packed 14 crafted rollup submissions into a single transaction. A follow-up June 15 attack extracted an additional $88K from leftover bridge positions. The contract was deprecated in March 2023, admin keys renounced April 2024. 14
Exploit 2 (June 17): Aztec Private Rollup Bridge — ~$2M. 1,158 ETH, 150K DAI, and 0.5 renBTC were drained via the escapeHatch function, which can be called during brief windows when it's "open." SlowMist founder Yu Xian flagged three suspicious transactions as they executed. BlockSec identified both incidents as "public input binding issues." 7 Aztec Foundation confirmed neither contract has any connection to the AZTEC ERC-20 token or current Aztec network contracts — but that distinction doesn't help the people who left funds in the deprecated contracts.
Researcher Togbe's warning: "don't keep money in old contracts." 7 Three deprecated/immutable contracts were drained across the week (Aztec Bridge, Aztec Connect, Thetanuts Finance $105K on Ethereum June 15). The pattern of targeting abandoned contracts with locked-but-forgotten funds appears to be a systematic attacker strategy in Q2 2026.
RetoSwap — $2.7M, same attack vector twice (June 16)
7,000 XMR (~$2.7M) were stolen from RetoSwap, a Monero-based DEX built on the Haveno protocol — the second breach of the identical ACK frontrun vulnerability in less than 30 days (first attack: May 20). 15 16
Halborn security described the mechanism: "The attacker took advantage of a flaw in how Haveno managed ACK messages within its Tor-based wallet setup process. They created a trade as a taker or maker, granting them legitimate access to one of the three keys within the multisig wallet." 15 By sending a spoofed ACK message impersonating the arbitrator during 2-of-3 multisig wallet creation, the attacker caused the victim's client to register the attacker's address as the legitimate arbitrator — giving them 2 of 3 keys before any victim funds were deposited. RetoSwap suspended trading again on June 17 and banned the attacker's onion addresses. Monero's privacy properties make fund recovery structurally impossible.

Remaining Week 26 incidents
| Protocol | Date | Chain | Loss | Attack vector |
|---|---|---|---|---|
| LABUBU/OLPC | Jun 20 | BSC | ~$1.1M | Deflationary reserve poisoning on PancakeSwap V2 2 |
| Namada Shielded Pools | Jun 19 | Namada | ~$600K | IBC transfer logic exploit, ATOM/USDC/OSMO/TIA/NYM swept from MASP 17 |
| Little Boy Plus | Jun 17 | BSC | ~$367K | Oracle manipulation 2 |
| mySwap CL | Jun 19 | Starknet | ~$300K | CL pool accounting hack (Cairo) 2 |
| DIP Token | Jun 17 | BSC | ~$111K | Missing return in _transfer() — double-transfer via Pancakeswap router 18 |
| Thetanuts Finance | Jun 15 | Ethereum | ~$105K | Low-supply share pricing on deprecated vault 2 |
| JB | Jun 19 | BSC | ~$50K | Flashloan price manipulation 2 |
On the DIP exploit: SlowMist documented that the attacker called skim(router) to trigger double DIP transfers, then sync() to set the DIP reserve to an extremely low value, manipulating the AMM price to drain the USDC pool — no flash loan, oracle trick, or stolen key required. 18 A single missing line of code.
Humanity Protocol post-mortem: DPRK, 7 keys, one laptop
rekt.news published the definitive post-mortem this week on the June 8 Humanity Protocol breach — the $36M attack that was first reported in Week 25. The investigative conclusion, based on Quantstamp's forensic analysis: North Korean state-linked actors (DPRK attribution) executing a targeted spear-phishing campaign against a single endpoint. 8
The attack sequence: On June 5 at 02:00 UTC, director Chong Yee Wai received a spear-phishing email impersonating Korean exchange Bithumb. The attachment — Bithumb_Circulating_Supply_Lockup_Schedule.zip — contained hncagent.exe, a first-stage loader signed with a legitimate South Korean Hancom software certificate. By June 7, the attacker had full remote desktop access to Chong's Windows machine. Neither Sophos nor Windows Defender flagged the intrusion. 8
The attacker then copied the Chrome MetaMask extension with its encryption key, which held 7 production private keys backed up roughly one year earlier during mainnet setup. Those 7 keys gave access to 3 of 6 ETH Safe signers and 3 of 5 BSC Safe signers — enough to reach threshold on both multisigs from a single machine. The ProxyAdmin had no timelock. Three attack vectors followed: a direct hot wallet drain (6,045,060 $H), an ETH bridge drain via ProxyAdmin seizure and malicious upgrade (141,182,632 $H), and a BSC mint (300M+ $H). Total confirmed movement: $36.4M through Uniswap, mapped across 12 exploiter addresses by Arkham. 8
The attacker's on-chain message to researcher Chris Blec (surfaced by banteg) was blunt about the security posture: "i was stressing out about needing to social engineer four different devs across three different timezones. then you drop a revelation that it's actually just one guy with six signer keys in his metamask. thank you king." 8
The BSC ProxyAdmin contract remains under attacker control as of June 22 — recovery was not completed before this issue closed. The recovery portal at humanity-recovery.com (pre-incident holders exchanging legacy H for new H at 1:1.048) closes today. PeckShield assessed the incident as a "staged performance" based on pre-attack on-chain patterns; Cyvers' Dr. Hakan Ünal called the evidence "mixed." Founder Terence Kwok's prior company consumed ~$170M before collapse; he acknowledged that 88% of the protocol's 9M registered Human IDs may have been bots. 8
The operational failure every multisig operator should read: a threshold-signature safe provides zero protection when threshold keys share one machine. The Humanity architecture was a nominal 3-of-6 multisig that was, in practice, a single point of failure.
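A custody audit that measures this gap, as an added example (not code from the original article or from Humanity Protocol): given an inventory of which devices hold key material for which signers, it finds the smallest number of devices whose compromise reaches each Safe's threshold. The signer and device names are constructed, the BSC threshold of 3 is an assumption (the article only says threshold was reached), and the inventory mirrors the 3-of-6 and 3-of-5 exposure described above.

```python
from itertools import combinations


def min_devices_to_threshold(owners, threshold, custody):
    """Smallest set of devices whose compromise exposes >= threshold owner keys.

    custody maps device -> set of signer ids with key material on that device.
    Returns (count, devices), or (None, ()) if the inventory cannot reach it.
    """
    owners = set(owners)
    relevant = {d: keys & owners for d, keys in custody.items() if keys & owners}
    devices = sorted(relevant)
    for k in range(1, len(devices) + 1):
        for combo in combinations(devices, k):
            exposed = set().union(*(relevant[d] for d in combo))
            if len(exposed) >= threshold:
                return k, combo
    return None, ()


def audit(safes, custody):
    """Per Safe: nominal threshold (keys) vs effective threshold (devices)."""
    report = {}
    for name, safe in safes.items():
        k, devices = min_devices_to_threshold(
            safe["owners"], safe["threshold"], custody)
        report[name] = {
            "nominal": safe["threshold"],
            "effective": k,
            "devices": devices,
            # Finding: fewer independent compromises than signatures required.
            "finding": k is not None and k < safe["threshold"],
        }
    return report


# Constructed inventory. Thresholds: ETH 3-of-6 per the article, BSC 3-of-5 assumed.
SAFES = {
    "eth-safe": {"owners": ["e1", "e2", "e3", "e4", "e5", "e6"], "threshold": 3},
    "bsc-safe": {"owners": ["b1", "b2", "b3", "b4", "b5"], "threshold": 3},
}
ONE_LAPTOP = {
    "director-laptop": {"e1", "e2", "e3", "b1", "b2", "b3", "hot-wallet"},
    "hw-e4": {"e4"}, "hw-e5": {"e5"}, "hw-e6": {"e6"},
    "hw-b4": {"b4"}, "hw-b5": {"b5"},
}
# Remediated layout: one hardware device per signer, no shared backups.
SEPARATED = {f"hw-{s}": {s} for safe in SAFES.values() for s in safe["owners"]}

if __name__ == "__main__":
    for label, inv in (("one laptop", ONE_LAPTOP), ("separated", SEPARATED)):
        for name, row in audit(SAFES, inv).items():
            print(label, name, row)
```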
Gnosis Pay update (background): As a point of comparison, Gnosis Pay's June 1 Zodiac Delay Module exploit — which was estimated at ~$265K by Bleap — still has no published post-mortem, four weeks after the incident. Co-founder Martin Köppelmann pledged "Gnosis will cover all user losses," but the attack vector, affected account count, and precise loss figure have not been disclosed publicly. DeFiLlama lists the event at $0 loss, reflecting Gnosis covering losses rather than zero theft. 2
Governance: Arbitrum pressure building, Lido most active in weeks
Arbitrum Foundation $45M budget — delegate revolt forming
The on-chain Tally.xyz vote stood at 155.07M ARB For (82.2%), 8.67M Against, and 24.97M Abstain across 1,166 addresses as of June 22 — a 14-day-old proposal still active. The raw approval rate looks strong, but it has dropped from 99.8% in Week 25, and forum discussion has hardened. 9
The proposal requests $16M in RWA/stablecoins, 1,740 ETH (~$3.5M), and 230M ARB (~$26M) — roughly $45M at current prices — for one year of Foundation operations. Foundation projected 2027 expenses at $27.6M plus 244.9M ARB, with chain operations at 54% of total spend. 19
The delegate objections are substantive. DeFi analyst DefiIgnas calculated the Foundation is "operating at 2.3x DAO revenue" — projected 2027 spend of ~$53M against $23.49M in 2025 DAO gross profit. Delegate crypfuto argued funding should be "milestone-based rather than released entirely upfront," proposing 3–6 month runway releases tied to quarterly reporting. Delegate cp0x questioned a $10.4M G&A line (~$236K per implied employee). 19
The background tension: Arbitrum TVL has declined from ~$21B peak to ~$1.32B (per DeFiLlama), and ARB trades at $0.11, down 95% from its January 2024 all-time high. The Foundation cites 4.7M+ daily transactions (+270% from March 2023) and $8.6B stablecoin supply as the case for continued funding, but the tokenholders bearing the dilution are sitting on 95% losses. 9
Aave DAO — three Snapshot votes, Monad deployment approved
Three Aave DAO Snapshot proposals ran through the June 16–22 window, all with near-unanimous support:
- [ARFC] Deploy Aave Protocol on Monad (created June 17, passed): ~349K AAVE For. Aave will deploy on Monad, a high-throughput EVM-compatible chain. 20
- [ARFC] Concord Equivalence Checker by Certora (created June 18, passed): ~358K AAVE For. Funds formal verification tooling for Aave upgrade safety. 20
- [ARFC] Onboard stcUSD to Aave V3 MegaETH (created June 19, active): ~312K AAVE participating. 20
Lido DAO — six simultaneous proposals
Lido DAO ran its most concentrated governance week in the tracked history of this channel. Six proposals opened June 15 and closed June 22, all with ~57M LDO voting power: LIP-35 (Staking Router v3 Architecture), LIP-33 (CMv2 and CSMv3 Architecture), appointment of Nemo as Director, Wind Down Simple DVT Module Regular Clusters, Revoke Canonical Status of (w)stETH Bridge Endpoints on Selected Chains, and Galaxy Node Operator Infrastructure Update. All six passed with overwhelming support. 20 The breadth of the agenda — covering staking infrastructure, committee membership, bridge endpoints, and node operators in a single sweep — is a signal of coordinated governance activity rather than routine maintenance.
Sky — LITE-PSM-USDC-A buffer doubling
BA Labs, Sky's risk advisor, proposed doubling the LITE-PSM-USDC-A buffer from $400M to $800M on June 11. With USDC reserves at $4.13B — up 108% since the last recalibration in October 2024 — the current 400M buffer is structurally undersized: the heaviest single-day DAI sale on record was 1.75B on May 18, 2026. The 800M proposal would raise daily refresh capacity to 1.6B and single-day serving capacity to 2.4B. Core Facilitator approved inclusion in an Executive Vote on June 12; on-chain execution status could not be independently verified as of this writing. 21 22
THORChain — still suspended five weeks after $10.7M exploit
THORChain trading remains suspended as of June 19 — over a month after the May 15 GG20 threshold signature scheme exploit drained $10.7M from a single vault. Version 3.19 has been deployed with the fix, but restart requires node operator migration and a "key verify" safety step that "will take several days once it begins." ADR028 covers the $10.7M loss from protocol treasury with no new RUNE minting. No official restart announcement has been made. 23
Yields: apxUSD maturity loss, SIMD-550, and a calmer anomaly pool
apxUSD — PT holders took ~$3M loss at June 18 maturity
The PT-apxUSD-18JUN2026 Pendle market matured on June 18 with apxUSD at approximately $0.906 — a 9.4% shortfall from the $1.00 face value. Holders of the ~$31.8M in PT positions received apxUSD worth ~$28.8M, a principal loss of roughly $3M. 10
TID Research confirmed the depeg is structural, not transient: "This is no longer the transient mark-to-market wobble earlier versions of this report told you to ignore; it is a sustained shortfall that has lasted several days." The reserve composition at trough was ~74% STRC preferred shares (Strategy preferred equity), ~13% cash, and ~13% protocol-owned liquidity. No Morpho lending market booked bad debt — the Morpho oracle keys off the redemption rate, not the spot price, so no liquidations were triggered. 10
Apyx launched Version 2.0 on June 16 — two days before the maturity — splitting capitalization into separate Redemption Value and Total Collateral Value metrics to eliminate the first-mover arbitrage inherent in NAV-based redemptions. A new RFQ (Request for Quote) redemption system allows approved counterparties to bid for redemption executions. The protocol committed to posting public updates within 2 hours if apxUSD deviates from NAV by more than 2%. 24 New Pendle apxUSD pools with a November 4, 2026 maturity are now live.
SIMD-550 — proposed path from 5.84% to 2.25% Solana staking yield
SIMD-550, published June 16, proposes doubling Solana's annual disinflation rate from 15% to 30%. The result: the path to Solana's 1.5% terminal inflation rate compresses from 5.7 years to 2.8 years, with nominal staking yields projected to decline from the current ~5.84% to ~4.34% in year 1, ~3.00% in year 2, and ~2.25% by year 3. Total SOL emissions reduction over six years: 18.9M SOL (~$1.51B at current prices). 11
Helius, the proposal's primary advocate, argued that Solana's bootstrapping phase is over: "Inflation was necessary to bootstrap the network. That job is largely over: Solana is an established network with strong institutional, enterprise, and developer segments." Helius also defended the doubling increment as "a clean Schelling point" that avoids "endless bikeshedding" about smaller adjustments. 11 Anza CEO confirmed SIMD-550, SIMD-123, and SIMD-553 will all ship in 2026. Only 2 of 738 active validators would become unprofitable in year 1 under the proposed schedule.
For SOL stakers and liquid staking protocols (mSOL, jitoSOL, bSOL), the immediate practical implication is a predictable yield compression path — the 2.25% terminal is still above Ethereum's ~3.7% real staking yield for now, but the gap narrows materially by 2028–2029.
Yield anomaly landscape — calmer, but base-rate dominated
Across 16,320 pools scanned, 72 anomalies (APY >100% or |7-day APY change| >20 percentage points, TVL >$1M) were identified — down 37% from last week's 114. The more notable shift was compositional: 58% of anomalies were base-rate driven (pure trading fees, zero token rewards) vs. 28% in Week 25, when Aerodrome memecoin incentives dominated the list. 25
Aerodrome (Base) still generated extreme readings — NOCK-USDC at 530,393% APY, CTR-USDC at 267,162%, VELVET-USDC at 172,183% — but none sustained >1,000% for the full week, indicating the emission-driven spikes are cooling in duration. The Curve IDAI-IUSDC-IUSDT pool (Ethereum) settled at 135.66% APY after Week 25's 272% spike, returning to its 30-day mean of 136.82% — the prior spike appears to have been a single large transaction inflating the backward-looking APY window. 25
StablR EURR (Malta, MFSA-regulated euro stablecoin) remains at $0.53 — effectively ~47% below €1.00 parity — with minting and redemption still suspended three weeks after the May 24 multisig exploit. CoinGecko no longer returns price data for EURR. StablR's June 15 update confirmed safeguarded assets remain in segregated accounts and work continues with the MFSA regulator under MiCAR/DORA, but no timeline for resumption was given. 26 27
Cover image: rekt.news — Humanity Protocol post-mortem illustration. 8
References
- 1. DeFiLlama — DeFi Dashboard
- 2. DeFiLlama Hacks Database
- 3. DeFiLlama Protocols API
- 4. DeFiLlama v2/Chains API
- 5. ForkLog: Axelar $4.67M exploit
- 6. The Cryptonomist: Taiko bridge hack
- 7. Protos: Aztec second hack
- 8. rekt.news: Humanity Protocol
- 9. Tally.xyz: Arbitrum Foundation vote
- 10. TID Research: apxUSD risk
- 11. Helius: SIMD-550
- 12. crypto.news: Secret Network bridge
- 13. Cryptopolitan: Taiko users exit
- 14. Cryptopolitan: Aztec two hacks
- 15. Halborn: RetoSwap hack explained
- 16. MEXC: RetoSwap second breach
- 17. Chain.Buzz: Namada MASP
- 18. Bitcoin.com News: DIP token exploit
- 19. The Defiant: Arbitrum Foundation $45M
- 20. Snapshot: Aave DAO proposals
- 21. Sky Governance Forum: PSM proposal
- 22. CryptoRank: Sky PSM $800M
- 23. Cryptopolitan: THORChain suspended
- 24. KuCoin/Odaily: Apyx V2.0
- 25. DeFiLlama Yields API
- 26. StablR: June 15 update
- 27. CoinDesk: StablR freeze



