wezebo
Article · April 26, 2026 · 7 min read

DeFi Lost $606 Million in 18 Days. Neither Attack Was a Smart Contract Bug.

Anthropic's Mythos AI is exposing a blind spot DeFi has had for years: the real attack surface was never just the contract. Two brutal April exploits totalling $577 million prove the point in the most expensive way possible.

Wezebo

The DeFi industry built its security culture around a single ritual: audit the smart contract. Find the reentrancy bug, catalogue the integer overflow, patch and redeploy. Done. Ship it.

That ritual has always been incomplete. In April 2026, it started looking catastrophically so.

In 18 days, DeFi protocols lost more than $606 million across at least a dozen incidents. The two attacks that accounted for 95% of the damage had nothing to do with smart contract code. One was social engineering. One was bridge verification logic. Both were entirely outside the perimeter that most DeFi security teams spend their time defending.

And sitting in the background of all of this is Anthropic's Mythos, a model that can autonomously identify and chain vulnerabilities across interconnected systems at a scale the industry has never seen. The question it raises for DeFi is not whether the attack surface is larger than everyone thought. The question is whether the industry is even looking at the right surface.

Two Attacks, Zero Contract Bugs

The Drift Protocol breach on April 1 cost $285 million. TRM Labs traced it to North Korean state-sponsored hackers who spent months socially engineering multisig signers. The actual exploit path was a zero-timelock governance migration combined with pre-signed transactions obtained through that social engineering campaign. No bug in the contract. The contract did exactly what it was told to do, by people who had been manipulated into authorising it.

The Kelp DAO incident on April 18 cost $292 million. An attacker spoofed cross-chain messages through Kelp's LayerZero-powered bridge, releasing 116,500 rsETH. The cascading bad debt hit Aave, Compound, and Euler. The vulnerability was in bridge verification logic, not in any individual protocol's smart contract. It was a systemic failure that propagated across the composability graph exactly as designed.
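The page does not describe how the Kelp messages were spoofed, and the sketch below is not a reconstruction of that incident or of LayerZero's code. It is an added example, written for this edit, of what receiver-side verification of a cross-chain packet has to cover before any tokens are released: the message must arrive through the configured endpoint, the (source chain, sender) pair must be a registered peer, and nonces must be strictly sequential so nothing can be replayed. The vault, endpoint, addresses and the `recipient:amount` payload format are all constructed for illustration; a naive receiver is shown next to the hardened one so the difference is visible on the same forged packet.

```python
"""Receiver-side verification of cross-chain messages: naive vs. hardened (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    src_chain: int      # source chain id as carried in the packet
    src_address: str    # sender contract on the source chain, as the packet claims
    nonce: int          # per-peer sequence number
    payload: bytes      # constructed format "recipient:amount" standing in for ABI data


class RejectedMessage(Exception):
    pass


class Endpoint:
    """Stand-in for the messaging layer that hands packets to receivers."""

    def __init__(self, address: str):
        self.address = address

    def deliver(self, receiver, msg: Message) -> None:
        receiver.receive(caller=self.address, msg=msg)


def parse_release(payload: bytes) -> tuple[str, int]:
    recipient, amount = payload.decode().split(":")
    return recipient, int(amount)


class NaiveVault:
    """VULNERABLE: credits whatever the packet says, from whoever delivers it."""

    def __init__(self):
        self.balances: dict[str, int] = {}

    def receive(self, caller: str, msg: Message) -> None:
        recipient, amount = parse_release(msg.payload)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class VerifiedVault:
    """HARDENED: endpoint-only entry, registered peer per source chain, sequential nonces."""

    def __init__(self, endpoint: str, peers: dict[int, str]):
        self.endpoint = endpoint
        self.peers = peers                                 # src_chain -> trusted sender
        self.next_nonce = {chain: 1 for chain in peers}    # replay / gap protection
        self.balances: dict[str, int] = {}

    def receive(self, caller: str, msg: Message) -> None:
        if caller != self.endpoint:
            raise RejectedMessage("caller is not the configured endpoint")
        if self.peers.get(msg.src_chain) != msg.src_address:
            raise RejectedMessage("sender is not the registered peer for that chain")
        if msg.nonce != self.next_nonce[msg.src_chain]:
            raise RejectedMessage("nonce out of sequence (replay or gap)")
        self.next_nonce[msg.src_chain] += 1
        recipient, amount = parse_release(msg.payload)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def demo() -> dict:
    """Deliver one genuine release, then try three forged or replayed ones."""
    endpoint = Endpoint("0xEndpoint")
    locker = "0xLockerOnChain101"                       # constructed peer address
    genuine = Message(101, locker, 1, b"alice:10")
    forged = Message(101, locker, 1, b"attacker:5000")  # claims the real origin

    naive = NaiveVault()
    endpoint.deliver(naive, genuine)
    naive.receive(caller="0xAttacker", msg=forged)      # direct call with a forged origin

    hardened = VerifiedVault(endpoint="0xEndpoint", peers={101: locker})
    endpoint.deliver(hardened, genuine)
    attempts = {
        "direct_call": lambda: hardened.receive(caller="0xAttacker", msg=forged),
        "replay": lambda: endpoint.deliver(hardened, genuine),
        "wrong_peer": lambda: endpoint.deliver(hardened, Message(101, "0xImpostor", 2, b"attacker:1")),
    }
    results = {"naive_attacker_balance": naive.balances.get("attacker", 0)}
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "accepted"
        except RejectedMessage as err:
            results[label] = f"rejected: {err}"
    results["hardened_attacker_balance"] = hardened.balances.get("attacker", 0)
    results["hardened_alice_balance"] = hardened.balances["alice"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: the caller check comes first because everything else in the packet is attacker-controlled until the endpoint has vouched for it, and the nonce is only advanced after the peer check so a rejected packet cannot burn a sequence number.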

Total 2026 DeFi losses are now approaching $772 million. Ledger's head of security Charles Guillemet has said that 2026 "is very likely to become the year with the most thefts in history." The trajectory supports that view.

What Mythos Is Actually Finding

Anthropic launched Mythos on April 7 under its Project Glasswing initiative, restricted to approximately 40 vetted enterprise and government partners including Amazon, Apple, Microsoft, Nvidia, and JPMorgan Chase. The model has demonstrated the ability to find thousands of zero-day vulnerabilities across operating systems, browsers, and cryptographic libraries. One of those vulnerabilities had existed in OpenBSD for 27 years.

That last detail is worth sitting with. A flaw that survived 27 years of manual review and automated scanning in OpenBSD, found by an AI in a matter of weeks. OpenBSD is not an obscure codebase. It is one of the most security-focused operating systems in existence, maintained by people who take the work seriously.

The DeFi stack sits on top of these layers. Key management systems run on operating systems. Signing services invoke cryptographic libraries. Oracle nodes fetch off-chain data through HTTP clients and TLS stacks. The entire composable architecture that makes DeFi function is built on infrastructure that almost nobody in the DeFi ecosystem audits, because it was never considered in scope.

Paul Vijender, head of security at risk management firm Gauntlet, named it directly: "The bigger risks sit in infrastructure." Key management systems, signing services, oracle networks, cryptographic layers. He added that defending against offensive AI requires an AI-centric approach "where speed and continuous adaptation are essential."

That is a significant shift from "hire a Solidity auditor before mainnet."

The CeFi Problem Hiding in Plain Sight

Uniswap founder Hayden Adams made a pointed observation in the wake of the Drift breach: any protocol with an admin key capable of draining funds is CeFi, not DeFi. The label matters because the security model matters. CeFi is secured by trust in key holders and their operational security. DeFi is supposed to be secured by code.

When a protocol calls itself DeFi but retains a multisig with the power to migrate governance and drain funds, it is carrying CeFi risk while trading on DeFi credibility. The Drift attackers did not need to find a contract bug. They needed to find humans, which is a meaningfully easier problem.
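The Drift path described above, a zero-timelock migration authorised with harvested signatures, is exactly what an off-chain monitor should flag the moment the events land on chain. The Python below is an added example written for this edit, not Drift's or any protocol's code: it replays a constructed stream of timelock events and raises a finding when an operation executes without ever having been scheduled, when the schedule-to-execute gap is below policy, or when a fund-moving or control-transferring function is queued at all (the cue for signers to confirm out of band rather than rely on approvals they may have been talked into earlier). The 48-hour policy, the function names in `SENSITIVE` and the sample events are assumptions.

```python
"""Flag timelock bypasses in a stream of governance events (added example)."""
from dataclasses import dataclass
from typing import Iterable

# Assumed policy: admin operations must sit in the timelock for 48 hours so that
# signers and watchers have a window to notice and cancel a harvested approval.
MIN_DELAY = 48 * 3600

# Functions that move funds or transfer control. Hypothetical names; a real
# deployment lists the protocol's own admin entry points here.
SENSITIVE = {
    "migrateGovernance(address)",
    "setAdmin(address)",
    "withdrawTo(address,uint256)",
}


@dataclass(frozen=True)
class GovEvent:
    time: int       # block timestamp of the event
    kind: str       # "Scheduled", "Executed" or "Cancelled"
    op_id: str      # operation id emitted by the timelock
    function: str   # target function signature decoded from the calldata


@dataclass(frozen=True)
class Finding:
    severity: str
    op_id: str
    detail: str


def audit(events: Iterable[GovEvent], min_delay: int = MIN_DELAY) -> list[Finding]:
    """Replay events in time order and report anything that defeats the timelock."""
    pending: dict[str, GovEvent] = {}
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "Scheduled":
            pending[ev.op_id] = ev
            if ev.function in SENSITIVE:
                findings.append(Finding(
                    "medium", ev.op_id,
                    f"{ev.function} queued; signers should confirm out of band before approving"))
        elif ev.kind == "Cancelled":
            pending.pop(ev.op_id, None)
        elif ev.kind == "Executed":
            sched = pending.pop(ev.op_id, None)
            if sched is None:
                findings.append(Finding(
                    "critical", ev.op_id,
                    f"{ev.function} executed with no prior Scheduled event (zero-timelock path)"))
            elif ev.time - sched.time < min_delay:
                findings.append(Finding(
                    "critical", ev.op_id,
                    f"{ev.function} executed {ev.time - sched.time}s after scheduling; policy is {min_delay}s"))
    return findings


# Constructed sample stream: one normal change, one same-block migration, one direct drain.
SAMPLE_EVENTS = [
    GovEvent(1_000_000, "Scheduled", "op-1", "setFeeBps(uint16)"),
    GovEvent(1_000_000 + 3 * 86_400, "Executed", "op-1", "setFeeBps(uint16)"),
    GovEvent(1_200_000, "Scheduled", "op-2", "migrateGovernance(address)"),
    GovEvent(1_200_012, "Executed", "op-2", "migrateGovernance(address)"),
    GovEvent(1_300_000, "Executed", "op-3", "withdrawTo(address,uint256)"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.op_id}: {f.detail}")
```

Detection is not prevention: a monitor like this only buys anything if the timelock delay is non-zero and someone with a cancel path is paged on the critical findings. With a zero delay the alert fires after the funds have moved, which is the point the Drift numbers make.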

This is not a new observation, but $285 million has a way of making it feel urgent. The broader point is that the DeFi security perimeter is only as strong as its weakest human, its least-audited library, and its most trusted bridge.

The Tooling Gap

Security researchers working in the space are trying to close the gap with AI-assisted auditing, but the tooling spread is stark. AI security firm Cecuro ran a benchmark across 90 historically exploited DeFi contracts and found that a purpose-built security agent detected vulnerabilities in 92% of cases. A general-purpose coding agent running the same underlying model managed 34%. The delta is almost entirely in how the agent is framed, prompted and constrained for the specific problem.

That 58-percentage-point gap represents the distance between a specialised tool and a generic one applied to the same domain. It also suggests that teams deploying off-the-shelf AI code assistants as their security layer are not getting anywhere near the coverage they probably assume they are. The benchmark is retrospective, too: every one of those 90 contracts had already been exploited, so neither figure measures detection of a flaw nobody has seen yet.

The catch is that the same asymmetry applies to attackers. A purpose-built offensive AI targeting DeFi infrastructure is not constrained by the general-purpose limitations that make a coding agent mediocre at finding exploits. The 92% detection rate Cecuro found is reassuring precisely until the attacker's tool is also purpose-built.

The Scope Needs to Expand

The DeFi industry has produced genuinely rigorous smart contract auditing practice over the last several years. Firms like Trail of Bits and OpenZeppelin have raised the baseline. That work matters and should continue.

But the $577 million lost in 18 days to attacks that never touched a contract bug is evidence that the scope of "security" in DeFi needs to expand significantly. The areas that need to be treated as first-class security domains:

  • Key management systems and the operational security around them, not as an afterthought but as a primary attack surface with dedicated threat modelling.
  • Bridge verification logic deserves the same depth of scrutiny as contract code. The Kelp DAO breach demonstrated that composability amplifies bridge failures across the entire ecosystem.
  • Governance design needs to account for social engineering at the protocol level. Zero-timelock migrations and admin keys with unilateral drain capability are threat vectors, not features.
  • Infrastructure dependency mapping. Mythos is surfacing vulnerabilities in the cryptographic libraries and operating systems the DeFi stack runs on. Teams without visibility into those dependencies have no way to assess their exposure when disclosures land.

Mythos is not available to DeFi teams. The Project Glasswing partners are enterprise and government infrastructure operators. But the model's findings will eventually propagate into disclosures, patches, and CVEs that the DeFi stack depends on. The time to map that dependency surface is before those disclosures arrive.
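One concrete form of the dependency mapping argued for above, as an added example rather than anything from the page or from Anthropic: take a CycloneDX-style SBOM for the off-chain stack (a signing service, an oracle relayer and the libraries under them), match component versions against advisory version ranges, and walk the dependency graph so every hit is reported with the path from a deployed service down to the affected library. That path is what turns "libtlsx has an advisory" into "the signing service is exposed through hsm-client". The SBOM, component names, versions and advisory identifiers are all constructed; they are not real software or real CVEs.

```python
"""Match a constructed SBOM against advisory version ranges and report exposure paths (added example)."""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for an off-chain stack. Every name and version here is
# invented for illustration; none is real software.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"bom-ref": "svc-signer", "name": "signing-service", "version": "2.3.0"},
    {"bom-ref": "svc-oracle", "name": "oracle-relayer", "version": "1.8.1"},
    {"bom-ref": "lib-tls",    "name": "libtlsx",        "version": "1.4.2"},
    {"bom-ref": "lib-hsm",    "name": "hsm-client",     "version": "0.9.7"},
    {"bom-ref": "lib-http",   "name": "httpkit",        "version": "3.1.0"}
  ],
  "dependencies": [
    {"ref": "svc-signer", "dependsOn": ["lib-hsm"]},
    {"ref": "svc-oracle", "dependsOn": ["lib-http"]},
    {"ref": "lib-http",   "dependsOn": ["lib-tls"]},
    {"ref": "lib-hsm",    "dependsOn": ["lib-tls"]}
  ]
}
"""

# Constructed advisories: hypothetical identifiers, not real CVEs. "fixed" is the first
# safe version; the affected range is introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "name": "libtlsx", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-0002", "name": "httpkit", "introduced": "2.0.0", "fixed": "3.0.0"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric dotted versions only; pre-release tags are out of scope here."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


@dataclass(frozen=True)
class Exposure:
    advisory: str
    component: str
    version: str
    path: tuple[str, ...]   # deployed service -> ... -> affected component


def find_exposures(sbom_json: str, advisories: list[dict]) -> list[Exposure]:
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d["dependsOn"] for d in sbom.get("dependencies", [])}

    # Roots are components nothing depends on: the services actually deployed.
    depended_on = {child for children in edges.values() for child in children}
    roots = [ref for ref in comps if ref not in depended_on]

    # Which components fall inside an advisory's version range.
    hits: dict[str, list[dict]] = {}
    for ref, comp in comps.items():
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                hits.setdefault(ref, []).append(adv)

    exposures: list[Exposure] = []

    def walk(ref: str, path: list[str]) -> None:
        for adv in hits.get(ref, []):
            exposures.append(Exposure(adv["id"], comps[ref]["name"], comps[ref]["version"], tuple(path)))
        for child in edges.get(ref, []):
            if child not in path:          # guard against cyclic dependency records
                walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return sorted(exposures, key=lambda e: (e.advisory, e.path))


if __name__ == "__main__":
    for e in find_exposures(SBOM_JSON, ADVISORIES):
        print(f"{e.advisory}: {e.component} {e.version} via {' -> '.join(e.path)}")
```

Run against the constructed input, both services come back exposed to ADV-0001 through different paths, while httpkit 3.1.0 is correctly outside the ADV-0002 range. The value is in having the graph in place before an advisory drops; the matching itself is the easy part.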

The audit-the-contract playbook built DeFi. It is not sufficient to secure it.