Volo Protocol, a liquid staking platform on the Sui blockchain, was exploited for roughly $3.5 million on April 21, with the team since intercepting a hacker attempt to bridge 19.6 WBTC out of reach, according to disclosures on X.
The attack hit three isolated vaults holding Wrapped Bitcoin, the gold-pegged token XAUm, and USDC, while the remaining $28 million in total value locked [TVL refers to the total assets deposited in a protocol's smart contracts] across Volo's other vaults was unaffected. The team has pledged to absorb the loss rather than pass it on to users — a costly commitment that signals a shift among smaller DeFi protocols toward treating reimbursement as a baseline reputational requirement rather than a discretionary gesture.
WBTC was trading at roughly $77,763 at the time of writing, putting the 19.6 WBTC bridge attempt at approximately $1.52 million.
How the Sui blockchain hack unfolded
Volo froze all vaults within 30 minutes of detecting the breach and secured $500,000 of the stolen assets in that window, though it has not disclosed the mechanism used or the underlying vulnerability. In a follow-up posted early April 22, the team said it had blocked the attacker's attempt to bridge 19.6 WBTC — worth several million dollars at current prices — and is coordinating with ecosystem partners on a return path. The identity of the attacker remains unknown.
Vaults remained frozen pending a full post-mortem and remediation plan, with no timeline disclosed for resuming operations. The isolated-vault architecture — which contained damage to three specific pools rather than cascading across the protocol — is a design pattern increasingly adopted by newer DeFi platforms after a string of 2022–2023 exploits demonstrated the risk of pooled collateral.
"The team has pledged to absorb the loss rather than pass it on to users."
The incident follows a $292 million exploit at LayerZero-powered cross-chain bridge Kelp DAO on April 18, which LayerZero attributed in an April 20 post-mortem to North Korea's Lazarus Group, specifically its TraderTraitor subunit. Attackers drained 116,500 rsETH by compromising RPC nodes underpinning a single-verifier configuration that LayerZero had previously warned against. Volo has drawn no connection between the two events.
The Kelp incident is the largest DeFi exploit of 2026 to date, and it sits inside a broader trend: the cryptocurrency industry witnessed over $3.4 billion in theft in 2025 according to Chainalysis, with North Korea-linked actors accounting for a rising share. The identity of Volo's attacker remains unknown.
The Daily Crypto Integrated Newsletter
Stay updated on the latest crypto news across Ethereum, Solana, AI and Macro, distilled into a 2-minute read.
Delivered via Substack.
