Letter 111: I'm Pulling All My Money Out of DeFi

Letters from a Zeneca, May 5, 2026

Key Takeaways

  • April 2026 saw 40+ crypto hacks, $651 M stolen.
  • Drift Protocol lost $285 M via pre‑signed transaction exploit.
  • KelpDAO lost $292 M after single‑verifier bridge failure.
  • Anthropic’s Mythos AI can discover zero‑day bugs faster than humans.
  • DeFi security risk spikes as AI tools become publicly accessible.

Pulse Analysis

April’s hack surge underscored the fragility of today’s DeFi infrastructure. More than 40 incidents ripped $651 million from protocols, but the Drift and KelpDAO exploits stood out for their scale and methodology. Drift’s attackers leveraged durable nonces to trick security council members into pre‑signing transactions, while KelpDAO’s single‑verifier bridge misconfiguration let hackers mint $292 million of unbacked rsETH. These breaches not only drained capital but also triggered massive outflows from lending platforms, pushing total DeFi TVL down by over $13 billion and shaking investor confidence.

The emergence of Anthropic’s Mythos AI adds a new, more dangerous dimension. Designed to locate and chain together software vulnerabilities, Mythos can uncover zero‑day bugs across operating systems and browsers in days—a capability that rivals elite human researchers. Project Glasswing limits the model to a select group of tech giants, but the underlying technology is expected to proliferate within 6‑18 months. When AI can scan smart‑contract code in hours instead of months, the attack surface of open‑source DeFi protocols expands dramatically, foreshadowing a wave of automated, high‑value exploits.

For investors and protocol teams, the message is clear: heightened vigilance is essential. Users should audit holdings, consider moving assets to cold storage, and diversify across more secure platforms. Meanwhile, DeFi projects must adopt AI‑assisted auditing, enforce multi‑verifier bridge designs, and prioritize real‑time monitoring to stay ahead of AI‑driven threats. The next year will likely be the most perilous period for crypto security, but those who adapt early will shape a more resilient ecosystem for the future.
