Aftermath has confirmed an exploit targeting its perpetuals protocol, which occurred in April – a time when DeFi saw numerous security incidents and widespread losses.
According to the team's announcement, the cause was a bug that allowed negative builder fees to be set, resulting in losses of approximately $1.14 million. The protocol has been temporarily suspended as a precautionary measure, while unaffected products continue to function normally.
The Aftermath incident was part of a wave of major incidents in April.
This exploit is not an isolated case. Aggregated data shows that April saw numerous incidents related to DeFi, ranging from smart contract failures to infrastructure and governance issues. Some were very large-scale, while others were smaller but still exposed weaknesses at various layers of the ecosystem.
Two major incidents accounted for the majority of the damage.
The majority of reported losses this month stemmed from two incidents. The Kelp DAO involved a vulnerability surrounding rsETH, with an estimated impact of approximately $292 million. The issue was described as the minting of unsecured assets through a bridge-related weakness, which then spread to integrated protocols. In this case, funds were not withdrawn in the traditional way, but systemic risk increased, particularly for lending platforms exposed to those assets.
The other incident involved Drift Protocol, where an attack involving collateral manipulation and governance issues caused significant damage. Reports estimate the impact at hundreds of millions of dollars, although the structure of the attack differed from a typical exploit. Overall, these two incidents accounted for a large portion of the recorded losses in April, which exceeded $600 million according to available tracking data.
Many Medium sized incidents continue to occur.
Besides the major incidents, a series of Medium scale events also contributed to the overall losses. Rhea Finance recorded approximately $7.6 million in losses following an attack involving fake Token contracts and oracle manipulation. Grinex Exchange reported approximately $13.7 million withdrawn from wallets, affecting multiple addresses. GiddyDefi lost approximately $1.3 million due to an authorization validation error related to the signature replay mechanism. CoW Swap also experienced an incident of approximately $1.2 million, stemming from a domain hijacking attack, demonstrating that risks are not limited to smart contracts.
Smaller incidents indicate that vulnerabilities still exist in multiple layers.
Several other protocols, such as Silo Finance, Aethir, and Dango, have also reported losses related to incorrect oracle configurations, access control issues, or contract errors. In some cases, such as Dango, funds were subsequently recovered through white-hat intervention. More recently, Scallop and Volo Protocol have reported incidents related to contract logic errors and corresponding private key leaks. These incidents are smaller in scale, but they demonstrate that vulnerabilities still exist across various layers of DeFi.
The risks of DeFi are not concentrated in a single point.
The incidents in April showed that the risks are Shard rather than concentrated in a single cause. Problems have emerged in smart contract logic, key management systems, domain infrastructure, chain bridges, and protocol design parameters. Current data does not indicate that a single layer of security is sufficient to completely eliminate the risk, as weaknesses may lie in both source code and operational aspects.
Summary
The Aftermath exploit adds to the list of security incidents in April, as DeFi has recorded over $600 million in losses from various events. The overall picture shows risks spread across multiple technical and operational layers, but current data is still insufficient to conclude which link in the entire ecosystem is the weakest.
