Key Takeaways:
- Volo Protocol lost $3.5 million from three Sui-based vaults on April 21, 2026, following a compromised admin private key.
- GoPlus Security and ExVul confirmed a privileged operator key breach, not a flaw in Volo’s audited smart contracts.
- Volo blocked the attacker’s 19.6 WBTC bridge attempt and is absorbing all losses, with vaults frozen pending post-mortem.

Volo Protocol $3.5M Security Breach: What Happened on the Sui Blockchain

The attack drained three vaults holding wrapped bitcoin (WBTC), tokenized gold asset XAUm from Matrixdock, and USDC. Independent breakdowns placed the losses at approximately $2.1 million in WBTC, $0.9 million in XAUm, and $0.5 million in USDC. The remaining vaults, representing roughly $28 million in total value locked, were not affected and showed no shared vulnerability.
Volo’s team detected the breach quickly. The team froze all vaults, notified the Sui Foundation, and began working with onchain investigators and ecosystem partners to trace and recover the stolen funds.
In a post on X, Volo stated it would absorb the full loss without passing costs to depositors. “Volo is prepared to absorb this loss. We will do our best not to pass this to our users,” the team wrote. A full post-mortem was promised once the investigation concludes.
“We are in damage control mode now, but once that’s done, we will work out a remediation plan, and a full breakdown will be shared shortly,” the team added.
Within 30 minutes of the initial announcement, Volo reported freezing approximately $500,000 of the stolen assets through collaboration with ecosystem partners. The following day, on April 22, the team confirmed it had intercepted and blocked the attacker’s attempt to bridge out 19.6 WBTC, worth approximately $2.1 million. Those funds are no longer under the attacker’s control.
Security firms GoPlus Security, ExVul Security, and BitsLab each published preliminary onchain analyses pointing to a compromised high-privilege operator key as the root cause. Researchers identified the attacker’s address as 0xe76970bbf9b038974f6086009799772db5190f249ce7d065a581b1ac0adaef75, which used functions including withdraw_with_account_cap_v2 to drain the vaults.
GoPlus attributed the compromise to social engineering and related fraud techniques targeting the vault’s admin account. No flaw in the core smart contract code was identified. This places the breach in the category of key management failures rather than protocol-level vulnerabilities.
Volo had previously completed audits with OtterSec, MoveBit, and Hacken, and maintained an active bug bounty program at the time of the exploit. All vaults remain frozen. Volo and its partners are actively working to return the blocked WBTC to the protocol. A detailed remediation plan will accompany the forthcoming post-mortem.
The April 2026 attack on Volo followed the KelpDAO breach on April 18, 2026. Cumulative DeFi losses across protocols in April 2026 have exceeded $600 million by some estimates, reflecting a pattern of exploits targeting access controls and key management rather than onchain code.
Depositors in unaffected vaults have not reported losses. Volo’s team has directed users to the official @volo_sui account on X for real-time updates ahead of the full post-mortem publication.
The incident adds to a growing record of DeFi platforms facing key management risks despite passing formal audits, a pattern that security researchers have flagged repeatedly across multiple blockchain ecosystems in 2025 and 2026.