- DeFi exploits topped $775M in 2026, with KelpDAO, Drift, and Step Finance hit hardest.
- KelpDAO and Drift alone accounted for $577M in losses from bridge and oracle attacks.
- Private key compromise remained a major DeFi risk, alongside bridge and oracle exploits.
DeFi exploits have caused more than $775 million in losses in 2026, based on the provided figures. KelpDAO, Drift, and Step Finance posted the biggest incidents. Private key compromise also emerged as a major factor behind several attacks.
The top ten list includes KelpDAO, Drift, Step Finance, Truebit, Resolv, Rhea Finance, Grinex, SwapNet, YieldBlox, and Saga. These incidents came from different attack types. They included bridge exploits, oracle manipulation, key compromise, approval abuse, and insider-linked drains.
Source: X
Top DeFi Exploits in 2026
KelpDAO ranked first with a loss of $292 million. The attacker targeted the rsETH bridge and drained the funds.
The same material linked the KelpDAO rsETH exploit to the $5 billion Aave liquidity crunch now being watched. It also said bridges and oracles continue to drive losses. The content further stated that 2026 is on pace to cross $3 billion in losses by year-end.
Drift ranked second with a loss of $285 million. The attacker used oracle manipulation and included a fake token. That exploit placed Drift just behind KelpDAO in the 2026 ranking.
Step Finance held third place after losing nearly $40 million. The attacker compromised the platform’s private keys. That incident added to the focus on key-related security failures in DeFi this year.
Truebit ranked fourth with a loss of about $26.4 million. The reported cause was a smart contract bug. That made it the largest contract-related exploit in the top section of the list.
Smaller DeFi Exploits Add to 2026 Losses
Resolv took fifth place with a loss of $25 million. The exploiter compromised the platform’s AWS KMS key.
Rhea Finance stood in sixth place after losing $18.4 million. The exploit involved oracle manipulation and a fake token.
Grinex ranked seventh with a loss of $13.7 million. The reported cause was an exit scam or insider drain. That case differed from the bridge, oracle, and key exploits seen elsewhere on the list.
SwapNet placed eighth after losing $13.4 million. The attacker used approval abuse to extract funds. YieldBlox followed with a loss of $10.2 million tied to collateral or oracle manipulation.
Saga closed the top ten with a loss of $7 million. The reported cause was a bridge exploit. It recorded the smallest loss among the listed DeFi incidents.
The figures show that the biggest damage came from a small group of platforms. KelpDAO and Drift alone accounted for most of the reported losses in the provided breakdown. Their combined total reached $577 million.
Related: Nine DeFi Protocols Frozen After $293 Million KelpDAO rsETH Exploit
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/defi-exploits-top-775m-in-2026-as-kelpdao-drift-lead-losses/