Compromised Private Keys Remain the Biggest Source of DeFi Losses

Executive Summary

DeFi security spending is concentrated on smart contract risk, but the funds are leaking elsewhere. Across 2025 and the first months of 2026, the majority of value lost in DeFi traces back to compromised wallet infrastructure and private keys, not flaws in contract code.

The difference matters. A contract bug can be audited and bug-bountied before an attacker reaches it, but a compromised key bypasses all of that. The attacker holds legitimate credentials and takes legitimate-looking actions, and once a privileged key is in play, a drain takes minutes while the window to respond is measured in seconds.

For security teams, the implication is that monitoring built only for contract exploits leaves the single largest loss category uncovered. Closing that gap means validating transactions at the moment of intent, before they settle, with an automated, zero-trust solution like Blockaid's Cosigner as a core part of the stack.

Why Smart Contract Monitoring is Not Enough

A smart contract bug is a flaw in code. Code can be audited, formally verified, and bug-bountied before an attacker ever finds it. The industry has gotten good at this, and new defenses compound.

But a compromised private key bypasses this entirely. There is no vulnerable function to discover. The attacker holds legitimate credentials and uses them to take legitimate-looking actions: upgrade a proxy, grant a role, reconfigure a cross-chain peer.

That is what makes these incidents so hard to catch with conventional tooling. A scanner looking for known-bad code patterns sees nothing wrong, because nothing about the code is wrong. The transaction is authorized, correctly formed, and signed by a key the system trusts. The only anomaly is intent, and intent is exactly what static analysis cannot see.

Once a privileged key is compromised, draining funds takes minutes. The window to detect and respond is only a matter of seconds.

The Anatomy of a Key-Compromise Drain

Most of these incidents follow the same cadence:

1. Acquire control: the attacker obtains a deployer, admin, or governance key, or penetrates wallet infrastructure to trick a legitimate signer into signing (more on that below).
2. Escalate quietly: the attacker upgrades a contract to a malicious implementation, grants themselves an admin role, or repoints a token's cross-chain trust to a contract they control.
3. Drain funds: the new privileges let them mint, transfer, or unlock balances, often across several chains at once.

Recent incidents map cleanly onto this pattern. Figures are estimates from on-chain data; transaction references are linked for verification.

• Conduit: On Apr 23, 2026, a compromised admin account executed a malicious proxy upgrade on a USDC gateway on Arbitrum, draining roughly $6.59M. Exploit tx
• Syndicate: On Apr 29, 2026, a compromised governance key hijacked an Arbitrum Orbit token bridge on Base via a malicious upgrade, draining about 33% of supply (~$629K).
• Wasabi Protocol: On Apr 30, 2026, a compromised deployer key granted an admin role to a helper contract, then upgraded the perp vaults to a malicious implementation, draining roughly $5M across four chains spanning Ethereum and Base.
• StakeDAO: On May 27, 2026, a compromised deployer key reconfigured a LayerZero v2 token peer to an attacker contract on Arbitrum, which minted 5.4 trillion tokens and extracted ~43.79 ETH via swaps. The cross-chain infrastructure operated correctly; the key was the weak point.

Private Key Compromises Don't Require Private Key Theft

Key custody is not the whole problem. A legitimate signer can be manipulated into approving a malicious transaction, known as blind signing, and the outcome is identical: unauthorized access to privileged operations.

The KelpDAO incident is the clearest recent example, with the 2025 Bybit incident as the largest. Leading a legitimate signer to approve a malicious transaction is equivalent to key theft. The key was never stolen, the signer was, and from the contract's perspective there is no difference between the two.

This is why pre-signing validation matters as much as key hygiene. An automated, zero-trust Cosigner integrated into any MPC or multi-sig workflow prevents wallet draining via compromised infrastructure, phishing, impersonation, and malicious contract call patterns.

Sophistication is Escalating

These are not smash-and-grab operations. Attackers are chaining infrastructure to move and obscure funds:

• Mixers and privacy networks to launder proceeds. In the StablR incident, the attacker compromised one signer of a 1-of-3 minting multisig, replaced the other owners, minted ~$12.85M in stablecoins, and routed funding through a privacy network as a mixer.
• Cross-chain bridges cascade a single compromise into simultaneous multi-chain drains, as in Wasabi's four-chain hit.
• Forged cross-chain messages, as in the Alephium token-bridge incident (May 30, 2026), where forged validation messages drained roughly $815K.

The common thread is that the initial compromise and the eventual loss are increasingly decoupled in time, chain, and form. By the time funds surface on the other side of a mixer or a bridge, recovery is effectively off the table. That shifts the entire problem upstream, toward stopping the malicious transaction before it is ever signed.

Where a Cosigner Fits Into Your Monitoring Stack

Catching a key-compromise drain is a different problem from catching a contract bug. There is no vulnerable code to scan ahead of time; the signal is in the transaction itself, an anomalous privileged action from a key that should not be taking it.

This is the case for evaluating transactions before they settle rather than reconstructing them afterward. Post-hoc monitoring tells you what was lost. Pre-confirmation screening, checking what a transaction will do at the moment of intent, is the only way the loss can be prevented.

For compromised wallets and private keys, an automated, zero-trust solution is the last and strongest line of defense. Blockaid's Cosigner sits in the signing path, evaluates the actual effects of a proposed transaction, and withholds its signature when those effects don't match policy, regardless of who or what initiated the request. Because it trusts nothing by default, it does not matter whether the signer is honest and fooled or the key itself is in an attacker's hands; a malicious upgrade, an unexpected role grant, or a suspicious cross-chain reconfiguration is blocked at the moment it would otherwise execute.

Conclusion

Audits and bug bounties have made contract code a harder target, and attackers have followed the path of least resistance to the keys and the people who hold them. Comprehensive DeFi security requires a solution that seamlessly integrates pre-transaction validation with onchain monitoring of both managed and dependent smart contracts.

The numbers make the priority clear. As long as the largest share of losses comes from compromised keys and manipulated signers, a security program built solely around contract monitoring is defending the door while the window is open. The fix is not to abandon contract monitoring, which still matters, but to extend coverage to the surface where the money is actually being lost.

The defenses that matter over the next year are the ones that make a malicious transaction legible to both the monitoring system and to the human signer before it is executed. Move the decision point to the moment of intent, validate every privileged action against what it will actually do, and the most common drain in DeFi stops being inevitable.

About Blockaid

Blockaid is the onchain security platform trusted by the largest companies operating in Web3. Built by veterans of elite intelligence and cybersecurity units, Blockaid provides end-to-end protection for financial institutions, protocols, and end users, combining direct wallet and dApp integrations with real-time monitoring, detection, and response across smart contracts, infrastructure, and externally owned accounts. Since 2025, Blockaid scanned over 6.3 billion transactions and blocked 585 million attacks. Blockaid is the security infrastructure behind Coinbase, MetaMask, Uniswap, Safe, and dozens of the most widely used platforms in the industry.

Learn more at blockaid.io, and follow us on Twitter and LinkedIn.