The ongoing security issues plaguing blockchain-based decentralized finance (DeFi) platforms continue to escalate. Volo Protocol, a platform operating on the Sui blockchain that allows users to deposit assets into yield-generating “vaults,” has been the latest target in this series of exploits. Vaulted assets include bitcoin, stablecoins, and other tokenized assets, which are utilized through various strategies to produce returns.
On Wednesday morning, Volo confirmed a security breach resulting in approximately $3.5 million worth of digital assets being stolen from three vaults. According to an update on X, the remaining $28 million in total value locked (TVL) across other vaults remained secure, with no shared vulnerability detected among them.
The platform emphasized its commitment to absorbing the financial loss instead of transferring it to users. The compromised vaults contained wrapped bitcoin (WBTC), Matridock’s gold token XAUm, and the stablecoin USDC. In response, Volo halted all vault operations and collaborated with the Sui Foundation and blockchain investigators to manage the fallout and track the stolen funds.
Volo has successfully immobilized $500,000 of assets in coordination with ecosystem partners, although most of the purloined funds are still under scrutiny.
This incident amplifies concerns within DeFi about smart contract security and oversight, especially following a similar exploit at KelpDAO over the weekend. There, an attacker siphoned millions by creating unbacked liquid restaking tokens, rsETH, causing widespread collateral damage across multiple protocols like Aave, prompting users to withdraw their funds.
DeFi has been hit with approximately $7.78 billion in hacks so far this year, per DeFiLlama data, with an additional $2.90 billion in losses attributed to bridge protocol breaches. Together, these figures surpass $10 billion, mirroring the market cap of cryptocurrencies ranked between 10th and 15th globally.
Volo has pledged a comprehensive post-mortem once its investigation concludes and remedial actions are implemented. However, for users and investors within DeFi, the persistent occurrence of exploits suggests that despite growing institutional interest, investment in security enhancements is lagging behind, with breaches continuing to cluster together.
For further reading: The $13 billion DeFi wipeout in two days, starting with the KelpDAO attack.