{"id":168029,"date":"2026-05-20T07:15:11","date_gmt":"2026-05-20T07:15:11","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=168029"},"modified":"2026-05-20T07:15:11","modified_gmt":"2026-05-20T07:15:11","slug":"valid-signatures-are-not-enough","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=168029","title":{"rendered":"Valid Signatures Are Not Enough"},"content":{"rendered":"

April was one of the worst months crypto has seen for security losses. PeckShield<\/a> reported 40 major hacks totaling about $647M in losses, <\/strong>the largest being Drift Protocol and\u00a0KelpDAO.<\/p>\n

If we had to sum up what happened in one sentence: Valid signatures are not enough<\/strong>. A transaction can be signed by the right key, routed through the right contract, or approved by the right governance module, and still be the wrong transaction. That is the gap attackers exploited across governance compromise, cross-chain verification failures, oracle or routing manipulation, and privileged-key theft.<\/p>\n

Governance compromise: Drift\u00a0Protocol<\/h3>\n

On April 1, 2026<\/strong>, Drift Protocol, a Solana-based DeFi derivatives platform, suffered one of the largest crypto attacks of the year. Chainalysis<\/a> reported that the attacker gained admin control and drained an estimated $285M<\/strong> from vaults, wiping out more than half of the protocol\u2019s TVL.<\/p>\n

Several analyses describe it as a control-plane compromise<\/strong>: attackers obtained the ability to execute privileged, governance-level transactions that looked valid on-chain. CM Alliance<\/a> describes the attack as a governance failure involving Security Council-level permissions and pre-approved transactions, rather than a direct smart-contract vulnerability.<\/p>\n

Halborn<\/a>\u2019s report says that Drift<\/a> lost about $285M within 12 minutes<\/strong>, making the speed of execution part of the attack\u2019s impact: once the attacker had the right authority, onchain monitoring had little time to stop the\u00a0drain.<\/p>\n

Takeaway<\/strong><\/h4>\n

Governance authorization is not enough. Protocols need execution authorization: a signer may be valid, but the requested transaction still needs to be checked against an onchain policy that says whether this specific action is allowed. Governance and multisig systems need transaction-policy controls, signer isolation, timelocks for high-risk actions, pre-execution simulation, and independent monitoring of emergency powers.<\/p>\n

Cross-chain verification failure:\u00a0KelpDAO<\/h3>\n

On April 18, 2026<\/strong>, KelpDAO was hit by a major cross-chain exploit. Chainalysis<\/a> reported that attackers linked to North Korea\u2019s Lazarus Group stole about $292M<\/strong>, or 116,500 rsETH<\/strong>, from KelpDAO\u2019s LayerZero bridge setup. KelpDAO<\/a> posted that it had identified suspicious cross-chain rsETH activity, paused rsETH contracts across mainnet and several L2s, and was working with LayerZero, Unichain, auditors, and security\u00a0experts.<\/p>\n

The attack was due to a compromise <\/a>of off-chain infrastructure and a single-point verification setup: attackers allegedly compromised internal RPC nodes, DDoS\u2019d external nodes, and fed false data to a 1-of-1 DVN<\/strong> configuration so that a fake source-chain event appeared valid to the destination contract. Halborn<\/a> similarly attributed the root cause to KelpDAO\u2019s 1-of-1 verifier configuration<\/strong>, where only a single node needed to validate cross-chain messages before funds could be released.<\/p>\n

Takeaway<\/strong><\/h4>\n

Cross-chain systems need multiple independent verifiers, source-chain and destination-chain invariant checks, watcher diversity, DDoS-resilient RPC infrastructure, and circuit breakers when bridged supply changes abruptly.<\/p>\n

Cross-chain proof-verification bug: Hyperbridge<\/h3>\n

Hyperbridge\u2019s April incident was smaller in dollar terms, but the attack was technically important. On April 13, 2026, Rekt<\/a> reported that a missing bounds check in Hyperbridge\u2019s Merkle Mountain Range proof verifier allowed forged proofs to pass<\/strong>. Coindesk<\/a> reported the incident as an attacker minting a huge quantity of bridged DOT on Ethereum, though only a much smaller amount was successfully extracted before containment. The loss was later revised from an initial lower figure to about\u00a0$2.5M<\/strong>.<\/p>\n

A Polkadot forum<\/a> described the exploit as a forged MMR proof issue in Hyperbridge\u2019s Token Gateway, with challengePeriod set to zero, and confirmed realized losses across Ethereum, Arbitrum, Base, and BNB\u00a0Chain.<\/p>\n

Takeaway<\/strong><\/h4>\n

Proof verifiers are consensus-adjacent infrastructure. They need adversarial audits, formal verification where possible, non-zero challenge windows, rate limits, and emergency pauses tied to abnormal mint events. Proof systems need defense in depth. A proof may pass, but the action it authorizes should still be bounded by onchain\u00a0policy.<\/p>\n

Oracle, route, and slippage manipulation: Rhea\u00a0Finance<\/h3>\n

Rhea Finance, a NEAR-based DeFi hub, was exploited in mid-April. Halborn<\/a> reported a $7.6M<\/strong> loss via oracle manipulation. Rhea posted<\/a> that about $18.4M<\/strong> were drained in an attack that exploited a weakness in a slippage protection mechanism, but the attacker later returned about 3.359M USDC<\/strong> and 1.564M NEAR<\/strong> to the lending contract, while 4.34M USDT<\/strong> was\u00a0frozen.<\/p>\n

The general attack pattern was price-path manipulation. Attackers created fake token contracts and liquidity pools, then used the protocol\u2019s routing or margin logic to misprice assets and drain assets from the protocol\u2019s reserve\u00a0pool.<\/p>\n

Takeaway<\/strong><\/h4>\n

Protocols should not trust arbitrary routes, pools, or tokens. Onchain systems need strict token allowlists, route validation, TWAP or multi-source pricing, slippage bounds that cannot be bypassed through synthetic pools, and invariant checks before debt or collateral state\u00a0changes.<\/p>\n

The transaction may be syntactically valid, but if it touches uncataloged contracts or produces impossible pricing behavior, it should not\u00a0execute.<\/p>\n

Privileged key compromise: Volo\u00a0Protocol<\/h3>\n

Volo Protocol, on Sui, reported<\/a> a vault-related exploit on April 21, 2026<\/strong>. About $3.5M<\/strong> was drained from three vaults holding WBTC, XAUm, and USDC. GoPlus Security<\/a> and ExVul Security<\/a> attributed the incident to a compromised privileged operator key rather than a flaw in audited smart contracts. The team froze vaults, blocked an attempted bridge of 19.6 WBTC<\/strong>, and said other vaults representing about $28M TVL <\/strong>were not affected by the same attack\u00a0path.<\/p>\n

Takeaway<\/strong><\/h4>\n

Private-key compromise should not equal protocol compromise. Keys should authorize roles, while onchain policy authorize actions. Use withdrawal rate limits, per-vault permissions, and mandatory delay for high-risk admin\u00a0actions.<\/p>\n

Infrastructure compromise: Wasabi\u00a0Protocol<\/h3>\n

Wasabi Protocol was exploited on April 30, 2026<\/strong>, with losses reported between about $4.5M and $5.7M<\/strong> across Ethereum, Base, Berachain, and Blast. Coindesk<\/a> described the incident as an apparent admin-key compromise involving a compromised deployer key with no timelock.<\/p>\n

Wasabi\u2019s security update attributed the compromise to a Spring Boot Actuator configuration vulnerability<\/strong> in AWS infrastructure that exposed or enabled theft of private keys controlling EVM smart contracts; the reported impact was about $4.8M in user funds<\/strong> plus $900K from the protocol treasury<\/strong>.<\/p>\n

PeckShield flagged the attack as a multi-chain exploit, and CertiK<\/a> estimated losses at around\u00a0$5.5M<\/strong>.<\/p>\n

Takeaway<\/strong><\/h4>\n

Cloud misconfiguration is crypto risk. Smart-contract security programs need cloud attack-surface management, secrets scanning, locked-down actuator\/debug endpoints, HSM or MPC signing, timelocks, and separation between deployer, admin, and treasury\u00a0keys.<\/p>\n

Wasabi illustrates why infrastructure security and onchain execution controls need to work together. Cloud hardening protects the key; policy enforcement protects the protocol when the key\u00a0fails.<\/p>\n

April\u2019s largest crypto attacks shared a theme: attackers increasingly targeted control points<\/strong>, not just code. Drift showed that governance and emergency powers can be weaponized. KelpDAO and Hyperbridge showed that cross-chain verification remains fragile. Wasabi and Volo showed that one compromised key can bypass an otherwise audited contract. Rhea showed that complex routing and margin logic still creates exploitable pricing assumptions.<\/p>\n

For builders, the practical lesson is clear: code audits are necessary, but not enough. Protocols need operational security, signer security, cross-chain monitoring, incident drills, and on-chain controls that assume humans, keys, RPC nodes, and cloud infrastructure can\u00a0fail.<\/p>\n

Disclaimer: OKcontract Labs is working on a solution that simplifies considerably how teams enforce\u00a0opsec.<\/em><\/p>\n

Valid Signatures Are Not Enough<\/a> was originally published in Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"

April was one of the worst months crypto has seen for security losses. PeckShield reported 40 major hacks totaling about $647M in losses, the largest being Drift Protocol and\u00a0KelpDAO. If we had to sum up what happened in one sentence: Valid signatures are not enough. A transaction can be signed by the right key, routed […]<\/p>\n","protected":false},"author":0,"featured_media":168030,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-168029","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/168029"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=168029"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/168029\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/168030"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=168029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=168029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=168029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}