Key Takeaways:
Volo Protocol lost $3.5 million from three Sui-based vaults on April 21, 2026, following a compromised admin private key. GoPlus Security and ExVul confirmed a privileged operator key breach, not a flaw in Volo’s audited smart contracts. Volo blocked the attacker’s 19.6 WBTC bridge attempt and is absorbing all losses, with vaults frozen pending a post-mortem.
Volo Protocol $3.5M Security Breach: What Happened on the Sui Blockchain
The attack drained three vaults holding wrapped bitcoin (WBTC), the tokenized gold asset XAUm from Matrixdock, and USDC. Independent breakdowns put the losses at roughly $2.1 million in WBTC, $0.9 million in XAUm, and $0.5 million in USDC. The remaining vaults, representing roughly $28 million in total value locked, were not affected and showed no shared vulnerability.
Volo’s team detected the breach quickly. The team froze all vaults, notified the Sui Foundation, and began working with onchain investigators and ecosystem partners to trace and recover the stolen funds.
In a post on X, Volo said it would absorb the full loss without passing costs to depositors. “Volo is ready to soak up this loss. We are going to do our greatest to not move this to our customers,” the team wrote. A full post-mortem was promised once the investigation concludes.
“We’re in injury management mode now, however as soon as that’s performed, we’ll work out a remediation plan, and a full breakdown shall be shared shortly,” the team added.
Within 30 minutes of the initial announcement, Volo reported freezing roughly $500,000 of the stolen assets through collaboration with ecosystem partners. The next day, on April 22, the team confirmed it had intercepted and blocked the attacker’s attempt to bridge out 19.6 WBTC, worth roughly $2.1 million. These funds are not under the attacker’s control.
Security firms GoPlus Security, ExVul Security, and BitsLab each published preliminary on-chain analyses pointing to a compromised high-privilege operator key as the root cause. Researchers identified the attacker’s address as 0xe76970bbf9b038974f6086009799772db5190f249ce7d065a581b1ac0adaef75, which used functions including withdraw_with_account_cap_v2 to empty the vaults.
GoPlus attributed the compromise to social engineering and related fraud techniques targeting the vault’s admin account. No flaw in the core smart contract code was identified. This places the breach in the category of key management failures rather than protocol-level vulnerabilities.
Volo had previously completed audits with OtterSec, MoveBit, and Hacken, and maintained an active bug bounty program at the time of the exploit. All vaults remain frozen. Volo and its partners are actively working to return the blocked WBTC to the protocol. A detailed remediation plan will accompany the forthcoming post-mortem.
The April 2026 attack on Volo followed the KelpDAO breach on April 18, 2026. Cumulative DeFi losses across protocols in April 2026 have exceeded $600 million by some estimates, reflecting a pattern of exploits targeting access controls and key management rather than onchain code.
Depositors in unaffected vaults have not reported losses. Volo’s team has directed users to the official @volo_sui account on X for real-time updates ahead of the full post-mortem publication.
The incident adds to a growing record of DeFi platforms facing key management risks despite passing formal audits, a pattern that security researchers have flagged repeatedly across multiple blockchain ecosystems in 2025 and 2026.








