Bridges haven't changed in four years
$770m gone in DeFi this year, most of it through bridge primitives that fail the same way they did in 2022. The new wrinkle is that the attacker is now patient enough to spend six months targeting your humans instead.
April was the worst month in DeFi's history by exploit count. Roughly thirty incidents, somewhere between $606m and $651m gone, and two protocols (Kelp DAO at $292m and Drift at $285m) carried nearly 88% of the total. The year-to-date number is past $770m and still climbing. The uncomfortable bit for anyone shipping cross-chain infrastructure is that neither of the two headline failures was novel.
Kelp lost $292m through a LayerZero bridge issue that, stripped of the cryptography jargon, was the same shape of trust failure that drained Ronin, Wormhole, and Nomad between 2022 and 2023: a small set of privileged signers, a delegated authority surface the team didn't fully understand, and a single compromise path that mapped one-to-one to "drain the bridge". The post-mortem will eventually use a different word for the signer set than "validators" and a different word for the compromise than "key extraction", but it will resolve to the same diagram on the whiteboard.
The architectural problem in bridges hasn't moved. Cross-chain settlement still rests on a trust set substantially smaller than the chains it bridges, that set's compromise is still catastrophic and unwindable, and the auditors who signed off on the 2022 designs are still signing off on the 2026 versions because what they're auditing is the implementation rather than the trust model. Implementation bugs are individually fixable; the trust model is what produces a $292m headline year after year.
There's a second story from this month that more teams should be paying attention to. Drift Protocol lost $285m to a campaign that started six months before the actual exploit fired, with a DPRK-linked group socially engineering its way into the team's operational perimeter. The contracts were fine. The auditors were fine. What broke was a signer who'd been groomed for months, a multisig that turned out to be a 3-of-5 in name and a 1-of-1 in practice once one of the keys had been pwned, and an irreversible withdrawal flow with no human-readable circuit breaker in front of it.
This is a different category of problem to solve, and we don't think most teams have absorbed the shift yet. TRM Labs attributes 76% of 2026 crypto theft to DPRK-linked operations, and the pattern in their reports is patient, well-resourced, social-first, and explicitly targeting the organisation rather than the code. You can't audit your way out of that. The hardening surface is operational: role separation that's enforced at the infrastructure level rather than in a Confluence doc, signer rotation that actually rotates, runbooks for irreversible operations that pass through human-confirmed queues with circuit breakers wired in, and an internal threat model where one of your colleagues plays the attacker for at least one tabletop exercise a quarter. None of this is exotic; it's just the shape of work the industry keeps deprioritising in favour of one more audit pass.
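As an added example (not code from the original post or from any of the protocols named in it), here is a small Python model of the withdrawal-flow hardening described above: approvals counted per controller rather than per key, so a 3-of-5 whose keys sit with one groomed signer never reaches quorum on its own; a mandatory delay before an irreversible withdrawal; and a circuit breaker that any guardian can trip. The `GuardedWithdrawalQueue` class, its method names and the key-to-controller mapping are hypothetical, and the model runs off-chain as plain logic rather than as a contract.

```python
from dataclasses import dataclass, field

@dataclass
class Withdrawal:
    amount: int
    approving_keys: set = field(default_factory=set)
    queued_at: int = -1   # time the delay started; -1 = not yet queued
    executed: bool = False

class GuardedWithdrawalQueue:
    """Hypothetical model: approvals per controller, mandatory delay, circuit breaker."""

    def __init__(self, key_to_controller, threshold, delay, guardians):
        self.key_to_controller = key_to_controller  # key id -> human/org holding it
        self.threshold, self.delay = threshold, delay  # distinct controllers needed; seconds
        self.guardians, self.paused = set(guardians), False
        self.withdrawals = []

    def propose(self, amount):
        self.withdrawals.append(Withdrawal(amount))
        return len(self.withdrawals) - 1

    def distinct_controllers(self, keys):
        # A 3-of-5 whose keys all sit with one person is a 1-of-1 in practice,
        # so count the controllers behind the keys rather than the keys.
        return {self.key_to_controller[k] for k in keys}

    def approve(self, wid, key, now):
        w = self.withdrawals[wid]
        if key not in self.key_to_controller:
            return False  # not a recognised signer key
        w.approving_keys.add(key)
        enough = len(self.distinct_controllers(w.approving_keys)) >= self.threshold
        if w.queued_at < 0 and enough:
            w.queued_at = now  # threshold met by distinct controllers: the delay starts
        return w.queued_at >= 0

    def pause(self, guardian):
        # Circuit breaker: one guardian is enough to halt every pending withdrawal.
        self.paused = self.paused or guardian in self.guardians
        return self.paused

    def execute(self, wid, now):
        w = self.withdrawals[wid]
        ready = w.queued_at >= 0 and now >= w.queued_at + self.delay
        if self.paused or w.executed or not ready:
            return False
        w.executed = True
        return True
```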
Put together, April was two parallel failures stacking: the trust-model problem in bridges, which has been the same problem since 2022 and which the industry keeps fixing one implementation at a time, and the operational-perimeter problem, which is where attackers moved up the stack once the smart-contract surface stopped paying out cheaply. Treating either as solved by an audit is how you become the next headline.