Volo Protocol, a liquid staking and BTCFi platform on the Sui blockchain, confirmed a $3.5 million security exploit this week, tied to a compromised vault admin private key.
Key Takeaways:
- Volo Protocol lost $3.5 million from 3 Sui-based vaults on April 21, 2026, following a compromised admin private key.
- GoPlus Security and ExVul confirmed a privileged role key breach, not a flaw in Volo’s audited smart contracts.
- Volo blocked the attacker’s 19.6 WBTC bridge attempt and is absorbing all losses, with vaults frozen pending post-mortem.
Volo Protocol $3.5M Security Breach: What Happened on the Sui Blockchain
The attack drained 3 vaults holding wrapped bitcoin (WBTC), tokenized gold asset XAUm from Matrixdock, and USDC. Independent breakdowns placed the losses at about $2.1 million in WBTC, $0.9 million in XAUm, and $0.5 million in USDC. The remaining vaults, representing about $28 million in total value locked, were not affected and showed no shared vulnerability.
Volo’s team detected the breach quickly. The team froze all vaults, notified the Sui Foundation, and began working with onchain investigators and ecosystem partners to trace and recover the stolen funds.
In a post on X, Volo stated it would absorb the full loss without passing costs to depositors. “Volo is prepared to absorb this loss. We will do our best not to pass this to our users,” the team wrote. A full post-mortem was promised once the probe concludes.
“We are in damage control mode now, but once that’s done, we will work out a remediation plan, and a full breakdown will be shared shortly,” the team added.
Within 30 minutes of the initial announcement, Volo reported freezing about $500,000 of the stolen assets through collaboration with ecosystem partners. The following day, on April 22, the team confirmed it had intercepted and blocked the attacker’s attempt to bridge out 19.6 WBTC, worth about $2.1 million. Those funds are no longer under the attacker’s control.
Security firms GoPlus Security, ExVul Security, and Bitslab each published preliminary on-chain analyses pointing to a compromised high-privilege role key as the root cause. Researchers identified the attacker’s address as 0xe76970bbf9b038974f6086009799772db5190f249ce7d065a581b1ac0adaef75, which used functions including withdraw_with_account_cap_v2 to drain the vaults.
GoPlus attributed the compromise to social engineering and related fraud techniques targeting the vault’s admin account. No flaw in the core smart contract code was identified. This places the breach in a category of key management failures rather than protocol-level vulnerabilities.
Volo had previously completed audits with Ottersec, Movebit, and Hacken, and maintained an active bug bounty program at the time of the exploit. All vaults remain frozen. Volo and its partners are actively working to return the blocked WBTC to the protocol. A detailed remediation plan will follow the forthcoming post-mortem.
The April 2026 attack on Volo followed the KelpDAO breach on April 18, 2026. Cumulative DeFi losses across protocols in April 2026 have exceeded $600 million by some estimates, reflecting a pattern of exploits targeting access controls and key management rather than onchain code.
Depositors in unaffected vaults have not reported losses. Volo’s team has directed users to the official @volo_sui account on X for real-time updates ahead of the full post-mortem publication.
The incident adds to a growing record of DeFi platforms facing key management risks despite passing formal audits, a pattern that security researchers have flagged repeatedly across multiple blockchain ecosystems in 2025 and 2026.
