
DeFi Week 23 — $17M in exploits, TVL drops to $79.7B, CFTC greenlights Bitcoin perps
Total DeFi TVL fell for the second consecutive week to $79.66B (-3.15%), with six confirmed exploits totaling ~$17.3M — led by DxSale’s $7.3M ownership-override attack on BNB Chain, Gravity Bridge’s $5.4M signing-key compromise, and New Market Trading’s $3.98M Gnosis Safe module exploit. Gnosis Pay’s Zodiac Delay Module remained under active attack at week’s close with losses unquantified. On the regulatory front, the CFTC approved the first US-regulated Bitcoin perpetual futures contract and CME went 24/7 on the same day (May 29). Uniswap’s fee-and-burn now covers 13 chains; Arbitrum’s Foundation faces delegate pushback on a $45M funding request.

June 1, 2026 · 11:35 PM
This is Week 23 (May 25 – June 1, 2026). Total DeFi TVL fell for the second consecutive week, landing at $79.66B, down 3.15% from $82.25B. Six protocols were drained for a combined ~$17.3M in confirmed losses, with a seventh incident — Gnosis Pay — still active and unquantified at week's close. Two landmark US regulatory actions arrived on the same day: the CFTC approved the first Bitcoin perpetual futures contract for regulated trading, and CME Group ended weekend crypto derivatives gaps by going 24/7. 1 2
Week 23 quick scan
| Signal | Entity | Direction | Scale |
|---|---|---|---|
| TVL change | All DeFi | ▼ | $79.66B, -3.15% WoW |
| Biggest protocol gainer | SparkLend | ▲ | +11.05% / +$366M |
| Biggest protocol loser | Spark Liquidity Layer | ▼ | -12.66% / -$347M |
| Only Top-10 gainer | Sky Lending | ▲ | +5.20% / +$298M |
| Largest exploit | DxSale | ▼ | $7.3M — BNB Chain |
| Bridge exploits | Gravity Bridge + Alephium | ▼ | $5.4M + $815K |
| Ongoing exploit (unquantified) | Gnosis Pay | ⚠️ | Zodiac Delay Module, team pledged full refund |
| Governance executed | Uniswap P96 | ✅ | Fee-and-burn now active on 13 chains |
| Governance in vote | Arbitrum $45M request | 🗳️ | Temp check active through June 4 |
| Regulatory milestone | CFTC BTCPERP + CME 24/7 | ✅ | Both May 29 |
TVL snapshot: second consecutive decline, Base the only growing chain
Total DeFi TVL dropped to $79.66B, $2.59B below the prior week's $82.25B. 1 2 Ethereum still dominates at $41.86B (52.6% of total), down $640M from $42.50B. Base was the only chain to post a positive week-over-week change (+0.5%, from $4.29B to $4.31B). Tron fell 5.0% and Bitcoin-native DeFi fell 5.1%. Hyperliquid L1 now sits at $1.77B in TVL, overtaking Arbitrum ($1.42B) — a position that carries context given the ICE CEO's public praise later in the week (see below).
| Chain | TVL (Jun 1) | WoW change |
|---|---|---|
| Ethereum | $41.86B | -1.5% |
| BSC | $5.66B | -0.2% |
| Solana | $5.28B | -3.8% |
| Tron | $4.80B | -5.0% |
| Bitcoin | $4.70B | -5.1% |
| Base | $4.31B | +0.5% |
| Hyperliquid L1 | $1.77B | n/a |
| Arbitrum | $1.42B | n/a |
At the protocol level, Lido leads at $17.52B (-6.60%) and Aave V3 at $13.15B (-4.91%). 1 The clearest signal in the Top 25 came from the Sky ecosystem's internal divergence:
- SparkLend (Sky's lending market): TVL rose from ~$3.31B to $3.68B, +11.05% (+$366M) — the largest percentage gain of any Top 25 protocol. 1
- Spark Liquidity Layer (Sky's capital allocation layer): TVL fell from ~$2.74B to $2.39B, -12.66% (-$347M) — the largest percentage loss. 1
The opposing moves suggest capital is rotating within the Sky ecosystem from the liquidity deployment layer toward the borrowing market directly, possibly as borrowers seek exposure closer to the collateral rather than through the intermediary layer. That interpretation remains inferential — Sky has not issued a statement on the split.
Sky Lending (the CDP module, separate from SparkLend) was the only Top-10 protocol to post a positive week: +5.20% (+$298M) to $6.03B. 1 The growth tracks with the broader Sky/sUSDS flywheel: despite the Sky Savings Rate being cut 110bps to 3.65%, sUSDS supply has grown three-fold over the past year to over $6B — organic demand appears to be absorbing the rate reduction.
One data point to treat with caution: EigenCloud ($5.80B, #6) shows a 7-day change of 0.00% per the DeFiLlama Protocols API, but DeFiLlama's own homepage displays -31.27% for the same period. 3 If the homepage figure is accurate, EigenCloud shed roughly $2.64B in a week — a move that would rank among the largest TVL draws in 2026. Chain-level verification has not been completed; both figures are live and irreconcilable at time of writing.
Exploit roundup: seven incidents, bridges dominate again
Six protocols reported confirmed losses totaling ~$17.3M during May 25–June 1. A seventh — Gnosis Pay — remained active at week's close with losses unquantified. May 2026 cumulatively: ~$68.3M in confirmed losses across 22 incidents, down roughly 90% from April's $635M. 4 Bridge and cross-chain infrastructure again led the category, accounting for roughly $6.2M of the week's total.
DxSale — $7.3M (May 28, BNB Chain)
The largest confirmed loss of the week. An attacker exploited a hidden privileged function inside a 2021-era liquidity pool contract that DxSale — a BNB Chain launchpad — had locked years earlier. 4 5 DeFiLlama classifies the attack as an ownership override — the function permitted the caller to reassign contract ownership, bypassing the lock mechanism. Roughly 1,400 liquidity providers were affected. Full technical details have not been published; no whitehat offer or recovery plan has been announced.
Gravity Bridge — $5.4M (May 30, Ethereum ↔ Cosmos)
The Ethereum-Cosmos bridge lost ~$5.4M: $4.3M USDC, 274 ETH (~$553K), $434K USDT, and approximately $64K in PAYG tokens. 6 4 PeckShield attributed the attack to a signing key compromise — Gravity Bridge uses its Cosmos validator set to authorize cross-chain transfers, so a leaked key enables arbitrary withdrawals. The attacker routed part of the proceeds through Binance and ChangeNow. As of this report, the attacker still holds approximately 2,102 ETH (~$4.23M) on-chain, the bulk of the stolen value.
New Market Trading — $3.98M (May 25, Ethereum / Base / Arbitrum)
NMT (a Gnosis Safe-based wealth management platform) lost ~$3.98M from 88 client Safe wallets across three chains in under 15 minutes. 7 The root cause: a custom module called `SquidRouterModule` was integrated into NMT's V2 architecture without an audit, and it contained a single missing line — `require(msg.sender == delegate)`. Without that check, the contract accepted a caller-supplied delegate address from the transaction payload, meaning any attacker who read the real delegate address from the on-chain PermissionsManager could impersonate it. The exploit used Axelar's `expressExecuteWithToken()` as an entry point, which NMT had configured as a vault door rather than a relay interface.
"The missing line that stops all of it: require(msg.sender == delegate)" — Rekt News 7
Squid (the cross-chain router whose name the module borrowed) confirmed the contract shares their name but was not built or operated by them. 7 NMT's CEO Frank Hepworth issued a whitehat offer: return 90% and keep 10% with no legal action, deadline May 30. No response from the attacker was reported. The attacker's consolidation wallet holds approximately $3.07M in DAI and has not moved.
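The missing caller check described above, shown as a simplified added example with the vulnerable form beside the hardened one. This is not NMT's `SquidRouterModule` source, which the page does not reproduce: `IPermissions`, `isDelegate`, `execute()` and the payload layout are hypothetical, and the Axelar entry point is reduced to a plain external function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Not NMT's SquidRouterModule source.
// IPermissions, isDelegate, execute() and the payload layout are hypothetical.
interface IPermissions {
    function isDelegate(address safe, address who) external view returns (bool);
}

// Safe's module entry point; the Enum.Operation argument is ABI-encoded as uint8 (0 = Call).
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
}

abstract contract ModuleBase {
    IPermissions public immutable permissions;

    constructor(IPermissions p) { permissions = p; }

    function _run(address safe, address to, uint256 value, bytes memory data) internal {
        require(ISafe(safe).execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}

contract VulnerableModule is ModuleBase {
    constructor(IPermissions p) ModuleBase(p) {}

    function execute(bytes calldata payload) external {
        (address safe, address delegate, address to, uint256 value, bytes memory data) =
            abi.decode(payload, (address, address, address, uint256, bytes));
        // Verifies that the *claimed* delegate is registered for this Safe,
        // but never ties that claim to the caller. The delegate address is
        // public on-chain data, so the claim proves nothing.
        require(permissions.isDelegate(safe, delegate), "unknown delegate");
        _run(safe, to, value, data);
    }
}

contract HardenedModule is ModuleBase {
    constructor(IPermissions p) ModuleBase(p) {}

    function execute(bytes calldata payload) external {
        (address safe, address delegate, address to, uint256 value, bytes memory data) =
            abi.decode(payload, (address, address, address, uint256, bytes));
        // The check the page quotes: the caller must be the delegate it names.
        require(msg.sender == delegate, "caller is not delegate");
        require(permissions.isDelegate(safe, delegate), "unknown delegate");
        _run(safe, to, value, data);
    }
}
```

An audit or unit test for a module like this should include a call from an unregistered address that names a registered delegate in the payload and assert that it reverts.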
Alephium Bridge — $815K (May 30, Ethereum + BNB Chain)
Alephium's TokenBridge — a Wormhole protocol fork — was drained of $815K in roughly seven minutes. 8 The attacker forged VAA (Validator Action Approval) messages — the signed attestations that Wormhole-style bridges use to authorize cross-chain transfers — in a way that induced the 4-of-13 guardian quorum to sign them. Alephium's post-incident statement drew a specific distinction: the exploit did not involve guardian private key theft, but rather a flaw that allowed forged messages to be presented to and signed by guardians. 8 The attacker also minted 13.76M unbacked wrapped ALPH. The bridge was closed; Alephium has committed to exploring compensation options.
Stake DAO — $91K realized (May 27, Arbitrum)
A deployer private key compromise allowed the attacker to modify the `vsdCRV` token's LayerZero v2 OFT (Omnichain Fungible Token) peer configuration on Arbitrum, redirecting cross-chain message trust to a malicious contract. 9 The attacker then minted approximately 5.4 trillion vsdCRV — nominally worth ~$763B. Thin market liquidity did the rest: only 43.7 ETH (~$91K) could be extracted before the order book ran dry. Blockaid detected the attack in real time. Stake DAO warned users to avoid interacting with vsdCRV.
WUSD.fi / Glove — $200K (May 25, Ethereum)
A Sybil abuse attack drained $200K from WUSD.fi on Ethereum. 4 Technical details beyond DeFiLlama's classification (Protocol Logic / Sybil Abuse / Solidity) have not been publicly documented.
Gnosis Pay — losses unconfirmed (ongoing as of June 1)
Gnosis Pay's Zodiac Delay Module — a queuing layer that routes transactions through a shared delay before execution — was exploited by an attacker who found a way to inject malicious withdrawals into user queues. 10 Gnosis co-founder Martin Köppelmann initially urged users to withdraw their GNO and EURe, then retracted the advice after acknowledging most users could not do so. Gnosis has committed to making all affected users whole from project treasury. The total loss and number of affected wallets remain unconfirmed; PeckShield flagged an active attack, and the situation was still developing at time of writing. 11
This is a distinct event from the May 25 New Market Trading exploit, which also involved a misconfigured Gnosis Safe module but on a different protocol.
Governance: UNI burns expand, Arbitrum treasury under scrutiny
Uniswap Proposal 96 — fee-and-burn reaches 13 chains
Executed on May 22 (three days before this week's window), Uniswap Proposal 96 passed with 72.98M UNI in favor, zero opposed, and 112.11 abstaining across 338 addresses. 12 The proposal extends protocol fee collection and UNI burning to BNB Chain (V2/V3), Polygon (V2/V3), and Celo (V2/V3/V4) — bringing the total count of active fee-and-burn chains to 13. BNB Chain and Polygon use Wormhole NTT (Native Token Transfers) for cross-chain fee routing; Celo uses its native OP Stack bridge. All collected fees route to TokenJar, where searchers bridge UNI back to Ethereum mainnet for burning to address `0xdead`. Protocol fee rate: 1/5 of the underlying LP pool tier (e.g., 0.06% from a 0.30% fee pool). 13
QuickSwap Clarity Act — 100% approval (May 25)
QuickSwap's Clarity Act governance proposal passed with 15.3M QUICK tokens — 100% of votes cast — closing at 12:30 PM UTC on May 25. 14 The act formalizes five governance pillars: Operational Cost Optimisation, Contributor Focus & Conflict-of-Interest Policy, Token Supply Reduction Framework, Foundation Mandate & Role Definition, and Transparency & Reporting. The proposal was described as codifying practices already in use rather than introducing structural change. QuickSwap operates across Base, Polygon, Ethereum, Immutable, Somnia Network, and Soneium.
Arbitrum Foundation — $45M request faces delegate headwinds (temp check opened May 28)
The Arbitrum Foundation opened a temperature check vote on May 28 seeking ~$45M for continued operations: $16M in stablecoins/RWAs, 1,740 ETH (~$3.5M), and 230M ARB (~$26M at current prices). 15 The 230M ARB represents approximately 2.3% of total supply and 3.7% of circulating supply. The vote remains active through June 4; an on-chain binding vote is tentatively set for June 8.
The dominant delegate objection: the Foundation's projected 2027 spend (~$53M including ARB) is 2.3× the DAO's 2025 gross chain revenue of $23.49M (from transaction fees, Timeboost auction proceeds, and the Arbitrum Expansion Program). DeFi analyst DefiIgnas framed it as the Foundation "operating at 2.3x DAO revenue." Delegate Arbit1 argued that "ecosystem growth alone should not automatically be treated as tokenholder value." Delegate crypfuto proposed milestone-based releases on a 3–6 month runway rather than upfront disbursement. 15
ARB is trading at ~$0.11 — down ~16% in the past week and ~95% below its January 2024 high. Arbitrum's DeFi TVL has fallen from a peak near $21B to approximately $1.5B. The combination of token depreciation and TVL contraction forms the backdrop against which the spending request lands.
No other major DAO governance votes (Lido, Aave, Compound, Maker/Sky, Curve, Balancer, Morpho, EigenLayer, Optimism) closed during the May 25–June 1 window based on Tally.xyz and Snapshot.org checks. 16 17
Infrastructure & regulatory context
CFTC approves first regulated Bitcoin perpetual futures (May 29)
The CFTC approved KalshiEX's BTCPERP contract on May 29 — the first US-regulated perpetual futures contract referencing Bitcoin spot price. 18 Kalshi submitted the application on May 28; the Commission approved under Commodity Exchange Act Section 5c(c)(4) and Regulation 40.3. Simultaneously, the CFTC issued a policy statement (PR 9242-26) inviting other market participants to submit perpetual contracts across asset classes for voluntary review. 19 CFTC chair Mike Selig called it a "historic action." Consumer protection group Better Markets countered that perpetual futures are among the highest-risk crypto instruments for retail investors.
The approval also opened a path for Coinbase's US derivatives exchange to list comparable products, a detail noted in WSJ coverage.
CME Group launches 24/7 crypto derivatives (May 29)
CME Group extended its Bitcoin and Ethereum futures and options to around-the-clock trading on May 29, with only a 2-hour weekly maintenance window. 20 The move eliminates the "CME gap" — the weekend price discontinuity that traders have exploited and hedged around for years. Both announcements on May 29 mark the most significant US regulatory/infrastructure expansion for crypto derivatives in a single day since Bitcoin futures first launched at CME in 2017.
Chainlink CCIP: Kraken kBTC and Lido wstETH migrate from LayerZero
Both Kraken and Lido's Network Expansion Committee selected Chainlink CCIP (Cross-Chain Interoperability Protocol) as their exclusive cross-chain infrastructure during the pre-window period, part of a broader post-Kelp DAO migration wave. 21 22 Kraken is moving its Wrapped Bitcoin (kBTC) and all future wrapped assets away from LayerZero; Lido is using CCIP for wstETH cross-chain deployment (wstETH manages approximately $20B in staked ETH). A Chainlink Labs executive noted that roughly $4B in DeFi value has migrated to CCIP following the April 18 Kelp DAO exploit. 23 CCIP holds ISO 27001 and SOC 2 Type 2 certifications and runs 16 independent oracle nodes.

Circle freezes $12.6M in Zama's confidential USDC pool (May 30)
Circle blacklisted Zama's cUSDC contract address (0xe978F…72B2) at 01:08 UTC on May 30, locking ~$12,606,386 USDC. 24 25 The freeze followed a federal court temporary restraining order (TRO) signed by Judge P. Casey Pitts on May 29 in a lawsuit between Overnight Finance and Patagon Management. Zama is not named as a defendant. The issue: cUSDC is a pooled contract that uses Zama's fully homomorphic encryption (FHE) infrastructure, meaning Circle froze the entire pool when the court targeted a single depositor's funds. More than 99% of the contract's balance came from a single deposit of ~$12.4M made by Overnight Finance founder Maxim Ermilov on May 11. Zama CEO Rand Hindi said the team was "caught in a crossfire" and received no advance notice; Zama has suspended cUSDC, cUSDT, and cWETH contracts.
The incident is a direct stress test for privacy-preserving DeFi infrastructure: pooled contract designs that shield individual user balances from on-chain visibility also prevent courts from surgically targeting one user's position.

Sui mainnet: three outages in 48 hours (May 28–29)
Sui's mainnet halted three times between May 28 and May 29, all traced to the v1.72 upgrade. 26 The first two outages stemmed from an edge case in mixed-gas payment handling; the third from a bug in the on-chain randomness protocol triggered during validator restarts. No user funds were lost and no transactions were rolled back. SUI fell ~19% in the week to approximately $0.88. This is Sui's third major reliability incident since its 2023 mainnet launch. Sui TVL sat at approximately $5.28B at the time of the outages.
ICE CEO on Hyperliquid: "bigger than Nasdaq"
Jeff Sprecher, CEO of ICE (NYSE's parent company), said at the Bernstein annual strategy conference on May 29 that Hyperliquid is "bigger than Nasdaq" and was built by a team of eleven people. 27 Sprecher confirmed ICE has held multiple meetings with the Hyperliquid team over the past month. The comments came two weeks after ICE and CME jointly lobbied US regulators to scrutinize Hyperliquid's offshore oil perpetual contracts (daily volume exceeding $1B). Sprecher said prior coverage had "made it seem like we were frightened" and characterized the engagement as mutual learning rather than adversarial lobbying. Hyperliquid L1 TVL reached $1.77B this week; the SPACEX-USDH pre-IPO perpetual contract suffered a 45% flash crash on May 28 when a single large sell order cleared the order book, liquidating $1.51M in positions in 30 minutes. 28

What to watch
- Gnosis Pay loss total: The full damage from the Zodiac Delay Module exploit will become visible once Gnosis publishes its incident report. Gnosis has pledged treasury-funded restitution, so the figure also sets a floor on how much the team must spend.
- Arbitrum $45M on-chain vote (June 8): The temperature check result (due ~June 4) will set the tone. Even if the Foundation's request passes, expect delegate demands for milestone-based disbursement tranches to make it into the final execution parameters.
- SpaceX IPO and SPACEX-USDH volatility: SpaceX's IPO is expected around June 11. The Hyperliquid pre-IPO perpetual already flash-crashed 45% on thin liquidity; leveraged positions ahead of the IPO date carry significant gap risk given there is no external price reference anchoring the contract.
- GENIUS Act comment period closes: The US Congress returns June 2 and the GENIUS Act stablecoin bill comment period is closing. The Circle/Zama freeze underlines that even technically compliant stablecoin infrastructure can be entangled in court orders — a dynamic regulators will need to address explicitly as pooled privacy contracts become more common. 29
Cover image: AI-generated illustration.
References
- 1. DeFiLlama Protocols API
- 2. DeFiLlama v2/Chains API
- 3. DeFiLlama homepage
- 4. DeFiLlama Hacks Database
- 5. Crypto.news: DxSale exploit drains $7.3M
- 6. Bitcoin.com News: Gravity Bridge $5.4M exploit
- 7. Rekt News: New Market Trading
- 8. BeInCrypto via Yahoo Finance: Alephium Bridge exploit
- 9. Crypto Briefing: Stake DAO exploit
- 10. Cointelegraph: Gnosis Pay exploit
- 11. Crypto.news: Gnosis Pay Zodiac exploit
- 12. Tally.xyz: Uniswap Proposal 96
- 13. DEXTools: Uniswap UNI burn expansion
- 14. QuickswapDEX on X: Clarity Act results
- 15. The Defiant: Arbitrum $45M funding request
- 16. Tally.xyz: Arbitrum governance
- 17. Tally.xyz: Aave governance
- 18. CFTC press release: BTCPERP approval
- 19. CFTC policy statement on perpetual contracts
- 20. The Defiant: CME 24/7 crypto futures
- 21. The Defiant: Lido selects Chainlink CCIP
- 22. The Defiant: Kraken migrates to CCIP
- 23. TheStreet Crypto: $4B moved to CCIP post-exploit
- 24. The Defiant: Circle freeze on Zama cUSDC
- 25. Unchained: Court order forces Circle to freeze Zama USDC
- 26. CoinDesk: Sui mainnet halts
- 27. Bitcoin.com News: ICE explores collaboration with Hyperliquid
- 28. CoinDesk: Hyperliquid SpaceX perpetual flash crash
- 29. CoinDesk: Crypto week ahead June 1