The DeFi Protocol That Was ‘Unhackable’ Just Lost $800 Million. The Industry Is Out of Excuses.

The Industry Is Out of Excuses

A certain kind of irony follows DeFi like a shadow. The fundamental tenet of decentralized finance is trustlessness, the notion that you need only trust code rather than a business or an individual. And yet, here we are once more: $800 million has disappeared into the digital ether, the code was the issue, and the person behind the code was the issue. The industry continues to refer to these occurrences as “unprecedented.” They’re not.

In the most recent instance, most people had never heard of the ROAR, a young Ethereum-based project, before it made the wrong kind of headlines. On April 16, Web3 security company Hacken revealed that a staking contract tied to the project had been fully drained, with 100 million 1ROR tokens, roughly $785,000, gone in a single transaction.

Protocol Name: The ROAR (Ethereum-based DeFi ecosystem)
Network: Ethereum Blockchain
Amount Lost: ~$785,000 (100 million 1ROR tokens)
Date of Exploit: April 16, 2025 (reported by Hacken)
Security Auditor: Hacken (Web3 security firm)
Attack Type: Backdoor embedded in staking contract constructor
Funds Laundered Via: Tornado Cash (crypto mixer)
Related Protocol: Balancer V2 Composable Stable Pools — lost $120M+
Industry Total Lost (2026 Q1): Over $137 million in exploits by March 2026
Broader Context: $2.2 billion stolen from crypto platforms in 2024; 61% by North Korean-aligned actors (Chainalysis)

It wasn’t the amount of the loss that hurt. It was the method. The attack was not sophisticated: there was no zero-day vulnerability, no intricate relay chains, no encrypted tunnels. A developer had embedded a backdoor.

Yehor Rudytsia, an on-chain researcher at Hacken, says the attacker had hard-coded their wallet’s stake amount directly in the contract’s constructor, giving them withdrawal rights from the moment the contract was deployed. In reality, they never staked anything. They did nothing but wait. Specifically, seventeen days.


Long enough for liquidity to come in, long enough for the token to be listed, and long enough for ordinary investors to think this was genuine. Subsequently, the developer discreetly terminated the contract and transferred the money via Tornado Cash. “No complex exploit,” Rudytsia said, “just malicious logic planted at deployment.”
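The defensive counterpart to the backdoor described above is a solvency invariant: the stake a contract credits to its users must be backed by tokens the contract actually holds, and at deployment, before any stake() call, no address should have a non-zero balance. The toy ledger below is an added illustration, not The ROAR’s contract or Hacken’s tooling; the addresses, amounts and the class itself are constructed for the example.

```python
# Added example (hypothetical, not The ROAR's code): a toy staking ledger plus
# the solvency check a pre-deployment review or on-chain monitor can run on it.
from dataclasses import dataclass, field


@dataclass
class StakingLedger:
    """Minimal stand-in for a staking contract's storage."""
    token_balance: int = 0                        # tokens the contract really holds
    stakes: dict = field(default_factory=dict)    # address -> accounted stake

    def stake(self, who: str, amount: int) -> None:
        # A legitimate stake moves tokens in and credits exactly that amount.
        self.token_balance += amount
        self.stakes[who] = self.stakes.get(who, 0) + amount

    def withdraw(self, who: str, amount: int) -> int:
        # Mirrors a token transfer: it can only pay out what the contract holds.
        if self.stakes.get(who, 0) < amount:
            raise ValueError("insufficient accounted stake")
        if self.token_balance < amount:
            raise ValueError("contract does not hold enough tokens")
        self.stakes[who] -= amount
        self.token_balance -= amount
        return amount


def deploy_honest() -> StakingLedger:
    return StakingLedger()


def deploy_backdoored(insider: str, seeded: int) -> StakingLedger:
    # Models the pattern the article describes: the constructor credits one
    # address with stake although no tokens were ever transferred in.
    ledger = StakingLedger()
    ledger.stakes[insider] = seeded
    return ledger


def accounted_stake(ledger: StakingLedger) -> int:
    return sum(ledger.stakes.values())


def solvency_gap(ledger: StakingLedger) -> int:
    """Accounted stake minus tokens held. 0 means every stake is backed; a
    positive gap means someone can withdraw tokens they never deposited."""
    return accounted_stake(ledger) - ledger.token_balance


def pre_seeded_addresses(ledger: StakingLedger) -> list:
    """Review-time check run right after deployment, before any stake() call:
    any non-zero entry at this point is unbacked and needs an explanation."""
    return sorted(addr for addr, s in ledger.stakes.items() if s > 0)


if __name__ == "__main__":
    # Constructed scenario: insider seeded with 100M, users then add liquidity.
    bad = deploy_backdoored("0xInsider", 100_000_000)
    print("gap at deployment:", solvency_gap(bad))            # 100000000
    print("seeded addresses:", pre_seeded_addresses(bad))    # ['0xInsider']
    bad.stake("0xAlice", 60_000_000)
    bad.stake("0xBob", 40_000_000)
    print("insider drains:", bad.withdraw("0xInsider", 100_000_000))
    print("users still credited:", accounted_stake(bad), "backed by", bad.token_balance)
```

The gap is already visible in the very first block after deployment, which is the point: this is a check that a reviewer or a monitoring bot can run before any liquidity arrives, rather than after the seventeen-day wait.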

The ROAR confirmed the incident and identified the attacker as a contracted developer who was not a member of its core team. The team said it had revoked access, scrubbed the developer’s code contributions, and was gathering evidence for legal action.

These are the appropriate statements to make. They are also, by now, a sort of script that the DeFi community has heard after almost every significant breach, delivered with the same blend of indignation and regret. It is hard to read them without feeling a little tired.

The Balancer breach should have genuinely shaken the industry’s trust in auditing. Balancer is not a brand-new initiative, nor an obscure garage-based team. It is an automated market maker and portfolio manager with years of experience running bug bounty programs and commissioning audits from leading security firms.

Nevertheless, attackers exploited a rounding-precision flaw in the Vault’s internal computations, a weakness compounded by its batch swap functions. GoPlus, a security firm, put it simply: each calculation rounded down, which affected token prices, and attackers used carefully constructed parameters to take advantage of the drift. As a result, its V2 Composable Stable Pools suffered losses of more than $120 million.
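The general lesson behind the rounding flaw is that integer division in a pool must always round against the caller, for every path, or each call leaks a little value to whoever constructs the inputs. The share-based pool below is an added, simplified illustration and not Balancer’s code or its stable-pool math; the reserve and share figures are constructed. It runs the same deposit-and-withdraw round trip against a pool that rounds in its own favor and against one that rounds toward the caller.

```python
# Added example (hypothetical, not Balancer's code): a toy share pool that shows
# why the direction of integer rounding matters, not just its precision.

def floor_div(a: int, b: int) -> int:
    return a // b


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


class SharePool:
    """Values each share at reserve / total_shares. Real AMM invariants are
    more involved, but the rounding rule is the same."""

    def __init__(self, reserve: int, total_shares: int, favor_pool: bool):
        self.reserve = reserve
        self.total_shares = total_shares
        # favor_pool=True : every rounding goes against the caller (safe).
        # favor_pool=False: every rounding goes toward the caller, so each
        # call leaks dust to the caller, the drift the article describes.
        self.div = floor_div if favor_pool else ceil_div

    def deposit(self, amount: int) -> int:
        shares = self.div(amount * self.total_shares, self.reserve)
        self.reserve += amount
        self.total_shares += shares
        return shares

    def withdraw(self, shares: int) -> int:
        amount = self.div(shares * self.reserve, self.total_shares)
        self.reserve -= amount
        self.total_shares -= shares
        return amount


def round_trip_gain(pool: SharePool, amount: int, cycles: int) -> int:
    """Net tokens a caller gains (positive) or loses (negative) after `cycles`
    deposit/withdraw round trips of `amount` tokens each."""
    net = 0
    for _ in range(cycles):
        shares = pool.deposit(amount)
        net += pool.withdraw(shares) - amount
    return net


if __name__ == "__main__":
    # Constructed pool state: a slightly non-integer share price (1003 / 1000).
    safe = SharePool(reserve=1003, total_shares=1000, favor_pool=True)
    leaky = SharePool(reserve=1003, total_shares=1000, favor_pool=False)
    print("safe pool, 1 cycle :", round_trip_gain(safe, 10, 1))    # -1
    print("leaky pool, 1 cycle:", round_trip_gain(leaky, 10, 1))   # +1
```

With the safe policy the caller can never come out ahead, whatever parameters they choose; with the leaky policy the dust is small per call, which is exactly why batch operations that repeat the calculation many times turn it into a real loss.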

As these incidents mount, it seems as though the DeFi sector has embraced auditing in the same way that some eateries have embraced health inspections: as a box to check, a credential to show, rather than a true assurance of safety. The team at Balancer took great care to emphasize that other pools remained unaffected. That is accurate. It’s also irrelevant. The audit itself becomes a question mark rather than a shield when a protocol that has “undergone extensive auditing by top firms” loses nine figures due to a rounding error.

The list from just the first quarter of 2026, which includes Step Finance, Truebit, and Resolv Labs, resembles a casualty roll. In just three months, over $137 million was lost to unchecked permissions, logic errors, and oracle manipulation. The attack vectors vary. The aftermath never does: developers apologize, users lose, and the industry moves on to the next project that promises institutional-grade security.

Attackers, meanwhile, appear to be deliberately shifting to smaller or faster-growing protocols, those with weaker audit histories and less monitoring. It makes a predatory kind of sense. Blue-chip protocols have hardened. The rest remain exposed.

The ROAR case stands apart and is, to be honest, more unsettling because it required no technical expertise. Planting a backdoor in a staking constructor is not the work of a nation-state actor or a highly skilled hacking collective. It was done by someone who knew the system well enough to take advantage of people’s trust.

That is not a technical vulnerability but a social one, and better audits do not address social vulnerabilities. They are patched with slower hiring, more thorough background checks, and more skeptical review procedures, none of which is as marketable as a security certificate.

The outcome of a lawsuit against the ROAR developer is still unknown. Tornado Cash and other cryptocurrency mixers were created specifically to make such recovery challenging. Whether any money was returned has not been verified by the Balancer team.

These trends are so well-known that many in the DeFi industry have just priced them in: another quarter, another set of losses, another round of promises and post-mortems. Whether the next breach will occur is not a question worth pondering. It will. The question is whether the industry has quietly concluded that this is just the price of doing business on the frontier or if it genuinely wants to address this.

From the outside, it seems like DeFi is getting close to a reckoning it keeps putting off. Instead of losing $800 million, the retail investors who had faith in The ROAR lost $785,000. However, the number of these incidents, each written off as a bad actor, an edge case, or an unprecedented situation, is starting to add up to something bigger than any one hack. It’s contributing to a credibility issue. Furthermore, it is much more difficult to regain credibility once it has been lost than stolen ETH.