If you have been following crypto news in April 2026, you have probably seen some alarming headlines. Kelp DAO lost $292 million. Scallop lost $140,000. Total DeFi losses this month have topped $606 million. Bitcoin sits at $78,657 and Ethereum at $2,369, and the market keeps moving — but underneath, something important is happening that every crypto user should understand.
The common thread in many of these hacks is not what you might expect. It is not always a flaw in the newest, most complex code. Sometimes, the vulnerability comes from old, forgotten smart contracts that protocols have stopped using but never fully removed. Here is what that means, why it matters, and what you can do about it.
The Basics
A smart contract is a piece of code that runs on a blockchain. Think of it like a vending machine: you put something in, it follows programmed rules, and it gives you something back. DeFi protocols use many smart contracts working together — one for deposits, one for lending, one for rewards, and so on.
When a protocol updates its system, it often creates new contracts and stops using the old ones. These old contracts are called deprecated contracts. The problem is that on a blockchain, deployed code cannot simply be deleted. It stays live and accessible, even if the protocol has moved on.
This is exactly what happened with Scallop on April 26, 2026. Scallop is the largest lending protocol on the Sui blockchain. They had an old rewards contract that was no longer in active use, but it was still live on the network. An attacker found a flaw in this retired contract and exploited it for about $140,000. User deposits were not affected, but the incident exposed a real gap in how protocols manage old code.
Why It Matters
You might think that if a protocol has been audited, it is safe. That is a reasonable assumption, but the reality is more complicated. Scallop passed a full security audit by the Sui Foundation in February 2025. Kelp DAO passed two separate audits before losing $292 million on April 18, 2026.
The issue is that audits typically focus on the code a protocol is actively using. They often do not review retired contracts, because those are considered obsolete. But obsolete does not mean inaccessible. On the blockchain, if a contract is deployed and not explicitly deactivated, anyone can interact with it — including attackers.
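What "explicitly deactivated" can look like in practice, as an added Solidity sketch that is not code from Scallop, Kelp DAO or any real protocol: a rewards contract with a one-way sunset switch. Once the switch is flipped, new deposits revert and point users at the successor contract, while withdrawals stay open so the retired contract never traps funds; the contract name, the successor address and the event are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical rewards contract (added illustration, not any real protocol's code).
// It shows an explicit sunset switch so a retired contract stops taking new
// deposits instead of silently staying live with its old logic.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SunsettableRewards {
    IERC20 public immutable token;
    address public owner;
    address public successor;   // contract users should migrate to
    bool public sunset;         // one-way: can be set, never cleared
    mapping(address => uint256) public deposited;

    event Sunset(address indexed successor);
    error NotOwner();
    error Deprecated(address successor);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    // Guards every function that creates new exposure to this contract.
    modifier whenLive() { if (sunset) revert Deprecated(successor); _; }

    function deposit(uint256 amount) external whenLive {
        deposited[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Withdrawals are never gated, so sunsetting cannot strand user funds.
    function withdraw() external {
        uint256 amount = deposited[msg.sender];
        deposited[msg.sender] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Called once at migration time. The event gives indexers a reliable source
    // for a published list of active and deprecated contracts.
    function sunsetContract(address _successor) external onlyOwner {
        sunset = true;
        successor = _successor;
        emit Sunset(_successor);
    }
}
```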
This matters for you because the protocols where you deposit, lend, or stake your crypto may have these hidden risks. Even well-audited, reputable platforms can carry deprecated contract vulnerabilities that no one is actively monitoring.
Getting Started Guide
Here are practical steps you can take today to protect yourself:
1. Do not leave idle funds in old contracts. If you have tokens sitting in a staking or rewards contract that a protocol has replaced with a newer version, withdraw them. Move your funds to the current, actively maintained contract. Idle funds in deprecated contracts are low-hanging fruit for attackers.
2. Spread your risk across protocols. Instead of putting all your crypto in one DeFi platform, distribute it across several. If one protocol is exploited, you will not lose everything. This is the crypto equivalent of not keeping all your eggs in one basket.
3. Follow protocol announcements. When a protocol announces a migration, upgrade, or contract change, pay attention. They will usually provide instructions on what to do with your funds. Following these instructions promptly reduces your exposure to deprecated contract risk.
4. Check for transparency. The best protocols publish a list of all their active and deprecated contracts. Before depositing funds, see if the protocol provides this information. If they do not, that is a warning sign.
5. Use hardware wallets for large holdings. A hardware wallet stores your private keys offline, so malware on your computer cannot read or copy them. It does not stop you from approving a malicious transaction yourself, so still read what you are signing. For any significant crypto holdings, this is one of the most effective security measures available.
Common Pitfalls
Assuming audits guarantee safety. Audits are important, but they are snapshots in time. They evaluate the code as it exists during the review. They cannot predict future attack techniques, and they often do not cover retired components. An audit report is a valuable indicator, not a guarantee.
Ignoring small exploits. The $140,000 Scallop hack might seem small compared to Kelp DAO’s $292 million, but it reveals the same systemic issue. Small exploits are early warnings. Protocols that ignore them often face larger breaches later.
Chasing high yields without checking security. New DeFi protocols often offer attractive yields to attract deposits. Before jumping in, check whether the protocol has been audited, who the auditors are, and whether the team is transparent about their contract infrastructure. High yield with low transparency is a red flag.
Panic-selling after a hack. When news of an exploit breaks, the instinct is often to withdraw everything immediately. While caution is warranted, panic can lead to losses through slippage, gas fees, and selling at the bottom. Instead, assess which protocols are actually affected, check official communications, and make measured decisions.
Next Steps
The events of April 2026 are a wake-up call for the entire DeFi industry, but they are also an opportunity for individual users to improve their security practices. Start by reviewing where your crypto is currently deposited. Check if any of those positions are in contracts that have been superseded by newer versions. Withdraw and reallocate as needed.
Stay informed by following reputable crypto security researchers on social media. Accounts like PeckShield, BlockSec, and CertiK regularly post alerts about vulnerabilities and exploits. Early awareness gives you time to act before a situation worsens.
Finally, remember that DeFi is still a young industry. The infrastructure is evolving, and security practices are improving — but the pace of improvement needs to match the pace of attacks. As a user, your best defense is staying informed, spreading your risk, and never assuming that any single protocol is perfectly safe.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions in cryptocurrency markets.
the deprecated contracts point is huge. protocols audit the new stuff and forget the old contracts are still live on-chain. Scallop got lucky it was only 140K
Kelp DAO losing 292M and Scallop 140K in the same month. both from deprecated contracts. the pattern is clear, protocols need sunset procedures not just audits
Kenta Mori the $292M Kelp DAO loss was from a single deprecated vault contract. one contract. the blast radius from forgetting to sunset old code is insane
^ this. an audit covers what exists today, not what you forgot to decommission six months ago. the attack surface grows with every unused contract
$606M in DeFi losses for April 2026 alone. at what point does the industry standardize forced contract expiration dates
killswitch_ exactly. EIP-5269 or something similar for contract lifecycle management should be a priority. the tooling exists, the will doesn't
the vending machine analogy in the article is solid but beginners need to understand that approving a smart contract is like giving someone a key to your safe. revoke it when you're done