Solana-based decentralized finance yield protocol Carrot said Thursday that it is shutting down permanently, becoming one of the first DeFi protocols to fall due to contagion from the Drift Protocol exploit in early April. 

In an X post on Thursday, Carrot said the Drift exploit was “catastrophic” for the protocol and had left it financially unable to continue operating. The platform set a May 14 deadline for users to withdraw remaining funds. It said it will continue to help recovery efforts related to Drift and distribute assets once they become available.

“We are setting May 14th as the deadline to withdraw any remaining funds from Boost, Turbo, and CRT before we will then begin to deleverage the system. Your deposited funds are still yours, but all leverage will be reduced to zero, freeing up all liquidity for CRT redemption,” the protocol’s team said.

The Drift protocol exploit on April 1 was the second-largest in 2026. It was a highly coordinated attack that involved months of social engineering by a group of hackers who gained admin control and drained more than half the protocol’s total value locked. 

The contagion spread to several affiliated projects such as the yield protocol Gauntlet, the lending and borrowing platform PrimeFi and the crypto fund Elemental DeFi. 

Related: Insider trading backlash forces Polymarket to step up surveillance

Carrot was integrated with Drift’s infrastructure and used its pools to generate yield for its users. Its TVL collapsed after the Drift Protocol hack. 

According to data from DefiLlama, Carrot’s total value locked was around $28 million before the Drift hack, and is currently $1.99 million, marking a decrease of roughly 93%.

Carrot’s sharp TVL drop after the Drift hack. Source: DefiLlama

DefiLlama data also shows nearly $630 million worth of digital assets were stolen in April across 25 incidents, making it the month with the largest losses since February 2025, when $1.47 billion was stolen.

The $293 million hack on liquid staking protocol Kelp is the largest exploit of 2026 so far. The Drift hack is close behind at $285 million. Together, these two attacks account for more than 90% of all crypto stolen in April.

Magazine: AI-driven hacks could kill DeFi — unless projects act now

Cryptocurrency exchange OKX has launched an open payments protocol for artificial intelligence agents, joining a growing push by crypto and payments companies to build infrastructure that lets software agents pay for services and transact with less human input.

The new cross-chain Agent Payments Protocol (APP) is designed to let AI agents operate and communicate autonomously. OKX said Wednesday that the cross-chain standard can handle agent-to-agent payments, recurring or top-up payment flows and other automated payment arrangements across business processes. The company also said agents will be able to negotiate with each other, escrow funds and release them on verified task delivery.

OKX said the framework is built around its self-custodial Agentic Wallet and Payment SDK, with support on X Layer and broader cross-chain implementation. The company is pitching the protocol as a way for AI agents to move from simple payment requests to more autonomous commercial activity.

The launch comes as competition intensifies to build payment rails for AI agents. Google has promoted its AP2 protocol, Coinbase has its x402 standard, and Visa and Stripe-linked efforts have also moved into the space, with companies apparently trying to quickly define the rails for machine-to-machine commerce.

APP compared to the existing payment protocols. Source: OKX

OKX targets end-to-end AI agent commerce

OKX is pitching APP as a broader commerce layer rather than a simple payment button.

The company said AI agents can query real-time market data feeds, while the service responds with an HTTP 402 payment request, and agents pay per call with automatic settlement.

Related: Stablecoin issuers and fintechs race to own payment rails 

Agents can then hire a specialized sub-agent to complete the research task, APP opens an escrow account, and payment is released upon verification after the work is delivered.

OKX AI agent framework. Source: OKX

Developers can also use OKX’s payment tools on X Layer, where the company says some stablecoin transfers can be executed without gas fees.

The growing race to enable machine payments could also support stablecoin usage, as they can help unlock machine-to-machine payments by making microtransactions viable and enabling programmable, conditional payments between software agents without a human in the loop, Bernstein said in March.

Magazine: Crypto wanted to overthrow banks, now it’s becoming them in stablecoin fight 

Australia’s future account-to-account (A2A) payment systems may need to adapt if tokenized forms of money gain broader use, including stablecoins and tokenized liabilities, according to a draft vision for the country’s domestic payment rails.

The draft, co-developed by the Account-to-Account Payments Roundtable, which includes AusPayNet, Australian Payments Plus, the Reserve Bank of Australia and the Commonwealth Treasury, identifies digital assets as one of several external forces that could affect future A2A payments. 

“Tokenised forms of money, such as stablecoins and tokenised liabilities, are moving from experimentation to adoption,” the draft said, adding that the shift reflects a move toward programmable, ledger-based value that could enable new settlement models, continuous availability and more automated execution. 

The consultation suggests Australia’s payments planners are beginning to treat tokenized money as a design consideration for mainstream payment infrastructure.

The document said A2A systems “may need to support secure interoperability between account-based money and tokenised representations of fiat currency,” allowing reliable movement of funds between those environments while maintaining trust. 

Common types of A2A payments. Source: RBA

The draft also treats digital assets as a potential parallel value layer alongside other emerging forces shaping payments.

It said these technologies could reshape how payments are initiated, authorized and managed, while introducing new risks around accountability, liability, data use and resilience. 

Australia advances tokenization work 

The A2A consultation comes as Australia continues broader work on tokenized money, stablecoins and digital asset regulation. 

In July 2025, the RBA and the Digital Finance Cooperative Research Centre announced the selected use cases for Project Acacia, a wholesale digital money project exploring settlement in tokenized asset markets. 

The RBA said proposed settlement assets for the use cases included stablecoins, bank deposit tokens, a pilot wholesale central bank digital currency and new ways of using banks’ existing exchange settlement accounts at the RBA. 

Related: Australian crypto execs upbeat on progress despite lingering issues

On March 25, RBA Assistant Governor Brad Jones said the next phase of financial system innovation would require moving beyond short-term pilots toward longer-term, staged environments where industry and regulators can test new technologies and adjust policy settings.

He said the interaction of wholesale CBDC with bank deposit tokens and stablecoins, as well as the synchronization of tokenized asset ledgers with Australia’s settlement infrastructure, would be areas of interest.

Australia has also moved to bring parts of the digital asset sector into its financial services framework. In November, the Treasury said proposed digital asset laws would introduce two new financial products, digital asset platforms and tokenized custody platforms, requiring them to hold an Australian Financial Services Licence.

Magazine: Bitcoin will not hit $1M by 2030, says veteran trader Peter Brandt

Andre Cronje says much of decentralized finance is “no longer DeFi” in the strict sense, as builders debate whether circuit breakers and other emergency controls are now necessary to protect users from exploits.

The Flying Tulip founder told Cointelegraph in an interview that many protocols are no longer immutable public goods, but rather “teams running for-profit businesses” with upgradeable contracts, offchain infrastructure and operational controls.

That shift changes the security model, he said. While early DeFi protocols were mostly defined by immutable smart contracts, newer systems often depend on proxy upgrades, multisigs, infrastructure providers, admin processes and human response teams, according to Cronje. 

“I think what we have today, Flying Tulip included, is no longer DeFi. It’s not decentralized finance. It’s not immutable code,” Cronje said. “It’s teams running for-profit businesses.” 

The comments come as April’s DeFi exploits pushed security narratives beyond smart contract audits and into questions of operational risk. On Thursday, Flying Tulip added a withdrawal circuit breaker designed to delay or queue withdrawals during abnormal outflows. The move follows major incidents involving decentralized exchange Drift Protocol and restaking platform Kelp, with estimated losses of about $280 million and $293 million, respectively. 

Flying Tulip’s Andre Cronje (left) and Cointelegraph’s Ezra Reguerra (right). Source: Cointelegraph

DeFi risks move beyond smart contracts

Cronje said the industry focuses on audits when many systems can be changed by developers or controlled through administrative processes. 

“The focus over all of the industry is still very much so on the contract side and not sort of the more TradFi side,” Cronje told Cointelegraph, adding that many recent exploits have involved “traditional Web2 stuff” such as infrastructure access, compromises and social engineering.

He said protocols with upgradeable contracts need traditional checks and balances around who can upgrade code, who approves changes and whether there are proper timelocks and multisig controls. 

Related: Ethereum backers pledge up to 30,000 ETH to rsETH recovery after bridge incident

Curve Finance and Yield Basis founder Michael Egorov shared the view that recent incidents show the risks are increasingly tied to centralization and offchain dependencies rather than only smart contract bugs.

“The vast majority of the most recent DeFi exploits happened not due to errors in code,” Egorov told Cointelegraph. “They happened because of centralization risks — single points of failure which live off-chain.”

Egorov said Aave, Kelp and LayerZero smart contracts were not hacked in the recent rsETH incident, arguing that the compromise came from offchain infrastructure. He said DeFi protocols can be exposed to “a whole tree of risks,” with the largest risks often tied to humans rather than code. 

Circuit breakers divide DeFi builders

Cronje said Flying Tulip’s circuit breaker is not designed to permanently block withdrawals, but to create a response window when outflows exceed normal parameters. “Our circuit breaker isn’t actually designed so that we can stop or prevent anything from happening,” he said. “It’s to give us time to react.”

Flying Tulip’s system gives the team about six hours, although Cronje said smaller or less geographically distributed teams may need 12 to 24 hours, or even longer. He said the tool makes sense for contracts that hold user funds, but should be viewed as one layer among audits, distributed multisigs, timelocks and other controls.

“Security is always a layered approach,” Cronje said. “It’s never a ‘this is the one thing’ that makes you invulnerable.”

Related: Aave asks Arbitrum to send 30K ETH from Kelp exploiter to ‘DeFi United’

Egorov was more cautious. He said circuit breakers can make sense in theory, but only if they are implemented in a way that does not create a new privileged attack surface. “The circuit breakers are controlled by humans, which means they could become a potential vulnerability themselves,” Egorov told Cointelegraph. 

He warned that if emergency controls allow signers to change contract code or block withdrawals, compromised signers could turn the safeguard into a drainer or a centralized freeze mechanism. In his view, the better long-term answer is to design systems that can keep running safely without manual intervention. 

“The goal of DeFi design should be to minimize human-centric points of failure, not add to them,” Egorov said. “DeFi needs to be safe, and safety comes from decentralization.” 

Standard Chartered says Kelp episode shows DeFi resilience 

Standard Chartered framed the Kelp episode as a sign of DeFi’s growing pains rather than a fatal failure. 

In a Wednesday research note seen by Cointelegraph, the bank said the April 18 theft exposed systemic risks after the impact spread to Aave, but said the more than $300 million raised by the DeFi United coalition and structural changes such as Aave V4 and the Ethereum Economic Zone suggest the sector is developing stronger defenses. 

DeFi United site shows over $321 million raised or committed. Source: DeFi United

The bank said those upgrades could reduce reliance on bridges, which it described as a major attack vector in recent crypto hacks.

Magazine: AI-driven hacks could kill DeFi — unless projects act now