Volo Protocol confirmed a $3.5 million exploit on the Sui blockchain on April 21, draining WBTC, XAUm, and USDC from three of its vaults. The team froze all vault operations within hours. As of April 22, roughly $2M of those stolen assets have been locked down.
The protocol had passed audits with Ottersec, Movebit, and Hacken before the incident. A live bug bounty program was also in place. None of that stopped what happened.
Private Key, Not Code
In a community status report posted on X, the Volo team said the attack came from a private key compromise, not a flaw in the smart contracts. According to @volo_sui on X, the Sui blockchain and its infrastructure performed as intended throughout the entire incident.
That distinction matters. Most DeFi security audits focus on on-chain logic. Private key management lives outside that scope. Three separate audit firms reviewed Volo’s code, and not one of them could have caught this.
The remaining $28 million in TVL across unaffected vaults was never at risk, the team confirmed. No shared vulnerability exists between the three breached vaults and the rest of the protocol.
$2M Frozen, $1.5M Still in Play
The recovery moved fast. In an initial update posted on X shortly after detection, @volo_sui announced the team had immediately notified the Sui Foundation and ecosystem partners to contain the damage. Vaults were frozen to stop further exposure.
Hours later, a recovery update on X from @volo_sui confirmed that roughly $500K in assets had already been frozen through close coordination with ecosystem partners.
By April 22, that number climbed to approximately $2M. The Volo team said the recovery was the result of a round-the-clock effort running through EST business hours on Wednesday, working directly with the Sui Foundation.
For the remaining ~$1.5M, Volo’s position is direct. No user will be left out of pocket. According to the April 22 community status report on X by @volo_sui:
“We are fully prepared to make every affected user whole.”
The team added that the reimbursement process will be communicated in full before any funds move, so users know the steps in advance.
The Audit Gap Nobody Talks About
Private key exploits are not new. They have accounted for hundreds of millions in DeFi losses across 2025 and 2026. What makes Volo’s case worth examining is how clean its security posture looked on paper before April 21.
Three named audit firms. An active bug bounty. None of it flagged the attack vector that was eventually used. That is not a failure unique to Volo. It reflects a gap in how the industry assesses security, where on-chain code gets scrutinized and off-chain key management does not.
Volo has not named the attacker or linked the exploit to any known group. The investigation is still running.
Vaults Stay Frozen for Now
All 16 vaults remain frozen pending a full post-mortem. Volo said the report will be published once the investigation concludes and that a detailed remediation plan will follow. The team is also working to return blocked WBTC to the protocol.
“We are deeply sorry this happened. The Volo Team is working without pause to resolve it and to rebuild the trust you have placed in us,”
the team wrote in its April 22 update on X.
Users have been directed to the official @volo_sui account for real-time updates as the situation develops.
