What Happens to Your Portfolio When a DeFi Protocol Gets Hacked

Drift Protocol lost $285 million on April 1, 2026. Twelve more protocols were exploited in the two weeks that followed. Then on April 18, 2026, Kelp DAO was drained for roughly $292 million in the largest DeFi exploit of 2026. If you had funds deposited in any of these protocols, your portfolio tracker probably still showed the same balance the next morning.

That is the problem. When a protocol gets hacked, most trackers do not know anything happened. Your dashboard looks the same. Your P&L has not changed. The numbers are frozen at whatever they were before the exploit. Meanwhile your tokens are locked in a paused contract, drained to an attacker's wallet, or stuck in a depegged asset trading at a fraction of its former value.

The hack itself is out of your control. How you track it, classify it, and report it is not.

What Actually Happens to Your Tokens

A DeFi exploit can hit your portfolio in several ways depending on the type of attack and the protocol's response.

Your tokens might be drained directly. If an attacker gains access to the protocol's vaults or liquidity pools, your deposited assets can be moved to wallets you have no access to. This happened with Drift, where attackers siphoned $285 million from the platform's primary vault, including JLP tokens, USDC, wrapped ETH, and wrapped BTC. If you were providing liquidity, your tokens left the protocol. They are gone unless there is a recovery or reimbursement.

The protocol might pause. After Kelp DAO detected the exploit, the team activated a protocol-wide pause at 18:21 UTC, freezing deposits, withdrawals, and the rsETH token itself. Your tokens still exist in the contract. You can see them on-chain. But you cannot move them, sell them, or do anything with them until the protocol resumes. Your portfolio tracker likely still shows them at their pre-hack value.

A token might depeg or collapse in value. When rsETH was exploited, the attacker drained roughly 18% of the entire circulating supply. That kind of supply shock can crash the token's price on secondary markets. Your tracker might update the price but still show the same quantity, meaning your displayed balance drops without any transaction appearing in your history.

The protocol might negotiate or reimburse. Some exploited protocols have recovered funds, either partially or fully. Others have issued IOUs or governance tokens as compensation. Each of these outcomes creates a different transaction that needs to be recorded correctly for your P&L and your taxes.

What Your Tracker Gets Wrong

Most portfolio trackers pull balance data from the blockchain. If your tokens are sitting in a smart contract that was paused, the balance still reads the same on-chain. The tracker sees no change. Your dashboard looks fine.

The problems show up in layers. If the protocol paused and your tokens are frozen, your tracker shows an asset you cannot actually access. Your net worth number includes value you cannot liquidate. You are making decisions based on a portfolio that is partially fictional.

If tokens were drained, your tracker might still show the original deposit because the contract's internal accounting has not been updated. Or it might show a zero balance with no corresponding transaction, which means your P&L just dropped without any disposal being recorded. Your cost basis for those tokens is still sitting in your lot queue even though the tokens are gone.

If a token depegs, the price updates but the tracker has no way to classify why it happened. A token that drops 95% because of a hack looks the same in your portfolio as a token that drops 95% because the market moved. The difference matters for taxes.

If the protocol issues recovery tokens or compensation, those arrive as new assets with no cost basis assignment unless your tracker knows to classify them as hack recovery. Most trackers record them as incoming tokens with an unknown origin, which throws off your income reporting. For more on how unrecognized tokens get misclassified, see our guide to tracking DeFi positions across protocols.

The Tax Side

The tax treatment of DeFi hack losses depends on whether the loss qualifies as a theft, a capital loss, or a worthless asset. Each one is reported differently and has different deduction rules.

Theft losses from investment property may be deductible under IRC §165(c)(2) if you can demonstrate three things: the loss resulted from criminal activity under applicable law, you held the crypto in a profit-motivated transaction, and there is no reasonable prospect of recovery. The IRS clarified this in Chief Counsel Advice Memorandum 202511015, issued in March 2025. A DeFi protocol exploit where an attacker steals funds through an unauthorized smart contract manipulation would likely meet the criminal activity requirement, but the “no reasonable prospect of recovery” condition means you may need to wait until it is clear the funds will not be returned before claiming the deduction.

Capital losses apply when you sell or dispose of an asset below your cost basis. If a hacked token is still trading on secondary markets at a fraction of its former value, you could sell it to realize the loss. That sale is reported on Form 8949 like any other disposal. Your loss is the difference between what you paid and what you received.

The Tax Cuts and Jobs Act suspended the category of deduction that §165(a) worthlessness losses fall into under IRC §67(g). That suspension was originally set to expire at the end of 2025. It did not. The One Big Beautiful Bill Act, signed July 4, 2025, amended §67(g) to make the suspension permanent. Worthlessness deductions for cryptocurrency remain blocked in 2026 and beyond.

The practical path for a holder with tokens that went to near-zero is to sell or exchange them for any amount, even a fractional cent, which triggers a capital loss on Form 8949 and Schedule D. Capital losses are not affected by §67(g) and remain deductible against gains and up to $3,000 of ordinary income per year, with unlimited carryforward. Once a capital loss is realized on crypto, it can offset gains from any capital asset including stocks. See how the netting works.

Theft losses under §165(c)(2) are also excluded from the §67(g) suspension and remain potentially deductible when profit-motivated, caused by criminal activity, and when there is no reasonable prospect of recovery (per IRS CCA 202511015, March 2025).

Stablecoin collapses like Terra UST follow the same rules but with their own twist. See our stablecoin tax guide for the full picture.

Regardless of which category applies, you need records: your cost basis in the lost tokens, the date you became aware of the loss, the fair market value at the time of the exploit, and any recovery or compensation you received. Your tracker should be generating those records for you. If it is not, you are reconstructing them after the fact from block explorers and transaction logs. For more on why records matter and how cost basis works through DeFi, see our DeFi cost basis guide.

What to Check After a Protocol Exploit

If you have funds in a protocol that was exploited, there are a few things to check immediately.

Verify whether your tokens are still in the contract. Check the protocol's official channels for status updates on the pause, recovery efforts, and any planned compensation. Do not interact with any links or contracts claiming to offer refunds unless confirmed by the protocol team. Scam attempts are common immediately after exploits. After the CoinStats breach in 2024, fake refund schemes appeared within hours. We covered how attackers exploit breaches for secondary scams in our tracker security guide.

Check your tracker. Does it reflect the exploit? If your dashboard still shows the pre-hack balance, that number is wrong and any P&L calculated from it is wrong too. Flag or manually adjust the position until your tracker can classify the event correctly.

Document everything now. Save the protocol's announcement, the block number of the exploit, your deposit transaction hashes, and the current status of your tokens. If you need to claim a loss on your taxes, you will need this documentation to establish when the loss occurred and whether recovery is possible.

Review your token approvals. If you gave the exploited protocol unlimited approval to spend your tokens, that approval may still be active. Revoke it. A protocol that was exploited once has already demonstrated a vulnerability, and outstanding approvals can be a vector for further losses.

How Cryptofolio Handles This

Cryptofolio tracks DeFi positions by reading on-chain data directly from the protocol contracts. When a protocol pauses or tokens are drained, the on-chain state changes. Cryptofolio flags positions that show unexpected changes rather than continuing to display stale data.

If tokens are frozen in a paused contract, the position is flagged so you know the balance is inaccessible. If tokens were drained, the outgoing transaction is recorded and classified. If a recovery or compensation token arrives, it is tracked as a new incoming asset and flagged for your review so you can classify it correctly.

The cost basis on your lost tokens stays in your records. If you later sell worthless tokens to realize a capital loss, the original cost basis is what determines the size of that loss. If you receive compensation, the cost basis on the recovery tokens is separate from the basis on what you lost. Cryptofolio maintains both. For the full product walkthrough, see What Is Cryptofolio and How Does It Work.

The goal is that when something goes wrong in DeFi, your tracker does not pretend it did not happen.

The Bottom Line

DeFi exploits are not slowing down. April 2026 alone has seen over $600 million drained from protocols, and the pace of attacks has accelerated in the weeks since Drift. If you have assets deployed in DeFi, you are exposed to protocol risk that your portfolio tracker may not be equipped to handle.

When a hack happens, the financial impact is immediate. The tracking impact is slower and often invisible. Your dashboard shows the same number. Your P&L does not update. Your tax records do not reflect the loss. A tracker that cannot handle protocol exploits is not tracking your portfolio. It is showing you a snapshot from before things went wrong.

Disclaimer: This article is for informational purposes only and does not constitute legal, tax, financial, or investment advice. Cryptocurrency tax rules are complex, depend on your specific situation, and are subject to frequent regulatory changes. While we strive to keep our content accurate and up to date, information in this article may become outdated as policies evolve. Consult a qualified professional for advice on your individual circumstances.