Aave loses $290m in major DeFi hack, exposing insurance gaps

The Aave protocol sustained a $290 million theft on April 18, 2026, marking one of decentralized finance's costliest breaches. Attackers exploited unpatched smart contract vulnerabilities to drain liquidity pools across multiple blockchain networks. The incident exposed critical gaps in DeFi insurance coverage and platform risk controls.

• The number: $290 million in cryptocurrency losses, with no recovery mechanism or insurance payout initiated by platform operators.
• Timeline: Breach discovered April 18, 2026. Aave governance initiated emergency protocol shutdown within four hours but could not prevent fund withdrawal.
• Security issue: Exploit targeted unaudited code paths in the lending smart contract, suggesting gaps between audit scope and live deployment.
• For compliance teams: DeFi platform operators face mounting pressure to maintain segregated insurance reserves or purchase parametric coverage products.

This breach amplifies regulatory scrutiny of DeFi platforms operating without traditional deposit protection. Unlike CeFi exchanges holding fiat-equivalent reserves, Aave relied on community governance and external insurance providers with capped coverage limits. Compliance teams managing DeFi exposure should audit platform insurance terms, verify audit scopes match deployed code, and model loss scenarios assuming zero recovery. Regulators are signalling that voluntary risk standards in DeFi will not satisfy future licensing requirements.

FinCEN and the SEC issued a combined $80 million penalty against Canaccord Genuity LLC on 6 March 2026 for willful Bank Secrecy Act violations. The broker-dealer failed to maintain an adequate AML programme for OTC market-making activities and neglected to file approximately 150 Suspicious Activity Reports over the enforcement period.

• Regulator's line: FinCEN flagged the absence of proper AML controls in OTC operations, a market segment compliance teams frequently under-resource relative to listed trading.
• The number: Canaccord failed to file 150 SARs, indicating either poor transaction monitoring or deliberate avoidance of reporting obligations to FinCEN.
• SEC action: The SEC issued a cease-and-desist order under Section 17(a) of the Exchange Act and Rule 17a-8, restricting future conduct violations.

This penalty signals FinCEN's focus on market-making desks where transaction volumes mask weak AML governance. Compliance teams should audit OTC workflows now, verify SAR thresholds match deal complexity, and document who owns escalation decisions. Expect increased FinCEN examination letters on this topic within six months.

The US Treasury's Office of Foreign Assets Control imposed a $7.5 million civil penalty on State Street Bank and Trust Company on 22 January for violating Russia-related sanctions restrictions. The settlement resolved breaches spanning multiple years involving transactions tied to Russian entities subject to OFAC prohibitions.

• Regulator's line: OFAC stated State Street failed to apply proper controls to transactions with sanctioned Russian parties despite its compliance obligations.
• The number: $7.5 million represents the second significant sanctions fine against a major custody bank in twelve months, signalling tougher enforcement momentum.
• For compliance teams: The case underscores gaps in transaction screening and entity identification protocols that persist even at systemically important financial institutions.

Custody banks handle vast volumes of cross-border flows, making sanctions compliance technically complex at scale. This fine suggests OFAC is scrutinising whether naming conventions, entity matching, and negative list protocols adequately capture Russian aliases and beneficial ownership structures. Compliance teams should audit their transaction screening rules against historical Russia SDN list versions and test screening failure rates in customer onboarding and transaction monitoring workflows.

The US Treasury's Office of Foreign Assets Control designated five individuals and seven companies operating in Nicaragua's gold sector on 14 January 2025, targeting government officials and family members of co-presidents Daniel Ortega and Rosario Murillo. All US property and interests held by the designees have been blocked, including those where targets own 50 percent or more.

• Regulator's line: OFAC cited support for the Murillo-Ortega regime through the gold sector as the basis for the action, extending sanctions beyond direct government roles to commercial networks.
• The number: Five individuals and seven companies now face asset freezes, with the 50 percent ownership threshold capturing entities where designees hold majority stakes.
• For compliance teams: Review Nicaragua gold sector exposure immediately, including subsidiary structures and joint ventures where your clients or counterparties may hold minority or majority positions.

This action signals OFAC's focus on sectoral sanctions and beneficial ownership capture in Latin America. Compliance teams must audit existing Nicaragua relationships against the full list, paying particular attention to shell companies and family-controlled entities in extractive industries. Check your transaction screening layers for coverage of 50 percent thresholds, not just 100 percent control designations.