Flying Tulip, a decentralized finance platform founded by Andre Cronje, has introduced a circuit breaker mechanism that can delay or queue withdrawals during periods of abnormal outflows, as DeFi losses mounted in April בעקבות a series of major exploits.
According to Flying Tulip’s documentation, the feature is designed to slow the movement of funds when outflow limits are exceeded, giving the team time to investigate suspicious activity and reducing the potential impact of an attack.
The circuit breaker operates differently across products. In its Perpetual PUT product, withdrawals may be temporarily rejected, requiring users to try again later. In contrast, for its stable asset and settlement currency ftUSD, withdrawals are queued and become claimable after a delay rather than being denied outright.
Flying Tulip said the system follows a “fail-open” design, meaning transactions will still proceed if the safety mechanism itself encounters issues. Users can monitor the feature through a dedicated status page.
The addition introduces an extra layer of protection as recent exploits have highlighted vulnerabilities in DeFi that go beyond smart contract code alone.
Recent exploits highlight broader security risks
The growing focus on outflow controls follows a wave of exploits that exposed vulnerabilities beyond smart contract code—particularly in areas like signers, infrastructure, and collateral design.
Amir Hajian, a researcher at Keyrock, said many of April’s largest failures were tied to operational and infrastructure weaknesses, including compromised multisigs, configuration errors, and leaked keys.
The circuit breaker introduced by Flying Tulip is intended to slow abnormal fund outflows and give the protocol time to react—especially in cases where breaches occur outside the smart contract layer.
Hajian noted that DeFi losses surpassed $600 million in just the first 18 days of April, with two major incidents responsible for roughly 95% of the total.
On April 2, Drift Protocol on Solana was exploited for an estimated $280 million. Later, on April 19, liquid restaking platform Kelp suffered a roughly $293 million breach, prompting Aave to freeze rsETH markets on its V3 and V4 deployments.
