Decentralized finance has lost more than $600 million in under a month, as a string of major exploits drove total value locked (TVL) to its lowest level in a year and sparked one of the sharpest liquidity events on record for top lending protocol Aave.
The latest and largest hit came over the weekend, when roughly $292 million was drained from Kelp DAO’s cross-chain bridge in an attack that quickly rippled across multiple protocols. Within 24 hours, the broader DeFi market shed an estimated $7 billion to $10 billion in TVL, dropping aggregate value to as low as $82.4 billion—down roughly 25% from around $110 billion at the start of 2026.
A single-day decline of 5.6% marked the sector’s steepest drawdown since 2024, underscoring how quickly confidence evaporated after the exploit.
Aave faces severe liquidity crunch and bad debt
The Kelp DAO breach cascaded directly into Aave, DeFi’s largest lending platform, triggering net outflows of about $9 billion in the days that followed. Aave’s TVL fell by more than a third to roughly $17.5 billion, while its Ethereum utilization rate briefly surged to 100%, signaling an acute shortage of immediately available liquidity.
The stolen rsETH—Kelp DAO’s liquid staking token—was used as collateral on Aave to borrow an estimated $236 million in other assets. That maneuver left Aave with a large bad debt position that it did not originate through its own risk parameters but inherited via compromised collateral.
In response, Aave froze rsETH markets to limit further damage. The move curtailed liquidity in several stablecoin markets and temporarily locked large deposit balances, adding operational stress for users seeking to unwind positions or move capital.
Other protocols move to contain contagion
Concern over knock-on effects spread quickly through the interconnected DeFi ecosystem. Several platforms with exposure to rsETH, including SparkLend, Fluid, and Lido, also froze or restricted related markets in an attempt to ring-fence risk.
Analytics firm Arkham Intelligence warned that options for restoring balance sheets are limited without outside funding. Possible recovery paths under discussion include:
- applying an even reduction of around 16% across all rsETH holders, or
- fully protecting Ethereum mainnet deposits while imposing heavier losses on Layer 2 users, with potential haircuts estimated at up to $267 million.
Both scenarios would crystallize losses for users and formalize the split between different networks’ risk profiles.
Losses pile up across lending, staking, and trading
Lending markets have so far borne the brunt of the recent turmoil. Sector-wide lending TVL fell about 13% following the Kelp DAO exploit, while liquid staking protocols dropped around 3.4%. Decentralized exchanges and derivatives platforms each declined by roughly 2% to 3% over the same period.
These moves come on top of a steady drumbeat of exploits earlier in the year. A crypto security firm estimates:
- $86 million in losses in January
- $23.5 million in February
- more than $27 million in March
Additionally, the breach of Solana-based Drift Protocol earlier this month—totaling about $285 million—stands as the largest exploit on that network so far.
Altogether, the string of incidents has accelerated a repricing of risk across DeFi, as market participants reassess where to park capital and how to price yields that depend on complex, interconnected smart contracts.
How attackers breached Kelp DAO’s LayerZero bridge
Preliminary investigations point to a targeted attack on Kelp DAO’s LayerZero-powered cross-chain bridge, focusing on a controversial “1-of-1” verifier configuration that created a single point of failure.
According to LayerZero’s internal review, Kelp DAO ran a setup with just one verifier, despite repeated warnings from the infrastructure provider against that design. Attackers allegedly:
- compromised data feeds from remote procedure call (RPC) nodes,
- launched a denial-of-service attack to force reliance on corrupted feeds, and
- pushed a fraudulent cross-chain message that was then incorrectly validated.
That manipulated message allowed the attackers to move and drain funds through the bridge. LayerZero emphasized that the vulnerability was specific to Kelp DAO’s configuration and that none of its other integrations were affected.
Links to North Korea’s Lazarus Group
The sophistication and execution of the exploit have drawn attention from cybersecurity teams and national security analysts. Multiple assessments point to possible involvement of North Korea’s Lazarus Group, specifically a subunit commonly referred to as TraderTraitor.
If confirmed, the Kelp DAO incident would be part of a broader campaign in which the same state-sponsored network has been tied to more than $575 million stolen from just two protocols in April 2026 alone. That concentration of losses heightens geopolitical concerns, as digital asset infrastructure increasingly becomes a target for well-resourced, nation-backed hacking teams.
Recovery prospects and legal fallout
As the dust settles, the likelihood of recovering a meaningful portion of the stolen funds appears slim without external capital injections or negotiated settlements with the attackers.
Disagreements have already emerged between Kelp DAO, LayerZero, and other involved parties over responsibility for the failed security configuration and risk controls. Those disputes are expected to evolve into potential legal action, as each organization seeks to limit liability and protect its brand.
At the same time, traders are watching how Aave addresses its bad debt and whether governance processes opt for recapitalization, user haircuts, or a combination of measures. The outcome will likely set a reference point for how future large-scale protocol shortfalls are handled.
Broader impact on DeFi risk and liquidity
The rapid compression in TVL—down roughly $25 billion since the start of the year and up to $10 billion in a single day after the Kelp DAO breach—suggests that a substantial portion of capital has moved to the sidelines rather than simply rotating between protocols.
While some funds appear to have shifted toward platforms perceived as safer or more battle-tested, data indicates that a meaningful slice of liquidity exited the DeFi ecosystem entirely, signaling a clear decline in user confidence.
In the near term, scrutiny is likely to intensify on:
- cross-chain bridge architectures and verifier configurations,
- the treatment of external collateral within lending markets, and
- concentration risks tied to liquid staking tokens and restaking derivatives.
Analysts expect a prolonged period of risk repricing, tighter collateral standards, and more conservative growth assumptions as protocols, auditors, and traders reassess the cost of security failures in an increasingly interconnected DeFi landscape.
Concerned about DeFi risks after this hack? Learn how crypto safety standards can better protect your assets.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
