The simplest solution after a $290 million exploit and a ~$13 billion drop in total DeFi value locked is that decentralized finance is shut down again. He’s also probably the laziest.
The weekend’s KelpDAO exploit was serious. This appears to have started as a targeted attack on the infrastructure used in LayerZero’s verification stack, not a smart contract bug as commonly seen in other exploits. LayerZero initially linked the incident to the North Korean Lazarus group and said the attack was successful because Kelp opted for a single-verifier configuration despite repeated recommendations to use a more resilient configuration. The exploit left rsETH (a liquid staking token issued by KelpDAO) unsecured and raised fears that bad debts would spill over into lending markets, particularly Aave’s WETH pool (where users borrow wrapped ether against collateral).
And yet the most interesting story is not that DeFi has been hit. That’s because DeFi is still here.
Capital fled quickly after the breach. Aave alone saw $8.45 billion in capital outflows over 48 hours, while broader DeFi TVL fell into the mid-$80 billion range, roughly where the industry was at this point last year. In other words, this is a strong reassessment of risk, not as destructive as some claim.
Aave, the largest DeFi lending marketplace, had accumulated significant rsETH as collateral in the weeks leading up to the exploit as users built leveraged positions. The magnitude of this drop in TVL also warrants some context. A $292 million theft does not directly lead to a $13 billion drop, unless a significant portion of that TVL is already recycled collateral. Much of Aave’s ETH exposure at the start of the weekend was concentrated in looping strategies, in which users deposit liquid takeover tokens, borrow ETH against them, trade for more takeover tokens, and repeat. In other words, the same stack of assets can be counted multiple times in the TVL calculation. This leverage inflates TVL upwards and unwinds abruptly during events like this. The actual net capital loss is likely only a fraction of the overall figure, although the exact amount is difficult to isolate given the depth of loopback strategies built into DeFi’s TVL calculations.
These strategies were themselves partly the product of a performance environment that already no longer made sense. In early April, Aave was offering 2.61% APY on USDC deposits, below the 3.14% available on idle cash at Interactive Brokers, a traditional financial brokerage. The risk premium that historically justified the complexity of DeFi and exposure to smart contracts had largely disappeared. With insufficient organic yield, leverage filled the void, and it was this concentration that made the rsETH contagion as damaging as it was. Data from DefiLlama shows that reETH balances on Aave grew rapidly in the weeks leading up to the exploit, reaching nearly 580,000 tokens ($1.3 billion), evidence that the accumulation of leverage made the subsequent unwinding so brutal.
Crypto has survived worse
The phrase “DeFi is dead” is uttered after every hack because failures are visible and immediate, while recovery is slower and less cinematic. But crypto has had worse. Terra collapsed and vaporized confidence across the entire industry. Wormhole and Ronin lost around $1 billion each. Untangled multichain.
“DeFi didn’t die when Terra collapsed and caused billions in liquidations and losses,” wrote a pseudonymous trader on
Most recently, Bybit suffered what was widely described as the largest crypto theft on record, losing around $1.5 billion last February, but it continued to operate, processed a surge in withdrawals, restored reserves, and still handles billions of dollars in trading volume every day.
The repricing of trust
0xNGMI, founder of DefiLlama, told CoinDesk that the losses are significant but unlikely to be existential. “Aave has ample recourse to cover the loss, including its cash and borrowings, and I believe these will need to be used to protect the protocol,” he said. “Overall, this is a significant loss but one that will be recouped. The biggest issue will be the impact on risk premia assigned to DeFi.”
These risk premiums constitute a real and lasting cost. Capital will demand more compensation for sitting in on-chain systems whose attack surface now extends beyond code
Yet a price overhaul is not the same as a collapse. “Some of the money will come back,” 0xNGMI said. “We’ve seen this before in Aave when hack rumors surfaced. It’s always the best strategy to withdraw and redeposit later because the cost is minimal and the reward is very large.” Some deposits will not return, but historically, deposit outflows during stress events reverse as conditions stabilize, as evidenced by the 2021 Terra collapse.
There is also evidence that capital is not simply leaving DeFi. It turns. Spark offers an example. Spark’s head of strategy, monetsupply.eth, said the protocol delisted rsETH and other low-utilization assets in January, a move that could have cost it business and ETH loop business at Aave at the time. However, under current conditions, SparkLend still has significant ETH withdrawal liquidity, while Aave is experiencing shortages in several markets. Over the weekend, Spark TVL jumped from $1.8 billion to $2.9 billion, demonstrating clear capital turnover.
The most interesting criticism, raised by some builders after the exploit, is not that DeFi failed but that it became too timid. If the industry has to ask users to bear infrastructure risk, smart contract risk, and governance risk for low single-digit returns, the overall product set starts to look less compelling. With this in mind, Kelp is not the end all be all of DeFi. This is a wake-up call for manufacturers to build more secure systems while still providing real-world use cases.
