Decentralized finance (DeFi) has been “bent, not broken” after a $292 million exploit on April 18 revealed systemic risks, according to investment bank Standard Chartered.
The attack on KelpDAO spread to AAVE, the largest DeFi lender, after stolen tokens were used as collateral to borrow other assets. The episode triggered a sharp liquidity crisis, with the liquidity protocol causing deposits to fall by around 38% and active loans by 31%, in what the bank described as bank run dynamics.
Despite the shock, real-world tokenized assets are still expected to reach a market capitalization of $2 trillion by the end of 2028, driven by continued growth in DeFi lending and stable coin liquidity, the report said.
“We still expect tokenized real-world assets (RWA) to reach a market capitalization of $2 trillion by the end of 2028, up from $35 billion in October 2025,” Geoff Kendrick, head of digital assets research at Standard Chartered, wrote in Wednesday’s report.
Hacks and exploits remain a major risk in crypto, undermining trust in systems built on code rather than intermediaries. Smart contract bugs, phishing, and cross-chain bridge flaws can expose large pools of locked assets, where a single weak point can trigger outsized losses.
These risks are amplified by the complexity and interconnected nature of blockchain infrastructure. Cross-chain bridges, while expanding functionality, also expand the attack surface and have caused billions in losses due to complex designs, shared systems, and in some cases weak validation.
Beyond the immediate damage, repeated exploits erode trust in the entire ecosystem. Major hacks can sideline users and institutions, invite stricter regulation and slow adoption, making security a key constraint for crypto growth.
AAVE and a coalition of DeFi companies acted quickly, committing more than $300 million to stabilize the system. According to the report, the intervention helped normalize the situation, with a drop in yields and a recovery in deposits.
The bank added that the incident is accelerating structural upgrades. AAVE’s V4 upgrade and upcoming Ethereum Economic Zone aim to reduce reliance on cross-chain bridges, a frequent target in major crypto hacks, including this one.
Wall Street bank JPMorgan (JPM) said hacks and stagnant capital levels in decentralized finance continue to weigh on DeFi’s institutional appeal, highlighted by a $20 billion impact from the KelpDAO exploit.
Learn more: JPMorgan Says Persistent Security Flaws Are Holding Back DeFi’s Institutional Appeal
