After 300 million, another 300 million. Do people in the DeFi space still dare to keep their money?

Author: Jae, PANews

The crypto industry in April was full of turbulence. Shortly after Drift, the leading perp DEX in the Solana ecosystem, was hacked for 285 million USD in the “April Fool’s” attack, the market plunged into a rollercoaster rally driven by the “RAVE” meme coin.

Just as RAVE’s hype cooled down, the DeFi market was hit with a harsh reminder when KelpDAO, a top Ethereum LRT (liquid restaking token) protocol, was hacked.

On April 18, KelpDAO was attacked exploiting a LayerZero-based cross-chain bridge vulnerability, resulting in approximately 116,500 rsETH assets being illicitly extracted, with losses reaching 292 million USD. The scale of theft exceeded that of Drift, making it the largest on-chain security incident of 2026 so far.

The hacker did not breach the mainnet staking contract nor leak private keys; it was merely a tiny flaw in cross-chain verification that triggered systemic risks in DeFi.

When re-staking leverage stacking and multi-chain expansion ambitions combine, DeFi, after three years of “yield-first” pursuit, faces a profound question: “Yield above all” or “Security above all”?

Single-point verification vulnerability ignited the LRT crisis, with KelpDAO losing nearly 300 million USD

The main victim of the theft, KelpDAO, was once a star player in the LRT space.

Its business logic precisely targeted market pain points, creating a “one fish, three benefits” model. Users can wrap LSTs (liquid staking tokens) such as stETH and rETH into rsETH, which retains the ETH staking yield, adds EigenLayer restaking rewards, and can itself be used as collateral across DeFi lending and yield-farming venues.

To capture market share, KelpDAO aggressively expanded to 16 blockchains. Thanks to high yields and liquidity, rsETH became a mainstream collateral asset in Layer 2 solutions and Aave, deeply embedded in the Ethereum DeFi ecosystem.

This multi-chain architecture heavily relies on LayerZero’s underlying cross-chain communication protocol, which also became the epicenter of disaster.

On April 20, LayerZero published a retrospective article stating that KelpDAO was attacked, with losses around 290 million USD. Preliminary signs suggest the attack may have been carried out by a highly sophisticated state actor, likely North Korea’s Lazarus Group, specifically TraderTraitor. Since KelpDAO used a single-signature setup, the incident was limited to its rsETH configuration and did not affect other cross-chain assets or applications.

Meanwhile, LayerZero admitted that KelpDAO only used a 1/1 DVN configuration, which posed a “single point of risk.” It is contacting all applications using 1/1 DVN setups to migrate to redundant multi-signature arrangements. However, LayerZero had not previously urged KelpDAO to make such changes or enforced multi-sig, so it also bears part of the responsibility.

The hacker targeted LayerZero’s downstream infrastructure, poisoning two independent nodes, causing the DVN to confirm transactions that never occurred.

LayerZero disclosed that the hacker obtained the RPC list used by LayerZero Labs’ DVN, compromised two independent nodes, replaced their op-geth binary, and launched DDoS attacks on the uncompromised RPCs, forcing a failover to the poisoned nodes, which then attested to transactions that never happened.

In short, the hacker “activated” rsETH withdrawal permissions out of thin air.
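As an added illustration (not code from the article, LayerZero or KelpDAO), the simulation below models the failure mode described above: a verifier that fails over to whichever RPC node still answers, beside one that only attests when a quorum of independently operated nodes agree. Node names, operators and hashes are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class RpcNode:
    name: str
    operator: str        # independence is judged per operator, not per URL
    receipts: dict       # tx hash -> block hash (constructed values)
    online: bool = True  # False: node knocked out by DDoS

    def get_receipt(self, tx_hash):
        if not self.online:
            raise TimeoutError(self.name)
        return self.receipts.get(tx_hash)   # None: no such transaction

def verify_failover(nodes, tx_hash):
    """Weak policy: ask nodes in order and trust the first one that answers;
    a timeout just moves on to the next node in the list."""
    for node in nodes:
        try:
            return node.get_receipt(tx_hash) is not None
        except TimeoutError:
            continue
    return False

def verify_quorum(nodes, tx_hash, threshold):
    """Hardened policy: confirm only when `threshold` distinct operators return
    the same receipt. A silent node is not a vote, so an outage costs liveness
    ("unavailable") rather than safety."""
    votes, responders = {}, set()
    for node in nodes:
        try:
            receipt = node.get_receipt(tx_hash)
        except TimeoutError:
            continue
        responders.add(node.operator)
        if receipt is not None:
            votes.setdefault(receipt, set()).add(node.operator)
    if any(len(ops) >= threshold for ops in votes.values()):
        return "confirmed"
    return "rejected" if len(responders) >= threshold else "unavailable"

def build_scenario(under_ddos):
    """Constructed scenario: four independent operators, honest ones listed
    first; the two poisoned nodes also serve a forged receipt."""
    real, fake = "0xreal_tx", "0xforged_tx"          # placeholder hashes
    honest = {real: "0xblock_a"}
    poisoned = {real: "0xblock_a", fake: "0xblock_b"}
    nodes = [RpcNode("rpc-1", "op-A", dict(honest), online=not under_ddos),
             RpcNode("rpc-2", "op-B", dict(honest), online=not under_ddos),
             RpcNode("rpc-3", "op-C", dict(poisoned)),
             RpcNode("rpc-4", "op-D", dict(poisoned))]
    return nodes, real, fake
```

With the honest nodes under DDoS, the failover verifier confirms the forged transaction, while the quorum verifier returns "unavailable": it stalls rather than attests.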

Even more frightening, if not for the emergency blacklist mechanism triggered in the last three minutes, the hacker could have stolen an additional 100 million USD, pushing total losses over 400 million USD.

The warning signs had been there long before this incident.

The hacker’s attack path pointed directly to a common industry vulnerability: the fragility of protocol verification mechanisms.

In the frenzy for cross-chain efficiency, KelpDAO ignored its long-standing single-point verification issue, which ultimately became the hacker’s breakthrough.

This was not KelpDAO’s first security flaw. In May last year, a unit scaling error during a contract upgrade caused it to mint 31.2 quintillion (fifty billion billion) rsETH. Although the excess tokens were promptly burned and no losses occurred, the incident exposed underlying security risks.

The cut-throat competition in the restaking sector has made security the sacrifice. To keep expanding, KelpDAO continuously added new LST assets and expanded to new L2 networks. But each additional chain and asset exponentially increased the attack surface.

Veteran DeFi players pointed out that the TVL acquisition cost for L2 will likely rise further, with much of the TVL flowing back to L1.

The “double-edged sword” of multi-chain expansion ultimately becomes a dagger piercing the protocol itself and the entire DeFi ecosystem.

Aave poisoned with rsETH, $200 million bad debt sparks a $6.6 billion capital flight

DeFi is like a Lego set—if one piece breaks, the whole structure collapses.

After acquiring illicit rsETH, the hacker did not dump it directly on DEXs but adopted an “asset poisoning” strategy: depositing rsETH as “high-quality collateral” into Aave to borrow high-liquidity assets.

Aave V3/V4 on Ethereum and Arbitrum accept rsETH as eligible collateral. The hacker deposited rsETH and borrowed large amounts of WETH, USDC, and USDT, turning illicit assets into protocol bad debt.

According to Chaos Labs’ estimates, the bad debt faced by Aave far exceeds market expectations, approaching 200 million USD.

News of bad debt caused AAVE tokens to plummet about 18%.

Since the end of last year, Aave has seemed to be in a “bad luck streak.” After experiencing governance chaos and service provider departures, it now faces a new risk: the integration of rsETH markets makes it an attractive liquidity exit for hackers.

On-chain data further worsened the situation.

Sun Yuchen was observed to have urgently redeemed 53,665 ETH from Aave, worth 126 million USD. His withdrawal is seen as a whale’s loss of confidence in the protocol’s security.

This was followed by a massive capital outflow across the market. DeFiLlama data shows that Aave experienced a net outflow of up to 6.6 billion USD in a single day, with funds shrinking by 23%.

Although Aave itself was not the root cause, this incident posed a profound challenge to its risk management.

Some community members pointed out that warnings about KelpDAO’s single-point verification risk had been raised on the Aave governance forum more than 15 months ago. Yet the Aave team never acted on them.

In contrast, Spark had delisted rsETH as early as January this year. DeFi researcher CM bluntly stated: the entire Sky system is based on a proactive risk tightening philosophy. Although it may slow protocol growth, it has proven its value at critical moments.

The 53,665 ETH that Sun Yuchen withdrew was, in turn, deposited into Spark. Within two days, SPARK tokens surged over 50%, in stark contrast with AAVE.

Todd, co-founder of Nothing Research, believes that facing nearly 200 million USD in bad debt, Aave might activate its “Umbrella” insurance module.

While the Umbrella module provides a first line of defense, its fund pool is clearly insufficient to fully cover the roughly 200 million USD loss.

In the short term, Aave’s self-rescue merely delays the crisis rather than resolving it. The remaining gap must be filled through protocol profits or token issuance, with further details to be discussed by the community.

Isolation pools + mandatory insurance + risk re-pricing—security is no longer a “free lunch”

The KelpDAO incident marked the end of the LRT frenzy, and the DeFi market is set for three irreversible risk-control reforms.

Isolation of lending markets: Aave’s non-isolated lending model is history. Assets will be confined within fully independent “Siloed Pools.” Even if one asset encounters issues, it won’t affect other liquidity pools.

Curve founder Michael Egorov pointed out that non-isolated lending models are scalable but riskier. He recommends adopting fully isolated or hybrid models.

While fully isolated architecture may reduce capital efficiency, it will significantly enhance systemic resilience.

Mandatory insurance modules: The Umbrella module will push protocol insurance from an “optional feature” to a “necessary component.”

In the future, any new asset wishing to list on major lending platforms like Aave may be required to deposit a certain proportion of collateral into an insurance vault, serving as the first recourse in case of market default or theft.

Risk re-pricing of DeFi assets: Yishi, founder of OneKey, bluntly states that DeFi yields and risks are currently completely disproportionate, and that security carries hard costs.

Markets will re-evaluate risks. Protocol fees and infrastructure costs will face upward pressure; otherwise, security investments cannot be sustained.

Therefore, DeFi assets need to be re-priced based on their underlying security. Encapsulated assets like LRT are significantly riskier than native assets, and lending platforms should incorporate risk discounts for such assets into their risk models.

The KelpDAO theft is a brutal mirror reflecting the collective neglect of security bottom lines in DeFi’s pursuit of maximum yields and multi-chain expansion.

Nearly 300 million USD in losses is costly, but if it prompts DeFi to shift from blindly chasing composability to emphasizing robustness, it may be the industry’s necessary tuition for maturity.

In the aftermath of the KelpDAO incident, the market is gradually realizing that DeFi’s true value lies in providing a more transparent, safer, and resilient financial infrastructure.

And when the tide recedes, what remains will be a stronger foundation.
