DeFi-nitely Troubling
DeFi's total value locked has remained under sustained pressure this week, and the Kelp DAO bridge exploit has further eroded trust in DeFi platforms. On April 18, an attacker drained 116,500 rsETH from Kelp DAO's LayerZero-powered bridge, worth roughly $292 million and representing approximately 18% of the token's circulating supply.
The attacker manipulated LayerZero's cross-chain messaging layer into processing a fraudulent transfer instruction, moving funds to a wallet pre-funded through Tornado Cash hours earlier.
The downstream effects moved quickly. The attacker deposited stolen rsETH onto Aave V3 as collateral and borrowed wrapped ether against it, generating over $196 million in bad debt concentrated in the dominant rsETH-WETH pair. Aave's TVL dropped roughly $6.6 billion as a result, with its token falling 16%.
This exploit was felt throughout DeFi. Across categories, the day after the exploit, lending TVL is down 13.09%, liquid staking 3.38%, DEXs 2.65%, and derivatives 3.01%. The Kelp exploit is the largest single contributor, but it did not arrive in isolation.
Total DeFi TVL recorded a single-day drawdown of 5.61%, placing it at roughly the 97.9th percentile of severity since 2024, though three separate days in 2025 and early 2026 saw drawdowns exceeding 10%.
Total DeFi exploits in the past three weeks now exceed $1 billion, following the $285 million Drift Protocol attack on April 1, attributed to North Korean actors.
The frequency and scale of recent attacks are prompting harder questions about cross-chain infrastructure. Bridges remain among the highest-risk components in DeFi, and successive failures across different protocols suggest the problem is structural rather than isolated.
With seemingly more risks uncovered in DeFi, some users are questioning whether the yield opportunities available onchain justify the security risks.