'DeFi is dead': crypto community scrambles after this year's biggest hack exposes contagion risks

Developers and traders warn of structural risks as a cross-chain exploit spreads fear and prompts billions to flee DeFi platforms.

What to know:

• A $292 million exploit of Kelp DAO's rsETH token triggered a broad liquidity crunch across DeFi, sparking heavy withdrawals from major lending platforms, including Aave.
• Developers claim the hack stemmed from a misconfigured cross-chain verification setup in LayerZero-based infrastructure, exposing how flexible "modular" security, without strong minimum standards, can create systemic risk.
• The incident, which affected about 18% of the rsETH supply and follows a string of large DeFi hacks this month, has intensified doubts about the sector's resilience and prompted protocols to freeze markets and urgently review their cross-chain configurations.

The $292 million exploit of Kelp DAO has set off a wave of reactions across the crypto industry, with developers and traders warning that the incident exposed deeper flaws in how decentralized finance (DeFi) is built.

Data shared by market participants shows the immediate fallout spread far beyond the hacked protocol.

“The rsETH hack is leading to withdrawals across all lending protocols, even on solana and unaffected protocols,” 0xngmi said in one post on Sunday, pointing to steep outflows including “Aave: -6,200m (-23%) net inflows” and smaller but notable declines across Morpho, Sky and JupLend. rsETH is liquid restaking protocol Kelp DAO's restaked ether and is a Liquid Restaking Token (LRT) that allows users to earn ether staking and restaking rewards while keeping their assets liquid, even when they are locked in staking.

That pressure quickly turned into something more severe. One widely circulated post by Josu San Martin described cascading liquidity stress inside lending markets: “ETH depositors cannot withdraw the ETH so they are borrowing stables to ‘withdraw’ funds… This is a full on run on AAVE.”

While Stani Kulechov, Aave's founder, said the exploit was external and that the protocol's contracts were not compromised, the depositors panicked. The total value locked (or deposits) dropped from $26.4 billion on April 18 to nearly $20 billion in U.S. morning hours on Sunday, per DefiLlama. The AAVE token also fell more than 18% as depositors scrambled to withdraw their money through the weekend.

A 'case study'

The exploit itself has become a focal point for engineers and developers.

Several developers pushed back on early assumptions that the issue stemmed from core infrastructure. “The KelpDAO exploit (~$290M, is NOT a LayerZero protocol bug. It's a configuration issue and a case study every project with a cross-chain token needs to look at today,” one technical breakdown by cryptogoblin read.

The thread detailed how a single verification point enabled the attack. “One signature and 116,500 rsETH materialized out of thin air on Ethereum,” the post said, describing a system where “the [smart] contracts weren't broken. The verification layer was,” the post claimed.

Others argued the problem runs deeper than a single setup choice.

One critique, who goes by Fishy Catfish on X, framed it as a design flaw, alleging that: “there is no security floor… A configuration can be a 1/1 DVN and the DVN you chose can be a single node ran by a single entity.” A DVN (Decentralized Verifier Network) in DeFi, specifically within LayerZero V2, is an independent entity responsible for validating and attesting to the authenticity of messages sent across different blockchain networks. Essentially, DVNs verify message hashes between a source chain and a destination chain.

To make the point clearer, the author drew a real-world comparison: “imagine if a roller coaster manufacturer allowed amusement parks to individually decide what the minimum safety specs were.” Essentially, the author is simply saying that flexibility without guardrails can create hidden risks.

The post went so far as to claim that the setup was the problem within the design. "I personally think this is a flawed design. Modular security is a worthwhile design space, however, the range of security should have a native security floor that is quite strong, and then allow *additional* layering of security on top of that for more high-value use-cases."

'DeFi is dead'

It's not just the amount and complexity of the exploit that drew the harsh, panicked criticism. The scale of the exploit has heightened concerns.

Roughly 116,500 rsETH, about 18% of supply, was affected. The attacker tricked LayerZero's cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp's bridge to release 116,500 rsETH to an attacker-controlled address.

Protocols responded by freezing markets and pausing features. Aave halted rsETH activity. Lido paused deposits tied to the asset. Other projects took similar steps to limit exposure as the situation unfolded.

Beyond the technical debate, sentiment across crypto turned sharply negative. One post perhaps captured the mood shift in blunt terms: “DeFi is dead… ‘just use aave’ is dead,” while adding that “The age of crypto is over” and asking, “If you're reading this - why are you still in crypto?”

While the response may sound like an overreaction, that kind of 'knee-jerk' reaction is not unusual after large exploits, but the breadth of this event stands out.

The attack affected cross-chain infrastructure, restaking models and lending markets simultaneously. It also follows a string of recent incidents. The hack lands in an unusually hostile stretch for DeFi, particularly this month. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-affiliated actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance.

'Check your configs'

Despite all the explanations, there are still more questions than answers.

Even LayerZero is still trying to figure out the full details of the exploit. "We’re fully aware of the rsETH exploit and have been in active remediation with the @KelpDAO team since the incident and continue to monitor. All other applications remain safe," it said in a post on X. "We are still identifying the root cause alongside @_SEAL_Org and others. We will publish a complete post-mortem with @KelpDAO as soon as we have all information."

KelpDAO echoed this sentiment. "Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA. We will keep you posted as we learn more about this situation."

Still, some developers see a clearer lesson in the chaos.

The exploit did not rely on breaking encryption or bypassing smart contracts. Instead, it exposed how fragile systems can become when they depend on layered assumptions.

In simple terms, the tools worked as designed. The way they were configured did not.

That distinction may shape what comes next. Builders are now urging projects to review their setups, especially those relying on cross-chain messaging.

As cryptogoblin put it bluntly: “Check your configs. Stay safe out there.”

Read more: DeFi yields are crashing so hard that they can't compete with a traditional savings account

More For You

Odds favor a Democratic rise in Congress next year, when lawmakers who've begun going after firms such as Kalshi and Polymarket may have greater sway.

What to know:

• Prediction markets are having a moment in the U.S., though unfortunately for Polymarket and Kalshi, the moment has drawn more than half a dozen pieces of critical congressional legislation.
• The industry is getting getting tied to accusations of insider trading and sports-betting violations from various critics even as its close...

Stablecoins can help businesses turn costs into revenue, Paxos Labs cofounder says

2 hours ago

Aave sees $6 billion deposit drop as Kelp hack exposes structural risk for DeFi lender

3 hours ago

RaveDAO's RAVE token collapses 90% in a day as exchange probes widen

3 hours ago

Inside the rise of wrench attacks against crypto holders and how France has become the focus

4 hours ago

Nomura study says 65% of institutional investors see crypto as a vital portfolio diversifier

5 hours ago

One person holds the keys to $200 million of a project’s crypto. His co-founder says that has to end

7 hours ago

2026's biggest crypto exploit: $292 million gets drained from Kelp DAO with wrapped ether stranded across 20 chains

21 hours ago

Binance and Bitget to probe RAVE’s 4,500% token surge as claims of insider-orchestrated rally grow

Apr 18, 2026

Why Michael Saylor's Strategy decided to make STRC's dividend bi-monthly

21 hours ago

Bitcoin falls back to $76,000 as Iran shuts Hormuz again

Apr 18, 2026

Strategy proposes semi-monthly dividends on its popular STRC preferred stock

Apr 17, 2026

Sam Altman’s World project launches major upgrade to fight deepfakes and bots

Apr 17, 2026