This past weekend, a security breach targeting KelpDAO sent shockwaves through the decentralized finance (DeFi) sector, erasing approximately $13 billion from total value locked (TVL) across the ecosystem. The attack was directed not at traditional smart contract vulnerabilities, but at a foundational weakness in LayerZero’s verification infrastructure.
KelpDAO breach and its immediate impacts
Initial analysis suggests the notorious Lazarus Group, believed to have ties to North Korea, may have orchestrated the incident. LayerZero representatives emphasized that KelpDAO’s reliance on a single validator in its infrastructure was a critical oversight, especially as experts had previously warned the project to implement multiple validators. In the wake of the breach, KelpDAO’s liquid staking token, rsETH, lost its backing—causing escalating risks on lending platforms, especially within Aave’s ETH pool.
Following the breach, users rushed to exit DeFi positions, producing outflows totaling $8.45 billion from Aave in just 48 hours. As a result, total DeFi assets slipped sharply into the mid-$80 billion range, effectively rolling values back to levels seen one year prior.
Leverage, TVL figures, and market vulnerabilities
In the weeks leading up to the attack, Aave had already grown riskier as users increasingly used rsETH as collateral for leveraged positions. On the eve of the breach, Aave held roughly 580,000 rsETH tokens, equivalent to $1.3 billion. Importantly, the TVL plunge far exceeded the actual stolen amount of $292 million because DeFi leverage strategies cause assets to be counted multiple times, inflating TVL and accelerating unwinding during crises.
Low yields contributed further to risk-taking; on Aave, for example, USDC deposits earned only 2.61% annual yield. Many felt these modest returns no longer justified the complexity and risks DeFi entailed. With lower “risk premiums,” users shifted to higher leverage, turning the rsETH crisis into a significant market event.
Market reaction and capital flows
While declarations of “the death of DeFi” resurfaced in the aftermath, experts noted the industry has weathered even more severe setbacks, citing Terra’s collapse and nine-figure exploits on bridges like Wormhole and Ronin. Despite such loss events, DeFi has managed to recover and evolve each time.
“When Terra collapsed and over $1 billion in assets evaporated in the Wormhole and Ronin hacks—or even when Multichain was breached—DeFi didn’t end; recovery phases have always followed.”
Even after February’s record-setting $1.5 billion loss on the Bybit exchange, the platform continued processing withdrawals and maintained trading activity, illustrating DeFi’s resilience.
DefiLlama founder 0xNGMI explained that Aave has various mechanisms—such as reserves or debt—to absorb losses and protect the protocol. While he acknowledged the scale of the loss, he stressed that the industry can compensate for such blows. “The real issue is that risk premiums are now set to climb.”
Rising risk premiums are expected to make it more costly for capital to remain in on-chain systems with broad attack surfaces. Nonetheless, industry voices emphasize this reflects a repricing of risk, not an existential crisis for DeFi itself.
Instead of an across-the-board exit, capital has started flowing toward different protocols. The Spark protocol, for example, had already discontinued tokens with lower demand like rsETH in January. Consequentially, Spark’s TVL surged from $1.8 billion to $2.9 billion in the past week, indicating a reallocation rather than withdrawal from DeFi.
The attack is being interpreted not as the downfall of decentralized finance, but as a wake-up call highlighting the need for safer and more innovative products. Industry participants agree that DeFi must rethink its roadmap to convince users to accept diverse risks in exchange for single-digit annual returns.
