Last week’s issue was titled “Will Aave Win?”. Seven days later, your entry price into the thesis has gotten a lot cheaper.

We won’t spoil much because we dedicate today’s top story to the KelpDAO exploit, one of the biggest crises in DeFi history.

But while trust has once again taken a big hit, there’s an advantage to DeFi bank runs happening in public and in real time. Everybody can study what went wrong.

And if there’s a silver lining, it’s two things.

First, the industry has learnt more in the last six days than in the past two years. Lending markets will get stricter on collateral. Risk frameworks will tighten across the stack. The shift toward more modular, isolated lending architectures will accelerate. The protocols that survive this will harden.

Second, in DeFi you don't just get to witness the crisis in real time. Sometimes you also get to watch the industry bail out its own users, without a single taxpayer stepping in. That's what's happening with Aave right now.

Taken together, it most likely means that DeFi will still win.

In today’s Briefing:

  • DoorDash teams up with Tempo for stablecoin payouts

  • DeFi’s biggest crisis: Inside the KelpDAO hack

HIGH SIGNAL NEWS

TOP STORY

Inside the KelpDAO Hack: Dissecting DeFi's Biggest Crisis

Exploit: Late Saturday night, the DeFi ecosystem was hit by another major exploit. By compromising the infrastructure of the cross-chain protocol LayerZero, an attacker minted 116,000 unbacked rsETH tokens from the restaking protocol KelpDAO. Rather than selling them on a decentralized exchange, which would have crashed the price and limited the payout, the attacker deposited them as collateral on Aave and borrowed ~$190 million in ETH against them. Five days later, a coordinated industry effort has already closed around 80% of the resulting shortfall.

  • Why it matters: The incident marks the second nine-figure DeFi hack in the past three weeks. On April 1, Solana-based protocol Drift was exploited for around $285 million, bringing the total amount exploited this month to more than $500 million. For perspective, both incidents rank among the ten largest exploits in DeFi’s eight-year history.

  • Known perpetrator: As in many high-profile DeFi attacks, the attacker is reportedly linked to the North Korean state-backed Lazarus Group.

How it happened: This time, the weak point was the configuration of KelpDAO’s cross-chain bridge, which is used to move its restaking token rsETH across chains. In a sophisticated attack, the attacker submitted a forged message to the bridge, which released around 116,000 rsETH (~18% of circulating supply) on Ethereum without any corresponding tokens being burned on the source chain.

  • Draining Aave: The attacker then quickly deployed the stolen funds on Aave across multiple chains, using them as collateral to borrow ~$190 million in ETH from the protocol.

Immediate response: To limit contagion, Aave froze its rsETH and ETH markets across all chains and disabled new deposits and borrows for these assets. This effectively locked user funds in the protocol, some of which remain frozen pending a resolution. To protect leveraged ETH positions and avoid excessive losses, the protocol also artificially lowered interest rates.

Liquidity crunch: But the freezes weren't enough to prevent what followed. In Aave V3, all lenders supply into a shared liquidity pool, from which any borrower can draw regardless of the collateral they post. As news of the exploit spread, this design set off the following dynamic:

  • Depositors began withdrawing their ETH as a precaution.

  • As available ETH liquidity approached zero, remaining depositors borrowed stablecoins against their positions to effectively exit Aave.

  • This, in turn, drained Aave’s stablecoin liquidity on Ethereum.

Trapped depositors: As of today, roughly $8 billion in Aave positions across ETH, USDC, and USDT are effectively trapped in the protocol, including funds from lenders who never had any connection to rsETH.
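To make the shared-pool dynamic concrete, here is an added Python model that is not Aave’s code and uses constructed numbers rather than Aave’s actual balances. It runs the three steps above against a single ETH/USDC pool, then applies the same shock to an isolated-market layout of the kind the intro says the industry is now moving toward. The ETH price, the loan-to-value ratio and the market sizes are assumptions.

```python
"""Aggregate model of a shared-liquidity lending pool under a bank run.
Constructed numbers, not Aave's books: the point is the mechanism, in which
one borrow drawn against bad collateral consumes liquidity that every other
lender in the same pool depends on."""
from dataclasses import dataclass


@dataclass
class Market:
    supplied: float   # total deposited by lenders
    borrowed: float   # total drawn by borrowers

    @property
    def available(self) -> float:
        """Liquidity that can actually leave the pool right now."""
        return max(self.supplied - self.borrowed, 0.0)


@dataclass
class SharedPool:
    eth: Market
    usdc: Market
    eth_price: float   # USD per ETH (constructed)
    ltv: float         # assumed max borrow value per unit of ETH collateral value

    def withdraw_eth(self, requested: float):
        """Lenders withdraw; anything beyond available liquidity stays trapped."""
        paid = min(requested, self.eth.available)
        self.eth.supplied -= paid
        return paid, requested - paid          # (withdrawn, trapped)

    def borrow_usdc_against_eth(self, eth_collateral: float):
        """Lenders who cannot withdraw ETH borrow stablecoins against it to exit."""
        wanted = eth_collateral * self.eth_price * self.ltv
        granted = min(wanted, self.usdc.available)
        self.usdc.borrowed += granted
        return granted, wanted - granted       # (borrowed, unmet)


def simulate_shared(pool: SharedPool, exploit_borrow_eth: float,
                    withdraw_request_eth: float) -> dict:
    """Shared design: all ETH sits in one pool, so the exploit borrow and the
    lenders' withdrawals compete for the same liquidity."""
    pool.eth.borrowed += min(exploit_borrow_eth, pool.eth.available)   # step 0
    paid, trapped = pool.withdraw_eth(withdraw_request_eth)            # step 1
    usdc_out, usdc_unmet = pool.borrow_usdc_against_eth(trapped)       # step 2
    return {
        "eth_withdrawn": paid,
        "eth_trapped": trapped,
        "usdc_borrowed_to_exit": usdc_out,
        "usdc_unmet": usdc_unmet,
        "eth_available_after": pool.eth.available,
        "usdc_available_after": pool.usdc.available,
    }


def simulate_isolated(general_eth: Market, rseth_backed_eth: Market,
                      exploit_borrow_eth: float, withdraw_request_eth: float) -> dict:
    """Isolated design: ETH lent against rsETH comes only from lenders who opted
    into that market, so a bad rsETH borrow cannot touch the general ETH market."""
    exploit_got = min(exploit_borrow_eth, rseth_backed_eth.available)
    rseth_backed_eth.borrowed += exploit_got
    paid = min(withdraw_request_eth, general_eth.available)
    general_eth.supplied -= paid
    return {
        "exploit_borrowed": exploit_got,          # capped by the isolated market's size
        "eth_withdrawn": paid,
        "eth_trapped": withdraw_request_eth - paid,
        "isolated_market_exposure": exploit_got,  # only that market's lenders bear it
    }


def demo_shared() -> dict:
    """Constructed scenario: 80k ETH borrowed against bad collateral, then a 50k ETH run."""
    pool = SharedPool(eth=Market(200_000, 100_000), usdc=Market(60_000_000, 30_000_000),
                      eth_price=2_000.0, ltv=0.75)
    return simulate_shared(pool, exploit_borrow_eth=80_000, withdraw_request_eth=50_000)


def demo_isolated() -> dict:
    """Same shock, but the rsETH-collateral market is a separate 50k ETH pool."""
    return simulate_isolated(Market(200_000, 100_000), Market(50_000, 20_000),
                             exploit_borrow_eth=80_000, withdraw_request_eth=50_000)
```

In the shared case the run leaves both ETH and USDC availability at zero and 30,000 ETH of withdrawal requests unmet, even though the lenders asking for it never touched rsETH; in the isolated case the general ETH market pays out in full and the exploit borrow is bounded by the size of the market whose lenders chose to accept rsETH risk.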

Arbitrum intervenes: The first step towards recovery came from an unexpected direction. A significant portion of the stolen rsETH had been deposited on Aave’s Arbitrum market, where the attacker borrowed additional ETH. On Monday night, Arbitrum’s Security Council invoked its emergency powers for the first time in the Layer-2's history, freezing roughly 30,000 ETH (~$70 million) linked to the attacker.

Blame games: While much of the industry agreed with Arbitrum’s decision, views diverged sharply on who should bear primary responsibility for the actual attack:

  • Some, including KelpDAO, place the blame on LayerZero, arguing it did not push strongly enough for a more secure configuration of the rsETH bridge.

  • Others, such as LayerZero, reject this framing and instead point to weaknesses in KelpDAO’s security setup.

  • Aave has also come under scrutiny, as its risk teams did not assess the bridge’s configuration before allowing rsETH to be used as collateral.

Ripple effects: This misstep may have contributed to one of the largest capital flights in Aave’s history. Since the attack, the leading DeFi lending platform has seen around $12 billion in outflows, or roughly 46% of its TVL. While other major lending protocols such as Morpho were also marginally affected — despite having limited direct exposure to rsETH — one protocol stood out by attracting fresh inflows: Spark. Over the past few days, the protocol attracted $1.2 billion in deposits, 40% of which can be attributed to capital that left Aave.

DeFi’s TVL, Winners, and Losers since Sunday. Source: DefiLlama

A safe haven? One explanation lies in how Spark managed the market stress. Beyond having no exposure to rsETH, the protocol demonstrated stronger liquidity management, continuing to provide stablecoin liquidity while others faced constraints.

What’s next: Yesterday, leading DeFi protocols and DAOs launched "DeFi United," a coordinated effort to restore rsETH's backing and prevent losses for depositors. The shortfall stands at roughly 118,400 ETH. Within 48 hours, contributions from Mantle (30,000 ETH), Ether.fi (5,000 ETH), Aave founder Stani Kulechov personally (5,000 ETH), Lido (2,500 stETH), and others, combined with the Arbitrum freeze and recovered collateral, have narrowed the gap to an estimated 23,600 ETH. It is the largest coordinated rescue effort in DeFi history, and it is not done yet.

Ernesto Olmedo Pereira is Head of Strategy & DeFi at Qivalis, the European banking consortium aiming to launch a euro-denominated stablecoin in the second half of 2026. The initiative brings together 12 banks, including BNP Paribas, ING, DekaBank, and UniCredit.

Do recent exploits affect TradFi’s confidence in DeFi?

I don’t think so. For many institutional players, this space is still seen as experimental, so incidents are not entirely surprising. What is harder to ignore, however, is the scale. When more than $500 million is stolen within a matter of weeks by a state-backed actor, the narrative shifts. It moves beyond “DeFi has bugs” to “DeFi is a major target for nation-state attacks,” and that has consequences for how regulators and institutions assess the space.

That is exactly why we believe the focus for DeFi now has to be on learning from TradFi. One key area is risk management. Many protocols today are highly sophisticated on the technical side but often lack the risk expertise that is standard in traditional finance, especially in how counterparty risks are evaluated.

There is also a broader gap when it comes to operational standards. In TradFi, frameworks such as DORA in Europe define clear expectations around resilience, governance, and incident handling. In DeFi, comparable structures are still largely missing.

Closing these gaps is a core priority for us, which is why we continue to actively engage with major DeFi players and invite them to collaborate.

Chris Cameron is Economics Lead at MegaETH, a high-performance Ethereum Layer-2.

What second-order effects on the DeFi ecosystem do you expect this exploit to have?

I expect to see much more focus on explicitly defining claim structures and seniority. In the case of rsETH, it was never clearly specified whether mainnet rsETH and its bridged versions are pari passu or whether one has a senior claim over the other. That ambiguity is now at the core of the conflict.

At a higher level, the situation will lead to a broader maturation of disclosure frameworks in DeFi. In traditional markets, 80-page prospectuses exist because every edge case has already happened to someone over the last hundreds of years. This is also what enables more orderly resolution processes like bankruptcy proceedings, where parties come together and claims are worked through based on clearly defined priorities. DeFi is now simply repeating TradFi's learning process.

Isaac Patka is a Lead at the Security Alliance (SEAL), a nonprofit focused on crypto cybersecurity, incident response, and open-source security standards. The organization was also closely involved in the handling of the rsETH exploit.

Is there a credible path to making DeFi systems resilient against persistent, high-capital attackers?

Absolutely. That path starts with understanding where attack vectors actually sit today.

The rsETH exploit made this very clear. While risk management played a role, the real vulnerabilities now sit in key management, bridge configurations, and the APIs and RPC endpoints that connect systems. These layers are harder to see, harder to audit, and often treated as secondary. The result is a growing class of systems that are technically secure onchain, but fragile at the edges where integrations and operations live.

At the same time, many protocols are still designed in a way where things can unravel in an instant. Entire systems can flip upside down in a single transaction because basic controls are missing. Rate limits, circuit breakers, time delays, and independent data verification are necessary to contain damage. This may introduce some UX frictions, but if it helps to avoid total losses, it is a trade-off worth taking.

All of this is to say that DeFi needs to take operational security more seriously. Some teams do this well, but across the ecosystem it remains inconsistent and often deprioritized. After an exploit, my inbox fills up with protocols asking for help to review their setups. A few weeks later, that urgency fades. That cycle needs to break if DeFi wants to be taken seriously by larger allocators.
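The controls listed in this answer, together with the bridge configuration weakness described in the top story, can be sketched as an inbound-message handler. The following Python model is an added example, not LayerZero’s, KelpDAO’s or SEAL’s code: the verifier names, keys and limits are made up, the recipient address is a placeholder, and HMAC tags stand in for verifier signatures. It shows the same single-verifier attestation being accepted under a 1-of-1 configuration and rejected under a 2-of-3 quorum, plus replay protection, a per-window mint cap and a time delay on large releases.

```python
"""Inbound side of a mint-on-arrival bridge with three defensive controls:
an M-of-N verifier quorum, a per-window mint cap and a delay on large releases.
Constructed example; verifier names, keys, limits and the recipient are made up."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BridgeMessage:
    src_chain: str
    nonce: int        # per-source-chain sequence number, consumed once (replay protection)
    recipient: str
    amount: int       # token units to release on the destination chain

    def digest(self) -> bytes:
        payload = f"{self.src_chain}|{self.nonce}|{self.recipient}|{self.amount}"
        return hashlib.sha256(payload.encode()).digest()


def attest(name: str, key: bytes, msg: BridgeMessage) -> tuple:
    """One verifier's attestation; an HMAC over the digest stands in for a signature."""
    return name, hmac.new(key, msg.digest(), "sha256").hexdigest()


@dataclass
class InboundConfig:
    verifier_keys: dict     # verifier name -> key the bridge trusts (assumed)
    quorum: int             # distinct valid attestations required before any release
    window_limit: int       # max units releasable per window (rate limit)
    window_seconds: int
    delay_threshold: int    # releases of at least this size wait delay_seconds
    delay_seconds: int


@dataclass
class InboundBridge:
    cfg: InboundConfig
    executed: set = field(default_factory=set)    # (src_chain, nonce) already consumed
    minted: dict = field(default_factory=dict)    # recipient -> units released
    pending: dict = field(default_factory=dict)   # digest -> (msg, ready_at)
    window_start: int = 0
    minted_in_window: int = 0

    def _valid_attesters(self, msg, attestations) -> set:
        """Names of trusted verifiers whose attestation verifies against msg."""
        digest = msg.digest()
        return {name for name, tag in attestations
                if name in self.cfg.verifier_keys and hmac.compare_digest(
                    hmac.new(self.cfg.verifier_keys[name], digest, "sha256").hexdigest(), tag)}

    def receive(self, msg, attestations, now: int) -> str:
        """Apply every control in order; release only if all of them pass."""
        if (msg.src_chain, msg.nonce) in self.executed:
            return "rejected: replay"
        if len(self._valid_attesters(msg, attestations)) < self.cfg.quorum:
            return "rejected: quorum not met"
        if now - self.window_start >= self.cfg.window_seconds:
            self.window_start, self.minted_in_window = now, 0
        if self.minted_in_window + msg.amount > self.cfg.window_limit:
            return "rejected: rate limit"  # circuit breaker; nonce stays unconsumed for review
        self.executed.add((msg.src_chain, msg.nonce))
        self.minted_in_window += msg.amount
        if msg.amount >= self.cfg.delay_threshold:
            self.pending[msg.digest()] = (msg, now + self.cfg.delay_seconds)
            return "delayed"
        self._mint(msg)
        return "minted"

    def finalize(self, msg, now: int) -> str:
        entry = self.pending.get(msg.digest())
        if entry is None:
            return "rejected: not pending"
        if now < entry[1]:
            return "rejected: delay not elapsed"
        del self.pending[msg.digest()]
        self._mint(msg)
        return "minted"

    def _mint(self, msg):
        self.minted[msg.recipient] = self.minted.get(msg.recipient, 0) + msg.amount


def demo() -> dict:
    """The same single-verifier attestation under a 1-of-1 and a 2-of-3 configuration."""
    keys = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}
    msg = BridgeMessage("chain-x", 1, "0xRECIPIENT_PLACEHOLDER", 1_000)
    over = BridgeMessage("chain-x", 2, "0xRECIPIENT_PLACEHOLDER", 20_000)
    big = BridgeMessage("chain-x", 3, "0xRECIPIENT_PLACEHOLDER", 6_000)
    one = [attest("verifier-a", keys["verifier-a"], msg)]

    def two(m):
        return [attest(n, keys[n], m) for n in ("verifier-a", "verifier-b")]

    weak = InboundBridge(InboundConfig({"verifier-a": keys["verifier-a"]}, 1, 10_000, 3600, 5_000, 600))
    strong = InboundBridge(InboundConfig(keys, 2, 10_000, 3600, 5_000, 600))
    return {
        "weak_one_attester": weak.receive(msg, one, now=0),
        "strong_one_attester": strong.receive(msg, one, now=0),
        "strong_two_attesters": strong.receive(msg, two(msg), now=0),
        "strong_replay": strong.receive(msg, two(msg), now=1),
        "strong_over_limit": strong.receive(over, two(over), now=2),
        "strong_large_delayed": strong.receive(big, two(big), now=3),
        "strong_finalize_early": strong.finalize(big, now=4),
        "strong_finalize_after_delay": strong.finalize(big, now=700),
    }
```

The quorum and window parameters are deliberately configuration, not code: the weak and strong bridges run identical logic and differ only in `InboundConfig`, which is the layer the blame debate above is about. A rate-limit rejection leaves the nonce unconsumed so the transfer can be reviewed and retried rather than silently lost.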

KAIO | $8 million | Strategic: Fund tokenization platform.

3F | $4 million | Seed: Platform that allows investors to create leveraged RWA positions across a wide range of RWAs in one click.


Disclaimer: The information provided in the Crypto Briefing by Blockstories does not constitute investment advice. Accordingly, we assume no liability for any investment decisions made based on the content presented herein.
