DeFi's Vulnerabilities Exposed as Hacks Hit Record in April
By Patrick Forster, Kelvin Koh
May 18, 2026
April broke a new record in crypto, except not one that anyone would have hoped for - the largest number of hacks in DeFi. 28 incidents in 30 days for a total of $635 million lost. Two projects made up the bulk of this - Drift, a decentralised perpetual futures exchange built on Solana, for $285 million, and KelpDAO, a re-staking protocol built on Ethereum, for $290 million. It is for this reason that April may be remembered as an inflection point for DeFi security. Even more important than the number of hacks was the manner of these exploits, which were largely attributed to poor risk management and human error.
On April 18, 2026, attackers drained approximately $290 million of rsETH from KelpDAO’s LayerZero-based bridge. Thankfully, through a number of measures including pausing relevant contracts and blacklisting attacker addresses, KelpDAO was able to block a second attempted drain of roughly 40,000 rsETH ($95 million). A post-mortem from Chainalysis detailed the mechanism: attackers DDoS’d an external node and compromised two internal RPC nodes hosted by LayerZero, using them to feed false data to the 1-of-1 LayerZero DVN and ultimately forge a cross-chain message claiming that 116,500 rsETH had been burned on Unichain. Correspondingly, 116,500 rsETH was released on Ethereum and deposited on Aave, Euler and Compound, where it was used as collateral to borrow an estimated $236 million in WETH and wstETH, with significant knock-on effects. The KelpDAO rsETH exploit shows that, in the age of exponentially improving AI, DeFi risk is moving beyond audited smart contracts into configurations, infrastructure and cross-protocol dependencies. Even though the attacker did not break KelpDAO’s re-staking contracts or Aave’s lending contracts, they were still able to leave lending markets across chains completely frozen, with approximately $236 million in bad debt.
As a pooled liquidity system, Aave depositors were on the hook for the bad debt. Utilisation on WETH quickly hit 100% as depositors raced for the exit, and at full utilisation withdrawals could no longer process because there was no idle liquidity available to redeem against. This created a bank-run dynamic, whereby stranded depositors began borrowing any assets they could, including USDC and USDT. Economically, this functioned like a synthetic withdrawal, extracting value from Aave without redeeming the original deposited asset. Liquidity drained from markets that were not initially the core problem, reinforcing the panic loop until Aave’s core liquidity markets were functionally locked. During this time, as dictated by the interest rate model, variable borrow rates hit caps of 14% on USDC and USDT.
Led by Aave service providers, the recovery effort ‘DeFi United’ collectively raised 137,717 ETH ($317 million) to improve the backing of rsETH and normalise market conditions. It is a hybrid recovery stack made up of donations, credit facilities and strategic token buying, but the end result is that Aave has begun normalising affected WETH markets and previously stranded depositors are now able to withdraw their funds. The largest part of this recovery effort came thanks to the Arbitrum Security Council, which was able to freeze 30,766 ETH connected to the attacker. Circle Ventures also acquired an undetermined amount of AAVE tokens, noting that ‘strong DeFi infrastructure does not build itself’.
Beyond the answer of how this specific deficit was addressed emerges the question of how similar shortfalls will be handled in the future. The KelpDAO exploit originated outside of Aave, yet Aave became the venue where the loss was most immediately socialised. Prior to DeFi United, Aave’s own incident report modelled two potential bad-debt outcomes: roughly $123.7 million if losses were spread uniformly, or $230.1 million if losses were isolated to L2 rsETH, with the latter scenario concentrating severe shortfalls on the Mantle, Arbitrum and Base WETH markets. What is the correct answer to the question of how the burden should be shouldered? Is it the path through which loss is minimised? Or is it based on holding those who willingly accepted additional risk factors responsible? Rather than answering the question, the conclusion revealed Aave’s balance sheet and governance credibility as a form of implicit, protocol-level insurance. The recovery sought to preserve user confidence, but it also made the protocol token look more equity-like: upside comes from fees and market share, while downside includes contingent claims on the treasury when risk management fails.
From pre-exploit levels to time of writing, total DeFi TVL has fallen from $98.3 billion to $86.0 billion, with the lending category absorbing the bulk at −$9.6 billion ($52.7 billion → $43.1 billion). The story is almost entirely Aave: its TVL fell from $26.1 billion to $15.3 billion, which means Aave's share of lending TVL has dropped from 49.5% to 35.4% in just 25 days. During this time, capital moved decisively toward isolated-market architectures: SparkLend gained +$1.34 billion (+66% TVL, share up from 3.8% to 7.7%) as Aave depositors found a venue with similar risk parameters but cleaner exposure, while Morpho was roughly flat at $60 million but grew its share from 14.4% to 17.6%. Notably, the rotation was already in motion: Morpho had been gaining roughly 0.8 pp of share per month since November, while Aave plateaued from early February. The exploit compressed five months of pre-existing trend into 25 days; the post-event ~35% Aave share has the look of a new equilibrium rather than a panic low. Looking forward, without the borrowing demand required to drive on-chain lending, it is difficult to argue the bull case for wider TVL growth beyond stablecoins.
Significant shifts in lending TVLs since the exploit

Source: DeFiLlama
This situation has drawn scrutiny on the two involved parties, KelpDAO and LayerZero, as to who is ultimately responsible. KelpDAO argues 1) it was LayerZero’s internal RPC nodes which were compromised and 2) the 1-of-1 DVN configuration it had was the default offering at the time. On the other hand, LayerZero argues it recommended a multi-DVN setup to Kelp, which could have prevented this attack had it been in place. Ultimately, each party holds some responsibility - LayerZero’s internal nodes were indeed compromised, and KelpDAO should not have been running a security setup with a single point of failure. Moving forward, the LayerZero Labs DVN no longer services 1-of-1 DVN configurations and defaults are being migrated to 5-of-5 where possible, and no less than 3-of-3 where only three DVNs are available. In light of the incident, Kelp, alongside Solv Protocol and Re.xyz, has migrated from the LayerZero DVN to Chainlink’s CCIP.
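The following is an added illustration, not code from KelpDAO, LayerZero or the article's authors. It is a simplified, constructed model of a ULN-style receive configuration (every required DVN must attest to the packet hash) and shows why a single DVN whose RPC view has been poisoned is enough to verify a forged burn message under 1-of-1, while the same compromised DVN cannot push it through a 3-of-3 configuration. All names, hashes and payloads are constructed; the real libraries key verification on more fields than modelled here.

```python
from dataclasses import dataclass, field
from hashlib import sha256


@dataclass(frozen=True)
class Packet:
    """Cross-chain message as seen on the destination chain (constructed)."""
    src_chain: str
    dst_chain: str
    nonce: int
    payload: bytes  # e.g. an encoded "burn N rsETH" instruction

    def hash(self) -> bytes:
        head = f"{self.src_chain}|{self.dst_chain}|{self.nonce}|".encode()
        return sha256(head + self.payload).digest()


@dataclass
class Dvn:
    """A verifier that reads the source chain through its own RPC nodes."""
    name: str
    rpc_view: dict  # nonce -> payload hash that this DVN's RPC nodes report

    def verify(self, packet: Packet) -> bool:
        return self.rpc_view.get(packet.nonce) == packet.hash()


@dataclass
class UlnConfig:
    """Receive config: all required DVNs must attest, plus at least
    `optional_threshold` of the optional DVNs (N-of-N when optional is empty)."""
    required: list
    optional: list = field(default_factory=list)
    optional_threshold: int = 0


def is_verifiable(cfg: UlnConfig, packet: Packet) -> bool:
    if not all(d.verify(packet) for d in cfg.required):
        return False
    return sum(d.verify(packet) for d in cfg.optional) >= cfg.optional_threshold


# Constructed scenario: the source chain really burned 100, the attacker wants 116,500.
TRUE_BURN = Packet("unichain", "ethereum", 7, b"burn:100")
FORGED_BURN = Packet("unichain", "ethereum", 7, b"burn:116500")
honest_view = {7: TRUE_BURN.hash()}
poisoned_view = {7: FORGED_BURN.hash()}  # what compromised RPC nodes report


def demo() -> dict:
    compromised = Dvn("dvn-A", poisoned_view)
    honest_b, honest_c = Dvn("dvn-B", honest_view), Dvn("dvn-C", honest_view)
    one_of_one = UlnConfig(required=[compromised])
    three_of_three = UlnConfig(required=[compromised, honest_b, honest_c])
    return {
        "1-of-1 forged": is_verifiable(one_of_one, FORGED_BURN),      # True: single point of failure
        "3-of-3 forged": is_verifiable(three_of_three, FORGED_BURN),  # False: honest DVNs refuse
        "3-of-3 genuine": is_verifiable(three_of_three, TRUE_BURN),   # False: N-of-N halts instead
    }
```

Note the last result: an N-of-N configuration buys safety at the cost of liveness, since one compromised or offline DVN stalls even genuine messages, which is the trade-off behind pausing rather than forging.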
April’s record number of hacks serves as a wake-up call for the industry. Hackers are using more advanced AI tools to their advantage. With the Clarity Act due to pass in the coming months, more institutional capital is coming into the space, and it is less tolerant of any risk management lapses. Institutions regularly underwrite volatility, liquidity risk and even smart-contract risk when the parameters are clear. They are far less tolerant of ambiguous loss allocation, unclear bridge assumptions and emergency recoveries that depend on goodwill after the fact. Teams that can demonstrate an ability to stay one step ahead are likely to gain market share and compound network effects.
To learn more about investment opportunities with Spartan Capital, please contact ir@spartangroup.io