After a $290 million exploit and a drop of approximately $13 billion in the total value locked (TVL) in DeFi, the easiest take is that decentralized finance is broken again. It's also probably the laziest.
The KelpDAO exploit over the weekend was serious. It appears to have started with a targeted attack on infrastructure used in the LayerZero verification stack, rather than the kind of smart contract bug behind many other exploits. LayerZero initially linked the incident to North Korea's Lazarus Group and said the attack succeeded because Kelp chose a single-verifier setup, despite repeated recommendations to use a more resilient configuration. The exploit removed the backing for rsETH, a liquid restaking token issued by KelpDAO, and raised concerns that bad debt would spread to lending markets, particularly Aave's WETH pool (where users borrow wrapped ether against collateral).
The more interesting story, however, is not that DeFi is taking a hit. It's that DeFi is still here.
Capital fled quickly after the funds were drained. Aave alone experienced $8.45 billion in outflows in 48 hours, while broader DeFi TVL fell to around $80 billion, roughly back to where the industry was last year. In other words, this is a sharp repricing of risk, and it is less disruptive than some believe.
Aave, the largest DeFi lending market, accumulated a large amount of rsETH as collateral in the weeks before the breach as users established leveraged positions. The magnitude of the TVL decline also needs context. A $292 million theft would not directly produce a $13 billion drop unless a significant portion of that TVL had been reused as collateral. Heading into the weekend, the majority of Aave's ETH exposure was concentrated in a looping strategy, where users deposit liquid restaking tokens, borrow ETH against them, swap it for more restaking tokens, and repeat. In other words, the same set of assets may be counted multiple times in TVL calculations. This leverage pushes TVL higher on the way up and unwinds sharply during events like this one. Actual net capital losses are likely a fraction of the headline figure, but given how deeply looping strategies are embedded in DeFi's TVL calculations, the exact amount is difficult to isolate.
The strategies themselves are partly the product of a yield environment that no longer makes sense. As of early April, Aave was offering an annual interest rate of 2.61% on USDC deposits, lower than the 3.14% annual interest rate on idle cash at traditional brokerage Interactive Brokers. The risk premiums that historically justified the complexity and smart contract risk of DeFi have largely disappeared. With organic yields lacking, leverage fills the gap, and this concentration is why the rsETH contagion is so damaging. Data from DefiLlama shows that rsETH balances on Aave grew rapidly in the weeks leading up to the attack, reaching nearly 580,000 tokens ($1.3 billion), showing how the accumulation of leverage made the subsequent liquidation so dramatic.
Crypto has been through worse
The phrase "DeFi is dead" comes up after every hack because the failure is obvious and immediate, while the recovery is slower and less dramatic. But crypto has been through worse. Terra collapsed and destroyed confidence across the industry. Wormhole and Ronin each lost about $1 billion. Multiple chains have disintegrated.
An anonymous trader wrote on
Most recently, Bybit suffered what is widely considered the largest cryptocurrency theft on record, losing approximately $1.5 billion last February, but the company has continued to operate, handling a surge in withdrawals, restoring reserves, and still processing billions of dollars in daily transaction volume.
Repricing of trust
DefiLlama founder 0xNGMI told CoinDesk the losses were significant but unlikely. “Aave has a lot of resources to cover losses, including its finances and loans, and I think those resources have to be used to protect the agreement,” he said. “Overall, this is a significant loss, but one that can be recouped. The biggest question will be the impact on the risk premium allocated to DeFi.”
These risk premiums are real and lasting costs. Capital will demand more compensation for on-chain systems whose attack surface now extends beyond the code.
However, repricing does not equate to collapse. “Some of the money will come back,” 0xNGMI said. “We see this with Aave when rumors of a hack arise. Withdrawing and depositing later is always the best strategy as the costs are small but the rewards are large.” Some deposits will not return, but historically deposit outflows during stress events reverse as conditions stabilize, as evidenced after the 2021 Terra collapse.
There is also evidence that capital is not simply leaving DeFi. It's rotating. Spark provides an example. Spark's head of strategy, monetsupply.eth, said that the protocol delisted rsETH and other low-utilization assets in January, a move that may have caused damage to Aave's business and ETH recycling activity at the time. However, under the current circumstances, SparkLend still has ample ETH withdrawal liquidity, while Aave is experiencing shortages in multiple markets. Spark's TVL jumped from $1.8 billion to $2.9 billion over the weekend, showing a clear capital rotation.
The more interesting criticism some developers leveled after the exploit was not that DeFi failed, but that it became too timid. If the industry requires users to take on infrastructure risk, smart contract risk, and governance risk with low single-digit returns, then the product portfolio starts to look less attractive. With this in mind, Kelp is not the end of DeFi. This is a wake-up call for builders to build more secure systems while continuing to deliver real-world use cases.