What started out as the Kelp DAO exploit is no longer just a bridge story, but is now a crypto referendum on how DeFi handles security, contagion, and accountability.
The immediate damage was already severe. The roughly $292 million exploit hit Kelp DAO’s rsETH bridge, triggered bad-debt concerns at Aave, and spilled into a fresh round of finger-pointing between protocols and infrastructure providers.
The market reaction was brutal. Onchain analysts Lookonchain said Aave’s total value locked fell by nearly $8 billion after the attacker used stolen Kelp DAO-linked assets as collateral, leaving about $195 million in bad debt.
The Block's data now shows Aave’s TVL has suffered a steep drawdown over 48 hours as funds rotated elsewhere, including to Spark
The Block later reported that Aave had modeled two possible bad-debt scenarios tied to the fallout.
Meanwhile, funds stolen in the exploit began moving across chains after Arbitrum froze a large chunk of linked ETH.
A sharp question now circulating across the industry debates not whether DeFi still works, but what kind of risks it is still tolerating in 2026.
Curve founder Michael Egorov put it in the bluntest terms. "WTF? Are we industry of clowns?" he wrote on X, arguing that recent failures tied to centralized points of failure are damaging an industry that still claims to be building the future of finance.
His broader point is landing. The Kelp breach did not just hit one protocol, but traveled through composability.
A single bridge failure turned into multi-protocol collateral risk. Collateral risk turned into lending stress. Lending stress turned into withdrawals. In DeFi, code may be modular, but panic is shared.
Wenzhao Dong, a blockchain analyst at CertiK, told The Block the problem is not that DeFi is inherently broken. Rather, It is that too many teams still treat security as overhead.
The protocols that survive the next cycle will be the ones that view security as TradFi views counterparty risk — as a crucial factor, not an afterthought," Dong said.
Brian Trunzo, chief growth officer at Succinct Labs, shared a similar point. He said that bridges should no longer rely on trust-heavy validator models when proof-based systems exist.
In his telling, the Kelp exploit was a failure in the bridge verification layer, not a typical smart contract bug, and it showed how dangerous single-signer assumptions remain
At this point, if your trust model is less than ZK, you are being grossly negligent. Maybe even reckless," Trunzo told The Block
Sergej Kunz, co-founder of 1inch, said the episode exposed how fragile the shared-pool model can become when one bad asset drives full utilization and effectively traps user funds. Matthew Pinnock, COO at Altura DeFi, added that the speed of the withdrawals showed how fast confidence can unwind once collateral assumptions break.
Metamask security expert Taylor Monahan called Arbitrum’s emergency freeze of stolen ETH a sign that "DeFi f*cking wins," praising the coordination it took to stop more damage.
People need to understand what they're signing, limit what they expose, and have a clear recovery path when things go wrong. This is simply enterprise-grade that is missing in DeFi today,” May said. "The products that earn mainstream trust will be the ones that make security invisible, not ones that ask users to be their own security team."
A lending market can be healthy on its own terms and still get hit by a bridge upstream.
He posited that this very point why the numbers matter beyond headlines. The Block reported earlier this week that DeFi losses had already topped $600 million in just weeks. Add in the roughly $285 million Drift exploit and Hyperbridge’s revised $2.5 million loss estimate, and April is shaping up as another month that forces the sector to answer hard questions about trust assumptions and operational discipline.
#TrumpSaysIranConflictHasEnded