TLDR
- DeFi’s total value locked dropped to $82.4 billion, a one-year low and 25% fall from January 2026
- The Kelp DAO exploit drained $292 million through a manipulated cross-chain bridge on LayerZero
- The Drift Protocol exploit earlier this month cost roughly $285 million — the largest Solana-based hack ever
- North Korea’s Lazarus Group is linked to both attacks, pointing to a coordinated state-driven campaign
- Kelp DAO, Aave, and LayerZero are in dispute over how losses will be distributed, with some rsETH holders facing up to $267 million in losses
A string of DeFi exploits has pushed sector-wide losses past $600 million in just three weeks, shaking confidence across the crypto lending and staking ecosystem.
The Kelp DAO bridge exploit on Saturday drained $292 million from the protocol. It came less than three weeks after the Drift Protocol hack, which cost roughly $285 million and stands as the largest exploit on the Solana blockchain to date.
⚠️ ALERT: SOLANA LENDING MARKETS UNDER STRAIN AS DEFI OUTFLOWS INTENSIFY
Fallout from the KelpDAO rsETH hack has reached Solana, with Kamino Finance seeing USDC utilization hit 100% in key pools and multiple vaults above 95%, signaling severe liquidity stress. pic.twitter.com/y5uDHc311R
— Coin Bureau (@coinbureau) April 20, 2026
Smaller incidents involving Resolv Labs, Hyperbridge, and Rhea Finance added to the damage. Crypto security firm Halborn had already tracked $86 million in DeFi losses in January, $23.5 million in February, and over $27 million in March before these two major attacks.
Total value locked across DeFi fell to roughly $82.4 billion following the Kelp DAO incident. That is a 25% drop from the $110 billion seen at the start of 2026 and the lowest level in a year.
The single-day drawdown after the Kelp exploit hit 5.6%, placing it just below the 98th percentile of severity since 2024. Lending markets took the hardest hit, with TVL falling about 13%.
How the Kelp DAO Exploit Worked
The attacker manipulated data feeding into Kelp’s cross-chain bridge, which ran on LayerZero infrastructure. The system verified who sent a message but not whether the message was accurate.
Kelp had configured its bridge with a single verifier — one checker to approve cross-chain transactions. This removed a key safety layer in exchange for speed and simplicity.
“The security failure is simple: a signed lie is still a lie,” said Alexander Urbelis, CISO at ENS Labs. “Signatures guarantee authorship; they do not guarantee truth.”
LayerZero has since said the issue was Kelp’s configuration choice and has recommended using multiple independent verifiers. Some in the industry pushed back, noting that LayerZero’s default setup was already a single verifier.
After the exploit, stolen assets were used as collateral on Aave. Aave froze rsETH on its platform to limit exposure, locking up billions in deposits and leaving some stablecoin markets short on liquidity.
What Happens to the Losses
Blockchain analytics firm Arkham Intelligence laid out two options for Kelp DAO. One would spread losses across all rsETH holders, with each taking roughly a 16% cut. The other would protect Ethereum mainnet holders, leaving Layer 2 users to absorb most of the damage, with Aave users facing up to $267 million in losses.
Kelp DAO, Aave, and LayerZero are currently pointing fingers at each other. Yearn Finance developer Banteg wrote on X: “Everyone has lawyered up and going full PvP on each other.”
North Korea’s Lazarus Group has been linked to both the Kelp and Drift attacks through preliminary findings. Security experts say this points to an organized, state-driven campaign rather than isolated incidents.
“This is not a series of incidents; it is a cadence,” Urbelis said.
