A $292 million exploit targeting KelpDAO’s infrastructure has shaken decentralized finance, sending total value locked across DeFi protocols down roughly $13 billion over the weekend. The supporting evidence appears in the cited X post.
The breach has been preliminarily linked by LayerZero to North Korea’s Lazarus Group, marking one of the most technically sophisticated attacks the sector has faced in years.
The attack did not originate from a smart contract bug. LayerZero said the incident targeted infrastructure within its verification stack, and that KelpDAO had opted for a single-verifier configuration despite repeated recommendations to adopt a more resilient setup.
That choice proved costly, leaving rsETH, KelpDAO’s liquid staking token, unbacked and stoking fears of bad debt spreading through major lending markets.
Leveraged Loops Amplified the TVL Collapse
Aave, the largest DeFi lending protocol, recorded roughly $8.45 billion in outflows within 48 hours of the breach. Broader DeFi TVL fell into the mid-$80 billion range, retreating to levels last seen around this time in 2025.
The scale of that decline, however, requires context that the headline figure does not provide.
A significant share of Aave’s ETH exposure heading into the weekend was concentrated in looping strategies. In these setups, users deposit liquid restaking tokens, borrow ETH against them, swap that ETH for more restaking tokens, and repeat the cycle.
Because the same underlying assets get counted at each layer, TVL inflates sharply during calm periods and collapses just as fast when stress forces those positions to unwind.
The $292 million theft does not arithmetically produce a $13 billion TVL decline unless a large portion of that locked value was already recycled collateral counted multiple times.
The actual net capital destruction is likely a fraction of the headline number, though the precise figure remains difficult to calculate given how opaque looping strategies can be across protocols.
Not all capital fled to the sidelines. Spark, a lending protocol connected to the MakerDAO ecosystem, saw its TVL climb from $1.8 billion to $2.9 billion over the same weekend, as users rotated away from Aave seeking lower perceived counterparty risk. One pseudonymous trader flagged on X that the migration reflected a broader reassessment of collateral quality rather than a loss of confidence in DeFi as a whole.
Attack Surface Expands Beyond Smart Contracts
DeFi has absorbed larger nominal losses before. The Ronin bridge hack, the Wormhole exploit, and the Poly Network breach each erased more in raw dollar terms at the time.
The sector rebuilt after each of those incidents, and user activity eventually returned to prior levels or beyond.
What makes the KelpDAO incident structurally different is the attack vector. Infrastructure layer vulnerabilities, specifically within cross-chain messaging and verification systems, represent a broader and harder-to-audit attack surface than a single flawed smart contract.
That shift will likely push risk premiums higher for protocols relying on bridge or oracle infrastructure with minimal verification redundancy.
The episode is damaging, but it is also a data point rather than a verdict. Capital repriced quickly, some of it rotated rather than exited entirely, and the underlying protocols continued to function.
DeFi’s resilience has always been tested by exactly these kinds of events, and so far the structure is still standing.
Not Financial Advice: This article is for informational purposes only. Crypto investments are highly volatile. Always do your own research.
