TLDR
- Decentralized finance total value locked plummeted to $82.4 billion, marking a 12-month low and representing a 25% decline since January 2026
- Kelp DAO suffered a $292 million breach exploiting vulnerabilities in its LayerZero-based cross-chain bridge infrastructure
- Earlier this month, Drift Protocol lost approximately $285 million in what became Solana’s most devastating security breach to date
- Preliminary evidence connects North Korea’s Lazarus Group to both breaches, suggesting a systematic state-sponsored operation
- Disputes among Kelp DAO, Aave, and LayerZero over loss allocation could leave certain rsETH token holders facing up to $267 million in damages
A devastating wave of decentralized finance breaches has driven industry-wide losses beyond $600 million over a three-week period, severely undermining trust throughout the cryptocurrency lending and staking sectors.
Saturday’s Kelp DAO bridge compromise eliminated $292 million from the platform’s reserves. This disaster followed less than a month after the Drift Protocol breach, which extracted approximately $285 million and now holds the record as Solana’s most catastrophic security failure.
Additional attacks targeting Resolv Labs, Hyperbridge, and Rhea Finance compounded the devastation. Cryptocurrency security specialist Halborn had already documented $86 million in DeFi breaches during January, $23.5 million throughout February, and more than $27 million in March prior to these two catastrophic incidents.
Aggregate value locked within DeFi ecosystems collapsed to approximately $82.4 billion in the aftermath of the Kelp DAO breach. This represents a 25% contraction from the $110 billion recorded at 2026’s opening and marks the sector’s weakest performance in twelve months.
The immediate daily decline following the Kelp compromise reached 5.6%, positioning it just beneath the 98th percentile for severity since 2024. Lending protocols absorbed the most substantial damage, experiencing approximately 13% TVL erosion.
How the Kelp DAO Exploit Worked
The perpetrator exploited weaknesses in the data validation mechanism feeding Kelp’s cross-chain bridge infrastructure, which operated on LayerZero’s technology stack. The architecture authenticated message origin but failed to validate message accuracy.
Kelp had implemented its bridge with only a single verifier — one validation mechanism to authorize cross-chain operations. This design eliminated a critical security layer in pursuit of enhanced speed and reduced complexity.
“The security failure is simple: a signed lie is still a lie,” said Alexander Urbelis, CISO at ENS Labs. “Signatures guarantee authorship; they do not guarantee truth.”
LayerZero has subsequently claimed the vulnerability stemmed from Kelp’s configuration decisions and now advocates deploying multiple independent verification mechanisms. Industry observers have challenged this position, highlighting that LayerZero’s standard configuration already defaulted to single-verifier architecture.
Following the breach, compromised assets were deployed as collateral within Aave. Aave responded by freezing rsETH functionality across its ecosystem to contain exposure, effectively locking billions in user deposits and creating liquidity shortages in certain stablecoin markets.
What Happens to the Losses
Blockchain intelligence provider Arkham Intelligence outlined two potential scenarios for Kelp DAO. The first distributes losses proportionally among all rsETH token holders, imposing approximately a 16% reduction on each participant. The alternative shields Ethereum mainnet participants while concentrating damage on Layer 2 network users, potentially exposing Aave participants to as much as $267 million in losses.
Kelp DAO, Aave, and LayerZero are currently pointing fingers at each other. Yearn Finance developer Banteg wrote on X: “Everyone has lawyered up and going full PvP on each other.”
North Korea’s Lazarus Group has been connected to both the Kelp and Drift breaches based on initial investigative findings. Security analysts characterize this pattern as evidence of a coordinated, state-sponsored offensive rather than random isolated events.
“This is not a series of incidents; it is a cadence,” Urbelis said.
