After the $16.5 billion in exploits, DeFi is now being forced toward the controls it once resisted

The rsETH crisis resulted in $200 million in bad debt on Aaves books, despite not a single line of its contracts misbehaving.

On Apr. 18, attackers that Chainalysis preliminarily linked to Lazarus compromised RPC infrastructure, forced a failover to poisoned nodes via DDoS, and injected false data into a 1-of-1 DVN configuration on KelpDAOs rsETH bridge.

The forged message released approximately 116,500 rsETH, and Aaves incident report confirmed that Ethereum accepted nonce 308 while the Unichain source endpoint never advanced past 307.

The attacker supplied the compromised rsETH to Aave and borrowed against it, resulting in bad debt and serving as a frame for the current state of DeFis security.

Exploiters extracted over $635 million across 28 incidents in April, the worst monthly total in over a year. DefiLlama puts the cumulative historical cost of hacks at $16.5 billion, with $7.7 billion specifically targeting DeFi.

The high-profile exploits on Drift and the KelpDAO bridge resulted in DeFi losing nearly $11 bilion in total value locked last month.

That contraction institutional traction in the same capital markets.

DeFi exploiters extracted $635 million across 28 incidents in April, the sectors worst monthly loss in over a year, while cumulative historical hacks reached $16.5 billion.How did DeFi end up here？

Mitchell Amador, CEO of Immunefi, told CryptoSlate that DeFi has historically rewarded growth, integrations, liquidity, and speed over security maturity.

A protocol that adds a new asset, bridge, oracle, adapter, or external dependency gains immediate utility. The risk that integration carries produces no visible price signal until an exploit materializes, because the absence of an incident is invisible while it holds.

That asymmetry kept audit cycles and isolation practices secondary to shipping velocity for years, until April concentrated the consequences into a single month.

Amador said the most overlooked practices were multisig hygiene and management, supply chain hardening, real-time monitoring, and emergency response procedures.

Too many teams treated multisig as a security solution in itself, when its actual strength depends on signer count, the independence of those signers, their operational setup, and the processes around transaction review.

A low-threshold multisig, weak signer security, or a poorly monitored bridge or oracle can become a systemic exposure because DeFi protocols are composable by default. In this landscape, risk travels through integrations as efficiently as liquidity does.

While that culture was forming inside DeFi, a different model was being built in parallel.

Solstice Finance CEO Ben Nadareski assessed:

“The gap in output per person tells you what happens when you strip away everything that isnt the core financial function. The teams that win this round will be the ones built on compliance and security from day one, ready to ship faster than a bank can call a meeting about it.”

DeFi built composable rails for over half a decade before Wall Street recognized them as the actual infrastructure layer of the next financial system.

The cost of that early market position was a security culture calibrated for speed over operational discipline.

Kasper Pawlowski, CTO of Euler Finance, names the governance dimension of the same failure in his post-incident analysis.

He said:

“DeFi treats risk assessment as a one-time onboarding decision, when in reality risk is dynamic.”

The 1-of-1 DVN configuration that enabled the KelpDAO exploit existed in production for years. Kelp says it was the default LayerZero shipped and reviewed across multiple integration meetings, while LayerZero says Kelp downgraded to it.

Whichever account is accurate, the configuration persisted unflagged through every integration with every downstream protocol. LayerZero has since banned the configuration on a protocol-wide basis, acknowledging that allowing its DVN to act as the sole verifier for high-value transactions was a mistake.

The more consequential point is that a critical bridge-security parameter was normalized across the entire dependency chain until a $292 million exploit surfaced it.

Pawlowski argued:

“The operational machinery DeFi has built — DAO governance, external risk service providers, and monthly review cycles — doesn‘t move at the speed the underlying risk surface does. In many cases, the people doing the reviewing aren’t structurally independent of the assets theyre reviewing.”

That structural conflict produced the specific governance failure Pawlowski dissected. Aaves 25,000 ETH treasury recovery proposal was authored by TokenLogic, a paid Aave service provider that publicly lists Kelp as a client and operates an Aave delegate platform.

For reference, TokenLogic is the same firm voting on its own proposals. On the same day Aave expanded rsETH to a 93% loan-to-value ratio in eMode, SparkLend deprecated the asset entirely, bundling the move with routine cleanup of underused positions.

Three months later, that routine pruning was the only separation between Sparks depositors and the bad debt Aave now carries.

One protocol‘s independent risk judgment outperformed another’s full-stack risk advisory apparatus. DeFis review machinery generated worse outcomes than a single asset manager doing portfolio hygiene.

What “here” means

Before the exploit, Aave was the largest DeFi protocol by total value locked, with over $26 billion in deposits.

Pawlowski noted:

“Aave was the gold standard. If Aave can carry $200 million-plus in bad debt from a bridge exploit on a different protocol, the market has to recalibrate what ‘safe’ actually means in DeFi lending.”

The pooled lending model is only as strong as its weakest accepted collateral, and when that collateral breaks, the entire shared pool absorbs the damage. The exposure reaches every depositor in the broader market, extending well past the vault that held the position.

Pawlowski pointed out that the structural reality had been “muted by years of ‘battle-tested’ and ‘blue-chip’ marketing.”

Amador broadened the exposure map beyond the mechanics of KelpDAO. The attack surface in DeFi now covers governance, signers, privileged roles, integrations, bridges, oracles, custody arrangements, and every external system a protocol depends on.

The most dangerous operational assumption a team can hold is that audited smart contracts equal a safe protocol. Immunefis own research shows that DeFi losses declined by as much as 80% over the last several years, because the sector hardened its code and attackers adapted.

Amador added that they now study the entire risk chain for the weakest points, and those points are now off-chain, governance-adjacent, or buried in dependency stacks that no single audit covers.

For institutions, April forced a specific reset. Amador described the checklist now: how admin keys are managed, who can pause markets, what dependencies exist, what the incident response process looks like, and how quickly a threat can be contained.

Pawlowski made the same point from the capital side, saying institutions will continue to enter on-chain credit because the demand for tokenized markets, transparent settlement, and programmable financial infrastructure is real.

However, the institutional investors will move toward isolated markets, permissioned or curated vaults, stricter asset onboarding, better insurance, continuous monitoring, and formalized emergency controls.

DeFi exploiters extracted $635 million across 28 incidents in April, the sectors worst monthly loss in over a year, while cumulative historical hacks reached $16.5 billion.

Aave Horizon, a permissioned market for tokenized securities and RWAs launched in August 2025, has grown to more than $440 million in deposits.

Morphos vault ecosystem added ARCHITECT, the first FINMA-licensed investment manager to curate vaults at scale, and Flowdesk launched an institutional AUSD vault in March 2026, using tokenized equities as collateral.

EY-Parthenon and Coinbases 2026 survey found 73% of institutional respondents plan to increase digital asset allocations this year, but 81% prefer registered vehicles. Capital is moving on-chain through curated, governed, and compliance-aware structures.

The regulated alternative is accelerating on the other side of that same preference.

The GENIUS Act created the first federal framework for US stablecoins, with mandatory 100% reserve backing, no rehypothecation, and custody standards that Nadareski said “read like something a compliance desk could approve.”

A Goldman Sachs survey found 35% of institutional investors named regulatory uncertainty their biggest blocker, and 71% said they would increase exposure once clarity arrived.

Daily signals, zero noise.

Market-moving headlines and context delivered every morning in one tight read.

Free. No spam. Unsubscribe any time.

Nadareski said, “The floor is in place, the capital is waiting.” The CLARITY Act, which would define jurisdictional and custodian standards for digital assets, including tokenized securities, awaits consideration by the Senate Banking Committee as of May 14.

When that passes, Nadareski argued that “the last item on most institutional checklists gets checked off. The waiting ends.” DeFi is competing for institutional capital against a nearly complete regulatory framework.

How DeFi resurges

Pawlowski named the full list of DeFi recovery tools: governance combined with proper market isolation, automated and AI-assisted risk monitoring, selective timelocks on parameters that warrant them, circuit breakers, KYC when required by regulation, application-specific sequencing, and policy-aware block builders.

He added:

“Whats been missing is the willingness to use them, because every one [of the tools] involves a tradeoff against the maximalist version of decentralization the industry has marketed itself on.”

Abandoning that marketing position is the starting point, but its not easy.

Pawlowski noted that “the crypto industry has spent years pretending it can have everything”, such as full decentralization, censorship resistance, institutional-grade safety, and retail accessibility, without tradeoffs.

It was “that fantasy that produced the conditions for these exploits.” A regulated institutional credit facility on-chain is a different product from a permissionless retail lending market, and governing both under the same orthodoxy created the conditions that let aggressive rsETH listings clear governance while structural bridge-security parameters sat unflagged for years.

Pawlowski believes the structural fix requires ending “the conflicts that let aggressive listings get waved through low-turnout governance votes by service providers with commercial relationships on both sides of the trade.”

SparkLend‘s independent pruning, versus Aave’s eMode expansion on the same day, is proof that different risk philosophies yield different outcomes.

DeFi needs to institutionalize that distinction, build governance structures around it, and make the tradeoffs explicit to every user and institution evaluating the protocol.

Amadors operational prescription attacks the same problem from the execution layer.

DeFi must professionalize security in the same way it professionalized liquidity incentives via continuous audits, live bug bounty programs, formal verification where appropriate, independent security councils, stronger multisig thresholds, hardware-backed key management, real-time monitoring, public incident response playbooks, and mandatory risk reviews for every major integration.

Circuit breakers and isolation mechanisms should be built so that losses from a compromised asset, adapter, or dependency stay bounded within the affected market.

The benchmark for evaluating protocols should expand to cover security posture alongside yield and total value locked: who audited it, what the active bounty size is, how admin keys are managed, what dependencies exist, what the emergency procedure covers, and how quickly a threat can be contained.

Users and institutions should be able to compare protocols on those dimensions the way they compare APR.

A reform is already underway, as KelpDAO has begun migrating rsETH to Chainlink CCIP, LayerZero has banned 1-of-1 verifier configurations protocol-wide, and Aave Proposal 477 authorized liquidation of attacker positions, with recovered assets routed to a Recovery Guardian multisig.

Phase II of that proposal covers burning excess rsETH on Arbitrum, restoring bridge backing, reopening withdrawals, and compensating affected users.

Arbitrum‘s Security Council separately froze 30,766 ETH tied to the attacker’s downstream funds.

That recovery required emergency councils, DAO votes, multisigs, and court proceedings, comprising a crisis-management stack drawn from the institutional finance playbook, deployed within a system that describes itself as permissionless.

DeFi reaches for those tools when losses get large enough, and protocols can embed them in advance or reconstruct them while a crisis unfolds.

DeFis case for composability

Nadareski identified the specific prize at stake for institutions choosing between DeFi and regulated alternatives.

Compliance officers want circuit breakers, time-locks, and custody standards that match their existing playbooks, and Wall Street has been building that wrapper for years.

Nadareski said:

“The banks that move fastest will be the ones that stop trying to build everything in-house. Spinning up on-chain settlement with legacy teams puts you at 2028 if everything goes right. The play that ships this year is pairing established distribution and customer relationships with teams who already have the rails built.”

Composability is DeFis strongest argument for keeping the rails it built. A single protocol that executes a trade, manages collateral, routes liquidity, and automatically settles a transaction within seconds represents a capability that traditional finance can only replicate by rebuilding from the ground up.

Composability works as an institutional argument only if failures stay local. Once a bridge verifier, a governance vote, or a compromised oracle can transmit losses across shared liquidity pools at scale, composability operates as contagion infrastructure.

Amador noted:

“Trust the code is not enough when protocols depend on bridges, multisigs, governance processes, or external assets. The new standard has to be: assume every layer can fail, and design systems so one failure does not cascade into the entire market.”

Pawlowski framed the necessary changes as “growing up,” describing a sector that must accept and publish explicit tradeoffs, build genuinely independent governance structures, and make security a product feature that users and institutions can evaluate and compare.

DeFi built the composable infrastructure that tokenized markets are now adopting. Stablecoin rails, lending primitives, and liquidity mechanisms that originated inside permissionless DeFi are being packaged into products that Wall Street is shipping under regulatory cover.

If DeFi builds the operational maturity to match its technical architecture, composability remains the one capability beyond the reach of regulated wrappers. If DeFi fails to build that maturity, Wall Street captures the stablecoin and tokenization layer and, with it, the argument that open composable finance lacked the operational discipline serious capital requires.