Aave Drops 13% as Kelp Exploit Triggers $6.2 Billion DeFi Panic

April 19, 2026

The $293 million Kelp exploit rippled far beyond the target protocol. Aave, the largest DeFi lending platform, saw users attempt to pull $6.2 billion in withdrawals within hours. The AAVE token dropped 12.7% to $90.52. Curve Finance founder Michael Egorov pointed to the core problem: non-isolated DeFi architecture turns a single exploit into a chain reaction across multiple protocols.

What happened: Kelp used a cross-chain bridge to move assets between blockchains. Attackers found a flaw in that bridge and drained ~$293M. The rsETH liquid restaking token collapsed in price. Since rsETH was used as collateral on Aave, the damage spread there automatically.

One exploit, nine casualties

Attackers hit Kelp's cross-chain bridge on Saturday, April 19, draining roughly $293 million. Kelp paused smart contracts for its rsETH restaking token and halted all operations. The effects kept going anyway.

Blockchain security firm Cyvers called it a "cross-protocol contagion event." At least nine platforms were hit: Aave, Fluid, Compound Finance, SparkLend, Euler, and others. Each one froze rsETH markets or took emergency action as the rsETH price collapsed.

The scale drew comparisons to last week's $280 million Drift Protocol hack. April 2026 is shaping up as one of the worst months for DeFi security on record.

Aave under pressure: $6.2 billion heads for the exit

Aave ended up at the center of the panic for a direct reason: rsETH was widely used on the platform as loan collateral. When Kelp's exploit tanked the rsETH price, borrowers who had pledged rsETH as collateral suddenly faced forced liquidations on their positions.

Market reaction was fast. Within hours, users attempted to withdraw a combined $6.2 billion from Aave. The protocol held up under the pressure, but the AAVE token lost nearly 13% in 24 hours, dropping to $90.52.

The same pattern played out across other affected platforms: wherever rsETH had been integrated, trading pairs and lending markets were frozen until the situation became clear.

Curve Finance founder: where the root problem lies

Michael Egorov published a public breakdown after the exploit. Non-isolated lending on DeFi platforms creates systemic exposure: each token accepted as collateral becomes a potential attack vector for the entire platform, not just individual borrowers.

He also identified the root cause of the Kelp hack: the cross-chain architecture. "Cross-chain is hard and potentially risky. Only use cross-chain infrastructure when absolutely necessary, and do it really carefully," Egorov wrote. He advised DeFi teams to vet every asset before approving it as collateral, paying close attention to single points of failure.

Incident overview
Kelp exploit: ~$293M
Aave withdrawal panic: $6.2 billion
AAVE daily drop: -12.7%
Protocols affected: 9+ (Compound, Euler, SparkLend...)
Q1 2026 hack losses: $482 million

DeFi security gets a hard lesson

Cyvers CEO Deddy Lavid put the new challenge plainly: "The task is no longer just preventing exploits at the contract level, but understanding how fast they can cascade across integrated protocols." That capacity for self-propagating damage is emerging as the defining security challenge for DeFi in 2026.

Ethereum, where most of these protocols are built, faces a fresh round of debate on architecture. After two major exploits in two weeks, calls for tighter isolation between protocols have moved from theory to practical necessity.

Safety vs. efficiency: DeFi picks a side

Egorov stopped short of calling for an end to integrations. More isolated protocols are safer, but they need more capital to support the same level of liquidity. That is a trade-off between safety and capital efficiency that the DeFi market has not yet settled.

Several protocols announced plans to revisit their white-list criteria for new collateral tokens after the incident. Aave's governance forum is now debating new rules for cross-chain assets and stricter security audit requirements. With $482 million in Q1 2026 hack losses, the industry has little room left for learning on the job.
