600 million dollars stolen in three weeks: Is the risk of DeFi fully exposed?

链上雷达
1 hour ago

In the three weeks leading up to May 2, 2026, the DeFi industry suffered the most severe losses ever recorded, in what has been termed the "Black Month." According to AiCoin data, at least 12 DeFi protocols were attacked in succession during this period, with total losses exceeding $606 million. Two massive thefts formed the core of this storm: the Solana perpetual contract exchange Drift lost approximately $285 million, and the re-staking protocol Kelp DAO lost about $292 million. These two incidents alone accounted for over 95% of the total losses in this period, and their scale and reach punctured the market's optimistic expectations about the security of top DeFi protocols.

The theft of funds was accompanied by a collapse of trust and a severe liquidity shock across the industry. Within just two days of the attack on Kelp DAO, the total value locked (TVL) in the DeFi market fell by over $13 billion, and some analyses indicate that as much as $20 billion of TVL evaporated within a few days. Because the attackers cashed out stolen assets through lending protocols such as Aave, Aave was suddenly exposed to approximately $246 million in rsETH bad debt. Marat Karapetian of Karapetian Private Capital stated that the intensity of attacks in 2026 has shocked the market and that investors now deeply appreciate the systemic vulnerabilities within the DeFi ecosystem. This fragility has evolved from code vulnerabilities in individual protocols into cross-protocol and cross-chain cascading risk.

Drift's Six-Month Ambush: Multi-Signature Compromised by Social Engineering

Drift is the largest decentralized perpetual contract exchange in the Solana ecosystem. Its downfall did not originate from a conventional smart contract vulnerability, but from a six-month social engineering infiltration aimed at its human governance processes. According to a retrospective report, the attacker posed as a quantitative trading firm over a long period and built a high level of trust with the protocol's core contributors through day-to-day business interactions. The point of this "long-term ambush" strategy was to wear down human vigilance and pave the way for the technical attack that followed.

The attack itself relied on Solana's durable nonces feature. The attacker induced security council members to pre-sign a series of seemingly routine maintenance transactions, at a time when Drift's internal governance had just removed the time lock on transactions and adjusted the multi-signature threshold to 2-of-5. During this period of reduced security redundancy, the attacker introduced a fictitious asset named "CarbonVote Token" as collateral and used the pre-signed transactions to bypass substantive security review. Drift had completed its most recent audit in February 2026, but the human-factor failures involved, device compromise and psychological manipulation of signers, fall clearly outside what a traditional code audit covers.
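The effect of removing the time lock while approvals are collected in advance can be seen in a small model. This is an added example, not code from Drift, Solana or the original article; the class, signer names, proposal id and the two-day delay are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class TimelockedMultisig:
    """Simplified governance model (hypothetical, not any protocol's real contract)."""
    signers: frozenset
    threshold: int
    delay_s: int                                  # 0 models a removed time lock
    queued: dict = field(default_factory=dict)    # proposal id -> time it was queued

    def queue(self, proposal_id: str, approvals: set, now: int) -> bool:
        """Accept a proposal once enough distinct council signers have approved it."""
        valid = set(approvals) & self.signers     # ignore signatures from non-members
        if len(valid) < self.threshold:
            return False
        self.queued.setdefault(proposal_id, now)  # re-queuing never shortens the wait
        return True

    def veto(self, proposal_id: str) -> None:
        """Reviewers cancel a queued proposal during the delay window."""
        self.queued.pop(proposal_id, None)

    def execute(self, proposal_id: str, now: int) -> bool:
        queued_at = self.queued.get(proposal_id)
        if queued_at is None or now - queued_at < self.delay_s:
            return False                          # unknown, vetoed, or still time-locked
        del self.queued[proposal_id]
        return True

COUNCIL = frozenset({"s1", "s2", "s3", "s4", "s5"})   # constructed signer names
PRESIGNED = {"s1", "s2"}                              # approvals collected in advance
DAY = 86_400

def run(delay_s: int, reviewer_vetoes: bool) -> tuple:
    """Submit a pre-signed collateral listing at t=0.

    Returns (executed immediately, executed once the delay has elapsed)."""
    gov = TimelockedMultisig(COUNCIL, threshold=2, delay_s=delay_s)
    gov.queue("list-new-collateral", PRESIGNED, now=0)
    immediate = gov.execute("list-new-collateral", now=0)
    if reviewer_vetoes:
        gov.veto("list-new-collateral")
    later = gov.execute("list-new-collateral", now=delay_s)
    return immediate, later

if __name__ == "__main__":
    print("no time lock:        ", run(0, reviewer_vetoes=False))
    print("2-day lock, veto:    ", run(2 * DAY, reviewer_vetoes=True))
    print("2-day lock, no veto: ", run(2 * DAY, reviewer_vetoes=False))
```

With a zero delay, two pre-signed approvals are enough for the listing to take effect in the same instant it is submitted; with a delay, the same approvals only start a review window in which the change can still be cancelled.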

The attack ultimately caused the loss of approximately $285 million in assets, nearly half of the industry's total losses over the three weeks. More disturbing for the market, the incident has been attributed, with moderate confidence, to a state-sponsored North Korean hacker group. This means the adversaries facing DeFi protocols have evolved from individual code-savvy hackers into highly professional, patient state-level actors. When multi-signature governance and operational security crumble under social engineering, the technical security assumptions the DeFi industry has long relied upon come under unprecedented pressure, and the stage is set for the cross-chain protocol collapses that followed.

Kelp DAO Cross-Chain Bridge Compromise, rsETH Affected

The attack on Kelp DAO highlighted how fragile cross-chain infrastructure becomes under extreme configurations. According to AiCoin data, the core weakness was that its cross-chain bridge via LayerZero employed a 1-of-1 validator configuration. With this little redundancy, the failure of that single validating node was enough to collapse the protocol's entire security defense. The attackers compromised the RPC node on which the cross-chain bridge depended and tampered with cross-chain data, leading to the erroneous release of 116,500 rsETH. This amount was approximately 18% of the total circulating supply of rsETH at the time, and such a large issuance instantly disrupted the supply balance of the re-staking ecosystem.
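Why a 1-of-1 configuration turns one tampered data source into a release, while an M-of-N quorum of independently sourced verifiers does not, is shown in the following simplified model. It is an added example, not LayerZero's or Kelp DAO's code; the verifier names, message encoding, addresses and the 10-token genuine transfer are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    verifier: str   # hypothetical verifier identity
    digest: str     # hash of the message as this verifier read it from its own RPC source

def message_digest(src_chain: str, nonce: int, recipient: str, amount: int) -> str:
    """Canonical digest of a cross-chain release message (simplified encoding)."""
    return hashlib.sha256(f"{src_chain}|{nonce}|{recipient}|{amount}".encode()).hexdigest()

def should_release(digest: str, attestations, required: frozenset, threshold: int) -> bool:
    """Release only if >= threshold distinct required verifiers attest this exact digest."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and the number of required verifiers")
    seen = {}            # verifier -> first digest it attested
    equivocated = set()  # verifiers that attested two different digests
    for a in attestations:
        if a.verifier not in required:
            continue                      # ignore unknown verifiers
        if seen.setdefault(a.verifier, a.digest) != a.digest:
            equivocated.add(a.verifier)   # conflicting votes: discard this verifier
    agreeing = [v for v, d in seen.items() if d == digest and v not in equivocated]
    return len(agreeing) >= threshold

# Constructed scenario: the source chain really recorded a 10-token transfer, but the
# RPC node feeding verifier-a was tampered with and reports a 116,500-token release.
GENUINE = message_digest("src-chain", 7, "0xRecipient", 10)
FORGED = message_digest("src-chain", 7, "0xAttacker", 116_500)
ATTESTATIONS = [
    Attestation("verifier-a", FORGED),    # reads from the compromised RPC node
    Attestation("verifier-b", GENUINE),   # independent RPC source
    Attestation("verifier-c", GENUINE),   # independent RPC source
]

def demo() -> dict:
    one_of_one = frozenset({"verifier-a"})
    two_of_three = frozenset({"verifier-a", "verifier-b", "verifier-c"})
    return {
        "1-of-1 releases forged": should_release(FORGED, ATTESTATIONS, one_of_one, 1),
        "2-of-3 releases forged": should_release(FORGED, ATTESTATIONS, two_of_three, 2),
        "2-of-3 releases genuine": should_release(GENUINE, ATTESTATIONS, two_of_three, 2),
    }

if __name__ == "__main__":
    for label, released in demo().items():
        print(f"{label}: {released}")
```

The quorum only helps when the verifiers read from independent data sources; three verifiers behind the same RPC node would all attest the forged digest.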

The illegally obtained rsETH was quickly turned into an attack instrument and funneled into mainstream lending protocols. The attackers deposited the stolen rsETH into Aave as collateral and borrowed real ETH against it. Because this rsETH had no underlying assets behind it, it directly created significant bad debt within Aave. Estimates of the scale of that bad debt vary: some security agencies report that Aave incurred around $246 million in rsETH bad debt, while analysts from JPMorgan cited data indicating that the attackers minted $292 million of unsecured rsETH in Aave and borrowed ETH, ultimately resulting in a net loss of about $230 million. As the risk spread on-chain, mainstream lending markets such as Compound and Euler were affected in turn, raising doubts about the usefulness of rsETH as collateral and causing a significant drop in market trust.

Reviews by LayerZero and multiple blockchain security researchers indicate that this attack showed a high degree of professionalism, and it is attributed to the North Korean hacker group Lazarus Group. Although some of the stolen funds were frozen through multi-party collaboration after the event, a significant amount continued to circulate on-chain. The incident was not just an isolated loss for Kelp DAO; it also triggered severe turbulence in the DeFi market. Within just two days of the risk becoming known, the total value locked (TVL) in DeFi dropped by over $13 billion. This figure reflects not only the direct outflow of funds but also deep market panic about re-staking assets and systemic risk in cross-chain protocols.

TVL Plummets by Billions in Days: Institutions Hit Hard

The consecutive blows to Kelp DAO and Drift triggered a significant liquidity withdrawal from the DeFi market. According to AiCoin data, just two days after the Kelp DAO incident, the total value locked (TVL) in DeFi had declined sharply by over $13 billion. JPMorgan further pointed out in a report released on April 24 that, under the influence of the Kelp DAO cross-chain bridge attack and other incidents, DeFi TVL actually evaporated by about $20 billion within a few days. This sharp outflow stands in stark contrast to the long-standing sideways movement of DeFi TVL priced in ETH. Analysts at JPMorgan emphasized that this long-term stagnation in growth, coupled with the recent frequent security breaches, is becoming a significant barrier for institutional investors entering the DeFi space and is severely dampening mainstream capital's enthusiasm for participation.

As systemic risk spread, the industry began attempting to rescue itself through a risk-sharing mechanism. After the Kelp DAO risk came to light, a coordinating initiative named "DeFi United" was quickly formed, raising over $300 million to provide the necessary liquidity support for affected protocols and markets and to stabilize the situation. This is seen as a significant attempt by the industry to absorb bad debt and hedge systemic vulnerabilities through internal collaboration, in the absence of any external rescue.

Meanwhile, risk aversion among on-chain funds intensified significantly after the security events. According to on-chain data, whenever a security incident breaks out, users generally swap risk assets for USDT to reduce their exposure to volatility. However, this flow of funds currently shows up only as a structural adjustment of existing assets and has not significantly boosted USDT's overall market cap. This reflects a fundamental shift in the risk preferences of current market participants: funds are no longer pursuing the excess returns offered by cross-chain or re-staking strategies; instead, they prioritize holding assets on-chain and observing the market. This pattern of "defensive adjustment" rather than "total withdrawal" further confirms investors' extreme distrust of the existing DeFi security defense system.

Cross-Chain Projects Hit the Brakes: Morpho Pauses for Now

On April 19, shortly after Kelp DAO was attacked and the security risks of the LayerZero cross-chain bridge were exposed, the lending protocol Morpho responded swiftly. According to a related announcement, the Morpho Association has officially suspended the cross-chain bridge functionality of the MORPHO token on the Arbitrum network. The direct impetus for this decision was the underlying architectural weakness exposed in the Kelp DAO incident: the protocol used a fragile 1-of-1 validator configuration for cross-chain communication via LayerZero. The attacker exploited this single point of failure to compromise the RPC node that the cross-chain bridge depended on and tampered with the data, leading to the illegal release of 116,500 rsETH, approximately 18% of the total circulating supply of rsETH at the time.

This "emergency brake" by Morpho reflects the heightened alertness of core DeFi protocols in an extreme risk environment. According to their official statement, the Arbitrum cross-chain functionality will remain suspended until the root causes of the rsETH incident are fully confirmed. Prioritizing control over potential attack surfaces, even at the expense of cross-chain convenience, reflects a significant contraction in the market's risk appetite. Against the painful backdrop of over $600 million lost in three weeks, protocol teams no longer blindly trust the "default security" of infrastructure. They are opting for a more prudent defensive posture, actively severing connections with affected ecosystems or high-risk components to prevent risk from spreading further to core assets through cross-chain message transmission.

This "defensive halt" is triggering a chain reaction, forcing many projects that rely on third-party infrastructure and cross-chain communication protocols into deep self-examination and retrenchment. For Morpho, the Kelp DAO incident is not merely a loss at a single protocol but a systemic challenge to the security of combining re-staking assets (LRT) with cross-chain bridges. As the industry recognizes the single-point risk posed by configurations like 1-of-1 validators, more projects are expected to reassess their cross-chain deployments in the short term, adding time locks or strengthening multi-signature governance as remedial measures. This shift from the pursuit of extreme interoperability to the pursuit of certainty marks the DeFi industry's attempt, after severe shocks, to trade some liquidity efficiency for more solid security boundaries.

From Case to System: Rewriting DeFi Risk Pricing

Taken together, the Drift and Kelp DAO incidents show that security threats in DeFi are no longer limited to logic vulnerabilities in a single piece of code. In less than three weeks, at least 12 protocols were breached in succession, with accumulated losses exceeding $606 million. This dense, high-frequency run of attacks, combined with the involvement of state-level attackers, has shifted risk from the contract level to more complex areas: governance multi-signatures, cross-chain bridge validation designs, and peripheral infrastructure. The Drift incident revealed the covert destructive power of combining social engineering with pre-signature processes, while Kelp DAO's 1-of-1 validator configuration exposed the protocol's excessive reliance on a single RPC node. When the stolen rsETH quickly flowed into core lending protocols like Aave and Compound and turned into hundreds of millions in bad debt, the systemic fragility of DeFi evolved into a cross-protocol credit crisis.

This fragility is directly reshaping how the market prices DeFi. According to AiCoin data, the total value locked (TVL) in DeFi fell by over $13 billion within two days of the Kelp DAO incident, and this short-term shock, combined with the long-term sideways trend of TVL priced in ETH, further suppressed institutional capital's willingness to enter the market. The industry has launched the "DeFi United" coordinating initiative, raising over $300 million to stabilize the market and demonstrating the self-rescue capabilities of leading protocols, but investors' perception of risk has fundamentally shifted. Market attention going forward will focus on the redundancy of governance multi-signatures, the validation models of cross-chain bridges, and the risk isolation of re-staking assets in lending protocols. In the absence of more quantitative on-chain indicators, the current series of security signals should be viewed as the starting point for the repricing of DeFi risk rather than the endpoint of emotional fluctuations.
