No safe harbours left in DeFi? Lessons from Aave and Kelp

Aave and Kelp show how little safety remains in DeFi.

For years, DeFi users would say: «Just use Aave». A protocol with a TVL above $26bn, dozens of audits and a finely tuned risk framework looked like a “safe harbour”. But on April 18th the project’s long-standing reputation—already dogged in recent months by various conflicts and disagreements—took a heavy blow: hackers stole $293m from the liquid restaking protocol Kelp DAO and within a day users’ funds on Aave were frozen.

Here is how it happened, why Umbrella’s $55m insurance may not suffice, and whether DeFi still has any safe places.

How the hackers cracked Kelp DAO

On April 18th the attackers drained 116,500 rsETH worth $293m via the cross-chain bridge of Kelp DAO built on LayerZero. The attack is preliminarily linked to North Korea’s TraderTraitor—part of the Lazarus Group, behind the breaches of Bybit ($1.5bn), Ronin ($625m) and Drift Protocol ($280m).

The scheme was multi-stage. The hackers gained access to the list of RPC servers used by LayerZero Labs’ decentralised verified network (DVN). They then compromised two of them by installing modified versions of op-geth. In parallel they launched a DDoS attack on the “clean” servers so the system would fail over to the poisoned nodes.

According to LayerZero’s account, the attackers compromised two RPC servers and spoofed the responses seen only by the verifier, concealing traces from monitoring systems. After the attack concluded, the malicious code self-destructed, deleting the logs.

The key detail was Kelp’s security configuration. The protocol used a 1/1 DVN scheme— a single verifier with no redundancy. LayerZero had recommended that all integrators configure multiple DVNs, but Kelp ignored the advice. With multi-verification, the forged cross-chain message would not have cleared: independent DVNs would have rejected it.

“Exploitation of a single point of failure meant that an independent verifier could not intercept and reject the forgery. LayerZero and other parties had previously informed the project about best practices for DVN diversification. Despite the recommendations, Kelp chose a 1/1 DVN scheme,” — stressed LayerZero Labs.

Dragonfly Capital partner Haseeb Qureshi noted a contradiction in LayerZero’s stance: the protocol washes its hands of responsibility even though the compromised DVN was operated by LayerZero Labs itself.

The Kelp team responded 46 minutes after spotting suspicious activity. In that time the attackers deposited the stolen tokens on Aave v3 as collateral and borrowed wETH against them. On Aave alone they took roughly $196m; their total positions across Aave, Compound and Euler reached about $236m.

How Aave was hit

Within two days the TVL of the largest lending protocol plunged from $26.3bn to $17.7bn—investors withdrew more than $8.6bn. The AAVE token fell 15% to $91. Its market capitalisation slid from $1.8bn to $1.3bn.

The USDT and USDC pools on Aave v3 were completely exhausted. Around $5.1bn of assets were temporarily locked—withdrawals are possible only after fresh liquidity arrives or loans are repaid. rsETH markets were frozen in v3 and v4. wETH reserves were locked on Ethereum, Arbitrum, Base, Mantle and Linea.

The freeze triggered a cascade. Users with stuck USDT deposits began borrowing against them in other pools—borrowing against USDT collateral rose by $300m in a day. That pushed utilisation on USDC and USDe markets to 100%.

“Aave should immediately ban new borrowing against illiquid collateral assets—for example, set LTV=0 for USDT, USDC and USDe on Aave Core or suspend borrowing entirely,” wrote the strategy director of rival lending platform Spark, who goes by monetsupply.eth.

Umbrella’s first real test

Umbrella is the updated Safety Module of the Aave protocol. Unlike the old system, where slashing decisions were taken by DAO vote, Umbrella acts automatically: when bad debt arises, the smart contract burns staked aTokens without delay.

Users stake tokens to earn protocol yield plus extra rewards in GHO or AAVE. In return they take on slashing risk—forced deductions to cover deficits.

At the time of the incident, about $55m in ETH was staked in Umbrella. The Aave DAO treasury holds roughly $85m in assets, including $51m in AAVE. The old Safety Module never triggered slashing.

The Kelp case became the mechanism’s first real-world trial. The Aave team initially said Umbrella would cover any shortfall, then softened the wording to “studying avenues for compensation”.

Who will foot the bill?

The DefiLlama founder known as 0xngmi outlined three possible paths.

Socialise losses across all rsETH holders. In this case, every holder would, in his words, be “haircut by 18.5%”. Aave has frozen 666,000 rsETH; most positions at maximum leverage are near the liquidation threshold (LTV 95%). Under “socialised losses”, all capital in those positions would be wiped out. That would create around $216m of bad debt. Umbrella would cover $55m, the DAO treasury up to another $85m. $76m of losses would remain uncovered.

Losses fall on L2 networks. Aave said rsETH on Ethereum is “fully collateralised”. If mainnet avoids a haircut, users on L2s take the hit. By monetsupply.eth’s estimates, there is $361m of rsETH on second-layer networks: Base — $71m, Arbitrum — $152m, Mantle — $116m, Ink — $21m, Linea — $1.4m. The $341m in bad debt would land on wETH suppliers in those networks, and Umbrella would cover nothing—the module operates only on Ethereum.

“Concentrating losses on external chains is the worst outcome for Aave. With even distribution, Umbrella for $50m is engaged and there is an opportunity to use rsETH collateral on Aave Core to partially repay the debt. Losses on L2 networks become manageable,” believes monetsupply.eth.

Revert to a pre-hack snapshot. Technically hard: funds moved actively after the attack. The hacker borrowed $124m on Ethereum and $18m on Arbitrum. If only those sums are returned, the final loss after Umbrella’s coverage would be $91m.

A chain reaction and the search for a “safe harbour”

The fallout reached beyond Aave. The DeFi sector’s total TVL tumbled from $99.4bn to $85.8bn—a 12% drop in a day.

Data: DefiLlama.

The biggest protocols lost ground: Lido — 2.26%, EigenLayer — 2.42%, Morpho — 7.51%, Ethena — 3.04%. Aave suffered most—down 21.54%.

Some in the community pointed to Morpho as a safer alternative, since its isolated Morpho Blue markets can ring-fence damage to a specific asset pair.

Web3 researcher Vladimir Menaskop called that argument superficial. In his view, isolated markets do not remove risk—they reshape it.

“Borrower risks in Morpho are not eliminated by isolated markets. They appear in a different form: from technical aspects we shift to economic ones. Markets are isolated at the smart-contract level, but not at the level of asset connectedness, interactions with vaults and exposures across assets,” believes Menaskop.

He described an attack vector specific to isolated markets. Each Morpho Blue market pairs a “collateral” with a “borrow” asset. Liquidity is fragmented. To trigger liquidations, it is enough to manipulate the price of one of the two assets—either knock down the collateral’s value or push up the borrowed asset’s price.

“Isolation works against you here: each market is independent, right? Yes. Which means if you apply the scheme to one, you can apply it to another, and the next, until all markets ‘close’. With global protections at DAO level, the defence switches on for everyone at once,” explained Menaskop.

Morpho has already seen incidents: manipulation of the LP-pool oracle on Aerodrome, a $230,000 exploit in 2024, and an MEV-bot incident in April 2025.

Before the hack, Morpho’s TVL stood at $6bn, compared with Aave’s $26bn. The less liquid a protocol, the less attractive a target—but also the less resilient its structure in a major attack.

Lessons for DeFi users

Cross-chain bridges remain a weak link. Kelp is the latest reminder: a single point of failure is an open invitation.

Pooled lending creates contagion. Toxic collateral in one pool can lock the funds of all liquidity providers. Aave users who never touched rsETH cannot withdraw their USDT and USDC.

Isolated markets hedge some risks while creating others. Morpho limits damage to a given pair, but fragments liquidity and opens vectors for economic attacks.

Diversification is basic hygiene. Menaskop outlined his own approach: size positions at 1–3% of the portfolio and spread assets across protocols.

Security is not a property of a protocol, but a process. Aave was audited by Certora, MixBytes, Ackee Blockchain and StErMi. Kelp was also reviewed. LayerZero Labs maintained SOC2 and ran EDR on every device. None of this prevented an attack on the infrastructure of RPC servers.

“The loss will matter not in terms of money, but in the fact that there is now no tier-1 lending protocol,” — concluded Menaskop.

What next

The Aave team continues to consider compensation options. LayerZero is working with law-enforcement agencies and tracking the stolen funds. Kelp DAO is determining the final allocation of losses.

The decision will shape the future of lending in DeFi. If losses are socialised across all users, trust in pooled protocols will be damaged.

The coming weeks will test how resilient the biggest DeFi protocols are to real-world stress and whether the market is willing to pay for these lessons.

Text: Sasha Kosovan