
What started out as the Kelp DAO exploit is no longer just a bridge story, but is now a crypto referendum on how DeFi handles security, contagion, and accountability.
The immediate damage was already severe. The roughly $292 million exploit hit Kelp DAO’s rsETH bridge, triggered bad-debt concerns at Aave, and spilled into a fresh round of finger-pointing between protocols and infrastructure providers.
The market reaction was brutal. Onchain analysts Lookonchain said Aave’s total value locked fell by nearly $8 billion after the attacker used stolen Kelp DAO-linked assets as collateral, leaving about $195 million in bad debt.
The Block's data now shows Aave’s TVL has suffered a steep drawdown over 48 hours as funds rotated elsewhere, including to Spark.
The Block later reported that Aave had modeled two possible bad-debt scenarios tied to the fallout.
Meanwhile, funds stolen in the exploit began moving across chains after Arbitrum froze a large chunk of linked ETH.
The sharp question now circulating across the industry is not whether DeFi still works, but what kind of risks it is still tolerating in 2026.
Curve founder Michael Egorov put it in the bluntest terms. "WTF? Are we industry of clowns?" he wrote on X, arguing that recent failures tied to centralized points of failure are damaging an industry that still claims to be building the future of finance.
His broader point is landing. The Kelp breach did not just hit one protocol, but traveled through composability.
A single bridge failure turned into multi-protocol collateral risk. Collateral risk turned into lending stress. Lending stress turned into withdrawals. In DeFi, code may be modular, but panic is shared.
Wenzhao Dong, a blockchain analyst at CertiK, told The Block the problem is not that DeFi is inherently broken. Rather, it is that too many teams still treat security as overhead.
"The protocols that survive the next cycle will be the ones that view security as TradFi views counterparty risk — as a crucial factor, not an afterthought," Dong said.
Brian Trunzo, chief growth officer at Succinct Labs, shared a similar point. He said that bridges should no longer rely on trust-heavy validator models when proof-based systems exist.
In his telling, the Kelp exploit was a failure in the bridge verification layer, not a typical smart contract bug, and it showed how dangerous single-signer assumptions remain.
"At this point, if your trust model is less than ZK, you are being grossly negligent. Maybe even reckless," Trunzo told The Block.
Others pushed the critique further.
Sergej Kunz, co-founder of 1inch, said the episode exposed how fragile the shared-pool model can become when one bad asset drives full utilization and effectively traps user funds. Matthew Pinnock, COO at Altura DeFi, added that the speed of the withdrawals showed how fast confidence can unwind once collateral assumptions break.
Still, not everyone came away more bearish.
MetaMask security expert Taylor Monahan called Arbitrum’s emergency freeze of stolen ETH a sign that "DeFi f*cking wins," praising the coordination it took to stop more damage.
Haseeb Qureshi of Dragonfly said DeFi has always learned through failure, comparing the current moment to earlier crises such as Terra, the March 2020 auction breakdowns, and the stETH depeg. Erik Voorhees made a similar case from first principles: in crypto, he argued, failures stay close to the source instead of being socialized across society the way they often are in traditional finance.
A slightly different spin was offered by Neil May, CEO of defi.com. Speaking to The Block, May surmised that DeFi’s weakness is not just technical but also experiential. Users are still expected to understand too much, expose too much, and recover too poorly when things go wrong.
"People need to understand what they're signing, limit what they expose, and have a clear recovery path when things go wrong. This is simply enterprise-grade that is missing in DeFi today," May said. "The products that earn mainstream trust will be the ones that make security invisible, not ones that ask users to be their own security team."
For some, that may be the most important takeaway from Kelp's incident.
The exploit has revived an old DeFi argument about decentralization versus convenience, but it has also sharpened a newer one: security no longer ends at a protocol’s own contracts.
A lending market can be healthy on its own terms and still get hit by a bridge upstream.
A bridge can call itself decentralized and still depend on one weak link.
An emergency freeze can save funds and still reopen uncomfortable questions about governance and intervention.
Lukas Schor, president of the Safe Ecosystem Foundation, told The Block the larger pattern matters more than the blame game over who ultimately fills Aave’s hole.
Lazarus-linked actors, he said, have accelerated the cadence of attacks this month, while AI is starting to amplify reconnaissance and social engineering risk.
In Schor’s view, the DeFi industry is facing a nation-state-grade adversary with defenses still built for a softer era.
"What's clear now is that even the most established DeFi protocols have a target on their back," he told The Block. "Cybersecurity has always been a cat-and-mouse game. But right now it's clear that we, as an industry, have to level up our defenses. Otherwise, trust in DeFi will be very quickly and irrecoverably eroded."
He posited that this very point is why the numbers matter beyond headlines. The Block reported earlier this week that DeFi losses had already topped $600 million in just weeks. Add in the roughly $285 million Drift exploit and Hyperbridge’s revised $2.5 million loss estimate, and April is shaping up as another month that forces the sector to answer hard questions about trust assumptions and operational discipline.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.