NYDIG researchers recently analyzed a major DeFi ecosystem exploit from April 2026 that highlighted how small technical choices can lead to widespread market disruptions. The report, titled “Butterfly Effect Coming to DeFi,” details the $292 million theft from Kelp DAO's cross-chain bridge and its rapid spread to Aave, one of the largest lending platforms in the industry. On April 18, hackers affiliated with North Korea’s Lazarus Group exploited the single-validator setup of Kelp DAO’s LayerZero bridge.
They spoofed transfer instructions to release 116,500 rsETH tokens, which are liquid restaking tokens backed by ETH staked on EigenLayer, without compromising Kelp’s core contracts or Aave’s protocol.
The attackers immediately deposited most of the tokens into Aave as collateral and borrowed approximately $190 million in wrapped ETH (WETH) against them.
Panic triggered massive withdrawals within hours, pushing utilization across key stablecoin pools to 100 percent. USDT borrowing rates increased from 3.5 percent to 14 percent in just 48 hours.
The incident shows that DeFi’s distinctive composability (the ability to stack protocols for efficiency and low costs) is a double-edged sword. Aave’s governance had enabled an “e-mode” configuration months earlier, allowing a high 93 percent loan-to-value ratio for rsETH against WETH to attract inflows.
This decision increased exposure by ignoring upstream bridge risks.
Three independent risk and management teams had recently left Aave, leaving decision-making more concentrated among a handful of large token holders.
As a result, $10 billion in assets fled the platform within two days, eroding more than 38 percent of its total value locked in ETH terms, and the AAVE token lost 18 percent of its value. Ethereum fell 3.7 percent.
NYDIG researchers highlight four layers of risk that are difficult to manage.
Technical vulnerabilities were caused by opaque infrastructure layers beyond the control of a single protocol.
Economic features, such as algorithmic rate adjustments every 12 seconds and shared liquidity pools, locked in depositors and quadrupled costs for corporate borrowers using unrelated collateral such as Bitcoin or Ethereum.
Governance concentrated power without fiduciary duties, and systemic diffusion spread losses among unrelated users.
Unlike traditional finance, with no counterparty to negotiate relief, it exposed participants to “invisible” risks that were not priced into returns.
Aave’s security mechanisms provided limited relief. Umbrella insurance and the DAO treasury face waiting periods and governance hurdles, while legacy disruption tools remain inactive due to conflicts of interest.
In response, the ecosystem launched DeFi United on April 23, a voluntary industry bailout that will commit tens of thousands of ETH to recapitalize the rsETH gap.
The results remain uncertain due to potential bad debt ranging from $123 million to $230 million, depending on how Kelp allocates losses.
The report concludes that DeFi delivers real efficiencies (transparent markets and competitive rates), but the April events show that it also introduces unquantifiable tail risks from composability.
Lacking recourse mechanisms, DeFi is not suitable as a primary venue for corporate capital seeking reliable borrowing infrastructure.
NYDIG concluded that the DeFi sector can now be more accurately described as “OpenFi,” with openness being prioritized over true decentralization. As protocols become more intertwined, NYDIG warns that future “butterfly” moments could become even more costly unless risk visibility and accountability increase.




