DeFi Suffers $13 Billion Loss in 48 Hours Following KelpDAO Security Breach

A massive exodus of capital from the decentralized finance sector has occurred in the wake of a recent exploit targeting the KelpDAO protocol. Over the past two days, prominent DeFi lending platform Aave has seen a substantial decline of $8.45 billion in deposits, contributing to a broader $13.21 billion decrease in total value locked across the DeFi ecosystem. Total value locked, a key metric for assessing liquidity and market activity, plummeted from $99.497 billion to $86.286 billion. Aave's TVL alone dropped by $8.45 billion to $17.947 billion during this period, according to data from DefiLlama. Other platforms, including Euler and Sentora, have also reported double-digit percentage declines. The root cause of this downturn stems from a $292 million exploit of Kelp's bridge, which allowed attackers to misuse stolen rsETH tokens as collateral for borrowing on lending platforms. As these stolen tokens lacked legitimate backing, lending against them posed significant risks for lenders, akin to a traditional bank being deceived with fake fiat deposits. In response, protocols have frozen affected markets, prompting users to withdraw funds en masse and resulting in a sharp decline in total value locked. Notably, token prices have been less affected, with AAVE down approximately 2.5% over 24 hours and UNI and LINK down less than 1% over the same period. According to Peter Chung, head of research at Presto Research, this incident highlights the vulnerabilities inherent in cross-chain infrastructure, particularly in verification systems used by bridges. Preliminary analysis suggests that the issue may have originated in the verification layer rather than the smart contracts themselves. Furthermore, Chung notes that this episode demonstrates how interconnected DeFi protocols can transmit shocks beyond the initial point of failure, with withdrawal activity and market freezes extending to platforms without direct exposure to the exploit.