After the $16.5 billion in exploits, DeFi is now being forced toward the controls it once resisted

The rsETH crisis resulted in $200 million in bad debt on Aave's books, despite not a single line of its contracts misbehaving. On Apr. 18, attackers that Chainalysis preliminarily linked to Lazarus compromised RPC infrastructure, forced a failover to poisoned nodes via DDoS, and injected false data into a 1-of-1 DVN configuration on KelpDAO's rsETH bridge. The forged message released approximately 116,500 rsETH, and Aave's incident report confirmed that Ethereum accepted nonce 308 while the Unichain source endpoint never advanced past 307. The attacker supplied the compromised rsETH to Aave and borrowed against it, resulting in bad debt and serving as a frame for the current state of DeFi's security. Exploiters extracted over $635 million across 28 incidents in April, the worst monthly total in over a year. DefiLlama puts the cumulative historical cost of hacks at $16.5 billion, with $7.7 billion specifically targeting DeFi. The high-profile exploits on Drift and the KelpDAO bridge resulted in DeFi losing nearly $11 bilion in total value locked last month. That contraction occurred as stablecoin rails, tokenized treasuries, and regulated settlement layers gained institutional traction in the same capital markets. DeFi exploiters extracted $635 million across 28 incidents in April, the sector's worst monthly loss in over a year, while cumulative historical hacks reached $16.5 billion. How did DeFi end up here? Mitchell Amador, CEO of Immunefi, told CryptoSlate that DeFi has historically rewarded growth, integrations, liquidity, and speed over security maturity. A protocol that adds a new asset, bridge, oracle, adapter, or external dependency gains immediate utility. The risk that integration carries produces no visible price signal until an exploit materializes, because the absence of an incident is invisible while it holds. That asymmetry kept audit cycles and isolation practices secondary to shipping velocity for years, until April concentrated the consequences into a single month. Amador said the most overlooked practices were multisig hygiene and management, supply chain hardening, real-time monitoring, and emergency response procedures. Too many teams treated multisig as a security solution in itself, when its actual strength depends on signer count, the independence of those signers, their operational setup, and the processes around transaction review. A low-threshold multisig, weak signer security, or a poorly monitored bridge or oracle can become a systemic exposure because DeFi protocols are composable by default. In this landscape, risk travels through integrations as efficiently as liquidity does. While that culture was forming inside DeFi, a different model was being built in parallel. Solstice Finance CEO Ben Nadareski assessed: “The gap in output per person tells you what happens when you strip away everything that isn't the core financial function. The teams that win this round will be the ones built on compliance and security from day one, ready to ship faster than a bank can call a meeting about it.” DeFi built composable rails for over half a decade before Wall Street recognized them as the actual infrastructure layer of the next financial system. The cost of that early market position was a security culture calibrated for speed over operational discipline. Kasper Pawlowski, CTO of Euler Finance, names the governance dimension of the same failure in his post-incident analysis. He said: “DeFi treats risk assessment as a one-time onboarding decision, when in reality risk is dynamic.” The 1-of-1 DVN configuration that enabled the KelpDAO exploit existed in production for years. Kelp says it was the default LayerZero shipped and reviewed across multiple integration meetings, while LayerZero says Kelp downgraded to it. Whichever account is accurate, the configuration persisted unflagged through every integration with every downstream protocol. LayerZero has since banned the configuration on a protocol-wide basis, acknowledging that allowing its DVN to act as the sole verifier for high-value transactions was a mistake. Stage What happened Why it mattered RPC infrastructure compromised Attackers compromised RPC infrastructure tied to the rsETH bridge setup The attack began outside the core smart contracts, showing how off-chain infrastructure can become the entry point DDoS forced failover Traffic was pushed onto poisoned nodes through a forced failover That let attackers control the data environment seen by the bridge verifier False data injected into 1-of-1 DVN Poisoned nodes fed false data into a single-verifier DVN configuration A 1-of-1 verifier setup meant there was no independent check to stop the forged message Forged bridge message accepted The forged message released about 116,500 rsETH Fake collateral was effectively minted into circulation Fake rsETH supplied to Aave The attacker deposited compromised rsETH into Aave as collateral Aave treated the asset as valid and allowed borrowing a