Six years after “DeFi Summer” is the sun already setting on the decentralized finance revolution?

KelpDAO's $292 million rsETH exploit landed at the wrong moment for DeFi. Roughly $10 billion left the sector over the weekend , after confidence had already been shaken by Drift Protocol's April 1 breach and Venus's March post-mortem. That combination makes DeFi's problem harder to ignore. Open DeFi is still alive, but it is losing the case for being the default gateway to on-chain finance. Stablecoins, tokenized Treasuries, and regulated settlement rails continue to scale, while permissionless protocols continue to absorb the trust discount. A hack scoreboard circulating on X captures the mood. Hack scoreboard 2026 (source: Our Crypto Talk) Some incidents are well documented. Some remain live situations. Some blur the line between protocol exploit, bridge failure, and user compromise. The safer route is to anchor the piece to verified 2026 failures and to the competitive shift they expose. This moment feels different from 2021. Back then, DeFi sold the market on openness, speed, and composability. In 2026, those same traits still matter, but they no longer come with automatic narrative prestige. Each large exploit raises the cost of trusting the stack, while the safest and fastest-growing corners of on-chain finance increasingly look like payment rails, Treasury wrappers, and regulated tokenized products rather than reflexive token ecosystems. The live test is whether open DeFi can rebuild trust fast enough to keep default-front-end status. Right now, the sector looks squeezed rather than finished. DeFi's security problem now sits above the smart contract The easiest mistake after a big exploit is to treat every failure as another smart-contract bug. Drift's loss of about $285 million is a good example of why that frame is getting stale. Chainalysis described a breach built around privileged access, pre-signed administrative actions, and fake collateral rather than a simple line-by-line contract failure. The market got another lesson in how much DeFi risk now lives in governance paths, signer workflows, and operational complexity. That detail changes what users are being asked to trust. Audits and battle-tested code still matter, but they do not cover the full path from signer to bridge to oracle to market configuration. Once the system spans multiple chains, admin councils, liquidity venues, and collateral wrappers, the attack surface grows faster than the language around decentralization. Venus's own post-mortem shows a different version of the same problem. The attacker borrowed about $14.9 million against an inflated THE position and left the protocol with just over $2 million in bad debt. That was not the same failure mode as Drift, yet the reader-facing conclusion was similar. A major DeFi venue could still be pushed into emergency accounting around thin liquidity and structural edge cases. Then came KelpDAO's weekend shock . The exploit was severe enough, according to CryptoSlate, to trigger roughly $10 billion in withdrawals across DeFi and to force freezes around rsETH-linked markets. Even if that outflow estimate moves as conditions settle, the signal is clear. Users saw cross-chain complexity, collateral uncertainty, and possible contagion, then pulled capital. Related Reading DeFi users pull $10 billion out of the market as $292 million exploit sparks bank-run optics A single verifier path let a fraudulent cross chain message slip through, and the knock on effects spread fast across the DeFi ecosystem. Apr 20, 2026 · Oluwapelumi Adejumo That reaction lines up with the broader security trend TRM outlined in its 2026 crime-report summary . The firm said infrastructure attacks drove the majority of 2025 hack losses, outpacing smart-contract exploits. DeFi's trust problem is becoming harder to quarantine because the sector is defending the entire operating system around the code, not only the code itself. On-chain finance is still growing, just in safer wrappers The capital base tells a different story from a straight collapse narrative. An April CryptoSlate report pointed out that USDT had reached $185 billion in market capitalization and USDC had reached $78 billion. The same report cited DefiLlama figures showing Tron at $86.958 billion in stablecoins and Solana at $15.726 billion. DefiLlama's Ethereum chain page also shows where the deepest open DeFi capital still sits, which makes the current setup look more like concentration than abandonment. The rotation is even clearer in low-volatility yield products. RWA.xyz's Treasury dashboard shows $10.9 billion in tokenized U.S. Treasuries and 55,144 holders as of March 12, 2026. The user taking risks there is still choosing blockchain-based settlement and ownership rails. What that user is rejecting is the idea that open-ended DeFi complexity deserves an equal share of the balance sheet. A quick way to frame the split is this: Trust and positioning pressure On-chain growth signals KelpDAO's $292M exploit triggered a reported $10B retreat across DeF