Overall value locked (TVL, meaning the total assets deposited across a protocol's smart contracts) across decentralized finance has fallen 14% since a sophisticated infrastructure attack exploited KelpDAO on April 18, according to data reported by The Block on May 26. The decline reflects not just the immediate shock but a sustained withdrawal of capital that has outlasted KelpDAO's own operational recovery. The protocol announced on May 26 that its ETH backing ratio has returned to 100.01% and that minting, redemptions, bridging, and rewards are functioning again.

The broader market has not followed.

What Happened and How

KelpDAO is a liquid restaking protocol on Ethereum. Users deposit staked ETH assets (such as stETH or rETH) into EigenLayer and receive rsETH, a liquid restaked token, in return. The arrangement lets users earn both staking and restaking yields while keeping their assets transferable. By early 2026, the protocol had accumulated significant deposits within the restaking sector. EigenLayer's restaking ecosystem held approximately $18.5 billion in TVL at the time, representing roughly 68% of the restaking market, providing context for the scale at which KelpDAO operated.

The attack was not a flaw in a smart contract. It was an infrastructure compromise that took six weeks to execute. On March 6, a LayerZero developer was targeted in a social engineering attack that yielded stolen session keys. By April 18, the attackers had quietly embedded themselves in LayerZero's systems. At 17:35 UTC that day, they compromised two internal RPC nodes (the servers that relay transaction data) while simultaneously flooding external RPC providers with traffic to knock them offline. That forced the bridge to rely entirely on the attackers' own nodes.

The critical vulnerability was configuration. KelpDAO's rsETH bridge used a single Decentralized Verifier Network node to authenticate cross-chain messages. With that one node feeding falsified data, the bridge released 116,500 rsETH tokens on Ethereum with no corresponding assets locked or burned on Unichain, the source chain. As Chainalysis noted, assets released on the destination chain must equal assets burned or locked on the source chain; violating that invariant allowed roughly 18% of rsETH's circulating supply to be effectively conjured from nothing. Malicious code deleted itself after the theft, destroying forensic evidence. KelpDAO's emergency multisig froze core contracts 46 minutes later, blocking what Chainalysis estimates would have been a second theft of approximately $95 million.

LayerZero's initial response placed responsibility on KelpDAO's configuration choices. The protocol's full statement at the time read: "KelpDAO chose to utilize a 1/1 DVN configuration. A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised."

By May 9, LayerZero reversed that position and acknowledged it had made a mistake by allowing high-value protocols to operate on single-verifier setups without enforcing minimum security standards. The company published a joint post-mortem with Mandiant and CrowdStrike on May 20. According to LayerZero, Mandiant, CrowdStrike, and Chainalysis, the attack has been attributed to North Korea's Lazarus Group, specifically the TraderTraitor sub-group.

Market Damage by the Numbers

Within 48 hours of the exploit, DeFi's total value locked dropped $13.21 billion, falling from $99.5 billion to $86.3 billion. Aave, the largest decentralized lending protocol, shed approximately $6 billion in deposits in that window, according to CoinDesk.

By May 18, Aave's TVL stood at $14.49 billion, a 52% decline from its peak of $30.25 billion six months earlier. Thirty-one of the top 50 DeFi protocols recorded TVL losses over the past 30 days, and nine of the top ten DeFi applications posted declines. Ethereum's DeFi TVL fell 17.91% over the past month, a figure that measures Ethereum specifically; the broader 14% decline covers the full sector over the five weeks since the April 18 attack.

Aave, SparkLend, and Fluid all froze their rsETH markets within hours of the hack. A secondary exploit hit Volo Protocol days later for $3.5 million, according to Chainalysis and CoinDesk.

The Arbitrum Security Council froze 30,765 ETH (roughly $70 million) linked to the attacker, and an Arbitrum DAO vote to release those funds for recovery passed with 90.96% support. That frozen sum is separate from the broader industry recovery effort: a coalition called DeFi United raised more than $300 million in ETH to cover approximately $190 million in bad debt left on Aave. That mechanism was coordinated at the industry level and was not directly accessible to individual retail users, a distinction that matters particularly for those in regions with limited coordination infrastructure.

Regional Stakes

For users in Africa and South Asia, the incident carries specific weight. Aave functions as a primary savings and yield tool for DeFi-active users across Nigeria, Kenya, and South Africa, where stablecoin deposits in non-custodial lending protocols serve as a key savings option for those seeking alternatives to the traditional banking system. Aave's prolonged instability following the rsETH market freeze directly disrupted that use case. Kenya's BitcoinKE covered the Aave TVL collapse at the time of the hack, reflecting active monitoring across East Africa's crypto community.

The incident also surfaced specific risks for emerging market retail users who held positions in yield products combining staking and restaking returns. Those users may not have been positioned to monitor or respond to the compounded liquid restaking token collateral exposure as markets moved. The 90.96% Arbitrum DAO vote to release frozen attacker funds also carries a signal for South Asian developers building governance-dependent protocols: large DAO coalitions can act decisively, but only when the governance infrastructure exists to coordinate them.

Africa's growing use of DeFi for remittance-adjacent transfers adds a further dimension. Cross-chain bridge fragility poses a direct threat to use cases that depend on low-cost, reliable value movement across chains. For developers and users in regions where resilience matters more than maximizing yield, the KelpDAO exploit strengthens the case for simpler, single-chain architectures that are easier to audit and harder to subvert.

In South Asia, where India ranks among the top five countries globally for grassroots crypto adoption according to Chainalysis, developers building on EigenLayer's restaking stack now face intensified audit scrutiny. Any project using LayerZero's DVN infrastructure will likely need to document its multi-verifier setup to satisfy investors and security reviewers.

What Comes Next

KelpDAO has upgraded its bridge configuration to four independent DVNs (up from one) and increased block confirmation requirements from 42 to 64. Aave confirmed on May 25 that rsETH and all Aave markets are operating normally.

The operational recovery is real. Whether broader DeFi confidence follows is the open question. Capital that fled in April has not returned at scale, and with 31 of the top 50 protocols still showing monthly TVL declines, the sector is working against a backdrop of sustained caution rather than a clean rebound.