DeFi suffered its worst month in over a year this April, with exploiters siphoning $635 million across 28 separate incidents, according to data compiled by blockchain security firms. The total brings cumulative historical losses to $16.5 billion, with $7.7 billion of that targeting DeFi specifically. The month’s most damaging single event — the rsETH bridge attack — left Aave holding $200 million in bad debt and reopened a debate about how the industry prioritizes speed over security.
The rsETH attack: a one-of-one config that lived for years
The attack on KelpDAO’s rsETH bridge exploited a 1-of-1 decentralized verifier network (DVN) configuration — a setting that required only a single validator to approve a message. Attackers compromised the RPC infrastructure, forced a failover to poisoned nodes via DDoS, and injected false data into that lone DVN. The forged message released roughly 116,500 rsETH, which was then deposited as collateral on Aave.
Aave’s incident report confirmed that the Ethereum chain accepted nonce 308 from the attack, while the Unichain source endpoint never advanced beyond 307 — a mismatch that should have been caught by better monitoring. KelpDAO says the 1-of-1 DVN was the default that LayerZero itself shipped. LayerZero counters that KelpDAO downgraded to that setting. Regardless, LayerZero has since banned the 1-of-1 DVN configuration protocol-wide.
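The nonce mismatch and the single-verifier setting described above are both conditions a monitor can test for. The sketch below is an added example, not code from KelpDAO, LayerZero or Aave; the snapshot fields, thresholds and pathway labels are assumptions, and only the 307/308 nonces come from the article.

```python
from dataclasses import dataclass

MIN_DVNS = 2       # assumption: any single-verifier pathway is a finding
MAX_IN_FLIGHT = 5  # assumption: tolerated backlog of sent-but-undelivered messages

@dataclass(frozen=True)
class PathwaySnapshot:
    """One observation of a bridge pathway; all field names are hypothetical."""
    pathway: str
    src_outbound_nonce: int  # highest nonce the source endpoint has sent
    dst_inbound_nonce: int   # highest nonce the destination chain has accepted
    required_dvns: int       # verifiers that must approve each message

def check_pathway(s: PathwaySnapshot) -> list[tuple[str, str]]:
    """Return (severity, message) alerts for one snapshot."""
    alerts = []
    if s.required_dvns < MIN_DVNS:
        alerts.append(("HIGH", f"{s.pathway}: only {s.required_dvns} required DVN(s)"))
    gap = s.src_outbound_nonce - s.dst_inbound_nonce
    if gap < 0:
        # The destination accepted a message the source never sent: a forgery signal.
        alerts.append(("CRITICAL", f"{s.pathway}: destination nonce "
                       f"{s.dst_inbound_nonce} is ahead of source nonce {s.src_outbound_nonce}"))
    elif gap > MAX_IN_FLIGHT:
        # Source far ahead of destination is a liveness problem, not a forgery.
        alerts.append(("WARN", f"{s.pathway}: {gap} messages undelivered"))
    return alerts

def scan(snapshots):
    """Check every pathway and return alerts with the most severe first."""
    order = {"CRITICAL": 0, "HIGH": 1, "WARN": 2}
    found = [a for s in snapshots for a in check_pathway(s)]
    return sorted(found, key=lambda a: order[a[0]])

# Constructed sample data. The first row uses the nonces reported in the article;
# the other rows and all pathway labels are invented for illustration.
# In practice each nonce should be read from independently operated nodes, since
# the attack described above worked by poisoning the RPC layer.
SAMPLE = [
    PathwaySnapshot("unichain->ethereum", 307, 308, 1),
    PathwaySnapshot("chain-a->chain-b", 120, 118, 2),
    PathwaySnapshot("chain-c->chain-d", 90, 60, 3),
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE):
        print(f"[{severity}] {message}")
```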
Blame, responsibility, and the Lazarus link
Chainalysis preliminarily linked the attack to the North Korean Lazarus group, though attribution is still ongoing. For the industry, the incident is less about who did it and more about how it happened. “DeFi has historically rewarded growth, integrations, liquidity, and speed over security maturity,” said Mitchell Amador, CEO of Immunefi. He pointed to overlooked practices like multisig hygiene, supply chain hardening, real-time monitoring, and emergency response procedures that many protocols still skip.
Ben Nadareski, CEO of Solstice Finance, put it bluntly: “Winning teams will be built on compliance and security from day one.” And Euler Finance CTO Kasper Pawlowski noted that risk assessment in DeFi is often treated as a one-time checkbox, but “risk is dynamic.”
$11 billion in TVL wiped out in a single month
Beyond the rsETH affair, DeFi lost nearly $11 billion in total value locked last month due to high-profile exploits on Drift and the KelpDAO bridge. The numbers underscore a trend that security researchers have been warning about: as protocols chase integrations and liquidity, the attack surface expands faster than defenses can keep up. The April tally is the highest monthly loss since early 2024.
The question now is whether the industry will finally treat security as a continuous process rather than a launch-day checklist — or wait for another $200 million hole to appear.



