coindesk.com
Decentralized finance (DeFi) was “bent, not broken” after a $292 million exploit on April 18 exposed systemic risks, according to investment bank Standard Chartered.
The attack on KelpDAO spilled into $AAVE, the largest DeFi lender, after stolen tokens were used as collateral to borrow other assets. The episode sparked a sharp liquidity crunch, with the liquidity protocol seeing deposits fall by roughly 38% and active loans by 31%, in what the bank described as a bank-run dynamic.
Despite the shock, tokenized real-world assets are still expected to reach a $2 trillion market cap by end-2028, driven by continued growth in DeFi lending and stablecoin liquidity, the report said.
"We still project that tokenised real-world assets (RWAs) will reach a market cap of $2 trillion by end-2028, up from $35 billion in October 2025," wrote Geoff Kendrick, head of digital assets research at Standard Chartered, in the Wednesday report.
Hacks and exploits remain a core risk in crypto, undermining trust in systems built on code rather than intermediaries. Smart contract bugs, phishing and cross-chain bridge flaws can expose large pools of locked assets, where a single weak point can trigger outsized losses.
These risks are amplified by the complexity and interconnected nature of blockchain infrastructure. Cross-chain bridges, while expanding functionality, also widen the attack surface and have accounted for billions in losses due to intricate designs, shared systems and, in some cases, weak validation.
Beyond the immediate damage, repeated exploits erode confidence across the ecosystem. Major hacks can push users and institutions to the sidelines, invite tighter regulation and slow adoption, making security a key constraint on crypto’s growth.
$AAVE and a coalition of DeFi firms moved quickly, committing more than $300 million to stabilize the system. According to the report, the intervention helped normalize conditions, with yields easing and deposits recovering.
The bank added that the incident is accelerating structural upgrades. $AAVE’s V4 upgrade and the forthcoming Ethereum Economic Zone aim to reduce reliance on cross-chain bridges, a frequent target in major crypto hacks, including this one.
Wall Street bank JPMorgan (JPM) said hacks and stagnant capital levels in decentralized finance continue to weigh on DeFi’s institutional appeal, highlighted by a $20 billion hit from the KelpDAO exploit.
Read more: JPMorgan says persistent security flaws curb DeFi’s institutional appeal