Non-isolated DeFi lending risks exposed by Kelp breach, say industry leaders

Curve Finance's founder suggests the spread of damage from the Kelp security breach was preventable, though implementing safeguards would have reduced capital efficiency.

The security breach affecting the Kelp liquid restaking protocol demonstrates the dangers of non-isolated lending structures and interconnected systems within decentralized finance (DeFi), revealing how vulnerabilities can spread throughout the ecosystem, crypto industry leaders and blockchain security companies report.

According to Michael Egorov, who founded the Curve Finance DeFi protocol, non-isolated lending structures on DeFi platforms—such as those found in earlier iterations of the Aave lending protocol—create exposure to risks stemming from the diverse range of tokens accepted as collateral across these platforms.

On Saturday, Kelp became the victim of a cybersecurity incident, prompting the platform to suspend smart contracts associated with its restaking token (rsETH) as it launched an investigation into the breach that resulted in approximately $293 million being drained from the platform. According to Egorov's email statement, DeFi development teams must thoroughly evaluate potential digital assets to verify that tokens don't contain single points of failure or vulnerable attack vectors prior to authorizing them as lending collateral on their platforms.

Egorov additionally cautioned against relying on cross-chain bridging infrastructure for moving assets between different blockchain protocols, identifying this as the fundamental vulnerability that enabled this weekend's Kelp security breach.

Cross-chain is hard and potentially risky. Only use cross-chain infrastructure when absolutely necessary, and do it really carefully.

Michael Egorov

According to Egorov, this incident serves as an educational moment for the DeFi sector, providing valuable lessons that can be applied toward strengthening and deploying enhanced cybersecurity measures, particularly as financial losses from cryptocurrency hacks, code vulnerabilities and fraudulent schemes totaled $482 million during Q1 2026.

Kelp exploit triggers "contagion" across the DeFi ecosystem

This was not just a protocol exploit. It immediately became a cross-protocol contagion event.

Cyvers, blockchain security firm

According to Cyvers, at least nine DeFi protocols and platforms, including Aave, Fluid, Compound Finance, SparkLend and Euler, were affected by the incident and responded by freezing rsETH markets or taking measures to minimize the damage from the Kelp exploit.

A map of the transfer of funds in the Kelp exploit. Source: Cyvers

The challenge is no longer just preventing exploits at the contract level, but understanding how fast they can cascade across integrated protocols.

Deddy Lavid, CEO of Cyvers

The security breach targeting Kelp came after the $280 million Drift Protocol decentralized exchange hack last week and at least 12 other crypto platform and DeFi hacks earlier this month.
