Decentralized finance (DeFi) was left “bent, not broken” after a $292 million exploit on April 18 exposed systemic risks, according to investment bank Standard Chartered.
The attack on KelpDAO spread to AAVE, the largest DeFi lender, after stolen tokens were used as collateral to borrow other assets. The episode caused a strong liquidity crisis: the liquidity protocol saw deposits fall by approximately 38% and active loans by 31%, in what the bank described as a bank run dynamic.
Despite the shock, real-world tokenized assets are still expected to reach a market capitalization of $2 trillion by the end of 2028, driven by continued growth in DeFi lending and stablecoin liquidity, according to the report.
“We still project that tokenized real-world assets (RWA) will reach a market capitalization of $2 trillion by the end of 2028, up from $35 billion in October 2025,” Geoff Kendrick, head of digital asset research at Standard Chartered, wrote in Wednesday’s report.
Hacks and exploits remain a central risk in the crypto sector, undermining trust in code-based systems rather than intermediaries. Smart contract bugs, phishing, and cross-chain bridge failures can expose large pools of locked assets, where a single weak point can lead to massive losses.
These risks are amplified by the complexity and interconnected nature of blockchain infrastructure. Cross-chain bridges, while expanding functionality, also expand the attack surface and have accounted for billions in losses due to intricate designs, shared systems, and, in some cases, weak validation.
Beyond the immediate damage, repeated attacks erode trust throughout the ecosystem. Large attacks can sideline users and institutions, lead to tighter regulation and slow adoption, making security a key constraint to the growth of cryptocurrencies.
AAVE and a coalition of DeFi companies acted quickly and committed more than $300 million to stabilize the system. According to the report, the intervention helped normalize conditions, with yields declining and deposits recovering.
The bank added that the incident is accelerating structural improvements. AAVE’s V4 update and the upcoming Ethereum Economic Zone aim to reduce reliance on cross-chain bridges, a frequent target in major crypto attacks, including this one.
Wall Street bank JPMorgan (JPM) said hacks and stagnant capital levels in decentralized finance continue to weigh on DeFi’s institutional appeal, highlighted by a $20 billion hit from the KelpDAO exploit.
Read more: JPMorgan Says Persistent Security Flaws Curb DeFi’s Institutional Appeal
