Decentralized finance (DeFi) was “bent, not broken” after a $292 million tap on April 18 exposed systemic risks, according to investment bank Standard Chartered.
The attack on KelpDAO spilled over into AAVE, the largest DeFi lender, after stolen tokens were used as collateral to borrow other assets. The episode triggered a sharp liquidity crisis, with the liquidity protocol seeing deposits fall by around 38% and active loans by 31%, in what the bank described as a bank-driven dynamic.
Despite the shock, real-world tokenized assets are still expected to reach a market cap of $2 trillion by the end of 2028, driven by continued growth in DeFi lending and stablecoin liquidity, the report said.
“We still expect tokenized real-world assets (RWAs) to reach a market value of $2 trillion by the end of 2028, up from $35 billion in October 2025,” Geoff Kendrick, head of digital assets research at Standard Chartered, wrote in Wednesday’s report.
Hacks and exploits remain a core risk in crypto, undermining trust in systems built on code rather than intermediaries. Smart contract failures, phishing and cross-chain bridge failures can expose large pools of locked assets, where a single weak point can trigger large losses.
These risks are compounded by the complexity and interconnected nature of blockchain infrastructure. Cross-chain bridges expand functionality but also expand the attack surface and have accounted for billions in losses due to convoluted designs, shared systems, and in some cases weak validation.
Beyond the immediate damage, repeated exploits erode trust across the ecosystem. Major hacks can sideline users and institutions, invite tighter regulation and slow adoption, making security a key constraint on crypto’s growth.
AAVE and a coalition of DeFi firms moved quickly, committing more than $300 million to stabilize the system. According to the report, the intervention helped normalize conditions, with yields easing and deposits recovering.
The bank added that the incident is accelerating structural upgrades. AAVE’s V4 upgrade and the upcoming Ethereum Economic Zone aim to reduce reliance on cross-chain bridges, a frequent target in major crypto hacks, including this one.
Wall Street bank JPMorgan ( JPM ) said hacks and stagnant capital levels in decentralized finance continue to weigh on DeFi’s institutional appeal, highlighted by a $20 billion hit from the KelpDAO exploit.
Read more: JPMorgan says persistent security flaws slow DeFi’s institutional appeal
