For the crypto sector, big enough operational crises can be viewed as industry-wide reputational crises.
And by any measure, the April 18 exploit of the Kelp DAO decentralized finance (DeFi) platform, which saw roughly $292 million siphoned from a cross-chain restaking protocol and set off a chain reaction that erased nearly $9 billion from the largest DeFi lending platform, is fast becoming a reputational, even existential, crisis for DeFi.
In the latest episode of the “From the Block” podcast, PYMNTS CEO Karen Webster and Ryan Rugg, global head of digital assets for Citi Treasury and Trade Solutions, sat down to unpack why the weekend’s DeFi exploit was not just a technical failure, but a behavioral one.
Unlike earlier attacks that targeted private keys or flawed smart contracts, this breach struck at the connective tissue of blockchain ecosystems: the messaging layer that enables interoperability across chains.
“Past hacks were due to stolen keys or bugs in smart contracts; this one was convincing the vault the thief was actually the owner,” Rugg said.
As Webster put it, “We’re learning, literally hour by hour, what happened.”
DeFi Industry’s Existential Question
At the heart of the issues surfaced by the DeFi exploit is the unavoidable tension between crypto’s push for open, interoperable systems and the institutional demand for security and control that has long defined, and in some places limited, blockchain’s evolution.
“Does this delay the institutional adoption of DeFi? Maybe,” Rugg said. “It is going to take some of the confidence out of the market.”
But she stopped short of calling the incident a defining setback, noting that any institutionally driven decision will likely hinge on whether firms can implement “proper redundancy and security at every layer where the trust resides.”
In other words, the future of DeFi could look less like a radical departure from mainstream finance and more like an extension of it. After all, the weekend’s exploit maneuver struck at the heart of DeFi’s design, its composability.
But this incident reveals the flip side: Composability also creates tightly coupled risk. A failure in one protocol can cascade across many, not because of direct exposure, but because assets are reused and rehypothecated across the system.
In practical terms, the Kelp DAO attackers forged a cross-chain message that triggered the bridge to release funds that had never been legitimately burned. The exploit hinged on a weakness in the validation process: the attackers isolated a single validator that acted as a point of failure.
But the same features that allow assets to flow seamlessly between platforms, the attack revealed, can also allow compromised collateral to propagate risk system-wide.
While DeFi’s promise has long rested on the idea that transparency substitutes for trust, in moments of stress, that transparency can also accelerate panic as users see risk materializing in real time and exit instantly.
“You have to rebuild the confidence,” Rugg said, outlining the standard response playbook: containment, patching vulnerabilities, increasing validator redundancy and engaging enforcement agencies.
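To make the single-validator weakness and the "validator redundancy" remedy described above concrete, here is an added illustration (not from the article, and not Kelp DAO's or any bridge's actual code): a destination-side verifier that releases funds only when a threshold of distinct validators attest to a message. The validator names, the message fields and the use of HMAC as a stand-in for validator signatures are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed validator keys; HMAC stands in for real validator signatures.
VALIDATOR_KEYS = {"val-a": b"key-a", "val-b": b"key-b", "val-c": b"key-c"}

# Constructed message claiming a burn that never happened on the source chain.
FORGED = {"src_chain": "chain-1", "nonce": 7, "recipient": "0xRECIPIENT", "amount": 1000}


def encode(msg: dict) -> bytes:
    """Canonical encoding of a cross-chain message (hypothetical format)."""
    fields = ("src_chain", "nonce", "recipient", "amount")
    return "|".join(str(msg[f]) for f in fields).encode()


def attest(validator: str, msg: dict) -> bytes:
    """Attestation a validator (honest or compromised) emits for a message."""
    return hmac.new(VALIDATOR_KEYS[validator], encode(msg), hashlib.sha256).digest()


class BridgeVerifier:
    """Destination side: release funds only on a quorum of distinct validators."""

    def __init__(self, validators, threshold: int):
        if not 1 <= threshold <= len(validators):
            raise ValueError("threshold must be between 1 and len(validators)")
        self.validators = set(validators)
        self.threshold = threshold
        self.released = set()  # (src_chain, nonce) pairs already paid out

    def accept(self, msg: dict, attestations: dict) -> bool:
        key = (msg["src_chain"], msg["nonce"])
        if key in self.released:
            return False  # replay of an already-released message
        valid = {v for v, tag in attestations.items()
                 if v in self.validators
                 and hmac.compare_digest(tag, attest(v, msg))}
        if len(valid) < self.threshold:
            return False  # not enough independent attestations
        self.released.add(key)
        return True


if __name__ == "__main__":
    stolen = {"val-a": attest("val-a", FORGED)}  # only val-a is compromised
    print("1-of-1:", BridgeVerifier({"val-a"}, 1).accept(FORGED, stolen))
    print("2-of-3:", BridgeVerifier(VALIDATOR_KEYS, 2).accept(FORGED, stolen))
```

With a 1-of-1 configuration the verifier cannot distinguish the forged message from a legitimate one; with 2-of-3, the same attestation alone no longer moves funds.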
Interoperability Meets Institutional Reality
The paradox of DeFi is that it was built to eliminate intermediaries, yet now faces the same challenges that define modern finance: how to manage systemic risk in a highly interconnected system. And the Kelp DAO incident underscored a critical asymmetry afflicting blockchain applications. Despite capital moving instantly across chains, risk signals can often lag.
Interoperability, for example, is widely seen as essential for scaling digital assets across banks, FinTechs and enterprises. But the very bridges that enable that connectivity are also emerging as the most vulnerable points in the system.
In the case of the Kelp DAO exploit, the compromised asset (rsETH) continued to be priced near its expected value by on-chain oracles even after the underlying system had been breached. That mismatch allowed the attacker to extract additional value from downstream protocols, effectively turning a single exploit into a multiplatform liquidity event.
“There’s a reason we are still on a permissioned blockchain. We want interoperability and are driving toward that; we’ve heard our clients loud and clear around their desire for multi-bank, multi-asset-like solutions … but we need to make sure that what we’ve done in our traditional world to ensure safety and soundness now comes into this space as well,” Rugg said.
“Safety and soundness are first and foremost to large institutions like us,” she stressed, drawing a parallel between DeFi protocols and early internet routing before modern security standards were established.
Still, the road ahead is a long one. The question for institutional blockchain may not be one of whether true interoperability will arrive, but whether it can do so without compromising the very trust in the financial system it aims to decentralize.