Hackers stole between $292 million [2] and $300 million [1] from the KelpDAO protocol during the weekend preceding April 29, 2026.

The event highlights the systemic fragility of decentralized finance, where a breach in one small project can trigger panic across the largest lending platforms. This contagion effect led to a massive exodus of capital from the broader Ethereum ecosystem.

The attack occurred after hackers exploited a vulnerability in the smart-contract code of KelpDAO [1, 4]. While KelpDAO is a relatively small project, the resulting instability rippled through the market. This volatility prompted a run on Aave, the largest DeFi lending platform, with outflows estimated between $9 billion [3] and $10 billion [3].

In response to the crisis, the DeFi community organized a relief effort to stabilize the market. A fund totaling $300 million [1] was raised to cover the losses resulting from the exploit.

Separate from the KelpDAO event, another exploit involving the creation of fake stablecoins resulted in $80 million being siphoned from the system [6]. These combined events have intensified scrutiny over the security of smart contracts on the Ethereum blockchain.

Industry participants said the rapid mobilization of the relief fund demonstrates the resilience of the DeFi community. However, the scale of the Aave outflows suggests that investor confidence remains precarious when security breaches occur in interconnected protocols.

A breach in one small project can trigger panic across the largest lending platforms.

The KelpDAO incident illustrates the 'interconnectedness risk' inherent in DeFi. Because many protocols rely on the same liquidity pools or assets as collateral, a failure in a minor project can create a liquidity crisis for a major platform like Aave. The event underscores that smart-contract security is not just a project-specific concern but a systemic risk to the entire decentralized financial infrastructure.