The decentralized finance (DeFi) sector experienced a significant liquidity shock in April after a surge in security breaches triggered approximately $13 billion in total value locked (TVL) outflows, according to a new report from Binance Research. The capital flight reduced liquidity across major on-chain protocols and pushed leverage metrics to levels not seen since the peak of the 2021 crypto bull market.
Binance Research noted that the on-chain leverage ratio climbed to roughly 38%, matching levels last recorded five years ago. However, the increase was not driven by a resurgence in borrowing demand. Instead, it reflected a sharp decline in TVL, which caused existing debt to represent a larger share of the remaining locked capital.
The report emphasized that meaningful deleveraging has yet to occur despite broader weakness across cryptocurrency markets. As TVL continues to contract faster than outstanding borrowing balances, leverage remains elevated throughout the DeFi ecosystem.
April Security Breaches Trigger Massive TVL Outflows
According to Binance Research’s May market analysis, total DeFi TVL declined by 10.7% month-over-month, falling to $82.7 billion during April. At the same time, protocols suffered approximately $635.24 million in exploit-related losses, marking the largest monthly total since the Bybit security incident in February 2025.
Data from DefiLlama recorded 28 separate hacking incidents during the month, establishing a new monthly record for exploit frequency. Security researchers highlighted that the first 18 days of April alone accounted for more than $606 million in stolen assets across 12 attacks.
The two largest incidents involved Drift Protocol and KelpDAO, which together accounted for nearly $577 million in losses. Investigations later linked both attacks to the notorious Lazarus Group, a North Korean cybercrime organization known for targeting cryptocurrency platforms.
Attack Vectors Extend Beyond Smart Contract Vulnerabilities
The April exploit wave demonstrated that DeFi security risks now extend far beyond traditional coding errors. Analysts found that attackers increasingly exploited weaknesses in operational security, governance systems, bridge infrastructure, and internal controls.
Social engineering attacks, compromised administrative credentials, and cross-chain bridge vulnerabilities played major roles in several of the month’s largest incidents. These developments underscore the growing complexity of security challenges facing decentralized finance projects as they expand across multiple blockchain ecosystems.
The findings suggest that even protocols with audited smart contracts remain vulnerable if broader operational and governance protections are insufficient.
KelpDAO Incident Sends Shockwaves Through Aave
One of the most significant consequences of the April exploit wave was its impact on interconnected lending markets. Binance Research reported that the KelpDAO breach generated approximately $230 million in bad debt for Aave, one of the largest lending protocols in DeFi.
The incident reportedly reduced Aave’s TVL by nearly 50%, highlighting how security failures in one protocol can rapidly spread throughout the broader decentralized finance ecosystem. The event also exposed the risks associated with using bridged assets as collateral in lending markets.
Industry observers noted that the situation provided a real-world example of systemic contagion, where vulnerabilities in a single protocol can create cascading effects across multiple platforms.
KelpDAO Advances rsETH Recovery Efforts
Despite the damage caused by the exploit, KelpDAO has continued implementing its rsETH recovery strategy. The protocol recently completed a key operational milestone by transferring a final batch of 20,373.7 rsETH to the LayerZero smart contract responsible for cross-chain asset transfers.
Following the recovery process, KelpDAO confirmed that core functions, including minting, redemptions, and reward distribution, have resumed normal operations. While these measures have helped restore confidence among affected users, concerns surrounding DeFi leverage and liquidity conditions remain unresolved.
Binance Research noted that the broader market still carries significant debt exposure against a smaller base of locked capital, leaving the sector vulnerable to future shocks.
Security Threats Persist Despite Decline in May Losses
Although exploit-related losses fell sharply in May, security threats continue to challenge decentralized finance platforms. Blockchain security firm CertiK estimated total losses for May at approximately $68.3 million, representing a nearly 90% decline compared to April.
However, several notable incidents still occurred. Humanity Protocol reportedly lost more than $36 million after attackers compromised administrative keys connected to bridge infrastructure. Meanwhile, Aztec Connect suffered a $2.1 million exploit linked to an older immutable contract, and Raydium announced plans to reimburse users impacted by a $1.3 million attack targeting legacy Solana liquidity pools.
These incidents reinforce concerns that bridge systems, private key management, legacy contracts, and operational security remain among the most critical risk areas in decentralized finance.
DeFi Faces Ongoing Leverage and Liquidity Challenges
While exploit-related losses have moderated since April, Binance Research’s latest findings suggest that the DeFi sector remains in a fragile position. TVL has yet to fully recover, leverage ratios remain historically elevated, and borrowing activity has not contracted enough to reduce systemic risk.
As protocols continue strengthening security frameworks and recovery efforts progress, market participants will be closely monitoring whether meaningful deleveraging finally emerges. Until then, the combination of reduced liquidity and elevated leverage could leave the DeFi ecosystem exposed to further volatility and security-driven disruptions.
