According to investment bank Standard Chartered, decentralized finance (DeFi) was “bent, not broken” after a $292 million exploit on April 18 exposed systemic risks.
The attack on KelpDAO ended up in $AAVEthe largest DeFi lender, after stolen tokens were used as collateral to borrow other assets. The episode led to a sharp liquidity crisis, with the liquidity protocol causing deposits to fall by around 38% and active loans by 31%, in what the bank described as a bank-run dynamic.
Despite the shock, tokenized real-world assets are still expected to reach a market cap of $2 trillion by the end of 2028, driven by continued growth in DeFi lending and stablecoin liquidity, the report said.
“We still expect tokenized real-world assets (RWAs) to reach a market cap of $2 trillion by the end of 2028, up from $35 billion in October 2025,” Geoff Kendrick, head of digital assets research at Standard Chartered, wrote in the Wednesday report.
Hacks and exploits remain a core risk in crypto, undermining trust in systems built on code rather than intermediaries. Smart contract bugs, phishing, and cross-chain bridge flaws can expose large amounts of locked assets, where a single weak point can cause excessive losses.
These risks are amplified by the complexity and interconnected nature of the blockchain infrastructure. While cross-chain bridges increase functionality, they also increase the attack surface and have caused billions in losses due to complicated designs, shared systems and, in some cases, weak validation.
In addition to the direct damage, repeated exploits undermine confidence in the entire ecosystem. Major hacks can push users and institutions to the sidelines, trigger stricter regulations and slow adoption, making security a major barrier to crypto growth.
$AAVE and a coalition of DeFi companies moved quickly, investing more than $300 million to stabilize the system. According to the report, the intervention has helped normalize conditions, with interest rates easing and deposits recovering.
The bank added that the incident accelerates structural upgrades. $AAVEThe company’s V4 upgrade and the upcoming Ethereum Economic Zone aim to reduce dependence on cross-chain bridges, a frequent target in major crypto hacks, including this one.
Wall Street bank JPMorgan (JPM) said hacks and stagnant capital levels in the decentralized finance sector continue to dampen DeFi’s institutional appeal, highlighted by the $20 billion hit by the KelpDAO exploit.
Read more: JPMorgan says persistent security flaws limit DeFi’s institutional appeal