
A Stunning $293 Million Heist Exposes DeFi's Coming of Age Moment

Source: CryptoNewsTrend

For years, decentralized finance sold itself on a simple promise: code is law. Smart contracts, immutable and transparent, would remove the human weaknesses that plague traditional finance.

But the $293 million KelpDAO exploit that occurred last month exposed an uncomfortable reality for crypto’s infrastructure builders: the industry’s biggest vulnerabilities increasingly have little to do with the smart contracts themselves.

Instead, the danger now lies in the sprawling web of bridges, governance systems, operational security and third-party dependencies that sit around the code, the messy human and infrastructural layer underpinning modern DeFi.

“The contracts in most of these cases did exactly what their authors told them to do,” said Eugene Mamin, the chief technical master at Lido Labs Foundation, to CoinDesk. “The authors just weren’t the legitimate people in that case.”

The KelpDAO exploit, linked to a vulnerability involving LayerZero’s bridge infrastructure, is becoming a defining moment for a DeFi industry wrestling with its own maturity.

For protocol founders and security researchers, the incident reinforced a broader shift underway across crypto: DeFi is no longer primarily battling coding bugs. It’s battling its own complexity.

In DeFi’s early years, exploits typically stemmed from flaws in the smart contract code itself: reentrancy bugs, oracle manipulation or faulty logic. Today, many of the industry’s largest failures happen somewhere else entirely.

“Smart contract risk is largely a solved problem,” said Sam MacPherson, CEO of Phoenix Labs, the developer behind decentralized finance platform Spark. “Recently, all the hacks have been from bad operational security.”

That doesn’t mean smart contracts are perfect. But auditing tools, formal verification, bug bounty programs and AI-assisted code review have made the underlying contracts significantly more robust than they were during DeFi’s explosive growth cycle, according to both executives.

The problem is that DeFi itself has evolved into a highly interconnected financial machine. Protocols depend on bridges. Bridges depend on validators and messaging systems. Governance systems rely on multisigs, cloud infrastructure, SaaS providers and teams spread across jurisdictions.

Every added layer creates another point of failure. “When you reuse someone else’s infrastructure, you inherit their threat model,” Mamin of Lido said.

The KelpDAO exploit demonstrated exactly how dangerous those inherited risks can become. A weakness in shared bridge infrastructure didn’t remain isolated; it cascaded outward into the protocols built on top of it.

“Concentration can quietly become systemic risk,” MacPherson of Phoenix Labs said. “If too much of the market depends on the same infrastructure, failures stop being isolated and start cascading.”

“Boring” as an appealing feature for DeFi

The exploit also lands at a moment when crypto investors are becoming less tolerant of risk-heavy experimentation, Mamin believes.

“The protocols people actually trust with serious capital are the ones doing the same thing the same way, predictably, for years,” Mamin said. “Boring is a feature.”

DeFi has typically rewarded growth, leverage and yield above all else. Complexity was often viewed as innovation. Now, after years of exploits, liquidations and cascading failures, users appear to be gravitating toward something far less exciting: predictability.

MacPherson said the market is beginning to reward systems designed for resilience rather than maximum upside.

“For a long time, DeFi rewarded growth at all costs,” he said. “But when conditions tighten, the hidden trade-offs become visible.”

Spark has recently seen deposits rise partly because users are rotating into more conservative lending markets and simpler collateral structures, according to MacPherson.

Another consequential lesson from the KelpDAO incident is that many of DeFi’s most dangerous attack vectors now resemble ordinary cybersecurity problems.

Mamin pointed to vulnerabilities in personal laptops, SaaS platforms, key management systems and software supply chains as some of the industry’s biggest unresolved risks.

“The attack surface has rotated back to the web2 roots rather than shrunk,” he said.

That creates a strange contradiction at the heart of crypto. The onchain layer may be radically transparent, but much of the infrastructure supporting it remains opaque and difficult to audit externally.

The implication is becoming harder for users to ignore: security in DeFi increasingly depends less on whether a protocol was audited and more on whether the people operating it are disciplined. That means geographically distributed multisigs, timelocks, rehearsed incident response plans, strict operational security practices and governance systems that reduce reliance on any single actor.
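A minimal model of two of the controls the previous paragraph names, a k-of-n multisig gated by a timelock, as an added illustration in Python. This is not code from the article or from Lido, Spark, KelpDAO or LayerZero; the signer names, the 2-of-3 threshold and the 48-hour delay are hypothetical. It shows why a single compromised key cannot push an action through, and why the delay matters even once the threshold is met: it gives the remaining signers a window to veto.

```python
"""Toy k-of-n multisig with a timelock (added illustration, not protocol code).

Signers, threshold and delay below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    action: str
    queued_at: int                      # seconds; constructed clock, not wall time
    approvals: set = field(default_factory=set)


class TimelockedMultisig:
    """An action needs `threshold` distinct signers AND `delay` seconds in the queue."""

    def __init__(self, signers, threshold, delay):
        if not 1 <= threshold <= len(set(signers)):
            raise ValueError("threshold must lie between 1 and the signer count")
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.delay = delay
        self.queue = {}
        self.executed = []

    def propose(self, pid, action, now):
        if pid in self.queue:
            raise ValueError(f"proposal {pid} already queued")
        self.queue[pid] = Proposal(action, now)

    def approve(self, pid, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorised signer")
        self.queue[pid].approvals.add(signer)   # a set: one vote per key, replays add nothing

    def cancel(self, pid, signer):
        # Any single signer can veto while the proposal is still in the delay window.
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorised signer")
        self.queue.pop(pid, None)

    def execute(self, pid, now):
        p = self.queue.get(pid)
        if p is None:
            return False, "no such proposal"
        if len(p.approvals) < self.threshold:
            return False, f"{len(p.approvals)}/{self.threshold} approvals"
        if now < p.queued_at + self.delay:
            return False, "timelock not elapsed"
        self.executed.append(p.action)
        del self.queue[pid]
        return True, "executed"


def demo():
    """Walk through the failure modes; returns the outcomes for inspection."""
    wallet = TimelockedMultisig(
        signers=["alice", "bob", "carol"], threshold=2, delay=48 * 3600)
    out = {}

    # 1. One compromised key alone cannot push an upgrade through.
    wallet.propose("p1", "upgrade bridge verifier", now=0)
    wallet.approve("p1", "alice")
    wallet.approve("p1", "alice")            # replaying the same key changes nothing
    out["single_key"] = wallet.execute("p1", now=0)

    # 2. Threshold met, but the delay still blocks immediate execution.
    wallet.approve("p1", "bob")
    out["before_delay"] = wallet.execute("p1", now=3600)

    # 3. The third signer notices the rogue proposal and vetoes it.
    wallet.cancel("p1", "carol")
    out["after_cancel"] = wallet.execute("p1", now=48 * 3600)

    # 4. A legitimate change with two approvals clears the timelock.
    wallet.propose("p2", "rotate oracle address", now=0)
    wallet.approve("p2", "bob")
    wallet.approve("p2", "carol")
    out["legitimate"] = wallet.execute("p2", now=48 * 3600)
    out["executed"] = list(wallet.executed)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>13}: {result}")
```

The veto in step 3 is the whole point of the delay: a timelock does not stop a quorum of stolen keys by itself, but it turns a silent instant takeover into a visible queued action that the rest of the team, or monitoring, can react to before it lands.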

Despite the string of exploits, neither Mamin nor MacPherson believes the incidents invalidate DeFi altogether. In some ways, they argue, the industry is finally entering a more sustainable phase.

MacPherson sees DeFi’s long-term advantage not as eliminating risk, but making risk visible.

“Collateral, liquidity and exposures are visible onchain in real time,” he said. “The challenge is pairing that transparency with mature risk management.”

That may ultimately become the sector’s defining challenge over the next several years: transforming crypto from a high-speed experimentation layer into financial infrastructure capable of surviving stress.

Read more: The $292 million Kelp DAO exploit shows why crypto bridges are still one of the industry's weakest links