Binance Research said April’s DeFi exploits triggered about $13 billion in total value locked outflows, cutting liquidity across on-chain protocols.
- April exploits compressed DeFi TVL, pushing leverage higher without clear evidence of stronger borrowing demand.
- Drift and KelpDAO attacks made April the worst recent month for DeFi security losses tracked.
- Recent Humanity, Aztec, and Raydium incidents show exploit risks remained active after April across DeFi.
The research arm said the on-chain leverage ratio rose to about 38%, a level last seen in 2021, as TVL fell faster than borrowing.
The move did not come from a clear return in real borrowing demand. Binance Research said “meaningful deleveraging has yet to materialize,” even after a wider crypto market pullback. That means the ratio moved higher because the base of locked capital became smaller. When TVL falls, each dollar of debt weighs more on the system.
Drift and KelpDAO drive April losses
Binance’s May market report said DeFi TVL fell 10.7% month over month to $82.7 billion in April. It also said protocols suffered $635.24 million in exploits during the month, the highest monthly total since the Bybit incident in February 2025. DefiLlama counted 28 hack events during April, which Binance called a record monthly count.
As crypto.news reported, the first 18 days of April already saw more than $606 million stolen across 12 incidents. The two largest attacks were Drift Protocol, at about $285 million, and KelpDAO, at about $292 million. Later, crypto.news reported that the two attacks together represented $577 million in losses and were linked to North Korea’s Lazarus Group.
Those two cases carried most of April’s reported losses. They also showed that DeFi exploit risk no longer comes only from code bugs. Reports tied the attacks to social engineering, compromised systems, governance weaknesses, and bridge infrastructure.
Aave and KelpDAO recovery stay in focus
The KelpDAO incident also spread pressure across connected lending markets. Binance Research said the KelpDAO exploit created about $230 million in bad debt on Aave and cut Aave’s TVL by half. The event showed how one bridge failure can move through DeFi when stolen collateral enters lending markets.
KelpDAO later completed the operational part of its rsETH recovery plan. As previously reported, the protocol sent a final batch of 20,373.7 rsETH to the LayerZero smart contract used for cross-chain transfers. The protocol said minting, redemptions, and reward functions were operating normally again after earlier restart steps.
The recovery steps reduced some direct pressure on KelpDAO users. They did not remove the wider concern around DeFi leverage. Binance Research’s data suggests that the market still carries debt against a smaller pool of locked assets.
Recent exploits show risks remain active
Security incidents continued after April, though reported losses dropped in May. CertiK put May hack losses at $68.3 million, down nearly 90% from April’s roughly $650 million, as reported. Still, DeFi projects kept facing attacks tied to bridges, old contracts, private keys, and operational controls.
Recent cases include Humanity Protocol, Aztec Connect, and Raydium. Humanity Protocol said more than $36 million was stolen after attackers compromised administrative keys linked to its bridge systems. Aztec Connect lost about $2.1 million from an old immutable contract, while Raydium said it would reimburse users after a $1.3 million exploit hit five legacy Solana liquidity pools.
The latest cases keep DeFi security in focus as leverage remains elevated and liquidity remains weaker than before April’s exploit wave. Binance Research’s reading points to a market where TVL has fallen, borrowing has not recovered strongly, and deleveraging remains incomplete.
