
After Kelp, DeFi Faces an AI Problem It Has Not Begun to Price

20 Apr 2026

A $292 million exploit at Kelp DAO has triggered $6 billion in outflows from Aave and pushed DeFi's April losses past $580 million — but the configuration errors behind this month's hacks are the easy problem. The harder one, already visible in AI red-team research, is that autonomous exploit generation is becoming cheap enough to industrialise.

Decentralised finance has just had its worst fortnight in memory. A $292 million drain of Kelp DAO’s restaked-ether bridge over the weekend, on the heels of the $285 million Drift Protocol exploit on 1 April, has pushed April’s cumulative DeFi losses past $580 million — and triggered a $6 billion outflow from Aave alone as depositors scrambled for the exits.

Bitcoin, for its part, has barely flinched, trading near $75,000 as the contagion played out. But the sector’s composure masks a deeper problem. The Kelp attacker did not break cryptography or find a zero-day in a smart contract. They exploited a configuration choice in a cross-chain verifier, tricked LayerZero’s messaging layer into waving through a forged instruction, and minted 116,500 rsETH out of thin air on Ethereum. The contracts, as one developer-oriented post-mortem put it, were not broken — the verification layer was. That distinction matters, because the next class of attackers will not need the configuration errors. They will have AI.

Aave dumped on the news, Source: BNC

A hostile stretch, and a thinning edge

The immediate picture is ugly. Kelp’s exploit is now the largest DeFi hack of 2026, edging out Drift by roughly $7 million. Smaller drains at CoW Swap, Zerion, Rhea Finance and Silo Finance have filled in the weeks between. Blockchain security firm Cyvers put total Q1 crypto losses at about $482 million; that figure is already badly dated. Aave’s total value locked fell from $26.4 billion on 18 April to under $20 billion by Sunday morning in U.S. trading hours, per DefiLlama, and the AAVE token shed more than 18% over the weekend as depositors tried to borrow their way out of frozen rsETH markets.

Stani Kulechov, Aave’s founder, was quick to note that the protocol’s own contracts were not compromised. That is true, and it is also cold comfort: Aave accepted rsETH as collateral, the backing of that collateral evaporated on a bridge Aave does not control, and some $196 million in bad debt is now sitting in the largest lender in DeFi. Protocols including SparkLend, Fluid and Lido’s earnETH have suspended rsETH markets or paused new deposits while they work out their exposure.

The wider lesson builders are drawing is structural. Flexible, modular cross-chain security — where individual projects pick their own verifier sets — can collapse to a single point of failure if the configuration slips. “We observe repeated, identical exploit attempts across multiple contracts simultaneously,” Stephen Ajayi, dapp audit technical lead at blockchain security firm Hacken, told DL News earlier this month, describing a pattern he said was consistent with scripted, agent-driven probing of DeFi contracts.
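As an added illustration of that failure mode (not code from LayerZero, Kelp DAO or the post-mortem the article cites), the following hypothetical Python linter models a verifier set as required and optional verifiers, each tagged with the operator that controls its key, plus a confirmation threshold, and computes how many distinct operators would have to cooperate before a forged message is accepted. `Verifier`, `VerifierSetConfig` and the sample configuration are constructed assumptions; the point it makes beyond the paragraph is that a threshold of two is still a single point of failure when one operator runs two of the verifiers.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    operator: str  # the party that actually controls this verifier's signing key

@dataclass
class VerifierSetConfig:
    """Hypothetical config: a message is accepted once every required verifier
    and at least `optional_threshold` of the optional verifiers confirm it."""
    required: tuple = ()
    optional: tuple = ()
    optional_threshold: int = 0

def min_colluding_operators(cfg: VerifierSetConfig) -> int:
    """Fewest distinct operators whose cooperation gets a forged message accepted."""
    if not cfg.required and cfg.optional_threshold == 0:
        return 0  # nothing is checked at all
    operators = {v.operator for v in cfg.required}  # these must sign anyway
    per_op = Counter(v.operator for v in cfg.optional)
    # Optional verifiers run by an already-counted operator come for free.
    need = cfg.optional_threshold - sum(per_op[op] for op in operators)
    # Greedy: the operator running the most optional verifiers fills the quorum fastest.
    for op, n in per_op.most_common():
        if need <= 0:
            break
        if op not in operators:
            operators.add(op)
            need -= n
    return len(operators)

def lint(cfg: VerifierSetConfig) -> list:
    """Return human-readable findings; an empty list means no single party can verify alone."""
    if cfg.optional_threshold > len(cfg.optional):
        return ["threshold exceeds optional verifier count: nothing can ever verify"]
    k = min_colluding_operators(cfg)
    if k == 0:
        return ["no verification required: every message is accepted"]
    if k == 1:
        return ["single point of failure: one operator can verify alone"]
    return []

if __name__ == "__main__":  # constructed sample: two of three optional verifiers share an operator
    sample = VerifierSetConfig(optional=(Verifier("x", "opX"), Verifier("y", "opX"), Verifier("z", "opZ")), optional_threshold=2)
    print(lint(sample))  # ['single point of failure: one operator can verify alone']
```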

What AI has already done in a lab

Ajayi’s language matters. The fear in DeFi security circles is no longer that attackers will eventually automate. It is that they already have, and that the economics of the arms race have quietly inverted.

Anthropic’s red team published research late last year in which frontier models — Claude Opus 4.5, Claude Sonnet 4.5 and OpenAI’s GPT-5 — were set loose on a benchmark of 405 real-world smart contracts previously exploited between 2020 and 2025. The agents collectively produced working exploits worth $4.6 million against contracts that post-dated their training cutoffs. Pushed further, the same models were pointed at 2,849 newly deployed contracts with no known vulnerabilities and found two novel bugs, producing exploits worth $3,694 for an inference spend of $3,476. The researchers described the result as a proof-of-concept that autonomous, profitable exploitation is now technically feasible.

The Kelp DAO hack has wiped $6 billion from Aave and frozen rsETH markets across half the lending stack. It also previews a harder problem: frontier AI models that can find and weaponise smart-contract bugs for the cost of a cup of coffee.

Anthropic shows that AI models are increasingly finding more DeFi exploits, Source: Anthropic

A separate benchmark from AI security firm Cecuro, covering 90 DeFi contracts exploited between late 2024 and early 2026, found that a purpose-built security agent detected vulnerabilities in 92% of them, compared with 34% for a general-purpose coding agent running the same underlying model. The average cost of an AI-powered scan, according to the study, is now around $1.22 per contract. Exploit capability, by the same measure, appears to be roughly doubling every 1.3 months.

That is the number that should rattle allocators. A market in which every live contract holding funds can be probed for pennies, by software that keeps getting better, is not a market in which a one-time audit before deployment provides meaningful protection.

The model Anthropic will not sell

The risk is not only theoretical, because of what already sits inside the labs. Anthropic’s Claude Mythos Preview — unveiled earlier this month and restricted to a coalition of roughly 40 vetted enterprise and government partners under Project Glasswing — has already identified thousands of previously undetected zero-days in every major operating system and every major browser, including a 27-year-old flaw in OpenBSD that had survived millions of prior scans. BNC detailed at the time why that capability is a more pressing concern for DeFi than the long-running quantum-computing debate: DeFi codebases are open-source by design, making them precisely the kind of target Mythos-class models can read end-to-end at machine speed.

Anthropic’s own framing is telling. The company declined to release Mythos to the public and last week shipped a commercial model, Claude Opus 4.7, explicitly described as “less broadly capable” on cybersecurity tasks than the system held inside Glasswing. That is a concession that a public release would shift the attacker–defender balance in the wrong direction.

Pricing the asymmetry

DeFi’s security posture has not caught up. On-chain insurance capacity remains measured in the hundreds of millions of dollars, set against a sector with roughly $100 billion in total value locked. The audit market cannot keep pace with the volume of contract deployments, and composability keeps widening the surface that defenders must cover. Regulators, including the EU under MiCA, have begun to formalise disclosure requirements, but none yet mandates continuous adversarial testing or runtime enforcement for high-TVL protocols.

Builders worth listening to are converging on the same short list. Treat every upgrade and integration as a fresh attack surface. Make adversarial testing continuous rather than a one-off audit milestone. Segment trust boundaries so that a single compromise — whether a misconfigured verifier, as at Kelp, or a model-assisted exploit tomorrow — cannot cascade across the lending stack. And price security posture into allocation decisions the way credit managers price default risk.

The Kelp fallout will resolve one way or another. Some percentage of the stolen ether may yet be recovered, and Aave’s Umbrella reserve may be forced to absorb the deficit. Depositors will eventually come back. What will not reverse is the cost curve. For the first time, a capable adversary no longer needs a research team, a zero-day and a six-figure budget to drain a DeFi protocol. They need a few hundred dollars of inference credits and a list of targets.

The industry’s question for the rest of 2026 is whether its defences can compound faster than that capability does.
