Kelp DAO's $292M Exploit Highlights DeFi's Security Gaps as Institutions Move Onchain
Kelp DAO's $292 million exploit and the ripple effects it triggered across crypto lending have hit decentralized finance at a sensitive juncture. As major Wall Street players expand their presence in onchain markets, the episode has underscored how brittle parts of DeFi still are—and how much work remains before institutional money can scale meaningfully.
In the weeks before the hack, private credit heavyweight Apollo Global Management (APO), which oversees about $900 billion, struck a strategic partnership with Morpho to support lending markets, with an option to acquire the protocol's governance tokens. Around the same time, BlackRock (BK), the world's largest asset manager, brought its tokenized money market fund to the decentralized exchange Uniswap.
Industry participants said the Kelp DAO incident is unlikely to halt traditional finance's push deeper into onchain finance. It does, though, sharpen the list of fixes DeFi must make before larger pools of capital can step in.
"DeFi platforms are pioneering new ways for investors to utilize their capital more efficiently," said Nick Cherney, head of innovation at Janus Henderson, an asset manager overseeing roughly $500 billion. "Pioneers will always face risks." He added that failures like the Kelp DAO exploit can slow momentum, but also force upgrades that tend to strengthen systems over time. "This is a speed bump for sure, but not a roadblock," Cherney said.
Cherney argued a longer-term shift is already underway: tokenized real-world assets—including funds, bonds and credit—are beginning to anchor DeFi markets, importing legal frameworks and risk controls refined over decades in traditional finance. Episodes like the Kelp DAO exploit could accelerate that transition, he said.
Security experts drew a more immediate conclusion: the current defensive posture is insufficient. "DeFi and onchain asset management operate in a highly adversarial environment," said Paul Vijender, head of security at Gauntlet. "Systems are only as secure as their weakest links." He said the industry is being pushed toward broader defenses, including zero-trust architectures that assume no component is inherently safe. In practice, that means layered protection—continuous monitoring, stricter controls and built-in redundancies—rather than reliance on any single safeguard.
Evgeny Gokhberg, founder of digital asset manager Re7 Capital, said measures often framed as "best practices" now need to become minimum standards. He cited timelocks for key governance actions, tighter multisignature controls, stricter collateral requirements and stronger protections around bridges, a frequent point of failure in DeFi. "The industry needs to treat them as baseline requirements, not best practice," he said.
Bhaji Illuminati, CEO of Centrifuge Labs, said the shift reflects a broader compression of financial evolution. "TradFi has had decades to build up layers of protections," she said. "DeFi is doing that too, but on a vastly accelerated timeline."
For institutions to deploy capital at scale, Illuminati said several conditions must be met. Clarity is first: investors need to know precisely what they own, backed by verifiable collateral and legal structures aligned with real-world risk. Reliability comes next: smart contracts, oracles and governance must operate predictably and be auditable. Third is resilient liquidity that holds up under stress, allowing capital to enter and exit without destabilizing markets.
"Being open and secure is not mutually exclusive," Illuminati said. "The goal is to make trust explicit and verifiable." She added that "every layer of the DeFi stack" must put security first, a priority she said is becoming more urgent in the age of artificial intelligence.