DeFi lending platforms have hit an on-chain leverage ratio of roughly 38%, matching the peak of the 2021 bull market.
Data from Binance Research shows this spike is not due to a surge in new borrowing. Instead, it stems from a sharp drop in Total Value Locked (TVL) after a wave of exploits wiped out $13 billion from the ecosystem.
On-chain leverage ratio climbed to ~38%, matching 2021 levels, driven largely by TVL compression rather than renewed borrowing demand.
April’s DeFi exploits triggered ~US$13B in TVL outflows. Despite the broader market pullback, meaningful deleveraging has yet to materialize. pic.twitter.com/8KTBIUdRQ0
— Binance Research (@BinanceResearch) June 16, 2026
Why was April 2026 a record month for security losses?
April 2026 was the worst month for DeFi security losses in recent memory. According to a CertiK report, crypto-related exploits in April 2026 caused total losses exceeding $650 million, led by KelpDAO at $292 million and Drift Protocol at $285 million.
Drift Protocol, Solana’s leading decentralized perpetual futures exchange, was drained of approximately $285 million in twelve minutes on April 1. Attackers posed as a quantitative trading firm, met Drift contributors at conferences across multiple jurisdictions, and even deposited over $1 million of their own capital to build trust.
Less than three weeks later, KelpDAO suffered a different but equally damaging attack. The KelpDAO bridge exploit on April 18 started from a single-DVN (Decentralized Verifier Network) configuration, KelpDAO’s rsETH deployment used only one LayerZero verifier, meaning a single poisoned data source was enough to approve a fraudulent transaction at scale.
How far did the damage from KelpDAO extend beyond the protocol?
Aave’s total value locked fell by about $6.6 billion, and its token fell 16% after attackers used $292 million in stolen rsETH from KelpDAO’s bridge as collateral on Aave V3, leaving roughly $196 million in bad debt.
Users who had staked ETH to receive rsETH, then borrowed against that rsETH in lending markets, found their collateral had lost its peg. Nine protocols froze their rsETH markets simultaneously, while borrowers faced immediate liquidations or discovered they could not exit positions because markets were locked.
What are the most recent DeFi exploits?
Humanity Protocol’s H token fell more than 80% after attackers stole private keys tied to the project and drained over $30 million from at least 17 wallets. The hacker dumped stolen H tokens for ether and minted additional H on BNB Chain, adding selling pressure as the token fell from roughly $0.67 to near $0.13 and briefly touched $0.05.
Meanwhile, two smaller but telling incidents landed in June. On June 10, Raydium disclosed that attackers exploited a validation flaw in its deprecated AMM V3 program, phased out in 2021, to drain approximately $1.34 million from five inactive liquidity pools that had remained on-chain. No current users or active programs were affected.
Enjoyed this? Bookmark DeFi Planet, explore related topics, and follow us on Twitter, LinkedIn, Facebook, Instagram, Threads and CoinMarketCap Community for seamless access to high-quality industry insights
Take control of your crypto portfolio with DEFI PLANET PRO, DeFi Planet’s suite of analytics tools
