Disclaimer: The opinions expressed by our writers are their own and do not represent the views of U.Today. The financial and market information provided on U.Today is intended for informational purposes only. U.Today is not liable for any financial losses incurred while trading cryptocurrencies. Conduct your own research by contacting financial experts before making any investment decisions. We believe that all content is accurate as of the date of publication, but certain offers mentioned may no longer be available.
Evgeny Gaevoy, CEO of Wintermute, has given a frank evaluation of decentralized finance's current situation, highlighting structural risks that still impede innovation.
DeFi not doing well
Gaevoy expressed concerns about composability and how interconnected protocols increase risk rather than distribute it, saying that things appear pretty bleak for DeFi innovation at this stage, in response to recent developments.
His argument is based on a fundamental tenet of DeFi. Protocols can build upon one another thanks to composability, which is frequently touted as one of the industry's greatest advantages. In reality, the same characteristic produces tightly coupled systems in which a single failure can spread to several layers.
According to Gaevoy, the way risk should be assessed has changed since exploits' spillover effects are no longer contained within a single protocol.
Series of attacks
His comments come at an opportune moment. On April 18, 2026, KelpDAO was the victim of an exploit valued at approximately $290 million. Initial signs point to a highly skilled, state-affiliated actor, most likely connected to the DPRK's Lazarus Group.
The attack itself was not a simple smart contract malfunction. Rather, it specifically poisoned downstream RPC nodes utilized in the LayerZero Labs Decentralized Verifier Network. Under very specific circumstances, this made it possible for attackers to alter verification pathways.
What counts in the bigger picture is how the system design influenced the result. Because of a 1-of-1 DVN configuration, the incident was limited to KelpDAO's rsETH configuration, thereby creating a single point of failure. Although it is explicitly supported by LayerZero's architecture, multi-DVN configurations with redundancy were not implemented.
Consequently, once the attack path was established, there was no independent validation layer that could reject forged messages.
The event strengthens Gaevoy's position, despite the technical containment and lack of contagion to other assets or applications. The complexity needed to secure interconnected systems keeps growing, even when damage is isolated. With every new integration, the attack surface grows, and highly skilled actors are beginning to take advantage of this fact.
Dan Burgin
U.Today Editorial Team
