April became crypto's most-hacked month by number of incidents, with nearly 30 reported cases, and one of the largest by dollar value, with total losses topping $630 million. Most of that came from two DeFi exploits, Drift Protocol and KelpDAO, which together accounted for more than 90% of the stolen funds. But the impact of an attack can also be felt beyond the hacked protocols. These incidents can hurt token prices, weaken confidence in DeFi, and put more pressure on liquid and yield-focused funds that have already been struggling since the Oct. 10 record liquidation event.

I reached out to multiple investors and analysts to understand why DeFi hacks are rising and what they could mean for crypto funds. Most said the latest incidents are unlikely to break DeFi, but they could still add pressure on funds through weaker token prices and portfolio exposure.

Amid widespread concern that advancing AI tools helped drive April’s record number of hacks, Igor Igamberdiev, my former analyst colleague and now head of research at Wintermute, said its role should not be overstated. Igamberdiev, who is also part of SEAL 911, a crypto emergency response group that helps teams during active hacks and security incidents, said large language models have improved a lot recently and can now help attackers find easier vulnerabilities faster. But he said it is still hard to call AI the main catalyst for the latest exploit wave, especially when many incidents still involved admin-function abuse and social engineering.

Blockchain analytics firm TRM Labs this week said its analysts have begun to speculate that North Korean hackers are using AI tools for research and social engineering, as attacks like Drift appear more targeted and complex than earlier private key compromises. Several other investors shared a similar view, saying AI may be assisting in attacks, but it isn't yet autonomously discovering zero-days or executing novel exploits. (A zero-day vulnerability is a software flaw unknown to the vendor, giving them zero days to patch it before hackers exploit it.)

Some investors said DeFi is bigger and more connected now, so there are more weak points to attack. Francis Zhan, associate on the crypto team at Tribe Capital, said DeFi now has more links between protocols, meaning "more complexity + more TVL [total value locked] = more attack surface per dollar secured." Evgeny Gokhberg, founder of Re7 Capital, and Amir Hajian, a researcher at crypto investment firm Keyrock, meanwhile, pointed out that April looked severe by the number of hacks, but losses as a share of DeFi TVL are still below past cycle peaks.

 

"April's hack volume, annualised, points to roughly $750 million. With DeFi TVL forecasted to grow 31% — in line with average YoY [year on year] growth since 2021 — the ratio of hack volume to TVL continues its structural decline, from 7.24% in 2022 to a projected 1.49% in 2026," said Gokhberg. "The month felt acute; against the backdrop of a maturing and expanding ecosystem, the trajectory is unambiguously improving.”

 

Several investors said security can no longer be treated as a one-time audit before launch. DeFi teams now need continuous monitoring, stronger key management, better bridge settings, clearer incident response plans, and stricter controls around who can access admin functions. "The structural problem is that DeFi protocols are handling nation-state-scale value with startup-scale security architecture," said Anirudh Pai, partner at Robot Ventures.

Security spending remains low, several investors said. "There are many many protocols that are essentially unmanaged today, but still have millions or tens of millions of dollars in their smart contracts. The right benchmark going forward has nothing to do with auditing, that’s table stakes, but instead how much attention is going to real-time monitoring, key management, incident response, and broad opsec," said Rob Hadick, general partner at Dragonfly.

AI could also help on the security side. "Most protocols still don't have real-time monitoring infrastructure; they find out they've been hacked when someone tweets about it," said Thomas Klocanas, managing partner at Strobe Ventures. "AI-powered security tooling is one of the most interesting investment areas in crypto right now." Hadick added one caveat: crypto-only security startups have historically struggled because crypto companies alone have not been a large enough market to support very large venture outcomes. But as stablecoins and tokenized assets move into mainstream companies, that could change, especially for startups solving broader cybersecurity problems.

Several investors said hacks may slow DeFi adoption in the near term, but they are unlikely to stop the broader move toward onchain finance. Praneeth Srikanti, technical investment partner at Ethereal Ventures, said institutions do not need DeFi to be risk-free. According to him, they need risk to be "measured, bounded, governed, reported, remediated, and, where possible, transferred." That could mean more capital moving toward permissioned pools.

Hadick said the real cost is that these hacks delay the institutional DeFi conversation by another 6 to 12 months and give compliance teams "more ammunition to keep saying no, but don’t expect it to have long-term meaningful impact" as security problems are not isolated to crypto. "Look at the Vercel hack that happened only a few weeks ago — that was likely the biggest deal we’ve had in years," he added.

Hadick further said that institutional capital that's actually moving onchain is going to stablecoins, tokenized treasuries, other real-world assets or RWA vaults, and permissioned and/or isolated venues, noting that that part of the market will continue to grow because the technology is that much better.

Notably, after the KelpDAO exploit, the DeFi industry coordinated more than $300 million in pledged support via the DeFi United fund, helping limit wider damage. Several investors said that showed that DeFi has matured and can respond under stress. But they also said the industry cannot rely on emergency bailouts every time something breaks. "DeFi United was largely an act of self-interest," said Samantha Bohbot, partner and chief growth officer at RockawayX. "Participants understood that without a recovery effort, the reputational damage and collateral contagion would cost them far more than the bailout itself. It signals a certain maturity in the ecosystem, but it should not be mistaken for altruism."

The fund-level pressure

One of the biggest impacts may be on funds themselves. For venture and equity funds, the direct impact is often limited unless a portfolio company was closely tied to the affected protocols. But liquid and yield-focused funds are more directly exposed because they often hold DeFi tokens, use lending markets, or run onchain yield strategies. Hadick said the latest hacks make fundraising "absolutely harder" for liquid funds that need to be onchain and trade volatile assets. He added that yield funds were already struggling to find good onchain yield, while liquid funds have been hurting since Oct. 10.

Pai of Robot Ventures and Zhan of Tribe Capital said their firms were not affected by the recent hacks. Bohbot of RockawayX said her firm had no direct exposure to Drift, Kelp, or Resolv protocols. She said the indirect impact came through changes in deposit and borrow rates, but there was "no material effect" on fund performance. Klocanas of Strobe Ventures also said his firm did not have direct markdown exposure because it had no portfolio companies with meaningful total value locked, revenue, or user activity tied to the affected protocols.

Mathijs van Esch, general partner at Maven 11, said the firm's liquid holdings have "probably taken a hit" as crypto tokens reacted to the hacks and exploits, and that this has likely affected portfolios across the space. He added that this can also happen in a broader market move.

Hajian of Keyrock said the full industry-wise fund impact may take time to show up publicly. He noted that no major liquid fund has yet disclosed a markdown tied specifically to Drift or Kelp in a fund letter, partly because Q2 letters are generally expected around mid-July. But he said the mechanics are already clear and come in several layers.

Hajian's first layer is direct collateral markdowns. Any fund holding rsETH during the Kelp exploit had to decide whether to mark it to the lower market price or closer to par if it believed the DeFi United recovery would work, Hajian said. He added that both choices are defensible, but each has consequences. Funds without direct rsETH exposure could still be hit through Pendle PT-rsETH positions, Curve liquidity provider positions or structured liquid restaking strategies. He said this part of the contagion is often underreported. A fund can have zero direct exposure to the hacked asset and still take a 5% to 15% markdown on a strategy because of that embedded risk, he added.

Hajian said the second layer of pressure comes through borrow markets and yield strategies. After the Kelp fallout, Aave saw nearly $8.5 billion in outflows, borrow rates spiked, and stablecoin borrowing costs rose sharply. "Yield funds running delta-neutral strategies that depended on stable borrow costs took mark-to-market hits on the funding leg even where their collateral was untouched," he said.

Hajian's third layer is liquidity and "gating". Liquid funds that publish daily or weekly net asset values face a real challenge when the underlying collateral is impaired and recovery depends on a multi-week rescue effort, he said. Yield funds offering monthly redemptions may need to decide whether to gate, side-pocket or fully absorb markdowns, and each option creates a different LP problem, he said. The fourth layer is on counterparties and credit lines. Hajian said prime brokers and over-the-counter desks "did not pull credit lines en masse," but new exposures did tighten. Funds that depended on those credit lines for their structured restaking strategies had to either deleverage at unfavourable prices or accept materially worse terms, according to Hajian. "That is a direct hit on net returns even where the headline collateral did not move much," he said.

As for his firm Keyrock specifically, Hajian said its core business is market making, OTC, and liquidity provision "rather than commingled directional yield funds," and the operational risk frameworks the firm runs for its own balance sheet are different in kind from a typical liquid yield fund. "Portfolio implications I have described above are most acute for funds whose product is explicitly DeFi-native yield, and those are the strategies where I would expect the most visible markdowns and reporting changes in Q2 LP letters," Hajian said. 

To subscribe to the free The Funding newsletter, click here.