"Creator Says" is a dialogue column launched by Foresight News, where we ask the outstanding creators selected each month about market hot topics and organize the collected results into articles, gathering diverse opinions to explore deeper thinking.
Written by: Foresight News April 2026 Excellent Content Creators
Organized by: Foresight News
Recently, the DeFi industry has seen a series of major security incidents, with projects such as Kelp DAO and Drift suffering massive thefts in quick succession and security defenses breached repeatedly. This has dealt a heavy blow to market confidence and prompted the industry to rethink risk and value. As these security incidents shattered the illusion of DeFi's unchecked growth, the hidden risks in popular sectors such as multi-chain deployment and re-staking have gradually come to light. We must pause, in the aftermath of these incidents, to re-examine the underlying security logic of DeFi and explore the path forward for the industry under risk pressure.
This issue of "Creator Says" focuses on "DeFi Security," and we invited April 2026 outstanding creators on Foresight News, including Web3 Xiao Lv, Biteye researcher Changan, BlockBooster researcher Kevin, Grvt Research Institute, 0xU Blockchain Club's Oscar, BiyaNews, JeanW, and Fu Gui to join this discussion.
We posed five questions, and below are the answers we gathered.
1. Massive thefts recently hit Kelp DAO and Drift, and DeFi security incidents have erupted in quick succession, noticeably cooling market confidence. Under the chain reaction of these security events, have your own on-chain positions and participation mindset changed? Have you begun to pull back funds and reduce DeFi participation, or do you still maintain your original allocation strategy?
Web3 Xiao Lv: First, let me correct the premise of the question. I am not a yield-type player (referring to yield arbitrage players who earn interest from on-chain mining and staking)—holding USDC/USDT is because it is a liquidation medium, not because it has yield. From this perspective, this round of events has not really changed anything for me because I didn't have a "mining position" to shrink in the first place.
Another point worth mentioning: what has run away this time is not DeFi, but DeFi yield (referring to the part of DeFi purely driven by mining/high yield). BUIDL (referring to BlackRock's US treasury token) is fine, ONDO (referring to RWA tokenization) is fine, CCTP (referring to USDC native cross-chain) is fine. The problem lies with those protocols that treat "yield itself" as a product. The market has long referred to "on-chain finance" and "DeFi yield stack" as DeFi, and this incident has simply forced a separation of the two curves in the public eye.
The on-chain finance camp is certainly not without spillover impact—Jefferies (a top international investment bank specializing in industry research reports for traditional institutions and asset management) reported after the Kelp incident that traditional institutions might reconsider the pace of tokenization. But we need to differentiate: that is the transmission of market sentiment, not a problem with the structure of RWA itself.
If there is a change in mindset—it reinforces my original judgment rather than undermines it. On-chain finance is undergoing a DeFi devolution.
Biteye researcher Changan: During a bull market, I actively move funds into on-chain projects to invest. The logic is simple: earn investment returns while waiting for airdrops. At that time, the overall market sentiment is rising, and project parties have enough incentives to keep operating, so this strategy works.
But now it’s different. In a bear market, funds are shrinking, and project income is declining, while the operational and security maintenance costs of protocols do not decrease concurrently. Under this pressure gap, the probabilities of running away and getting stolen will systematically increase.
Therefore, when participating in any on-chain investment project now, I first ask myself one question: who is making money from this project, and where is the money coming from?
If a protocol's source of income is unclear or mainly relies on token incentives to maintain APY, then it is essentially using future inflation to subsidize current users. Once the market is poor, token prices fall, and incentives shrink, this logic chain is broken.
My current standard is: only participate in projects that can prove their continued profitability, and I need to see clearly the real sources of income for the protocol. If I can't see it clearly, I would rather put my money in CEX investment. CEX at least won't run away in a bear market, and the safety margin for the principal is higher.
BlockBooster researcher Kevin: After the events of Kelp DAO and Drift, my first reaction was to clear all idle authorizations. This is a reflex reminder I get from every major security event.
In terms of position strategy, I made structural adjustments and defensive contractions: consolidating positions spread across five or six emerging protocols back into some time-tested top protocols while reducing the proportion of funds for participating in new projects from 10% to below 5%.
On the mindset level, I think the high incidence of security incidents is precisely the moment to differentiate between "real protocols" and "narrative bubbles." Protocols that stabilize their TVL in market panic are worthy of long-term attention.
Grvt Research Institute: In April, both Drift and Kelp DAO were attacked in less than three weeks, resulting in losses close to $600 million, with both incidents suspected to be attributed to a North Korean state-level hacker organization. The impact on the market is not just on the financial level but also on the confidence level.
Grvt was not practically affected in this round of events, but the process is worth mentioning. Our yield layer connected to Aave V3 as an external yield source, and after the Kelp DAO incident, the liquidity of USDT pools on Aave V3 rapidly depleted; at one point nothing could be withdrawn at all. Fortunately, prior to this, we had triggered the internal position review mechanism to assess potential exposures and liquidity risks, and we had completed withdrawals from that pool before liquidity ran out. This process also revalidates a fact: even if a protocol itself is not directly attacked, the highly interconnected DeFi ecosystem means risk transmission can be very rapid.
This incident also accelerated an established directional adjustment in our allocation logic. We had already planned to introduce more RWA as sources of yield, including tokenized assets like U.S. Treasury bonds and money market funds, to reduce reliance on the yields of single DeFi protocols. The chain reaction of security incidents has made us even more convinced that this direction is correct, and we will speed up our efforts in this regard. The core value logic of DeFi still holds, but it's a more responsible choice in the current market environment to diversify the yield structure better.
0xU Blockchain Club's Oscar: There has been a change. I have pulled out all positions on HyperEVM and will reassess the risk-return ratio of participating in DeFi.
To be honest, unless I employ some extremely aggressive circular lending strategies where APY exceeds 50%, most DeFi yields are now just a bit over 10%. But the risks that users have to bear are numerous, and many are opaque and unpredictable.
So currently, the risk-return ratio of DeFi is not especially appealing to me.
BiyaNews: This recent series of security incidents has indeed caused the market to begin reassessing the risk structure of DeFi. In the past few years, many users focused more on yields, airdrops, and capital efficiency. However, after these recent incidents, the market is starting to recognize a key issue: high yield often corresponds to more complex underlying risks.
Especially in directions like cross-chain, re-staking, and LSDFi, these are essentially built on highly composable structures. When the market is good, this structure amplifies yield efficiency, but once an underlying link experiences a problem, the risks get magnified simultaneously. Many users are superficially participating in a "yield enhancement" product, but beneath, it may already have incorporated cross-chain bridges, message verification layers, liquidity wrapping, and multi-protocol nesting.
Therefore, a noticeable change in the market recently is that people are starting to shift from "yield first" back to "safety first." Compared to the past focus solely on APY, more people are now looking at protocol audits, fund custody methods, underlying asset structures, and exit liquidity.
From the market sentiment perspective, the risk appetite for on-chain funds is also clearly declining. Some funds are starting to flow back into BTC, ETH, and stablecoins, while others are reducing participation in complex DeFi strategies, especially high APY long-chain combination strategies.
To some extent, this incident also indicates that DeFi is entering a new phase. In the past, the industry emphasized "capital efficiency," but the market is now increasingly valuing "risk transparency" and "system stability."
JeanW: There are indeed changes; half of my original positions have moved back to CEX, and the rest have become more diversified.
Fu Gui: To be honest, my mindset hasn't been greatly affected; I have a thicker skin. My DeFi positions were already quite diversified, so there was no direct impact overall. However, there are some real troubles—the Kelp DAO incident and the cascading effects of Aave led several vaults I was involved in to successively request withdrawals and clear funds, invalidating the original contracts. I learned about this rather late as I realized I couldn't deposit after preparing to do so, and I hadn't received any decent notification. Later, I casually checked DefiLlama and reinvested into a new vault (on-chain yield treasury / money pool).
In retrospect, I feel I should indeed establish a monitoring mechanism to track the health status of invested vaults in real-time. I cannot simply focus on interest rates; I also need to pay attention to contract statuses, TVL anomalies, project announcements, etc. I plan to write a monitoring program that can immediately notify me in case of anomalies. Overall, I still adhere to a diversified allocation; I won't put all my eggs in one basket.
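As an added illustration of the kind of monitor Fu Gui says he plans to write (this is example code, not his or any project's), the following Python flags the three things he names: contract status changes, TVL anomalies, and, as a proxy for subsidy-driven yield, sudden APY jumps. The snapshot format, thresholds, vault data and alert names are all constructed assumptions; a real monitor would fill `Snapshot` from on-chain reads and the project's announcement feed.

```python
# Added example (not from the article): a minimal vault-health monitor of the
# kind Fu Gui says he plans to write. It flags contract-state changes, TVL
# drawdowns and APY jumps from a series of snapshots. All names, thresholds
# and data below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    ts: int              # unix time of the snapshot (constructed)
    tvl_usd: float       # total value locked, USD
    paused: bool         # contract-level pause flag
    deposits_open: bool  # whether deposits are accepted
    apy: float           # advertised APY as a fraction (0.08 == 8%)


@dataclass(frozen=True)
class Thresholds:
    tvl_drop_pct: float = 0.25  # alert when TVL falls this far below the window high
    window_s: int = 24 * 3600   # look-back window for the TVL high
    apy_jump: float = 2.0       # alert when APY at least doubles between snapshots


def check_vault(snaps, th=Thresholds()):
    """Return a list of (ts, kind, detail) alerts, oldest first.

    A TVL drawdown raises one alert per episode, not one per snapshot, so a
    vault that keeps bleeding does not spam the operator.
    """
    alerts = []
    in_drawdown = False
    snaps = sorted(snaps, key=lambda s: s.ts)
    for i, cur in enumerate(snaps):
        prev = snaps[i - 1] if i else None
        # 1. contract status: pause or deposit gate flipped since the last snapshot
        if prev and cur.paused and not prev.paused:
            alerts.append((cur.ts, "PAUSED", "contract entered paused state"))
        if prev and prev.deposits_open and not cur.deposits_open:
            alerts.append((cur.ts, "DEPOSITS_CLOSED", "vault stopped accepting deposits"))
        # 2. TVL anomaly: drawdown versus the highest TVL in the look-back window
        window = [s for s in snaps[: i + 1] if cur.ts - s.ts <= th.window_s]
        high = max(s.tvl_usd for s in window)
        drop = (high - cur.tvl_usd) / high if high > 0 else 0.0
        if drop >= th.tvl_drop_pct and not in_drawdown:
            alerts.append((cur.ts, "TVL_DROP", f"TVL down {drop:.0%} from window high {high:,.0f}"))
        in_drawdown = drop >= th.tvl_drop_pct
        # 3. yield anomaly: a sudden APY jump usually means new subsidies, not new revenue
        if prev and prev.apy > 0 and cur.apy >= th.apy_jump * prev.apy:
            alerts.append((cur.ts, "APY_JUMP", f"APY {prev.apy:.2%} -> {cur.apy:.2%}"))
    return alerts


# Constructed hourly snapshots: a healthy vault that suddenly sees a 40% outflow,
# an APY spike, closed deposits and finally a pause.
SAMPLE = [
    Snapshot(0,     100_000_000, False, True,  0.08),
    Snapshot(3600,  101_000_000, False, True,  0.08),
    Snapshot(7200,   99_000_000, False, True,  0.09),
    Snapshot(10800,  60_000_000, False, True,  0.30),
    Snapshot(14400,  58_000_000, False, False, 0.30),
    Snapshot(18000,  58_000_000, True,  False, 0.00),
]


def alert_kinds(snaps=SAMPLE):
    """Convenience wrapper returning just the alert kinds, in order."""
    return [kind for _, kind, _ in check_vault(snaps)]


if __name__ == "__main__":
    for ts, kind, detail in check_vault(SAMPLE):
        print(f"t+{ts // 3600:>2}h  {kind:<15} {detail}")
```

The drawdown check compares against a rolling window high rather than the previous snapshot, so a slow bleed over several hours is caught as well as a single-block exit; the `in_drawdown` flag turns that into one alert per episode, which is what you want feeding a pager.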
2. The core root of these multiple large-scale attacks is concentrated in the vulnerabilities of cross-chain bridges, cross-chain messaging layers, and single-point trust risks. Based on your own multi-chain experience in DeFi, do you think the "cross-chain" narrative is being overhyped and that the underlying security risks have been overlooked? What key points should ordinary users be cautious about when participating in multi-chain DeFi?
Web3 Xiao Lv: The problem with cross-chain is not whether the narrative is overheated, but rather that it has always been an architectural compromise, not the architecture itself. The L1/L2 war has left a wound; cross-chain bridges are merely temporary instruments to stitch that wound together—treat them as the backbone and they will inevitably collapse.
When Chainalysis did a post-event analysis of the Kelp incident, it stated very plainly: cross-chain bridges operate correctly according to their design; they just believed incorrect information. This should be nailed on every cross-chain product manager's desk. The issue wasn't a contract bug; it was the collapse of the underlying trust assumptions—this precisely indicates that such a "makeshift connection" structure is the problem, not some random failure of implementation.
It's worth noting that industry directions are changing. From trustless bridges to trusting the issuer: USDC is now natively issued on 28 chains (not as wrapped tokens), with CCTP V2 connecting 17 of them, relying on Circle as the issuer to burn on the source chain and mint on the destination chain, with no locking pools that can be attacked. This is the structurally superior aspect of stablecoins over ETH/BTC concerning cross-chain issues—USDC has an issuer who can bear the accounting responsibility of "the same asset, different chains," unlike ETH where no one can assume that role.
A piece of advice for ordinary users: Do not move large sums of value through a third-party cross-chain bridge; use the issuer's native channel. If the asset you want to use only has a wrapped version on a chain, that chain is not yet truly ready for it.
Biteye researcher Changan: I believe the risks of cross-chain bridges have always existed; several significant theft events in history have occurred on cross-chain bridges.
Because cross-chain is essentially not just "moving assets over," it involves many complex mechanisms including message verification, asset mapping, verification nodes, and multi-signature permissions. The more chains and bridges there are, the larger the attack surface of the entire system will be.
I think the most important thing is to minimize unnecessary risk exposure. Here are two habits I would pay attention to:
- Cancel authorizations immediately after cross-chain completion.
- Try to use CEX as a cross-chain bridge.
For ordinary users, I actually recommend that they complete asset switches within the exchange's internal system as much as possible to minimize complex risks.
Moreover, many exchanges have already developed integrated functionalities for "wallet + cross-chain + multi-chain recharge," which, from the perspective of experience and security, should be sufficient for most users.
BlockBooster researcher Kevin: The cross-chain narrative has not been "overhyped," but the underlying risks of cross-chain have indeed been seriously underestimated—these are two different issues. The multi-chain ecosystem is an inevitable trend in the development of DeFi, but during the narrative stage, the market habitually compresses technological complexity into a phrase like "seamless cross-chain experience," creating a false sense of security for users.
My own experience participating in multi-chain DeFi tells me: cross-chain bridges are the weakest link in the entire process. They not only concentrate funds but also trust assumptions—you must trust the source chain contract, the destination chain contract, and the intermediary message verification layer simultaneously; if any part of this chain has a problem, the loss is total.
When ordinary users participate in multi-chain DeFi, I believe they need to control the amount for each cross-chain transaction and not transfer large amounts of assets all at once; split operations can effectively reduce single-point losses. Secondly, after cross-chain, check the authorization status on the destination chain immediately, as many attacks occur during the user's post-cross-chain authorization window.
Cross-chain is infrastructure, but at present, it is not "safe infrastructure."
Grvt Research Institute: The technical root cause of the Kelp DAO incident is very typical. It used a 1-of-1 validator configuration when employing the LayerZero cross-chain bridge, solely relying on a single node to validate the authenticity of cross-chain messages. After the attacker DDoS-ed the normal RPC node, they replaced it with their own controlled node, and the validator accepted malicious messages as legitimate. This vulnerability is not complex, but it exists because, in the pursuit of deployment speed, security boundaries were quietly lowered.
From actual experience participating in multi-chain DeFi, there is indeed an issue of "cross-chain" narratives being overly simplified. Many projects equate the feasibility of multi-chain deployment with security. Still, what users see when they use it is a smooth front-end interface; the underlying trust assumptions are entirely invisible.
For ordinary users, the three points they should be most cautious about are: first, understanding which bridge the protocol's cross-chain assets flow through and what the verification mechanism for that bridge is; second, whether there is a lock-up period or single-point custodianship for funds during the cross-chain process; and third, being highly wary of cross-chain yields that are significantly higher than similar products on a single chain, as such premiums often correspond to underestimated bridging risks.
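To make the 1-of-1 point above concrete from the receiving side, here is an added toy model of a message-verification quorum (example code, not LayerZero's or Grvt's). The destination accepts a cross-chain message only when at least `threshold` distinct registered verifiers attest to it. HMAC-SHA256 stands in for the real signature scheme, and the verifier ids, keys and message are constructed assumptions.

```python
# Added example (not from the article or from LayerZero): a toy model of the
# message-verification quorum Grvt Research describes. Each verifier attests
# to a cross-chain message; the receiving side accepts it only when at least
# `threshold` distinct registered verifiers agree. HMAC-SHA256 stands in for
# the real signature scheme, and all keys, ids and messages are constructed.
import hashlib
import hmac
import json


def canonical(message: dict) -> bytes:
    """Deterministic encoding so every verifier attests to the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def attest(verifier_key: bytes, message: dict) -> bytes:
    """One verifier's attestation that it observed `message` on the source chain."""
    return hmac.new(verifier_key, canonical(message), hashlib.sha256).digest()


def verify_quorum(message: dict, attestations: dict, registry: dict, threshold: int) -> bool:
    """Accept `message` only if >= threshold distinct registered verifiers attest to it.

    attestations: verifier_id -> attestation bytes (as delivered to the destination)
    registry:     verifier_id -> key of each verifier the receiver is configured to trust
    """
    if not 1 <= threshold <= len(registry):
        raise ValueError("threshold must be between 1 and the number of registered verifiers")
    agreeing = set()
    for vid, mac in attestations.items():
        key = registry.get(vid)
        if key is None:
            continue  # attestations from unregistered parties carry no weight
        if hmac.compare_digest(mac, attest(key, message)):
            agreeing.add(vid)  # a set, so one verifier cannot be counted twice
    return len(agreeing) >= threshold


# Constructed verifier keys; in practice these belong to independent operators.
KEYS = {"dvn-a": b"constructed-key-a", "dvn-b": b"constructed-key-b", "dvn-c": b"constructed-key-c"}
MESSAGE = {"src": "chain-1", "dst": "chain-2", "nonce": 7, "action": "mint", "amount": 1000}


def compare_configs():
    """Show how the same single attestation fares under 1-of-1 and 2-of-3 configs."""
    single = {"dvn-a": attest(KEYS["dvn-a"], MESSAGE)}
    full = {vid: attest(k, MESSAGE) for vid, k in KEYS.items()}
    return {
        # 1-of-1: whatever dvn-a reports is final; its key is the whole trust boundary
        "one_of_one_single": verify_quorum(MESSAGE, single, {"dvn-a": KEYS["dvn-a"]}, 1),
        # 2-of-3: one verifier alone, honest or not, cannot make the destination accept
        "two_of_three_single": verify_quorum(MESSAGE, single, KEYS, 2),
        "two_of_three_full": verify_quorum(MESSAGE, full, KEYS, 2),
    }


if __name__ == "__main__":
    for name, ok in compare_configs().items():
        print(f"{name:<22} accepted={ok}")
```

The contract logic is identical in both configurations; only the registry and threshold differ. That is the point the incident makes: with a 1-of-1 setting, the correctness of the verification code is irrelevant once the single verifier's view of the source chain can no longer be trusted, whereas raising the threshold means no one verifier's report is sufficient on its own.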
0xU Blockchain Club's Oscar: I feel that most ordinary DeFi players actually do not truly understand what the underlying risks are, nor do they know what protective mechanisms a DeFi project should have in terms of security design. These are all very technical matters.
For instance, it was only after the Drift and Kelp DAO events that I became more aware of the importance of certain mechanisms, such as:
Withdrawal rate limits, single-transaction/daily withdrawal caps, default fund flow whitelists, and mandatory timelocks, etc.
Thus, for ordinary users, the most important thing to remember is: why can these protocols offer such high genuine yields? High yields must entail risk premiums.
If a protocol can provide an APY significantly higher than the traditional risk-free rate, it must mean that users are assuming certain additional risks. Therefore, when participating in DeFi, one must control positions and not expose money that should not be risked.
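The controls Oscar lists (withdrawal rate limits, per-transaction and daily caps, a default fund-flow whitelist, and a mandatory timelock) interact, and the interaction is easiest to see in a small simulation. The following is an added example in Python, not code from Drift, Kelp DAO or any other protocol; every limit, address and timestamp in it is a constructed assumption.

```python
# Added example (not from the article or any named protocol): a simulation of
# the treasury controls Oscar lists, so the interaction between them is
# visible. Every limit, address and timestamp below is constructed.
from collections import deque
from dataclasses import dataclass


class Rejected(Exception):
    """A withdrawal that one of the controls refused; str(e) gives the reason."""


@dataclass(frozen=True)
class Limits:
    per_tx_cap: int   # single-transaction withdrawal cap
    daily_cap: int    # rolling-window withdrawal cap
    timelock_s: int   # mandatory delay between request and execution
    window_s: int = 24 * 3600


class WithdrawalGuard:
    def __init__(self, limits: Limits, whitelist):
        self.limits = limits
        self.whitelist = set(whitelist)   # default fund-flow whitelist
        self.pending = {}                 # request id -> (to, amount, earliest execution time)
        self.executed = deque()           # (ts, amount) of executions inside the rolling window
        self._next_id = 1

    def request(self, to: str, amount: int, now: int) -> int:
        """Queue a withdrawal; cheap checks run here so bad requests never enter the queue."""
        if to not in self.whitelist:
            raise Rejected("recipient not on whitelist")
        if amount <= 0:
            raise Rejected("amount must be positive")
        if amount > self.limits.per_tx_cap:
            raise Rejected("exceeds per-transaction cap")
        wid = self._next_id
        self._next_id += 1
        self.pending[wid] = (to, amount, now + self.limits.timelock_s)
        return wid

    def cancel(self, wid: int) -> None:
        """Guardian veto: the timelock exists so a queued withdrawal can still be stopped."""
        self.pending.pop(wid, None)

    def spent_in_window(self, now: int) -> int:
        """Total already withdrawn inside the rolling window ending at `now`."""
        while self.executed and now - self.executed[0][0] >= self.limits.window_s:
            self.executed.popleft()
        return sum(amount for _, amount in self.executed)

    def execute(self, wid: int, now: int):
        if wid not in self.pending:
            raise Rejected("unknown or cancelled request")
        to, amount, eta = self.pending[wid]
        if now < eta:
            raise Rejected("timelock has not expired")
        if self.spent_in_window(now) + amount > self.limits.daily_cap:
            raise Rejected("exceeds rolling daily cap")
        del self.pending[wid]
        self.executed.append((now, amount))
        return to, amount


def outcome(action, *args) -> str:
    """'ok' or the rejection reason, so a sequence of attempts can be listed and tested."""
    try:
        action(*args)
        return "ok"
    except Rejected as e:
        return str(e)


def scenario():
    """Walk a treasury through the controls; returns the outcome of each step in order."""
    guard = WithdrawalGuard(Limits(per_tx_cap=100, daily_cap=250, timelock_s=3600), {"ops-wallet"})
    steps = []
    steps.append(outcome(guard.request, "unknown-wallet", 50, 0))   # not whitelisted
    steps.append(outcome(guard.request, "ops-wallet", 150, 0))      # over per-tx cap
    w1 = guard.request("ops-wallet", 100, 0)
    steps.append(outcome(guard.execute, w1, 600))                   # timelock still running
    steps.append(outcome(guard.execute, w1, 3600))                  # ok
    w2 = guard.request("ops-wallet", 100, 3600)
    steps.append(outcome(guard.execute, w2, 7200))                  # ok, 200 spent in window
    w3 = guard.request("ops-wallet", 100, 7200)
    steps.append(outcome(guard.execute, w3, 10800))                 # would exceed daily cap
    steps.append(outcome(guard.execute, w3, 3600 + 24 * 3600))      # w1 has left the window
    w4 = guard.request("ops-wallet", 50, 90000)
    guard.cancel(w4)
    steps.append(outcome(guard.execute, w4, 95000))                 # vetoed during timelock
    return steps


if __name__ == "__main__":
    for i, result in enumerate(scenario(), 1):
        print(f"step {i}: {result}")
```

Two design choices matter here. The whitelist and per-transaction cap are checked at request time, so an ill-formed request never sits in the queue, while the daily cap is checked at execution time against what has actually left the treasury in the rolling window, because that is the only moment the figure is known. The timelock is what turns a drained-in-one-block incident into a window in which a guardian can call `cancel`; without it the other limits only slow an attacker down.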
BiyaNews: In the past few years, "multi-chain" has almost become the industry's default direction, but compared to the convenience brought by cross-chain, the market's focus on underlying security issues has actually been relatively low.
Many users see "assets can cross chains," but what really determines security is "who verifies that this cross-chain message is true." This layer is often the most easily overlooked.
Whether it be Poly Network, Multichain, or the recent resurgence of discussions surrounding cross-chain message verification layers, they fundamentally address one issue: the biggest risks in cross-chain often do not lie in the chains themselves, but in the intermediary layers between chains.
Many bridges or message protocols appear decentralized, yet may still rely on multi-signature mechanisms, a small number of validation nodes, relay networks, or specific message layers at their core. As long as any part of these links experiences an issue, risks will swiftly transmit to the asset layer.
And one thing that ordinary users are most likely to overlook is that what they bear is not just "asset price fluctuation risk," but also the additional risk of third-party trust. Especially for cross-chain wrapped assets, multi-layer yield nested protocols, and high APY combination strategies, the more complex the product structure, the harder it often is to identify the underlying risks.
Thus, the market has begun to reassess a question: there is nothing wrong with multi-chain itself, but in the past, the industry expanded TVL by continuously increasing cross-chain complexity. This model may have already exceeded the ordinary user's risk identification capability.
JeanW: I don't think the narrative has been overhyped; rather, the convenience brought by the products leads users to a certain extent to "ignore" their inherent risks. Moreover, the industry cannot stop developing due to risks; progress is made step by step. Participating in multi-chain DeFi is essentially the same as participating in DeFi; the dark forest is not a hypothesis, it is a fact.
Fu Gui: Personally, it feels like cross-chain has never been overhyped compared to other narratives; it is instead a necessity—for project parties as well as for users. Nowadays, whether it's L1 or L2, initiating chains usually needs to be paired with cross-chain bridges and DEX-related infrastructure. Even if cross-chain bridges do not have a large user base, many project parties will encourage or even build their own cross-chain channels, as they provide an independent entry point for funds.
From the user side, current cross-chain protocols are increasingly integrating towards the B-end, allowing ordinary users to operate through aggregators or wallets, where they hardly perceive the existence of cross-chain bridges; intelligent routing will automatically recommend the optimal path, and selecting the lowest fee rate will suffice. As long as users ensure their wallet has sufficient gas, do not select the wrong target chain and target address, and do not arbitrarily authorize untrusted contracts, the risks for ordinary users are actually quite limited. Quick bridges generally complete cross-chain transfers in a few minutes to tens of minutes, involving only 1-2 transactions. Of course, transferring large amounts of funds via quick bridges may not be cost-effective; there can be limits, and fees are not low, so opting for CEX might be more practical. Mainstream chains can also use USDC's CCTP, which is safe, convenient, and low cost.
Compared to the technological risks of cross-chain itself, what's more concerning are the subjective risks of project parties and cross-chain bridge operators—including running away, pitfalls after contract upgrades, and the undercurrents of risks one might bear as a liquidity provider for vaults.
3. This round of security incidents has also had ripple effects on top protocols like Aave, with re-staking and LSDFi becoming channels for rapid risk transmission. Have you personally participated in the re-staking or LSDFi track? What easily overlooked implicit risks have you encountered? Do you think these types of products are a supplemental source of DeFi yields, or that they covertly magnify risks as hidden leverage?
Web3 Xiao Lv: My professional role is as a researcher, not a yield hunter (profit-driven players), so I haven't invested heavily in LSDFi. But as an observer, I have some judgments about the structure of these products.
The essence of re-staking is the re-staking of collateral. The term "shared security" (a promotional term for the re-staking track: using the same staked asset to support the network security of multiple public chains) sounds innovative, but structurally it means that a single margin must bear multiple slashing conditions—like packaging the same subprime loan into different CDO tranches (a core financial structure of the 2008 financial crisis, where a batch of poor assets was bundled and sold to different investors at different risk levels); structurally analogous. Back then, it was called credit enhancement; today, it's called shared security; the name has changed, but the account is still the same. LSDFi builds on this with another layer of wrapped derivatives (re-packaging staking receipts into tradable derivative tokens); each additional layer expands the radius of infection for single-point failure.
This round of Kelp incidents serves as an empirical example of this contagion path. Kelp was hacked for $292 million, which appears to be a localized accident; however, the downstream Aave, receiving rsETH as collateral, had to bear an estimated $200 million in bad debts, causing about $9 billion in TVL to flow out of the entire DeFi within two days. The so-called "implicit risk" is not due to a bug in a particular contract but is based on correlation risks—once an underlying asset is destabilized or a layer is slashed, all upper-level products simultaneously enter a liquidation spiral. This path is usually invisible but becomes apparent during incidents.
It's not a yield stack, it's a leverage stack.
Biteye researcher Changan: Re-staking and LSDFi are essentially supplemental yields, but the yield they supplement inherently comes from assuming additional risks.
Many people view re-staking as "a higher-yield estimate," but in essence, it constantly layers on more risk. You stake an asset, receive a receipt, and then keep using that receipt for loans, re-staking, and yield enhancements, and with every layer of nesting, yields can increase, but risks also rise simultaneously.
This round has highlighted this issue significantly, showing how once underlying assets exhibit anomalies, risks can swiftly spread through the collateral, lending, and liquidation chain, ultimately leading to a cascade failure.
When ordinary users engage with these products, I believe the most critical thing is not to first look at APY, but rather to clarify how many layers their assets are going through, what assets the lowest layer depends on, and how risks will transmit to them if issues occur in the underlying.
BlockBooster researcher Kevin: I have studied the early points stage of EigenLayer and liquidity mining on multiple LRT protocols. My understanding is that re-staking is essentially a conditional leverage, simultaneously offering yield supplements and risk amplifications; the key lies in whether you truly understand the conditions.
The most easily overlooked implicit risks in practice include: the chain reaction of slashing—when you stake ETH with EigenLayer and then enter Pendle or Aave via LRT, if the underlying AVS triggers slashing, your principal will not only be affected, but the pricing anchor of the entire LRT will also loosen, leading to a chain liquidation; also, liquidity illusions—many LRTs claim "liquidity re-staking," but under extreme market conditions, the liquidity depth of the secondary market often lacks enough support for large exits, with de-pegging risks larger than anticipated; lastly, the opacity of yield sources—some LSDFi's high APY relies on protocol token subsidies, and once the subsidies decline, true yield may not even cover gas fees.
I tend to classify re-staking as a "conditional yield enhancement tool," suitable for users who understand the underlying mechanisms and can accept long lockup periods. Ordinary retail investors should keep LRT positions limited to 5%-10% of their total position and only participate in top protocols with sufficient TVL.
Grvt Research Institute: The reason for the substantial impact of this Kelp DAO incident is largely due to rsETH being heavily used as collateral in other protocols. When the backing of rsETH encounters problems, top protocols like Aave, SparkLend, and others are forced to urgently freeze relevant markets, and risks transmit nearly in real-time.
In practice, there are several implicit risks in the re-staking space that are easily overlooked. First is liquidity fragility: re-staking tokens often seriously de-peg under pressure scenarios, where liquidity is worst and exit costs are extremely high. Second, there’s the complexity of contract layers: the risks in re-staking protocols aren’t confined to one contract; they comprise layers of staking, re-staking, and yield layers, where any one layer having a problem could penetrate upwards. Third, yield source opacity: many LSDFi's high APY mixes token incentives with true protocol revenue, and once incentives decline sharply, liquidity quickly withdraws, leaving those who remain with a majority of tail risks.
Overall, I lean towards viewing the current shape of re-staking as more like implicit leverage rather than simply a yield supplement. It layers several times the risks on the same principal amount, suitable for high-risk tolerance users participating with small positions, and unsuitable as a core allocation.
0xU Blockchain Club's Oscar: I have participated. The biggest implicit risks of re-staking and LSDFi, I believe, are liquidity runs and staked assets de-pegging.
I first clearly felt this risk during the Luna collapse when stETH de-pegged. At that time, 1 stETH was no longer equal to 1 ETH, but many DeFi users would usually default to using staked assets as if they were native assets, even directly putting them into lending protocols as collateral.
If the market experiences large-scale liquidations, leveraged positions will be forced to unwind, causing substantial chain damage.
Additionally, many users are easily attracted by high APY/APR, but the definitions of APR and APY can be confusing, and these yields are inherently dynamic. To truly make money, continuous monitoring of positions and yield changes is essential.
Thus, these types of products are not as simple as they seem, and they often amplify risks.
BiyaNews: LSDFi and re-staking are actually further extensions of DeFi towards "capital efficiency." These types of products expanded rapidly in the past, significantly because they offered users a relatively stable asset option that yielded higher returns.
But the real problem is that many risks are not directly exposed, but hidden within asset correlations and protocol nestings.
For example, many users on the surface appear to diversify their allocations—one portion doing LST, another doing re-staking, and another doing stablecoin LP—but at the core, all may rely on the same ETH collateral system. Once the underlying liquidity, cross-chain bridges, or verification networks encounter issues, risks will spread in tandem.
This is also why more and more people are beginning to realize that DeFi's "composability," to some extent, is also a "risk composability."
There are also several problems that are relatively easy to overlook. The first is liquidity illusion, where many re-staked assets may seem highly liquid, but under extreme conditions, the real capability to absorb sell pressure may fall far short of expectations. The second is governance and upgrade risks; many protocol parameters, whitelists, or verification rules fluctuate, and it is quite challenging for ordinary users to keep track constantly. The third pertains to the sources of yield; some high APY primarily rely on token incentives rather than real cash flows.
Thus, at this current stage, re-staking and LSDFi resemble "enhanced yield tools" more than low-risk investment products. The increase in yield ultimately still corresponds to leveraged risks.
JeanW: I have participated in LSDFi very little, finding the "nesting" too aggressive. However, I hold a relatively positive view of this type of product; it indeed offers higher yields for those with greater risk tolerance, but it is simply not suitable for me.
Fu Gui: I haven't personally participated in re-staking or LSDFi products, mainly investing through aggregators into vaults where strategies are automatically rolled. However, many of the vaults I invested in have underlying products of this type; they just added a layer of packaging, and the user perception is not significant.
If we're talking about implicit risks, I think the core lies in several points:
Nesting risks are opaque. Many vaults are layered with re-staking, which on top of that may pile LSDFi, presenting users with an APY number, but the underlying may already be three or four layers of protocol nesting. If any layer encounters a problem, the risks will rapidly transmit upwards, and users often do not learn of it immediately.
Liquidity mismatch. The exit mechanism for re-staked assets usually has a lock-up period or queue. If the market exhibits anomalies and one wishes to exit quickly, they may find that liquidity is severely insufficient. What looks like high yield is in fact bought with liquidity.
Liq...