Binance · · 12 min read

Does DeFi have a security problem? Plus, 21Shares on Crypto and the Securitize IPO. The Intersection Weekly (#21)

Does DeFi have a security problem? Plus, 21Shares on Crypto and the Securitize IPO. The Intersection Weekly (#21)
Photo by Towfiqu barbhuiya / Unsplash

Welcome to the weekly letter (#21) from TheIntersection team. Our aim is simple: to decode and deconstruct the world of real-world asset tokenisation, stablecoins and DeFi for mainstream professional investors.

In this issue:

  1. News: The Securitize IPO kicks off
  2. Data: 21Shares takes stock of 2026 so far
  3. Analysis: Does DeFi have a security problem?
  4. Our weekly events round-up

 And it's all free! Before we dive in, one request: please forward this weekly letter to anyone you think might be interested. We also very much welcome feedback (and contributors). If you want to email us, just drop an email to us at teams@theintersection.news.

News in Brief

Tokenised stocks prove the case for 24/7 markets. New research from Binance shows tokenised equities continued trading through a 65-hour weekend while traditional exchanges were closed. By the time markets reopened, prices had independently adjusted and closely aligned with Monday's opening levels.
Why it matters: Continuous trading could make tokenised markets a valuable complement to traditional exchanges, enabling real-time price discovery beyond standard market hours.

DTCC advances blockchain interoperability testing. The Depository Trust & Clearing Corporation (DTCC) has completed a cross-blockchain interoperability test as it prepares to roll out tokenised settlement infrastructure for institutional markets. Why it matters: Interoperability will be essential if tokenised assets are to move seamlessly across different blockchain networks and existing financial infrastructure.

IMF reinforces tokenisation's long-term significance. The International Monetary Fund's Tokenized Finance report describes tokenisation as a "structural reconfiguration" of financial markets, arguing that it fundamentally changes how assets, collateral and settlement systems interact.
Why it matters: Global policymakers increasingly view tokenisation as a core component of future financial infrastructure rather than a niche blockchain application.

Deep Dive — Securitize's NYSE debut gives tokenisation its first public market test

The Top Line

For years, investors wanting exposure to tokenisation have had to buy the assets being tokenised—not the companies building the infrastructure. Securitize's debut on the New York Stock Exchange changes that. As the first pure-play tokenisation company to go public, it gives public market investors a direct way to back one of the sector's leading infrastructure providers.

The Details

Securitize will begin trading on the NYSE under the ticker SECZ after shareholders approved its merger with Cantor Equity Partners II. The listing values the company at around $1.25 billion and marks a significant milestone for the tokenisation industry. The company isn't issuing tokenised assets itself—it provides the infrastructure that allows financial institutions to do so.

Over the past two years, Securitize has become one of the largest tokenisation platforms in the market, working with firms including BlackRock, Apollo, KKR and VanEck. Its best-known product is BlackRock's BUIDL fund, now one of the world's largest tokenised money market funds. The listing also comes at a time when tokenisation is shifting from pilot projects to production. Banks, exchanges and asset managers are increasingly building blockchain into existing market infrastructure, while firms such as DTCC, Nasdaq and the NYSE are developing services for tokenised securities. That puts Securitize in a different position from many crypto companies that have listed in recent years. Its business is tied less to cryptocurrency prices and more to institutional demand for tokenised funds, bonds, private credit and equities. As more financial assets move on-chain, demand for issuance, compliance, transfer agency and fund administration services is expected to grow alongside them.

21Shares takes stock of 26 so far

21Shares has just published its mid-year State of Crypto update, taking stock of how its 2026 predictions are playing out in practice. Six months in, the picture is more mixed than expected. While the structural direction remains intact, the report highlights where adoption is ahead of schedule and where reality has proven more uneven. Key takeaways:

  1. Bitcoin is showing signs of maturity, but the traditional four-year cycle is still holding for now rather than breaking completely.

“Bitcoin has also, so far, avoided the outright capitulation that defined earlier downturns – it has not yet traded below its aggregate cost basis of $54,000….The number of wallets holding BTC continues to grow, and our year-end base case is a recovery toward $100,000 rather than a breakout to new all-time highs”.

  1. Crypto ETP adoption continues to broaden institutionally, though AUM has fallen short of earlier expectations due to price moves rather than lack of demand. 

“By May 2026, total global crypto ETP AUM stood at roughly $140 billion, down around 15% year-to-date, with Bitcoin ETPs accounting for approximately $110 billion."

·3. Stablecoins are seeing steady growth and stronger regulatory backing, but the $1T milestone now looks at least a year away.

“The growth is also broadening beyond the dollar. Non-USD stablecoins reached an all-time high of roughly $2 billion in circulation, up more than 40% this year alone.8 And the incumbents are moving: Visa, Mastercard, Stripe, and Coinbase are reportedly in talks to launch a joint stablecoin platform in the US, while Japan’s three megabanks – MUFG, SMBC, and Mizuho – have announced a jointly issued, trust-based stablecoin for early 2027,9 targeting $7 billion in issuance by 2028. When the giants of payments and banking start building their own rails, the question is no longer whether adoption will come. A more realistic year-end range is $400–600 billion, reflecting steady growth across trading, cross-blockchain transfers, and remittances – rather than the sudden acceleration our original call assumed. The direction is right; the timeline was simply ahead of the adoption curve. “

  1. Progress in DeFi and tokenized assets is proving more uneven, with security issues and measurement challenges slowing momentum in the near term.

“TVL stands at roughly $140 billion, and the trajectory has been disrupted by a brutal year for security: more than $840 million lost to exploits across 50+ incidents so far in 2026, roughly 70% more than the same period last year, with April marking the worst month in DeFi’s history. The KelpDAO exploit alone saw close to $300 million stolen and triggered more than $13 billion in outflows within two days, rattling institutional confidence in restaking in particular …Hyperliquid, the onchain exchange for all financial assets, continues to generate over $1 billion in annualized revenue and returns the vast majority of that value to token holders through buybacks – and is up more than 100% year-to date. Morpho, the lending engine behind Coinbase’s cryptobacked loans, has become the most valuable lending company in this space, surpassing Aave in market capitalization at over $1.2 billion”  

Overall, the report underscores a shift from narrative-driven growth to a more fundamentals-led phase, with capital becoming more selective and real-world use cases starting to differentiate. The full report is HERE

 

Does DeFi have a security problem? The Kelp Exploit

by John Gray

 One of the biggest heists in DeFi history took place earlier this year. The story received little mainstream attention, however, despite the fact the total value of the haul was nearly $300m (for context, that’s three times the value of the jewels stolen from the Louvre in 2025). Part of the reason for this lack of coverage was that the exploit involved some fiendishly complex technical processes. Even to explain the basics of what happened requires an in-depth understanding of how blockchains work.  

In this sense, the Kelp DAO exploit of April 2026 goes right to the heart of how DeFi works, and tells us a great deal about the challenges it currently faces. Let’s start by unpacking what happened in non-technical terms, then move on to what the exploit reveals about broader cybersecurity risks in DeFi.

What is Kelp DAO?

Kelp DAO is a liquid restaking protocol built on top of the Ethereum ecosystem. Restaking is one way investors can seek to earn returns in DeFi, as The Intersection recently outlined. Users deposit assets such as ETH or liquid staking tokens with Kelp, which then restakes them through a protocol called EigenLayer. In return, users receive rsETH, a tradable token that represents their claim on those assets. They can then deploy rsETH elsewhere in DeFi for further yield.

 In its own words, the protocol offers “steady, on-chain rewards through curated DeFi strategies, built for ETH holders who want reliable yield without active management.” The key idea is that, instead of sitting on your ETH as you might do with bitcoin, you can make it “work harder”. In a sense, Kelp is trying to do for crypto what a money market fund or structured income product does in TradFi: take a relatively simple asset and layer additional income-generating activities on top of it.

 The risks of restaking: a checklist

 The catch is that this extra yield doesn’t come for free. It involves assuming additional risks, on top of the market risk of holding the cryptocurrency in the first place. One is smart-contract risk, or the possibility that a flaw in the underlying code could allow funds to be stolen, frozen or otherwise mishandled. Another is bridge risk, which arises whenever assets move between different blockchains. These bridges are among the most complex components of the DeFi ecosystem and have been frequent targets for attackers.

 Bridge risk is really a category of infrastructure risk. Even if the blockchain itself remains secure, DeFi protocols often depend on external information sources and server networks to function properly.

 Then there’s governance risk, which reflects the fact that many protocols are controlled by token holders or small groups of developers, whose decisions can alter the system's rules. Finally, there is liquidity risk: in periods of market stress, it may become difficult to sell or redeem assets at their expected value, leaving investors unable to exit positions without taking a hit. In the case of Kelp DAO, the risk that ultimately manifested was in the bridge infrastructure used to verify and relay information between different blockchains.

 The Kelp caper

 On 18 April 2026, attackers reportedly linked to North Korea’s Lazarus Group drained about 116,500 rsETH (worth roughly $292m) from Kelp DAO. At the time, that represented around 18% of the token’s circulating supply. Crucially, the exploit targeted neither the protocol’s smart contracts nor the blockchain itself, but Kelp’s bridge infrastructure, which relied on the cross-chain messaging protocol LayerZero. The bridge was supposed to release rsETH on one chain only after verifying that an equivalent amount had been burned on another chain. The attackers convinced the bridge’s verification system that such a burn had occurred, when, in fact, it had not.

 As Chainalysis framed it in a highly technical dissection of the exploit, “the rsETH released on Ethereum had no matching burn anywhere upstream. The result was unbacked supply entering circulation.” In other words, the system was tricked into creating rsETH out of thin air, effectively leaving millions of dollars’ worth of phantom collateral in circulation.

Three-step recovery

Kelp and its partners moved quickly to limit the damage. The first priority was containment. Kelp paused its contracts within about 46 minutes of the initial drain, reportedly preventing at least two further attempts that could have stolen another $100m. Lending protocols such as Aave froze rsETH markets to stop the contagion spreading.

 Then, because much of the stolen rsETH had been deposited into lending markets as collateral, Kelp, Aave and other ecosystem participants formed a coalition – known as DeFi United, as detailed below – to neutralise the unbacked tokens, absorb bad debt, and gradually restore the missing backing. Kelp pledged to replenish the entire stolen amount, around 117,000 rsETH, before reopening withdrawals and resuming normal operations. On 25 May, it announced that the final tranche of 20,373.72 rsETH had been transferred to its LayerZero smart contract, and declared the operational phase of the recovery complete.

The final stage was remediation. Kelp hardened its bridge infrastructure and moved away from the single-verifier configuration identified as the exploit’s critical point of failure.

 Collateral damage

 The Kelp DAO exploit sent shockwaves through the DeFi lending market, exposing the sector’s deep interconnections. After using much of the stolen rsETH as collateral on Aave, the attacker left the platform with around $190m in bad debt, triggering a wave of withdrawals. The crisis helped drive Aave’s total value locked (TVL) from $26.4bn to below $14bn, costing it its position as DeFi’s largest protocol. Thus, although Aave itself was not hacked, it became one of the principal casualties of the exploit because it had accepted rsETH as collateral, as it outlined in its post mortem.

 The protocol eventually restored normal operations and recovered much of the damage, but the episode served as a reminder that, in DeFi, a vulnerability in one protocol can rapidly spread through many others. The systemic risk lies not only in the security of individual protocols, but in the connections between them.

 DeFi united

One interesting outcome of the Kelp exploit was the emergence of DeFi United, the industry-wide coalition spearheaded by Aave to coordinate the recovery of rsETH. Faced with the prospect of losses cascading through multiple protocols, participants worked together to restore the token’s backing and stabilise affected markets. As The Defiant noted at the time, “the worst-case scenario for DeFi seemed to be in motion. Then something unprecedented happened: the community plugged the hole itself.”

The episode raises a larger question about the future of DeFi. On one hand, DeFi United demonstrated that the ecosystem can respond collectively to a major crisis, limiting the damage from an attack that might otherwise have spread much further. On the other, critics argue that such interventions risk introducing a form of moral hazard, insulating protocols from the consequences of poor security practices and creating a crypto equivalent of the traditional financial system's “too big to fail” institutions. But let’s leave the niceties of this vastly important argument to a future article, and return to our initial question.

 Does DeFi have a cybersecurity problem?

 As it happens, the Kelp exploit came on the heels of another DeFi exploit.

 On 1 April 2026, attackers stole $285m from Solana’s Drift Protocol — more than half of the platform’s TVL — in an operation that was similarly linked to North Korean actors. According to Drift’s account, the attackers spent months cultivating trust before tricking Security Council members into signing transactions that ultimately handed over administrative control of the protocol. They then approved a worthless token as collateral and used it to withdraw hundreds of millions of dollars in genuine assets.

 The key point here is that the Solana exploit was not really a hack in the traditional sense. Indeed, it was closer to an old-school con job, in which the human element was definitive.  Taken together, the Kelp and Drift exploits tell us a lot about DeFi's current security landscape. Early critiques of DeFi focused on buggy smart contracts: poorly written code that could be exploited to drain funds. Those vulnerabilities certainly still exist. But many of the most consequential attacks now target the people, governance systems, and infrastructure surrounding the blockchain, rather than the blockchain itself.

 The Kelp and Drift incidents illustrate this shift. In one case, attackers allegedly compromised the infrastructure used to verify information between blockchains. In the other, they spent months cultivating trust before obtaining valid administrative signatures. Neither attack depended primarily on discovering a flaw in a smart contract. Instead, they exploited familiar cybersecurity weaknesses: infrastructure compromise, social engineering, credential abuse and excessive trust in critical systems.

 In that sense, DeFi's cybersecurity problem increasingly resembles that faced by every other digital industry. The sector has built extraordinarily sophisticated cryptographic systems, but those systems remain embedded within organisations, technical infrastructure and human networks that are often much easier to attack. There may be a parallel here with the growing number of crypto ‘wrench attacks’: physical robberies where criminals force victims to surrender their cryptocurrency private keys, seed phrases or digital wallet passwords. No matter how robust your encryption is, there will always be a degree of meatspace vulnerability.

 In the case of DeFi, the deeper challenge is that its defining strength — its composability — also creates systemic risk. Protocols are bound to one another through bridges, collateral arrangements, governance systems and liquidity pools. A failure in one part of the ecosystem can rapidly spread elsewhere, as Aave’s experience during the Kelp crisis demonstrated. Security is therefore no longer simply a question of whether a protocol’s code is sound, but whether the entire web of dependencies around it can be trusted.

 The irony is that blockchains themselves may be among the most secure components of the system. More and more, the vulnerabilities lurk at the edges: where chains communicate with one another, where data enters the system, and where human beings are required to make decisions. These are harder problems to solve than a bug in a smart contract because they ultimately involve trust.

Events on our radar

Read next