Skip to content
YieldScope
Get rate alerts

DeFi yield isn't free: what 2026's hacks teach about lending risk

A $292M hack that triggered $9B of Aave outflows, a lender that shut down a year after its breach, a stablecoin contagion. 2026's DeFi lessons — and how to assess a yield before chasing it.

newsdefilendingrisksafety 2026-06-23 · 6 min read · YieldScope Research

DeFi lending advertises some of the most attractive yields in crypto — often well above what centralized platforms pay. That premium is real, but so is the reason for it. 2026 has been a brutal teacher on exactly what you are being paid to absorb. Three events tell the story.

2026's wake-up calls

The KelpDAO hack — and the $9 billion that fled Aave. On April 18, 2026, attackers drained roughly 116,500 rsETH (about $292 million) from a LayerZero bridge connected to KelpDAO. They then used borrowed positions across DeFi to extract legitimate ETH. The panic that followed was the real lesson: roughly $9 billion flowed out of Aave — the largest DeFi lender — over a single weekend. Aave itself was not hacked. It simply got caught in the fear.

Radiant Capital shut down. On June 1, 2026, the lending protocol Radiant Capital announced it was winding down. It never recovered from a $50 million hack back in October 2024 — couldn't claw back the funds, couldn't raise enough to rebuild trust. A breach from eighteen months earlier ultimately ended the platform.

The msUSD contagion. In June, the msUSD stablecoin depeg spread to a separate protocol, Altura, which shared a reserve-verification provider — forcing it to wind down a $39M vault despite having no direct exposure. Same theme: interconnection turns one failure into several.

Lesson 1: smart-contract risk is the base layer

Every DeFi yield sits on top of code. That code can have bugs, and bridges — the plumbing that moves assets between chains — have been the single most-exploited part of crypto for years. The KelpDAO drain happened at a bridge, not at the lending app you might have been using. When you deposit into a DeFi protocol, you are trusting not just that protocol's code but everything it connects to.

Audits help, but they are not guarantees. Radiant was audited. The honest framing: an audit lowers the odds of a known class of bug; it does not make a protocol unhackable.

Lesson 2: contagion — you are exposed to what your platform touches

This is the lesson that surprises people. Your lender can be perfectly solvent and still hand you a bad week because something it depends on broke.

Aave didn't get hacked, yet $9B left in a weekend. Altura had no msUSD exposure, yet it had to close a vault. DeFi protocols compose — they lend to each other, share oracles, share bridges, share verification providers. That composability is the magic that creates the yield, and it is also the wiring that carries panic from one failure to the next. When you pick a platform, you are also picking everything it is plugged into, whether you can see it or not.

Lesson 3: a hack can kill a platform a year later

Radiant's collapse is the quiet, important one. The hack was in 2024; the shutdown was in 2026. The damage from a breach is rarely just the stolen amount — it is the slow bleed of trust, liquidity, and the capital needed to keep operating. A platform that "survived" a hack is not automatically fine. The right question is not only "was it ever hacked?" but "did it fully recover — reserves, users, and confidence?"

This is why track record is one of the five checks behind every A–F grade on YieldScope. A clean multi-year history is information. So is a messy one.

Lesson 4: the highest APY is often the least battle-tested

There is a pattern across all of this. The eye-watering DeFi yields tend to cluster on newer protocols, exotic strategies, and complex collateral — exactly the setups with the most surface area for something to go wrong. The boring, lower yield on a long-running, deeply-audited, deeply-liquid protocol is lower because it is carrying less of this risk.

That does not mean high yield is always a trap, or that blue-chip DeFi is risk-free. It means the rate is a clue about risk, not a free lunch — and a number with no context is the most dangerous kind.

CeFi lending isn't immune either

It is tempting to read all this as "DeFi is dangerous, centralized platforms are safe." That is the wrong lesson. Centralized lenders produced some of the largest investor losses in crypto's history: Celsius, Voyager, and BlockFi all froze withdrawals and went bankrupt in 2022, taking billions of user funds down with them. The failure mode is just different. Instead of a smart-contract exploit, it is opaque risk-taking you cannot see — rehypothecation, bad loans, undisclosed leverage — right up until the moment withdrawals stop.

DeFi at least lets you inspect the code and the collateral on-chain. CeFi asks you to trust a company's internal decisions you will never see. Both can advertise attractive yields; both can lose your principal entirely. So the useful frame is not "DeFi versus CeFi" but "what specific risk am I taking, and can I actually see it?" On-chain, you face contract and contagion risk that is at least partly verifiable. Off-chain, you face counterparty risk that mostly is not.

This is also why spreading across both worlds — and across several platforms within each — beats chasing the single highest number. The people who lost everything in 2022 usually had it all in one place that happened to pay the best rate. Diversification is boring, and it is the cheapest risk reduction available to you. None of this argues against earning yield; it argues for earning it deliberately — knowing whether your platform is on-chain or off, what it depends on, how it behaved under past stress, and how much of your stack sits in any one place.

How to actually assess a DeFi yield

Before depositing for a DeFi rate, work through this:

  • TVL and liquidity. Deep, stable total value locked means you can actually exit when you want. Thin liquidity is where bank-runs and flash-liquidations happen.
  • Audits — plural, and recent. One audit from years ago is weak. Multiple, ongoing reviews are better. Verify they exist; don't take the marketing's word.
  • Track record under stress. Has the protocol lived through a market crash or an exploit attempt and kept working?
  • Dependencies. What bridges, oracles, and other protocols does it rely on? Each is an extra failure point.
  • Where the yield comes from. Real borrowing demand is sustainable; yield propped up by token emissions or leverage is not. If you can't explain the source, treat the rate as a warning.
  • Position sizing. Contagion is real — don't concentrate everything in one protocol or one chain.

Bottom line

DeFi yield is not free money; it is payment for taking on smart-contract risk, contagion risk, and the quiet long tail of a breach that may not surface for a year. 2026 didn't prove DeFi is broken — plenty of protocols ran through the chaos untouched. It proved that the rate alone tells you almost nothing, and that the work is in understanding what sits underneath it.

Compare DeFi and CeFi yields side by side with a safety grade — track record included — on YieldScope, and for the centralized side of the same question, read is crypto staking safe?

Not financial advice. DeFi carries smart-contract and contagion risk that can result in total loss. Do your own research.

Educational content, not financial or legal advice. Sources are linked in the text.

Never miss a guide

New guides most weeks, plus a Monday digest of the best rates. No spam.

Keep reading

All guides