Volo Protocol Suffers Additional Damage in the Wake of KelpDAO Hack... DeFi Market Faces 'Bank Run' Crisis

The decentralized finance (DeFi) ecosystem is reeling from high-profile hacks that have evaporated hundreds of millions of dollars in value within days. Before the industry could recover from the $292 million KelpDAO breach—the largest of 2026—Volo Protocol became the latest victim, losing $3.5 million from several vaults. This series of security incidents has triggered a 'bank run' sentiment in the market, causing a $10 billion exodus of funds from DeFi protocols while exposing the fragile interconnectivity of modern yield-bearing assets.

Volo Protocol suffered losses of approximately $3.5 million across three vaults holding WBTC, XAUm, and USDC. This attack dealt a compounded blow to investors, occurring at a time when market confidence was already severely diminished following the KelpDAO incident. Security experts believe the breach exploited vulnerabilities within the vaults themselves, suggesting that not only large protocols but also small-to-medium platforms are constantly exposed to security threats.

Because DeFi applications are highly interconnected, a vulnerability in one protocol poses a systemic risk to the entire ecosystem.

While Volo Protocol's losses may seem relatively small compared to the massive scale of the KelpDAO incident, the psychological impact on the market is significant. News of successive hacks has led investors to question the safety of their assets, resulting in immediate withdrawal pressure. Analysts predominantly suggest that strategies involving depositing assets across multiple protocols to maximize yield have instead become conduits for spreading risk.

The Shadow of KelpDAO: Unprecedented Damage of $292 Million

The KelpDAO hack on April 18 targeted the rsETH cross-chain bridge, stealing approximately 116,500 rsETH tokens. This massive amount represents about 18% of the total circulating supply of rsETH, serving as a decisive factor in destabilizing the entire rsETH ecosystem. The attackers laundered a portion of the stolen funds through Tornado Cash, and KelpDAO had to freeze contracts via multi-sig to prevent an additional $100 million in losses.

• KelpDAO: $292 million loss, primary asset rsETH, attack via LayerZero RPC node compromise.
• Volo Protocol: $3.5 million loss, primary assets WBTC, XAUm, USDC, exploitation of vault vulnerability.

The 'TraderTraitor' unit under North Korea's Lazarus Group was identified as being behind the KelpDAO attack. They demonstrated high technical sophistication by hacking two RPC nodes that supply data to LayerZero's validators, deploying malicious code and injecting false transaction data. This allowed the attackers to unauthorizedly mint uncollateralized rsETH, a result of the collapse of a core element of bridge security.

KelpDAO's vulnerability immediately spread to major lending protocols like Aave. The attackers used the unauthorizedly minted rsETH as collateral on Aave to borrow actual WETH, leaving Aave with approximately $196 million in bad debt in the process. Consequently, Aave took emergency measures to freeze the rsETH and WETH markets on the Ethereum network, but market panic had already spread.

Market Collapse and the Realization of a 'Bank Run'

According to data from the on-chain analysis platform DeFiLlama, the total value locked (TVL) across the entire DeFi market plummeted by approximately $10 billion to $13 billion following these incidents. Aave's TVL crashed by 33% in just a few days, and the price of its governance token, AAVE, also dropped by 30%, reflecting investor sell-offs. In particular, more than 120 networks, including CosmoHub, experienced TVL decreases, confirming a market-wide retreat.

Reports from security platforms Immunefi and Hacken indicate that approximately 28.7% of losses in the third quarter of 2024 could have been defended against with automated incident response strategies alone. As the scale of hacks grows in 2026, there is an urgent need for real-time monitoring and strengthened security standards for bridge infrastructure that go beyond simple code audits. The future of DeFi now depends on building systemic defense mechanisms capable of managing interconnected risks, beyond the growth of individual protocols.