Crypto Breaking News

    DeFi Hacks Expose Operational Security and Risk Gaps, S&P Finds

    2 minutes ago

    Operational security and risk controls under scrutiny after recent DeFi exploits

    Three high-profile DeFi incidents in March and April exposed how operational weaknesses and inadequate risk management can magnify losses across the decentralized finance ecosystem. In a new brief, S&P Global Ratings examined those hacks and concluded that the largest vulnerabilities were not buggy smart contract code, but governance failures, poor operational setups and miscalibrated collateral controls.

    The episodes, which affected Resolv, Drift and KelpDAO and produced combined on-chain losses in the hundreds of millions of dollars, illustrate how token minting mechanics, cross-chain messaging, collateral eligibility and human trust assumptions can create rapid contagion across lending protocols.

    What happened: three incident archetypes

    S&P’s review highlights three distinct attack patterns that were central to the losses observed.

    1) Compromised mint keys and direct token creation. In Resolv’s case, attackers gained control of the administrative keys that authorise minting. With that control they created additional tokens and used market mechanics and curated lending vaults to extract value. The episode underlines the risk of concentrating administrative privilege in a token issuer, and the need for segregation and redundancy on any path that can mint.

    2) Cross-chain messaging and single-point-of-failure setups. The KelpDAO exploit relied on weaknesses in the cross-chain messaging configuration used to track the collateral backing its rsETH token across chains. Attackers were able to create unbacked tokens without breaching the mint contract itself, because the messaging layer had been deployed with its lowest-security verification setting. Although the newly minted tokens were relatively illiquid, a major lending market accepted them as collateral; that composability let the attacker borrow roughly $300 million in wrapped ether, converting token creation into realized profit.

    3) Extended social engineering leading to administrative takeover. The Drift attack was, according to S&P, the result of a lengthy social-engineering campaign in which attackers posed as legitimate partners to gain trust and eventually administrative control. The compromise permitted the draining of liquidity and demonstrates how human factors and governance procedures remain a core attack vector even where contracts themselves are sound.

    How risk management failures amplified damage

    S&P’s analysis stresses that operational failures are amplified by lending protocols’ risk settings and the broader composability of DeFi. Several mechanics played a role:

    Collateral eligibility and concentration limits. Lending platforms that accept new or complex assets as collateral must treat each asset as a distinct credit and operational risk. In KelpDAO’s case, the token’s price correlation with ether was treated as the primary risk signal, rather than its own behaviour and attack surface (including the cross-chain minting path). As a result, supply caps and exposure controls were too loose, and the protocol lent against the compromised asset at levels exceeding the reserve set aside to absorb losses.

    Hard-coded pricing and curated vault mechanics. In the Resolv fallout, tokens whose market value had collapsed were still accepted as collateral at a fixed, hard-coded price in certain curated vaults. The gap between the hard-coded price and the market price created an arbitrage: anyone could buy the depreciated tokens cheaply, post them at the stale price and borrow against them, turning a price dislocation into a liquidity drain for lenders.

    Single points of failure in cross-chain systems. Using the lowest-security configuration available for cross-chain messaging created a centralised trust assumption that an attacker could exploit. Redundancy, decentralized relayer sets and stronger verification would reduce this class of risk.
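
    To make the pricing and concentration mechanics concrete (and the asset-level calibration they call for), here is a small Python model of a lending market. It is added for this write-up and is not code from S&P’s brief or from any of the protocols named; the token name DEPEGGED, the $1.00 and $0.10 prices, the 80% LTV, the cap, the pool size and the reserve are all constructed figures. It compares a curated vault that hard-codes a $1.00 valuation for a token now trading at $0.10 with no supply cap against the same market using oracle pricing and a cap sized so that worst-case exposure fits inside the reserve.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CollateralConfig:
    ltv: float                            # max borrow value per unit of collateral value
    fixed_price: Optional[float] = None   # hard-coded USD price; None means use the oracle
    supply_cap: Optional[float] = None    # max units accepted; None means uncapped


@dataclass
class Market:
    """One lending market with a USD lender pool and a loss reserve (constructed model)."""
    liquidity: float              # lender funds available to borrow, USD
    reserve: float                # set aside to absorb bad debt, USD
    configs: dict                 # token -> CollateralConfig
    oracle: dict                  # token -> current market price, USD
    supplied: dict = field(default_factory=dict)

    def price(self, token):
        """Collateral valuation: the hard-coded price if one is set, else the oracle."""
        cfg = self.configs[token]
        return cfg.fixed_price if cfg.fixed_price is not None else self.oracle[token]

    def max_exposure(self, token):
        """Most that can ever be borrowed against this token; unbounded without a cap."""
        cfg = self.configs[token]
        if cfg.supply_cap is None:
            return float("inf")
        return cfg.supply_cap * self.price(token) * cfg.ltv

    def within_reserve(self, token):
        """The calibration check: worst-case exposure must fit inside the reserve."""
        return self.max_exposure(token) <= self.reserve

    def deposit_and_borrow(self, token, units):
        """Post collateral and borrow the maximum; rejects deposits above the cap."""
        cfg = self.configs[token]
        already = self.supplied.get(token, 0.0)
        if cfg.supply_cap is not None and already + units > cfg.supply_cap:
            raise ValueError(f"{token}: supply cap {cfg.supply_cap} exceeded")
        borrowed = min(units * self.price(token) * cfg.ltv, self.liquidity)
        self.supplied[token] = already + units
        self.liquidity -= borrowed
        return borrowed

    def bad_debt(self, token, borrowed):
        """If the borrower walks away, liquidators recover only real market value."""
        recoverable = self.supplied.get(token, 0.0) * self.oracle[token]
        return max(0.0, borrowed - recoverable)


def exploit(market, token, units):
    """Buy `units` at market, post them, borrow the maximum, abandon the position.
    Returns (attacker profit, lender bad debt); (0, 0) if the deposit is rejected."""
    cost = units * market.oracle[token]
    try:
        borrowed = market.deposit_and_borrow(token, units)
    except ValueError:
        return 0.0, 0.0
    return borrowed - cost, market.bad_debt(token, borrowed)


def vulnerable_market():
    """Curated vault still valuing DEPEGGED at $1.00 after it fell to $0.10, no cap."""
    return Market(liquidity=5_000_000.0, reserve=200_000.0,
                  configs={"DEPEGGED": CollateralConfig(ltv=0.8, fixed_price=1.0)},
                  oracle={"DEPEGGED": 0.10})


def hardened_market():
    """Same market with oracle pricing and a cap sized so exposure fits the reserve."""
    return Market(liquidity=5_000_000.0, reserve=200_000.0,
                  configs={"DEPEGGED": CollateralConfig(ltv=0.8, supply_cap=500_000.0)},
                  oracle={"DEPEGGED": 0.10})


if __name__ == "__main__":
    for name, make in (("hard-coded price, no cap", vulnerable_market),
                       ("oracle price, capped", hardened_market)):
        m = make()
        print(f"{name}: worst-case exposure ${m.max_exposure('DEPEGGED'):,.0f} "
              f"vs reserve ${m.reserve:,.0f}, calibrated={m.within_reserve('DEPEGGED')}")
        for units in (1_000_000.0, 500_000.0):   # fresh market per run, no accumulation
            profit, bad = exploit(make(), "DEPEGGED", units)
            print(f"  {units:,.0f} units: attacker profit ${profit:,.0f}, "
                  f"lender bad debt ${bad:,.0f}")
```

    In the vulnerable configuration the attacker spends $100,000 on a million depreciated tokens, borrows $800,000 against the stale $1.00 valuation and leaves lenders with $700,000 of bad debt, three and a half times the reserve. With oracle pricing and a 500,000-unit cap the deposit of a million units is refused outright, and an attack sized within the cap borrows $40,000 against $50,000 of collateral bought at market, so it loses money; the cap bounds worst-case exposure at $40,000, inside the reserve, which is the `within_reserve` check a risk team would run before listing the asset.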

    Recommendations and implications for institutions and protocols

    S&P frames the incidents as cautionary examples for both native DeFi projects and institutional participants exploring tokenization. Key controls identified include:

    Segregation and decentralization of administrative privileges. Minting and burning authorities should be split across multiple actors or managed via multi-sig and time-delayed governance to reduce the risk of unilateral mint events.

    Zero Trust and stronger identity controls. Protocol teams should adopt Zero Trust principles for external integrations and staffing, deploy rigorous identity verification processes for contractors and partners, and reduce reliance on informal trust-based relationships.

    Asset-level risk treatment and calibrated concentration limits. When onboarding collateral, lending platforms need to assess each asset’s operational and market profile and set supply caps, borrow limits and liquidation parameters accordingly.

    Redundancy in cross-chain infrastructure. Cross-chain messaging and oracle layers should not rely on a single verifier or on the default, lowest-security configuration; they should add redundancy and fail-safes so that a spoofed message cannot mint tokens or misreport collateralization.
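
    The first and fourth controls above (split mint authority behind a timelock, and a verifier quorum for cross-chain mints) share one mechanism: an m-of-n threshold over signed payloads. The following Python model is an added illustration, not code from S&P or from Resolv, Drift or KelpDAO. It uses HMAC secrets in place of signing keys so it runs stand-alone, and every signer name, amount, nonce and delay is an assumption. It shows a single admin key minting at will, the same stolen key being refused under 2-of-3 plus a 24-hour timelock, and a bridge inbox that accepts a message from one verifier versus one that demands a quorum.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so every signer signs exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Signer:
    """One approver or verifier. An HMAC secret stands in for a private key
    (assumption for a stand-alone example); `verify` is the checking side."""
    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def sign(self, payload: dict) -> bytes:
        return hmac.new(self._secret, canonical(payload), hashlib.sha256).digest()

    def verify(self, payload: dict, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(payload), sig)


@dataclass
class ThresholdPolicy:
    """m-of-n: authorised only when `threshold` distinct members validly signed the payload."""
    members: dict           # name -> Signer
    threshold: int

    def authorised(self, payload: dict, sigs: dict) -> bool:
        valid = {n for n, s in sigs.items()
                 if n in self.members and self.members[n].verify(payload, s)}
        return len(valid) >= self.threshold


@dataclass
class MintAuthority:
    """Mints need a threshold of approvals, then wait `delay` seconds in a queue
    where any approver can still cancel them before execution."""
    policy: ThresholdPolicy
    delay: float
    supply: float = 0.0
    queue: dict = field(default_factory=dict)   # mint id -> (payload, eta)

    def propose(self, payload: dict, sigs: dict, now: float) -> str:
        if not self.policy.authorised(payload, sigs):
            raise PermissionError("insufficient valid approvals")
        mid = hashlib.sha256(canonical(payload)).hexdigest()[:16]
        self.queue[mid] = (payload, now + self.delay)
        return mid

    def cancel(self, mid: str) -> None:
        del self.queue[mid]

    def execute(self, mid: str, now: float) -> float:
        payload, eta = self.queue[mid]
        if now < eta:
            raise PermissionError("timelock has not elapsed")
        del self.queue[mid]
        self.supply += payload["amount"]
        return self.supply


@dataclass
class BridgeInbox:
    """Destination-chain mint gated on a verifier quorum over the same message,
    with (source chain, nonce) replay protection."""
    verifiers: ThresholdPolicy
    seen: set = field(default_factory=set)
    minted: float = 0.0

    def receive(self, msg: dict, attestations: dict) -> float:
        key = (msg["src"], msg["nonce"])
        if key in self.seen:
            raise ValueError("replayed message")
        if not self.verifiers.authorised(msg, attestations):
            raise PermissionError("verifier quorum not met")
        self.seen.add(key)
        self.minted += msg["amount"]
        return self.minted


def demo() -> dict:
    """Run the scenarios and report what each control allowed or blocked."""
    ops = {n: Signer(n, f"secret-{n}".encode()) for n in ("alice", "bob", "carol")}
    mint = {"action": "mint", "amount": 1_000_000, "to": "0xattacker"}  # constructed
    res = {}
    # 1-of-1 admin key with no delay: one stolen key mints immediately.
    single = MintAuthority(ThresholdPolicy({"alice": ops["alice"]}, 1), delay=0)
    single.execute(single.propose(mint, {"alice": ops["alice"].sign(mint)}, now=0), now=0)
    res["single_key_minted"] = single.supply == mint["amount"]
    # 2-of-3 behind a 24h timelock: the same stolen key alone, or with a forged
    # second signature, is refused; a real second approval queues the mint.
    multi = MintAuthority(ThresholdPolicy(ops, 2), delay=86_400)
    sigs = {"alice": ops["alice"].sign(mint), "bob": b"\x00" * 32}
    res["forged_second_sig_blocked"] = not multi.policy.authorised(mint, sigs)
    sigs["bob"] = ops["bob"].sign(mint)
    mid = multi.propose(mint, sigs, now=0)
    try:
        multi.execute(mid, now=3_600)
        res["early_execute_blocked"] = False
    except PermissionError:
        res["early_execute_blocked"] = True
    res["delayed_execute_ok"] = multi.execute(mid, now=86_400) == mint["amount"]
    # Cross-chain: a single verifier suffices to mint; a 2-of-3 quorum does not.
    vs = {n: Signer(n, f"verifier-{n}".encode()) for n in ("v1", "v2", "v3")}
    msg = {"src": "chainA", "nonce": 7, "amount": 50_000, "to": "0xattacker"}
    weak = BridgeInbox(ThresholdPolicy({"v1": vs["v1"]}, 1))
    res["weak_bridge_minted"] = weak.receive(msg, {"v1": vs["v1"].sign(msg)}) == msg["amount"]
    strong = BridgeInbox(ThresholdPolicy(vs, 2))
    try:
        strong.receive(msg, {"v1": vs["v1"].sign(msg)})
        res["quorum_bridge_blocked"] = False
    except PermissionError:
        res["quorum_bridge_blocked"] = True
    return res


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The point of the timelock is the window between `propose` and `execute`: a mint that clears the threshold but looks wrong can still be removed with `cancel` by a guardian watching the queue, which is what turns a key compromise from an instant loss into a detectable event. On the bridge side the quorum only helps if the verifiers are genuinely independent; three verifiers run by one operator from one configuration are a single point of failure with extra steps.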

    Broader market and regulatory considerations

    The incidents underscore how composability, while a source of innovation in DeFi, can also transmit shocks quickly between protocols. For institutional actors considering tokenization of traditional assets, the lessons are clear: operational security and governance models must be designed to at least match, and ideally exceed, those used in legacy financial infrastructure.

    Regulators and custodians may increasingly focus on operational controls, proof of reserves, and governance robustness as part of any framework that supports institutional participation in tokenized markets. For market participants, the balance between innovation and prudence will be central to preventing further episodes of contagion driven by operational gaps rather than code flaws.

    Bottom line. The recent wave of DeFi exploits demonstrates that robust risk management and operational security are as important as secure code. As tokenization and institutional engagement expand, protocols and their counterparties must close governance, identity and collateral-calibration gaps to limit contagion in a highly interconnected ecosystem.

    The Crypto Breaking News editorial team curates the latest news, updates, and insights from the global cryptocurrency and blockchain industry.