An open-source AI tool that no one watched warned about Kelp DAO's $292 million vulnerability 12 days ago.

Author: Zengineer

Translation: Deep潮 TechFlow

Deep潮 Guide: On April 18, Kelp DAO was hacked for $292 million, the largest DeFi incident in 2026 so far. The vulnerability was not in the smart contract code but in the LayerZero cross-chain bridge’s 1-of-1 validator node configuration—single point failure allowed an attacker to forge cross-chain messages. Twelve days ago, when I used my open-source AI auditing tool to scan Kelp, I had already flagged this risk point. This article reviews the entire attack process and honestly reflects on three things our tool failed to do correctly at that time.

What is Kelp DAO

Kelp DAO is a liquidity re-staking protocol built on EigenLayer. The mechanism is as follows: users deposit ETH or staking tokens (stETH, ETHx) into the Kelp contract, which then delegates the assets to EigenLayer’s operator nodes for restaking—providing security for multiple AVS (Actively Validated Services). In return, users receive rsETH as proof of their deposit. Unlike restaking directly on EigenLayer (where assets are locked), rsETH is liquid: it can be traded, used as collateral in lending protocols such as Aave, and moved across chains.

To enable cross-chain liquidity, Kelp deploys rsETH on more than 16 chains using LayerZero’s OFT (Omnichain Fungible Token) standard. When you transfer rsETH from Ethereum to an L2, LayerZero’s DVN (Decentralized Verifier Network) verifies whether the cross-chain message is legitimate. This bridge architecture is the core of the story that follows.

Kelp was initiated by Amitej Gajjala and Dheeraj Borra (former co-founders of Stader Labs), launched in December 2023, with a peak TVL of $2.09 billion. Governance is managed via a 6/8 multi-signature plus a 10-day contract upgrade timelock. The governance token KERNEL oversees the three product lines: Kelp, Kernel, and Gain.

The Hack Event

On April 18, 2026, an attacker withdrew 116,500 rsETH from Kelp DAO’s cross-chain bridge, worth about $292 million—this is the largest DeFi attack in 2026 to date. The root cause was not a smart contract bug but a configuration issue: a 1-of-1 DVN setup (only one validator node, a single signature sufficed), allowing an attacker to forge cross-chain messages with a single compromised node.

Twelve days earlier, on April 6, I had already flagged this attack surface with my open-source security audit tool.

First, a word: this theft involved real people losing real money. WETH deposits on Aave from users who never interacted with rsETH were frozen; LPs across multiple protocols faced bad debts they never agreed to bear. This article analyzes what happened, what our tool detected, and the actual losses—more important than any scoring table.

The full report is on GitHub, with commit timestamps verifiable by anyone. Below, I’ll discuss what we caught, what we missed, and what this incident means for DeFi security tools.

46 Minutes of Turmoil in DeFi

At 17:35 UTC on April 18, the attacker compromised the sole DVN validator node and had it “approve” a forged cross-chain message. LayerZero’s Endpoint saw that the DVN had approved it and delivered the message via lzReceive to Kelp’s OFT contract, which then minted 116,500 rsETH on Ethereum mainnet. The message claimed that assets on other chains had been locked as collateral; those assets never existed.

What followed was a standard DeFi money laundering process:

  • Depositing the stolen rsETH as collateral in Aave V3, Compound V3, and Euler
  • Borrowing about $236 million worth of WETH against this unbacked collateral
  • Consolidating around 74,000 ETH and moving it out through Tornado Cash

After 46 minutes, at 18:21, Kelp’s emergency multi-sig froze the contract. The attacker made two follow-up attempts (each 40,000 rsETH, about $100 million), both reverted—this pause stopped roughly $200 million more.

But the impact was severe. Aave V3 absorbed about $177 million in bad debt. AAVE token plummeted 10.27%. ETH dropped 3%. WETH utilization on Aave hit 100%, causing depositors to rush withdrawals. rsETH on over 20 L2s suddenly became questionable assets overnight.

What We Found on April 6

In early April, shortly after Drift Protocol was hacked for $285 million on April 1, I developed an open-source AI framework called crypto-project-security-skill—an architecture risk assessment tool that uses public data (DeFiLlama, GoPlus, Safe API, on-chain verification) to evaluate DeFi protocols. It’s not a code scanner or formal verification tool. The Drift incident made me realize: the biggest losses are not in smart contract code but in governance flaws, misconfigurations, and architectural blind spots—areas that code auditors can’t see. So I built a tool to evaluate these layers: governance structure, oracle dependencies, economic mechanisms, cross-chain architecture, comparing attack patterns from past incidents (Drift, Euler, Ronin, Harmony, Mango).

On April 6, I ran a full audit on Kelp DAO. The complete report is on GitHub, with immutable commit timestamps.

The report gave Kelp a composite risk score of 72/100 (medium risk). In hindsight, this was too lenient—the unresolved cross-chain information gaps should have lowered the score. Even at a medium risk level, the report highlighted the attack surface that was later exploited.

Below is a screenshot of the “Information Gaps” section of the report—the core issue with Kelp’s DVN configuration, which ultimately caused the $292 million theft:

Figure caption: The “Information Gaps” section of the April 6 report explicitly points out the opacity of DVN configuration.

Now, let’s compare what was flagged versus what was actually exploited.

Discovery 1: DVN Configuration Opacity (Warning Signal)

Report text: “LayerZero DVN configuration (validator sets, threshold requirements) not publicly disclosed.”

What actually happened: Kelp used a 1-of-1 DVN setup—one validator node. If an attacker compromises that node, they can forge cross-chain messages. If the configuration had been 2-of-3 (industry minimum recommended), the attacker would need to compromise multiple independent validators.

To clarify: this is a Kelp issue, not LayerZero’s. LayerZero provides the infrastructure (the DVN framework); each protocol chooses its own configuration: how many validator nodes (1-of-1, 2-of-3, 3-of-5…), which nodes to use, and the threshold per chain. Kelp chose 1-of-1 when deploying the OFT bridge. LayerZero fully supports 2-of-3 or higher; Kelp simply didn’t enable it.

Analogy: AWS offers MFA (multi-factor authentication). If your account is hacked because you never enabled MFA, that’s your fault, not AWS’s. LayerZero provides the security framework; Kelp chose not to use it.

Our report couldn’t verify the exact DVN threshold (since Kelp never disclosed it), but we explicitly listed this opacity as an unresolved risk—lack of disclosure itself is a red flag.

Discovery 2: Single Point of Failure on 16 Chains (Direct Hit)

Report text: “LayerZero DVN single point failure could impact all 16 supported chains’ rsETH.”

What actually happened: Forged messages directly hit Ethereum mainnet, causing a ripple effect across all chains with rsETH. LayerZero preemptively paused all outbound OFT bridges from Ethereum. rsETH holders on over 20 L2s faced uncertainty about whether their tokens were still backed.

This is a systemic risk in multi-chain deployment: rsETH exists on Arbitrum, Optimism, Base, Scroll, etc., but all these tokens derive their value from assets on Ethereum mainnet. When the mainnet bridge is compromised, rsETH on all chains loses its backing—holders can’t redeem or verify their tokens’ worth. Lido’s earnETH (exposure via rsETH), Ethena’s LayerZero bridge—all had to pause. The blast radius far exceeded Kelp’s own system.

Discovery 3: Cross-Chain Governance Control Unverified (Related Issue)

Report text: “Governance control over LayerZero OFT configuration on each chain is unverified—specifically, whether control is under the same 6/8 multi-sig and 10-day timelock, or managed by separate keys.”

What actually happened: The DVN configuration was evidently outside the core protocol’s strict governance. Had bridge configuration changes been subject to the 6/8 multi-sig and 10-day timelock, a 1-of-1 DVN setup would have required six of eight signers to approve it, and such a body is unlikely to have left the bridge unmanaged at that setting.

This exposes a common governance blind spot: many protocols have strict multi-sig + timelock for core contract upgrades, but operational changes—bridge configs, oracle parameters, whitelists—are often controlled by a single admin key. Kelp’s core governance is industry-leading (6/8 multi-sig + 10 days), but these protections don’t extend to its biggest attack surface: the cross-chain bridge.

Discovery 4: Similar to Ronin/Harmony Attacks (Direct Hit)

Report text: “Historical precedents involve bridge security. Kelp’s deployment across 16 chains, with operational complexity similar to Ronin’s multi-chain architecture.”

What actually happened: The attack path nearly perfectly replicated Ronin’s script—breaking validator nodes, forging messages, draining assets. Our tool’s attack pattern matching module compared the protocol architecture with historical attack categories, correctly identifying this as a high-risk vector.

Background: In 2022, Ronin’s bridge was hacked by compromising 5 of 9 validators, losing $625 million; the same year, Harmony’s Horizon bridge was compromised by 2 of 5 validators, losing $100 million. Kelp’s situation was even more extreme—only 1 validator, the lowest possible threshold. Our tool flagged this risk because it compares protocol architecture against known attack patterns, not just code.

Discovery 5: No Insurance Pool (Amplifying Losses)

Report text: “The protocol currently lacks a dedicated insurance pool or socialized loss mechanism to absorb penalties.”

What actually happened: Without insurance reserves, the $292 million loss was absorbed by downstream protocols. Aave’s recovery reserves covered less than 30% of the $177 million bad debt. LPs, unrelated to Kelp’s configuration decisions, bore the largest impact.

The attacker used the stolen rsETH as collateral in Aave V3, Compound V3, Euler, then borrowed real WETH. Once rsETH was confirmed unbacked, these positions became “uncollateralizable” bad debt—collateral turned worthless, but borrowed WETH was gone. WETH utilization on Aave spiked to 100%, making withdrawals impossible. WETH depositors on Aave, even if they never interacted with rsETH, were affected. Kelp and Nexus Mutual’s insurance partnerships only cover specific vault products, not the core rsETH protocol exposure.

This is a failure of responsibility on both sides: Kelp, managing $1.3 billion TVL, has no insurance pool or loss absorption mechanism. When the bridge was compromised, there was no buffer to absorb damage. Aave accepted rsETH as collateral but didn’t sufficiently assess its cross-chain bridge risk. Its risk parameters (LTV, liquidation thresholds) are designed for normal price volatility, not tail risks like bridge failure causing collateral to vanish overnight. The recovery reserves couldn’t cover even 30% of bad debt. Essentially, this was a risk pricing failure: Aave treated rsETH as a normal volatile asset, ignoring the tail risk of bridge breach. The combined failure—Kelp’s lack of insurance and Aave’s insufficient risk modeling—led to this catastrophe.

Where We Went Wrong

Three things should have been done better:

Risk rating was too lenient. We rated the cross-chain bridge risk as “medium.” The report’s five unresolved information gaps included three related to LayerZero’s bridge configuration, matching Ronin/Harmony attack patterns—these should have been “high” or “severe.” Lack of transparency itself should have been a stronger warning.

We failed to penetrate the configuration layer. The report repeatedly asked Kelp to disclose DVN thresholds, but we couldn’t verify independently. This is the same structural blind spot identified by Juheng.com’s post-analysis: existing audit tools focus on code logic but miss configuration-level risks. We flagged the issue but couldn’t answer definitively.

We didn’t check on-chain. DVN configuration can actually be read directly from LayerZero’s EndpointV2 contract on-chain. We could have queried the ULN302 registry to verify Kelp’s DVN threshold independently, rather than marking it as “not disclosed.” If we had, we would have seen the 1-of-1 setup directly, without needing Kelp’s disclosure. This is the most concrete improvement for our tool: adding on-chain DVN configuration verification in cross-chain assessments.
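As an added example (not code from the article or from crypto-project-security-skill), here is the decode-and-grade step such an on-chain check needs: it parses the `UlnConfig` bytes that LayerZero’s EndpointV2 `getConfig(oapp, receiveLib, srcEid, 2)` returns for the ULN receive library and grades the threshold along the lines of Discovery 1 (1-of-1 severe, 2-of-3 as the baseline). The RPC call, the OApp address, and the DVN addresses are assumptions left to the reader; the sample configs below are constructed, not Kelp’s real settings.

```python
"""Decode a LayerZero V2 ULN DVN config and grade its verifier threshold.
Added example, not code from the article or crypto-project-security-skill. Assumes the
input is the bytes returned by EndpointV2.getConfig(oapp, receiveLib, srcEid, 2), i.e.
abi.encode(UlnConfig) from ReceiveUln302 (config type 2 = ULN). The eth_call is left
to your RPC client; this module only parses and grades the returned bytes."""
WORD = 32
NIL_DVN_COUNT = 255  # UlnBase sentinel meaning "explicitly zero required DVNs"


def _word(data: bytes, off: int) -> int:
    return int.from_bytes(data[off:off + WORD], "big")


def _address_array(data: bytes, base: int) -> list:
    # base is the length word; each element is a 20-byte address left-padded to 32 bytes
    count = _word(data, base)
    return ["0x" + data[base + WORD * (i + 1) + 12:base + WORD * (i + 2)].hex()
            for i in range(count)]


def decode_uln_config(raw: bytes) -> dict:
    # UlnConfig is a dynamic struct: word 0 holds the offset of its body, and the two
    # address[] offsets inside the body are relative to the body start.
    body = _word(raw, 0)
    return {
        "confirmations": _word(raw, body),
        "required_dvn_count": _word(raw, body + WORD),
        "optional_dvn_count": _word(raw, body + 2 * WORD),
        "optional_dvn_threshold": _word(raw, body + 3 * WORD),
        "required_dvns": _address_array(raw, body + _word(raw, body + 4 * WORD)),
        "optional_dvns": _address_array(raw, body + _word(raw, body + 5 * WORD)),
    }


def grade_dvn_threshold(cfg: dict) -> tuple:
    # A message is verified once every required DVN plus `optional_dvn_threshold` of the
    # optional DVNs attest it, so an attacker must control required + threshold nodes.
    required = 0 if cfg["required_dvn_count"] == NIL_DVN_COUNT else cfg["required_dvn_count"]
    total = required + cfg["optional_dvn_count"]
    needed = required + cfg["optional_dvn_threshold"]
    if needed <= 1:
        return "severe", f"{needed}-of-{total}: a single compromised DVN can attest a forged message"
    if total < 3:
        return "high", f"{needed}-of-{total}: below the 2-of-3 baseline, no spare verifier"
    return "ok", f"{needed}-of-{total} independent DVNs"


def encode_uln_config(confirmations, required, optional, threshold) -> bytes:
    # Hand-rolled abi.encode(UlnConfig), used only to construct sample input here.
    w = lambda v: v.to_bytes(WORD, "big")
    arr = lambda a: w(len(a)) + b"".join(bytes.fromhex(x[2:]).rjust(WORD, b"\0") for x in a)
    req, opt = arr(required), arr(optional)
    head = w(confirmations) + w(len(required)) + w(len(optional)) + w(threshold)
    return w(WORD) + head + w(6 * WORD) + w(6 * WORD + len(req)) + req + opt


# Constructed sample addresses and configs; not real DVNs and not Kelp's actual settings.
DVN_A, DVN_B, DVN_C = ("0x" + h * 20 for h in ("aa", "bb", "cc"))
SINGLE_DVN_1_OF_1 = encode_uln_config(15, [DVN_A], [], 0)
BASELINE_2_OF_3 = encode_uln_config(15, [], [DVN_A, DVN_B, DVN_C], 2)
```

Run the decoder on the bytes for each destination chain's receive library separately, since the threshold is set per pathway and a single weak chain is enough to mint on mainnet.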

Our descriptions were not specific or actionable enough. Saying “DVN configuration not disclosed” is an observation about documentation gaps—not a prediction of attack. These risks (oracle centralization, bridge dependency, lack of insurance) are common in many cross-chain DeFi protocols. Our tool flagged Kelp’s opacity, but it also flagged similar patterns in dozens of other protocols that weren’t attacked. Without a false positive rate, claiming “we predicted this” is an exaggeration. More honestly: we asked the right questions that others don’t ask, and one of those questions hit the critical point.

On “Responsible Disclosure”

A fair question: if we flagged these risks on April 6, why didn’t we notify Kelp before the attack on April 18?

We didn’t notify. Because the report identified opacity—“DVN configuration not disclosed”—not a specific exploitable vulnerability. We didn’t know the configuration was 1-of-1; we only knew it wasn’t public. Nothing concrete enough to disclose. “Your bridge configuration lacks documentation” is a governance observation, not a bug bounty report.

In hindsight, we could have contacted Kelp directly to ask about their DVN threshold. That conversation might have revealed the 1-of-1 setup and prompted a fix. We didn’t do that. Lesson learned: even if a finding seems too vague for formal disclosure, a private message can be worthwhile.

What This Means for DeFi Security

Kelp’s theft—like Drift’s 17 days earlier—is not a smart contract bug. Automated scanners like Slither, Mythril, or GoPlus can’t detect it. The vulnerability lies in deployment configurations, governance gaps, and architecture decisions—above the code layer.

This aligns with the core claim of crypto-project-security-skill:

Protocol security isn’t just about code. A protocol can have perfect Solidity, top-tier audits, and a $250k bug bounty—yet still be robbed of $292 million due to validator configuration issues.

Our tool is open-source on GitHub—anyone can review the methodology, run it themselves, or improve it.

Timeline

12 days. The signals were there all along. The question is: how can the ecosystem build tools that spot these signals before the next bridge is compromised?

What You Can Do

If you hold assets in DeFi protocols with cross-chain bridges:

Run an audit yourself. The tool is open-source. Don’t just trust us—verify yourself.

Check bridge validator configurations. If a protocol refuses to disclose its DVN threshold, treat it as a red flag. Our report does exactly that, and it proved correct.

Don’t assume code audits cover everything. Kelp had over five audits from reputable firms (Code4rena, SigmaPrime, MixBytes). Traditional audits focus on code logic, not configuration risks like DVN thresholds—that’s a different analysis, not a failure of auditors.

Assess insurance coverage. If a protocol has no insurance pool and you’re a lender accepting its tokens as collateral, you’re implicitly insuring it. This time, WETH depositors on Aave learned this the hard way.

A Larger Vision: AI Agents as a Security Layer

This article discusses a tool and a theft. But the bigger point is: AI agents can serve as an independent security layer for DeFi investors.

The traditional security model in crypto: protocols hire auditors, auditors review code, and issue reports. This approach has blind spots—Kelp’s case shows it focuses on code correctness but misses configuration, governance, and architecture risks.

Claude Code and similar tools offer a different path: anyone can use public data to run an AI-assisted risk assessment in minutes. No need to pay $200k for an audit. No need to understand Solidity. The agent compares protocol architecture against known attack patterns, highlighting questions you should ask before depositing.

This won’t replace professional audits, but it lowers the barrier to first-level due diligence for everyone. LPs considering a new restaking protocol can run `audit defi` and get a structured risk report covering governance, oracles, bridges, and economic mechanisms. For retail and mid-tier investors, it’s a real step toward self-protection.

Kelp’s report was imperfect. It rated bridge risk as medium—probably should have been severe. It didn’t penetrate the configuration layer. But it asked the right questions—if the Kelp team or any LP had seriously addressed these issues, the $292 million loss could have been avoided.

References

CoinDesk: The Largest Crypto Attack of 2026—Kelp DAO Stolen $292 Million

Crypto Briefing: Kelp DAO Suffered $292 Million Bridge Attack

DL News: Hacker Attacks DeFi Protocol Kelp DAO, Losses About $300 Million

Bitcoin.com: ZachXBT Reveals Over $280 Million Attack on KelpDAO

鉅亨網: The $293 Million Vulnerability Was Not in the Code

Aave Official Statement on X

Kelp DAO Full Security Report (April 6, 2026)

crypto-project-security-skill Source Code
