Kelp DAO Attack Analysis: Fake Message Steals $292 Million, Systemic Risks in DeFi Raise New Concerns
1. Event Overview
On April 18th at 17:35 UTC, the second-largest liquidity staking protocol Kelp DAO was subjected to a large-scale attack. The hacker exploited a vulnerability in its LayerZero-based rsETH cross-chain bridge, forging cross-chain messages to steal 116,500 rsETH from the Ethereum mainnet, worth approximately $292 million, accounting for about 18% of rsETH's total circulating supply. About 46 minutes after the incident, Kelp DAO urgently paused multi-signature operations, successfully intercepting two subsequent attempts to transfer an additional 40k rsETH (roughly $100 million).
The attacker obtained initial funds via Tornado Cash and precisely constructed cross-chain data packets, calling the lzReceive function on the LayerZero EndpointV2 contract, triggering the Kelp bridging contract to release assets—however, there was no actual deposit of this rsETH on the source chain; the instructions were purely fabricated out of thin air.
2. Root Cause: Critical Flaw in Cross-Chain Configuration
The fundamental issue is that Kelp DAO adopted an overly simplified 1/1 DVN (single validator node) setup rather than the LayerZero-recommended 2/2 multi-signature validation, so a single validator could confirm cross-chain messages. Once validation was bypassed, the bridge adapter failed to strictly verify the message source and mistakenly believed that equivalent assets were locked on the source chain, thus executing the release command, essentially enabling "unsecured minting out of thin air."
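The two checks described above (how many verifiers must attest, and whether the message source is checked) can be modelled in a few lines. This is an added example, not code from the article, LayerZero, or Kelp DAO; the class, function, verifier, and peer names are hypothetical, and the configurations are constructed samples.

```python
# Simplified model of verifier quorum and source checking for a bridge pathway.
# All names and values are constructed for illustration.
from dataclasses import dataclass

MIN_REQUIRED_VERIFIERS = 2  # policy assumption: never rely on a single verifier


@dataclass(frozen=True)
class PathwayConfig:
    name: str
    required_verifiers: frozenset  # every one of these must attest
    trusted_peer: str              # only this source-chain sender is accepted


def audit(cfg):
    """Return a list of findings for one pathway configuration."""
    findings = []
    if len(cfg.required_verifiers) < MIN_REQUIRED_VERIFIERS:
        findings.append(f"{cfg.name}: {len(cfg.required_verifiers)} required "
                        "verifier(s); one attestation is enough to release funds")
    if not cfg.trusted_peer:
        findings.append(f"{cfg.name}: no trusted peer set; source is unchecked")
    return findings


def accept_message(cfg, sender, attestations):
    """Release only if the sender is the trusted peer and every required
    verifier has attested to this exact message."""
    if not cfg.trusted_peer or sender != cfg.trusted_peer:
        return False
    return cfg.required_verifiers <= set(attestations)


# Constructed sample configurations: the 1/1 setup and the 2/2 setup.
WEAK = PathwayConfig("rsETH-1of1", frozenset({"dvn-a"}), "peer-oapp")
HARDENED = PathwayConfig("rsETH-2of2", frozenset({"dvn-a", "dvn-b"}), "peer-oapp")

# A message with no source-chain deposit behind it, carrying an attestation
# from only the one verifier that was bypassed.
FORGED_ATTESTATIONS = {"dvn-a"}

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(cfg.name, audit(cfg),
              accept_message(cfg, "peer-oapp", FORGED_ATTESTATIONS))
```

Run as a pre-deployment gate, `audit` flags the 1/1 pathway before it goes live, and `accept_message` shows why: the same single attestation that releases funds under 1/1 is rejected under 2/2.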
3. Chain Reaction: Aave Bad Debt and Market Panic
The hacker quickly collateralized the stolen rsETH into lending protocols such as Aave V3, Compound, and Euler, borrowing approximately $236 million in real WETH/ETH. Since rsETH is a false issuance, these borrowing positions became unrecoverable bad debts—Aave bears about $177-196 million, Compound around $39.4 million, and Euler approximately $840k.
Aave immediately froze the rsETH market but still triggered widespread panic withdrawals, with over $5.4 billion in assets pulled from Aave, and ETH utilization rate spiked to 100%. Aave's TVL plummeted from about $26.4 billion to $20.7 billion, and the AAVE token price dropped over 10%.
4. Industry Reflection: Systemic Risks of DeFi Lego-Style Architecture
This attack was not a traditional smart contract bug but exposed dual vulnerabilities in cross-chain bridge configuration security and the collateral logic of LRT (liquidity staking tokens). The Kelp DAO incident is the second major security breach in April after Drift Protocol ($285 million), not counting the $284 million loss from a phishing attack in January, highlighting the increasingly severe compound security challenges faced by DeFi. As an LRT-like wrapped asset, rsETH’s underlying value depends on the security of the cross-chain bridge, and protocols like Aave incorporating such high-risk assets into collateral lists cause risk to propagate asymmetrically along the protocol chain. Once the underlying system is compromised, the impact can instantly spread across the entire lending ecosystem.
The event also triggered chain reactions: projects like Solv announced suspensions of LayerZero-related bridges, and Curve Finance temporarily disabled LayerZero infrastructure. LayerZero responded that they are investigating the root cause and will jointly release a comprehensive analysis report.
Kelp DAO founder Charlie posted on X (Twitter) admitting that the team made a mistake in adopting the 1/1 DVN configuration, and explicitly stated that a full compensation plan will be developed for all affected users, rejecting the community’s common concern of "socialized loss sharing." The founder pointed out that, although recovering related assets is difficult, the core responsibility is to protect user rights, and detailed compensation plans will be announced soon.
This incident once again warns the DeFi industry: as assets become increasingly nested across protocols, every weak link in the "Lego structure" could trigger a systemic collapse. The market needs stricter risk controls, more conservative security frameworks, and more cautious cross-chain configuration strategies—otherwise, the next loss could far exceed $292 million.