Exclusive interview with SlowMist: The Kelp DAO rsETH × LayerZero incident is a concentrated outbreak of systemic risk in the DeFi Lego structure system
Interviewer: Techub News
Interviewee: SlowMist Security Team
II. Opening and Problem Statement
Techub News Interview Question 1: Please define this Kelp DAO rsETH × LayerZero event in one sentence. Is it a single-point incident or a landmark event indicating systemic risk in DeFi in 2026?
This is one of the most serious DeFi security incidents so far in 2026, and also a concentrated outbreak of systemic risk. It’s not just a contract being hacked; the cascade risk of the three-layer architecture—LRT (liquidity re-staking tokens), cross-chain bridges, and lending protocols—was simultaneously breached—single-point DVN (Decentralized Validation Network) configuration failure ultimately caused losses to spread from Kelp to Aave and multiple protocols holding rsETH.
Follow-up: If you had to label it,
It should be “a problem with the entire DeFi layered structure.” The cross-chain bridge issue is the fuse, but rsETH being accepted unconditionally as collateral by protocols like Aave, and the lack of risk controls against “forged minting sources”—this is the result of multiple trust assumptions failing at once.
III. Background Context
Techub News Interview Question 2: Was this caused by a code vulnerability or a deeper trust configuration problem?
The fundamental issue here isn’t that the code was written incorrectly. LayerZero’s protocol itself has no vulnerabilities, and the rsETH contract logic was not directly exploited.
What was truly breached was the trust configuration of the cross-chain verification mechanism—Kelp’s rsETH OApp on LayerZero adopted a 1/1 DVN configuration, meaning the security of the entire cross-chain path relied solely on LayerZero Labs’ own operated single DVN node. Once this node was deceived (not “hacked”), forged messages could pass unimpeded.
This is essentially a “single point of trust” problem, not a “single code vulnerability” issue.
Techub News Follow-up: If future security audits only focus on contract code, will that be enough?
Absolutely not. This incident shows that audits must expand from “contract code itself” to “cross-chain parameter configurations, DVN selection strategies, and trust dependency chains.” An audit report that only examines Solidity code cannot reveal how fragile the protocol is at the cross-chain layer.
IV. Timeline Review: T-10 hours
Techub News Interview Question 3: When did the attacker first leave traces? What happened around T-10 hours?
From on-chain behavior, the attacker conducted thorough preparatory work before executing the core attack—including preparing gas funds via mixers and pre-scouting target chains. This deliberate pacing is typical of professional attack teams, not opportunistic actions after discovering a vulnerability.
LayerZero’s official announcement states that the attacker had prior access to the RPC node list relied upon by their DVN, and successfully infiltrated nodes on two independent clusters, replacing the binary files running op-geth. All these preparations were quietly completed before the attack.
Techub News Follow-up: Can this premeditated approach be identified as characteristic of APT (Advanced Persistent Threat) tactics?
LayerZero attributes this attack to Lazarus Group (TraderTraitor branch), a North Korean state-sponsored APT organization. The attacker’s preparation—obtaining Gas sources in advance, using mixers to evade on-chain tracing, designing attack chains to return forged data only to targeted DVN IPs and normal data elsewhere, and self-destructing malicious binaries after the attack—is highly professional and beyond the capabilities of ordinary hackers.
V. Timeline Review: T-0 Attack Occurs
Techub News Question 4: Please break down the most critical step of the attack: what exactly did the attacker do, and why did the forged message succeed?
The attack path roughly involves these steps:
Infiltrate RPC infrastructure: The attacker replaced the binary files of the RPC nodes relied upon by LayerZero Labs’ DVN on Unichain, enabling them to return forged on-chain state data to the DVN.
DDoS attack to disable normal RPCs: Launching DDoS against uncontrolled, legitimate RPC nodes, forcing the DVN requests to failover to poisoned nodes.
DVN confirms forged transactions: Based on false data returned by poisoned RPCs, the DVN “confirmed” a minting/transfer of rsETH that never actually occurred on the chain.
Endpoint execution: After LayerZero Endpoint verifies the DVN, it triggers rsETH’s OFTAdapter to release or mint rsETH on the target chain.
Exit with proceeds: The attacker uses part of the obtained rsETH to collateralize and borrow high-liquidity assets like ETH on protocols such as Aave, completing liquidation.
Techub News Follow-up 1: Is the core issue a framework problem with LayerZero or a configuration problem with Kelp?
According to LayerZero’s official statement, their protocol operated exactly as designed. The problem lies in Kelp’s choice of a 1/1 DVN configuration—LayerZero explicitly lists this as a “Don’t” in their integration documentation and proactively advised Kelp on best practices before the incident. From a responsibility standpoint, this is a risk introduced by the integration’s configuration decision, not a protocol-level vulnerability.
Techub News Follow-up 2: If they had used multiple DVNs with threshold verification, could this attack have been prevented?
Introducing a second independent DVN for verification would require the attacker to simultaneously control or deceive two separate verification nodes—significantly increasing the technical and resource costs. That’s why LayerZero later announced that their DVN will reject applications still using a 1/1 configuration.
VI. Timeline Review: T+46 minutes
Techub News Question 5: From the first breach to Kelp activating the pause mechanism, about 46 minutes passed. Is this response speed fast or slow?
Compared to many security incidents where responses take hours, 46 minutes is relatively quick in the industry. But for on-chain attacks, this window is still enough for the attacker to transfer, collateralize, and borrow large amounts of assets. The problem with DeFi is that all operations occur within block intervals, and manual intervention cannot outpace automated attack scripts.
Techub News Follow-up: Will on-chain automatic circuit breakers become truly effective in the future?
Yes. Post-incident manual responses can only mitigate damage; the real defense lies in on-chain automated mechanisms—such as anomaly minting alerts, large cross-chain transaction speed limits, and oracle deviation-triggered automatic pauses. This event should serve as a key point to promote “on-chain risk automation” in the industry.
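One shape the “large cross-chain transaction speed limit” with automatic pause described above could take, as an added Python model written for this editorial (not code from Kelp, LayerZero or SlowMist; the window, caps and inbound message amounts are constructed):

```python
from collections import deque

class MintGuard:
    """Trailing-window throttle for inbound cross-chain mints that pauses
    itself on the first breach, so later messages are rejected until a
    governance unpause. Thresholds here are constructed, not real ones."""

    def __init__(self, window_seconds: int, max_per_window: int, max_single: int):
        self.window = window_seconds
        self.cap = max_per_window
        self.max_single = max_single
        self.paused = False
        self.recent = deque()   # (timestamp, amount) of accepted mints
        self.alerts = []        # what an anomaly-minting alert would carry

    def windowed_total(self, now: int) -> int:
        while self.recent and self.recent[0][0] <= now - self.window:
            self.recent.popleft()           # drop mints outside the window
        return sum(amount for _, amount in self.recent)

    def _trip(self, reason: str) -> str:
        self.paused = True
        self.alerts.append(reason)
        return "rejected:pause-triggered"

    def on_inbound_mint(self, now: int, amount: int, msg_id: str) -> str:
        if self.paused:
            return "rejected:paused"
        if amount > self.max_single:
            return self._trip(f"{msg_id}: single mint {amount} > {self.max_single}")
        if self.windowed_total(now) + amount > self.cap:
            return self._trip(f"{msg_id}: window volume would exceed {self.cap}")
        self.recent.append((now, amount))
        return "accepted"

    def unpause(self) -> None:
        """Governance action after the pause has been investigated."""
        self.paused = False

def run_demo() -> list:
    """Constructed inbound mints (timestamp seconds, amount, id) against a
    1-hour window, 500-unit cap and 300-unit single-message limit."""
    guard = MintGuard(window_seconds=3600, max_per_window=500, max_single=300)
    feed = [(0, 50, "m1"), (60, 100, "m2"), (120, 400, "m3"), (130, 10, "m4")]
    decisions = [guard.on_inbound_mint(t, a, m) for t, a, m in feed]
    guard.unpause()   # m1/m2 have aged out by t=3700; m6+m7 breach the cap
    later = [(3700, 10, "m5"), (3710, 250, "m6"), (3720, 250, "m7")]
    decisions += [guard.on_inbound_mint(t, a, m) for t, a, m in later]
    return decisions

if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The point of the self-pause is that the first anomalous message stops the flow within the same block interval, rather than 46 minutes later.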
VII. Timeline Review: Second wave attack attempt fails
Techub News Question 6: The attacker made several subsequent attempts that failed. What does this indicate?
It shows that the attacker’s goal was not just the $290 million loss but to clear out as much cross-chain rsETH as possible. The subsequent transactions were reverted, indicating Kelp’s pause mechanism worked at the last moment to prevent potentially larger losses.
Follow-up: If the project team had delayed 10-20 minutes, would the losses have increased significantly?
Likely yes. The attacker still had a window of opportunity before the DVN was repaired. The effectiveness of the pause mechanism directly determines the loss ceiling. The $290 million loss was already huge, but based on attacker behavior patterns, if not interrupted, the total could have been even higher.
VIII. Timeline Review: Aave’s collateral damage
Techub News Question 7: After the attacker stole assets, why did they “also exploit Aave”? How did this “trap” happen?
Lending protocols cannot distinguish on-chain between “normal minting of rsETH” and “forged cross-chain messages.” To Aave, it’s just a standard ERC-20 token and on-chain price data. The attacker deposited the anomalously obtained rsETH as collateral, borrowed ETH and other high-liquidity assets, then exited, leaving bad debt that cannot be covered.
Techub News Follow-up 1: Does this expose Aave’s risk controls or an over-trust in external asset authenticity?
Both, but more fundamentally, it’s an over-trust issue. Lending protocols set collateral ratios based on historical volatility and market cap, but cannot verify whether the asset’s issuance source is contaminated. This is a trust transfer problem across protocols, requiring industry-wide solutions—not just parameter tuning of individual protocols.
Techub News Follow-up 2: Should future lending protocols redefine “high-quality collateral”?
Yes. Especially for cross-chain synthetic assets, there’s a fundamental gap between “being priced on-chain” and “truly high-quality collateral.” Future mechanisms may include cross-chain source verification and issuance anomaly monitoring as prerequisites for accepting LRT assets.
IX. Structural assessment: Systemic risk of DeFi layered structure
Techub News Question 8: Is this the first time the full risk of the “LRT + cross-chain bridge + lending protocol” layered structure has been exposed?
Yes, this is the most direct demonstration so far of the composability risk in DeFi. Previously, we discussed “a bug in a single protocol”; now, it’s exposed that when multiple protocols form a dependency chain through assets, failure in any link can propagate along the value flow, causing cascade collapses.
Techub News Follow-up: Can we say “DeFi appears decentralized on the surface but relies heavily on a few highly centralized verification points”?
That’s quite accurate. The core issue here is that Kelp’s entire cross-chain security depends on LayerZero Labs’ own operated single DVN, which in turn relies on a small number of RPC nodes—forming a very short trust chain. “Decentralized protocols” in some critical parts actually involve highly centralized trust assumptions, often hidden in documentation rather than visible to users.
X. Technical deep dive: What exactly is a DVN?
Techub News Question 9: Please explain DVN in simple terms, and why does a 1/1 configuration become a fatal vulnerability?
Think of a DVN as a “notary” for cross-chain messages. When a user transfers assets from chain A to chain B, LayerZero doesn’t directly trust chain A’s state. Instead, it requires a DVN (decentralized verification network) to independently verify “this transaction indeed happened on chain A,” then relay that proof to chain B.
A 1/1 configuration means only one notary is hired, and their word is final. If this notary is deceived, bribed, or provides false information, the entire verification becomes meaningless—no second independent voice to say “wait, I see the same.” This is the essence of a single point of failure.
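To make the notary analogy concrete, and to show why the earlier answer on multiple DVNs with threshold verification holds, here is an added Python model written for this editorial (not code from SlowMist, LayerZero or Kelp). One DVN reads a poisoned RPC view that contains a receipt which never existed on chain; message ids, amounts and DVN names are constructed.

```python
from dataclasses import dataclass

# Constructed sample data (not from the incident): receipts that really
# exist on the source chain, keyed by cross-chain message id.
TRUE_RECEIPTS = {"msg-1": {"amount": 100, "to": "alice"}}

# A poisoned RPC view serves the genuine receipts plus one that never
# happened on chain; a DVN reading only this view cannot tell them apart.
POISONED_VIEW = dict(TRUE_RECEIPTS)
POISONED_VIEW["msg-2"] = {"amount": 90_000, "to": "mallory"}

@dataclass
class DVN:
    """Attests a message when the RPC view it relies on shows a matching
    receipt. Its logic is correct; only the data it is fed may be wrong."""
    name: str
    view: dict

    def attest(self, msg_id: str, amount: int, to: str) -> bool:
        return self.view.get(msg_id) == {"amount": amount, "to": to}

@dataclass
class Endpoint:
    """Destination-side check: the message is executed (tokens minted)
    only when at least `required` of the configured DVNs attest to it."""
    dvns: list
    required: int

    def verify(self, msg_id: str, amount: int, to: str) -> bool:
        votes = sum(dvn.attest(msg_id, amount, to) for dvn in self.dvns)
        return votes >= self.required

def verdicts(endpoint: Endpoint) -> dict:
    """Run the genuine and the forged message through one configuration."""
    return {"genuine": endpoint.verify("msg-1", 100, "alice"),
            "forged": endpoint.verify("msg-2", 90_000, "mallory")}

poisoned = DVN("operator-dvn", POISONED_VIEW)   # reads the poisoned RPCs
independent = DVN("second-dvn", TRUE_RECEIPTS)  # separate infrastructure

CONFIGS = {
    "1/1 (single DVN)": Endpoint([poisoned], required=1),
    "1/2 (either suffices)": Endpoint([poisoned, independent], required=1),
    "2/2 (both must agree)": Endpoint([poisoned, independent], required=2),
}

def compare_configs() -> dict:
    """Verdict per configuration: only a threshold that exceeds the number
    of DVNs sharing the poisoned view rejects the forged message."""
    return {name: verdicts(ep) for name, ep in CONFIGS.items()}

if __name__ == "__main__":
    for name, v in compare_configs().items():
        print(f"{name}: genuine={v['genuine']} forged={v['forged']}")
```

Note that adding a second DVN is not enough on its own: a 1-of-2 setting still executes the forged message, because the threshold, not the DVN count, is what the independent verifier must be able to block.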
Techub News Question 10: Why isn’t an audit enough?
Traditional security audits focus on whether the code logic works as intended and whether known vulnerabilities exist. But the problem here lies outside the code—at the “runtime parameter configuration” layer: who verifies, how many verifiers, and what if verifiers fail?
The industry needs to shift from “code audit” to “system audit,” including cross-chain dependency audits, governance permission audits, critical infrastructure dependency assessments, and most importantly—stress testing “what happens if an external component fails.”
Follow-up: Should configuration audits become mandatory?
Yes, especially for cross-chain protocols using infrastructure like LayerZero or Wormhole. DVN configurations, executor parameters, etc., should be part of formal audits, with clear disclosures of the security assumptions and worst-case scenarios.
XI. Industry perspective: Tracking, loss mitigation, and collaboration
Techub News Question 11: From SlowMist’s perspective, what are the first steps after a major attack?
Typically, we initiate several actions simultaneously:
On-chain tracing and attacker profiling: Track fund flows, identify attacker’s on-chain identity features, historical behavior, and whether mixers were used, to build attacker profiles.
Exchange cooperation: Issue asset alerts to major centralized exchanges, monitor and blacklist involved addresses to prevent withdrawal via KYC channels.
Risk alerts: Push threat lists to DeFi protocols, wallets, and ecosystem participants to help cut off attacker’s subsequent operations.
White-hat negotiation channels: In some cases, establish communication with attackers, offer reasonable “bounty retention” conditions, and encourage partial fund restitution.
Follow-up: Are funds pre-mixed or anonymized, and what’s the chance of recovery?
Frankly, if the attacker is Lazarus Group level, the chance of fully recovering on-chain funds is very low—they have mature fund splitting and mixing processes. The most practical current effort is to establish faster cross-exchange asset freezing cooperation and push for legal enforcement in jurisdictions with on-chain evidence—these are the weakest links, and technology is no longer the main bottleneck.
XII. User perspective: Should ordinary users still participate in DeFi?
Techub News Question 12: Seeing this incident, do ordinary users still dare to participate in DeFi?
DeFi can still be participated in, but risk awareness and participation methods need adjustment. Key recommendations:
Control your positions—don’t stake large assets in highly complex “cross-chain + re-staking + lending” products—more layers mean more risk accumulation, not reduction.
Prioritize transparency—choose protocols that regularly publish security reports, governance permissions, rather than only looking at “APY.”
Understand what your assets are: rsETH is not ETH; it’s a cross-chain synthetic asset whose value depends on the proper operation of an entire trust chain.
Techub News Follow-up 1: What should ordinary users avoid most?
A good rule of thumb: if you can’t clearly explain in one sentence “where my assets are, who holds them, and what happens if a part fails,” then that risk shouldn’t constitute a large part of your holdings.
Techub News Follow-up 2: Should “audit existence” be replaced with more specific questions?
Yes. “Has it been audited” was a standard in 2020. Today, at minimum, ask: Does the audit cover cross-chain configurations? How many DVNs are there? How many signers in multi-sig governance, and who are they? These should be standard disclosures, not hidden details buried in documentation.
XIII. The AI era: Can DeFi still survive?
Techub News Question 13: In the AI era, does DeFi still have a future?
DeFi’s future not only exists but could see a genuine upgrade in security infrastructure through AI. But this future belongs not to protocols still relying on “complex yield structures” to attract users, but to those that first adopt the following capabilities:
AI-driven real-time on-chain risk control: Automatically detect abnormal minting, unusual fund flows, and cascade risk signals across protocols.
On-chain insurance and automatic compensation: Shift security from “post-incident accountability” to “mid-incident safeguards.”
Intelligent risk agents: Continuously monitor individual user risk exposures and automatically rebalance or exit when thresholds are triggered.
Techub News Follow-up 1: Will AI make attacks faster?
Yes. AI can be used to automatically scan for on-chain vulnerabilities, generate optimal attack paths, and accelerate off-chain reconnaissance. Both attack and defense will be AI-accelerated, meaning defenders can no longer rely solely on “manual discovery” as the last line of defense.
Techub News Follow-up 2: Will AI push the industry to treat security as a core product capability rather than a cost?
That’s the most promising structural change. Previously, security was a “regulatory compliance cost.” As users start to prioritize “security transparency” and “AI risk control capabilities” when choosing protocols, security will become a differentiator. This incident has accelerated that shift.
XIV. Final words
Techub News Question 14: Please give one sentence each to: ordinary users, entrepreneurs, and the industry.
To ordinary users: Don’t treat cross-chain synthetic assets as risk-free—every extra percentage point of yield behind them relies on unseen trust assumptions.
To entrepreneurs: Security budget isn’t an optional add-on after product launch; it’s a prerequisite for survival in the real market.
To the industry: DeFi isn’t dead; what we need isn’t more complex yield mechanisms, but more honest risk disclosures.