I just read a very interesting analysis from Ripple's emeritus CTO about what happened with Kelp DAO. David Schwartz touched on a point that many in the community are not considering enough.

The underlying issue is not simply that there was a vulnerability in the code, but something deeper: most DeFi bridges are equipped with quite robust security mechanisms, but it turns out no one uses them. It sounds strange, but it’s true. Developers of these bridges often advise against enabling the most secure layers because they complicate operations.

In the specific case of Kelp DAO, the attack occurred three days ago, draining approximately 116,500 rsETH through the rsETH bridge. On-chain analysis showed that it all traces back to a private key leak that allowed the attacker to manipulate the system. This is where Ripple’s CTO makes his key observation: Kelp DAO probably chose a minimal security setup, discarding critical LayerZero functions that could have prevented all this.

The numbers are staggering: $292 million simply disappeared. But what really caught my attention is that the CTO points out this was preventable. The irony is that systems are designed to be secure, but convenience and operational complexity end up winning.

It’s a reminder that in DeFi, sometimes the risk doesn’t come from poor design, but from operational decisions that prioritize ease over security. Something to keep in mind when evaluating any protocol.