What do technical experts think about the Kelp DAO hacking incident?
Author: Grvt Deep Research Institute
In the early morning of April 19, Kelp DAO’s LayerZero-based rsETH cross-chain bridge was compromised, with 116,500 rsETH flowing out from the mainnet OFTAdapter without any corresponding burn records, valued at approximately $292 million at the time. Within an hour, Kelp urgently executed pauseAll, but the attacker subsequently launched two more attacks. Had the contract not been paused, the total loss could have approached $391 million.
Less than a day after the incident, Aave froze the rsETH and wrsETH markets. Key pools reached 100% utilization, making it difficult for users to withdraw ETH, WETH, and even USDT and USDC. At least nine protocols triggered emergency responses in succession. This is the largest single loss recorded in DeFi in 2026; three weeks earlier, Drift Protocol had suffered a $285 million attack. Together, these two incidents raise an issue the industry can no longer avoid: are the current security management frameworks in DeFi sufficient to handle today’s threats?
How did the attack happen
To understand this incident, we need to first understand Kelp’s cross-chain architecture.
Kelp uses LayerZero’s OFT standard deployment. The mainnet holds the minting and redemption rights for rsETH through the OFTAdapter contract, while over 20 Layer 2s are mapped via standard OFT contracts. Cross-chain transfers do not produce wrapped versions; instead, they rely on a 1:1 debit-credit settlement mechanism—burn on Layer 2 triggers release on the mainnet, and lock on the mainnet triggers minting on Layer 2.
The core entry point of this mechanism is lzReceive, which theoretically only accepts cross-chain messages verified by LayerZero. In this attack, the attacker bypassed this verification logic, forging a message with no corresponding source chain burn record, directly triggering the mainnet Adapter to release reserves. No source debit was made, but credit was issued on the target end. Omnichain supply conservation was broken at this moment.
Cyvers CTO Meir Dolev later compared this attack to: “The vault is fine, the guards are honest, the lock is working properly. The lie is whispered directly to the one person who can open the door.” This metaphor accurately describes the core issue—it’s not a system design flaw, but a single trust node in the verification chain that can be compromised.
Expert opinions: a predictable structural failure
Kelp chose the weakest security configuration allowed by LayerZero: 1/1 DVN, meaning cross-chain messages only require a single validator signature to pass.
Shalev Keren, co-founder of cryptography security firm Sodot, directly pointed out in an interview that this is “a single point of failure, no matter how marketing spins it.” He further explained that a single compromised validator is enough to drain funds from the bridge, and this architectural flaw cannot be fixed through any audit or security review. The only solution is to “remove unilateral trust from the architecture itself.”
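As an added illustration (constructed for this article, not Kelp’s or LayerZero’s code), the following model captures the two points above: a lock/release adapter that accepts a cross-chain message only when every required verifier (DVN) has attested to it, and a defender-side monitor that flags any mainnet release with no matching source-chain burn. The DVN ids, burn references and amounts are hypothetical; with a single required DVN, one compromised verifier is enough to pass an unbacked release, while a two-DVN requirement rejects it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed model of a lock/release bridge adapter guarded by N-of-N
# verifier (DVN) attestations, plus an off-chain supply-conservation check.
# Not Kelp's or LayerZero's code; names and amounts are hypothetical.

@dataclass(frozen=True)
class Message:
    burn_tx: Optional[str]          # source-chain burn reference, None if forged
    amount: int
    attestations: FrozenSet[str]    # ids of DVNs that signed the message

@dataclass
class Adapter:
    required_dvns: FrozenSet[str]   # a single id models a 1/1 DVN config
    reserve: int
    released: int = 0
    def lz_receive(self, msg: Message) -> bool:
        # Release only if every required DVN attested. With a single
        # required DVN, one compromised verifier passes a forged message.
        if not self.required_dvns <= msg.attestations or msg.amount > self.reserve:
            return False
        self.reserve -= msg.amount
        self.released += msg.amount
        return True

class SupplyMonitor:
    """Defender-side check: each mainnet release must match an observed L2 burn."""
    def __init__(self) -> None:
        self.burns: Dict[str, int] = {}   # burn_tx -> amount seen on the L2
        self.unbacked = 0                 # released value with no matching burn
    def record_burn(self, burn_tx: str, amount: int) -> None:
        self.burns[burn_tx] = amount
    def record_release(self, msg: Message) -> None:
        if msg.burn_tx is None or self.burns.get(msg.burn_tx) != msg.amount:
            self.unbacked += msg.amount   # omnichain supply conservation broken
    def conserved(self) -> bool:
        return self.unbacked == 0

def run_scenario(required: FrozenSet[str], compromised: str):
    """Return (amount released, supply conserved?) for a given DVN requirement."""
    adapter, monitor = Adapter(required, reserve=1_000), SupplyMonitor()
    monitor.record_burn("burn-1", 100)                     # legitimate L2 burn
    legit = Message("burn-1", 100, required)                # all required DVNs sign
    forged = Message(None, 500, frozenset({compromised}))   # only the bad DVN signs
    for msg in (legit, forged):
        if adapter.lz_receive(msg):
            monitor.record_release(msg)
    return adapter.released, monitor.conserved()
```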
More importantly, this is not a blind spot that can only be discovered after the fact. As early as January 2025, a development team explicitly warned on the Aave governance forum that Kelp should expand to multi-validator verification. Fifteen months later, the second validator was never added.
LayerZero later stated that they had repeatedly urged Kelp to upgrade to multi-validator configuration and announced they would stop approving messages for applications still using a single validator. But this statement also raises questions: if the risk was known, why didn’t the protocol layer take stronger measures earlier, instead leaving the decision entirely to the application layer?
The ongoing debate over “protocol responsibility” versus “application responsibility” remains unresolved. Grvt Blockchain Lead Haoze Qiu told the media: “Kelp DAO accepted a bridge security configuration with too little redundancy for this amount of assets, creating a single point of failure in the verification path. Meanwhile, LayerZero also bears responsibility, because this attack involved infrastructure related to their validator stack—even if it wasn’t characterized as a core protocol vulnerability. In interconnected DeFi, users don’t care which layer is at fault; they care whether the system is robust enough to protect their assets at critical moments.”
How the contagion happened
The technical failure was only the first half of this incident. The real systemic risk unfolded in the second half of the attack.
The attacker deposited the stolen rsETH into lending platforms like Aave V3, V4, Compound V3, Euler, etc., borrowing real assets with nearly worthless collateral. On Aave alone, about $196 million was borrowed, with total debt exceeding $236 million. These collateral assets, at the moment of deposit, had their underlying mainnet reserves emptied and could not be liquidated through normal mechanisms.
Aave subsequently froze the affected markets, causing liquidity to dry up and triggering a withdrawal wave exceeding $10 billion. Fluid also froze the rsETH market, Upshift paused two of its vaults, Lido Earn suspended deposits due to exposure to rsETH via earnETH, and Ethena prudently paused its LayerZero OFT bridge for about six hours.
This contagion reached so many densely connected protocols within hours not because a single protocol’s risk controls failed, but as a direct result of the over-aggregation of LRTs as collateral. Staking, re-staking, cross-chain deployment, borrowing against the result: each added layer introduces another trust assumption. When the underlying reserves are emptied, the entire chain comes apart.
A notable comparison is SparkLend, which had already delisted rsETH from its collateral asset list as early as January 2026. Different protocols reached vastly different risk assessments of LRTs, and this divergence itself indicates that the industry has not yet reached a consensus on the systemic risks of LRT-like assets.
Attribution controversy: what we know and what we don’t
LayerZero attributed the attack to TraderTraitor, a subunit of North Korea’s Lazarus Group, and pointed out that previous attacks on the Axie Infinity Ronin Bridge and WazirX were also linked to this organization.
However, Cyvers’ independent analysis explicitly does not follow the same attribution conclusion. Dolev stated that some attack patterns share similarities in complexity, scale, and coordination with known DPRK operations, but no wallets have yet been conclusively linked to the organization.
The malicious node software used by the attacker automatically deleted binaries and logs after the attack, making post-incident forensic analysis extremely difficult.
The fact that two security agencies reached different conclusions on the same incident highlights a fundamental problem: the DeFi industry lacks systematic cooperation mechanisms for attack attribution and intelligence sharing. Who launched the attack is important, but understanding how it was meticulously planned and executed, and how the industry can collectively improve threat detection, is a more valuable focus.
How should security management evolve
Since this incident, several levels of discussion have emerged within the industry, deserving serious consideration.
At the protocol design level, allowing a single-validator configuration as a default option is itself a risk exposure. LayerZero’s announcement that it will stop approving messages for single-validator applications is a late but necessary tightening. The more fundamental question is: what thresholds and mandatory mechanisms should the protocol layer set when it allows the application layer to make security downgrade decisions?
At the collateral risk management level, lending protocols need stricter due diligence standards for whitelisting LRT-like assets. Security configurations of cross-chain bridges, auditability of underlying assets’ reserves, and feasibility of liquidation in extreme cases—these dimensions have historically relied more on protocol self-reporting than independent verification. SparkLend’s delisting of rsETH three months prior shows that cautious assessment is possible, but requires willingness to accept short-term TVL loss. For platforms connecting user funds to DeFi protocols, the same logic applies: continuous monitoring, rapid judgment, and proactive adjustment of exposure before uncertainty turns into loss. Grvt took this approach in this incident, quickly adjusting related DeFi exposure upon detecting market pressure to protect user funds from liquidity crises.
At the operational security level, the Drift supply chain infiltration and Kelp’s premeditated attack demonstrate that high-risk attack actions are not only on-chain. Key management, internal operational procedures, third-party security audits—all need to be incorporated into the formal security framework, not left in the “best engineering practices” gray area.
At the industry collaboration level, the ongoing attribution disagreements reveal that on-chain intelligence sharing and standardization are still lagging. Security firms, protocol teams, and infrastructure providers need more systematic information-sharing mechanisms, rather than each releasing its own analysis report after the fact.
Conclusion
In the first four months of 2026, DeFi attack losses have approached one billion dollars. Drift and Kelp together contributed two incidents exceeding $280 million, less than three weeks apart.
This is not a probabilistic black swan, but a clear industry signal: the threat models assumed by existing security frameworks can no longer cover the actual attack surface faced today.
The evolution of DeFi security management is not a problem that any single protocol can solve alone. It requires protocol designers, infrastructure layers, lending platforms, and security researchers to recalibrate risk assumptions in their respective domains and find ways to collectively enhance the resilience of the entire ecosystem.
This conversation has only just begun.