$292 million KelpDAO cross-chain bridge stolen: Who should pay for this
Original author: Lawyer Yi Haotian
On April 18, 2026, an attacker stole 116,500 rsETH from KelpDAO’s cross-chain bridge within 46 minutes, worth approximately $292 million. This is the largest DeFi security incident of 2026 so far. The stolen tokens were immediately deposited into lending protocols like Aave V3 as collateral, lending out about $236 million worth of ETH, causing $177 to $200 million in bad debt on the Aave platform, triggering a chain reaction affecting more than nine DeFi protocols, and causing Aave’s total value locked (TVL) to evaporate by roughly $6 billion overnight.
The details of the incident have been widely reported; this article will not reiterate them. In fact, the author himself has several tens of thousands of dollars stuck and unable to withdraw… which gives him strong motivation for this research. The focus of this article is a different question: from a civil legal perspective, who should bear responsibility? Can victims truly obtain compensation?
The answer is much more complex than the initial mutual accusations within the crypto community. Through systematic analysis of the applicable legal framework, I believe: KelpDAO and LayerZero Labs bear joint fault liability (concurrent liability), roughly in proportion: KelpDAO 60% / LayerZero 40%; meanwhile, the liability caps in the terms of service of both protocols are almost certainly unenforceable.
Core liability issue: two failures, one attack
Discussions around this attack always start with the same debate: is it KelpDAO’s fault (choosing a 1-of-1 DVN configuration), or LayerZero’s fault (its operated DVN RPC infrastructure was poisoned)?
The answer is: both are responsible.
(1) What did KelpDAO do wrong?
LayerZero’s cross-chain messaging protocol uses a decentralized verifier network (DVN) to verify whether messages sent from one blockchain to another are authentic. The protocol is designed to be highly flexible: each application deployed on LayerZero can choose how many DVNs must reach consensus before trusting a message. LayerZero’s own documentation recommends at least a 2-of-3 configuration, meaning at least two out of three independent validators must confirm the message before acceptance.
KelpDAO chose the absolute minimum configuration: 1-of-1. One validator. Zero fault tolerance.
This means anyone who can compromise, deceive, or manipulate this single validator can forge any cross-chain message, including one instructing the bridge to release all rsETH reserves to the attacker’s address. And that is exactly what happened.
It’s quite absurd: KelpDAO’s bridge locks about $1.6 billion across more than twenty blockchain networks. The protocol chose a single point of failure (SPOF) to protect these assets, akin to using one lock to secure a bank vault, despite the manufacturer explicitly recommending at least a three-lock system.
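To make the fault-tolerance point concrete, here is an added example (not code from the article, KelpDAO or LayerZero) with a deliberately simplified model of M-of-N verifier quorum: each verifier attests a cross-chain message only if its own view of the source chain contains the claimed transaction, and the application accepts the message once a configured threshold of verifiers attest. Verifier names, transaction hashes, the forged withdrawal and the "poisoned view" are all constructed; the real LayerZero configuration has more structure than a single threshold.

```python
"""Added example: a toy M-of-N DVN quorum model showing why 1-of-1 has zero
fault tolerance while 2-of-3 survives one deceived verifier. All data is
constructed for illustration; this is not LayerZero's actual verification code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A cross-chain message: 'release `amount` rsETH to `recipient`' (constructed)."""
    src_tx: str
    recipient: str
    amount: int


class Verifier:
    """A DVN that attests a message only if the source tx appears in its own
    view of the source chain (whatever its RPC infrastructure told it)."""

    def __init__(self, name: str, chain_view: dict):
        self.name = name
        self.chain_view = chain_view  # tx hash -> Message as this verifier sees it

    def attests(self, msg: Message) -> bool:
        return self.chain_view.get(msg.src_tx) == msg


def verify_message(verifiers, threshold: int, msg: Message):
    """Accept iff at least `threshold` of `verifiers` attest to `msg`.
    Returns (accepted, names_of_attesting_verifiers)."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must lie between 1 and the number of verifiers")
    attesting = [v.name for v in verifiers if v.attests(msg)]
    return len(attesting) >= threshold, attesting


# Constructed chain views: the real chain holds one legitimate transfer; a
# deceived verifier's view additionally contains a forged withdrawal.
LEGIT = Message("0xaaa", "0xAlice", 10)
FORGED = Message("0xfff", "0xAttackerAddr", 116_500)
REAL_CHAIN = {LEGIT.src_tx: LEGIT}
POISONED_VIEW = {**REAL_CHAIN, FORGED.src_tx: FORGED}


def build_verifiers(deceived: set, count: int):
    names = ["dvn-A", "dvn-B", "dvn-C"][:count]
    return [Verifier(n, POISONED_VIEW if n in deceived else REAL_CHAIN) for n in names]


def forged_accepted(threshold: int, count: int, deceived: set) -> bool:
    """Does a `threshold`-of-`count` config accept the forged message when the
    verifiers in `deceived` have been fed a poisoned chain view?"""
    ok, _ = verify_message(build_verifiers(deceived, count), threshold, FORGED)
    return ok


def legit_accepted(threshold: int, count: int, deceived: set) -> bool:
    ok, _ = verify_message(build_verifiers(deceived, count), threshold, LEGIT)
    return ok


if __name__ == "__main__":
    print("1-of-1, one deceived :", forged_accepted(1, 1, {"dvn-A"}))            # True
    print("2-of-3, one deceived :", forged_accepted(2, 3, {"dvn-A"}))            # False
    print("2-of-3, two deceived :", forged_accepted(2, 3, {"dvn-A", "dvn-B"}))   # True
```

The model shows the article's point directly: under 1-of-1 a single deceived verifier suffices to forge a release, whereas under 2-of-3 an attacker must deceive two independent verifiers, and the configuration still accepts legitimate traffic while one verifier is compromised.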
Under traditional tort law, this analysis is straightforward. The Restatement (Second) of Torts defines negligence as conduct that falls below the standard of care established by law to protect others from unreasonable risks of harm. For professional actors, such as protocol operators managing billions of dollars in user assets, this standard of care undoubtedly applies, and it is elevated to the level of skill and knowledge generally possessed by industry practitioners.
The classic risk-utility analysis by Judge Learned Hand in the “Carroll Towing Co.” case states: if the cost of prevention (B) is less than the probability of harm (P) times the magnitude of harm (L), then failure to take preventive measures constitutes negligence. In other words, negligence exists when B < P×L.
In this case, the inequality is clear:
P (probability): Cross-chain bridge attacks are among the most common and damaging attack types in DeFi. Incidents like Wormhole ($320 million, 2022), Ronin ($625 million, 2022), Nomad ($190 million, 2022), and Drift Protocol ($285 million, April 1, 2026, just 17 days before this attack) demonstrate that bridge security is a known, active threat.
L (damage scale): Direct loss of $292 million, plus chain reactions causing hundreds of millions in bad debt downstream.
B (prevention cost): Changing the bridge’s DVN configuration from 1-of-1 to 2-of-3. Additional costs: minimal validation delay (a few seconds) and DVN fees, negligible relative to the assets protected.
No rational protocol operator could defend using a 1-of-1 configuration for assets of this scale. Prevention costs are minimal, but the expected damage is catastrophic.
Industry practices provide important reference: SparkLend’s LTV for rsETH is 72%, Fluid’s is about 75%, both well below Aave’s 93%. This conservative stance likely reflects the industry’s awareness of rsETH’s underlying bridging risks. If even lending protocols are cautious about rsETH bridge risks, then as the bridge operator itself, KelpDAO should have adhered to higher safety standards. Yet, the opposite happened: the bridge operator chose the lowest security configuration.
Another important defense is the on-chain transparency argument. The 1-of-1 DVN configuration is publicly verifiable on-chain; any technically capable user can query the LayerZero EndpointV2 contract to verify the bridge’s security parameters. KelpDAO might argue that since the configuration is public, users have the opportunity (and responsibility) to assess the bridge’s security before depositing assets. This constitutes an assumption of risk defense (fact-based), different from contractual waiver clauses (to be analyzed in Part Two). The strength of this defense depends on how courts view the reasonableness of DeFi users: can ordinary DeFi users be expected to review the DVN configuration before depositing? For institutional users and high-tech “whales,” this may be effective; for retail users, its persuasive force diminishes significantly.
(2) What did LayerZero do wrong?
But KelpDAO’s configuration choice alone is insufficient to cause the loss. The attack also required deceiving LayerZero’s DVN into signing off on a transaction that never occurred. It is precisely at this step that LayerZero’s legal risk becomes clear.
According to a detailed analysis by the well-known blockchain security firm SlowMist, this attack was not a breach of DVN keys nor an exploitation of LayerZero’s protocol logic. The attacker targeted the upstream data sources of the DVN: the RPC nodes LayerZero uses to read blockchain state.
The attack was executed in five steps:
The attacker obtained the list of RPC nodes used by LayerZero’s DVN.
The attacker compromised two independent RPC node clusters, replacing legitimate op-geth binaries with trojanized versions.
The trojanized binaries used selective spoofing: they returned fake data only to requests from DVN IP addresses. All other IPs, including LayerZero’s own monitoring services, received real data. This IP-based selective response made poisoning completely invisible to normal monitoring.
The attacker launched DDoS attacks on the un-compromised RPC nodes, forcing the DVN to fail over to the poisoned nodes.
After forging the verification, the malicious binary self-destructed and erased all logs, eliminating forensic evidence.
This is critical: LayerZero operates this DVN. It is not a passive software library deployed by KelpDAO. LayerZero actively runs the verification infrastructure, choosing RPC providers, configuring failover logic, and signing verification proofs. When the DVN reads falsified on-chain state from poisoned RPC nodes and signs off on a non-existent transaction, it is LayerZero’s infrastructure that has failed.
Moreover, this attack vector is not new. As Cos (the founder of SlowMist) pointed out: “RPC poisoning attacks are old tricks; exchanges have experienced them years ago.”
Under the Restatement (Second) of Torts, a party must recognize the risks that a reasonable person in its position would recognize. RPC poisoning is a well-documented attack category in the blockchain security community. A responsible infrastructure provider operating a DVN to protect billions of dollars in cross-chain assets should have already implemented countermeasures, such as:
a) Cross-validating RPC nodes from multiple independent providers and geographic locations;
b) Implementing cross-checks among RPC nodes to detect data inconsistencies;
c) Monitoring for IP-based selective response patterns;
d) Strengthening failover logic to prevent fallback to untrusted nodes under DDoS pressure;
e) Implementing anomaly detection on verification requests (e.g., flagging unusually large transfers).
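The following is an added example (not code from the article, LayerZero or SlowMist) sketching countermeasures a), b), d) and e) from the defender's side: a verifier reads a transaction receipt from several independent RPC providers, requires a quorum of identical answers, refuses to fall back to a lone remaining node when the others are unreachable, and flags unusually large transfers for review. It also shows the weak "first provider that answers" failover pattern beside the fail-closed version. Provider names, receipts, thresholds and the poisoned view are all constructed.

```python
"""Added example: cross-validated, fail-closed RPC reads for a verifier, beside the
naive failover it replaces. All providers, receipts and thresholds are constructed;
this is not LayerZero's DVN code."""

from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Receipt:
    """What an RPC provider reports for a source-chain transaction (constructed)."""
    tx: str
    block_hash: str
    to: str
    amount: int  # rsETH units


class ProviderDown(Exception):
    """Raised when a provider does not answer (models DDoS or outage)."""


class RpcProvider:
    """Stand-in for one RPC endpoint. `view` is the chain state it reports; a
    poisoned provider is simply one whose `view` differs from the real chain."""

    def __init__(self, name: str, view: dict, up: bool = True):
        self.name, self.view, self.up = name, view, up

    def get_receipt(self, tx: str) -> Optional[Receipt]:
        if not self.up:
            raise ProviderDown(self.name)
        return self.view.get(tx)


def naive_failover(providers, tx: str) -> Optional[Receipt]:
    """The weak pattern: trust the first provider that answers, whatever it says."""
    for p in providers:
        try:
            return p.get_receipt(tx)
        except ProviderDown:
            continue
    raise ProviderDown("all providers down")


def cross_validated_read(providers, tx: str, min_agree: int = 2, review_above=None):
    """Fail-closed read: accept only when at least `min_agree` providers return the
    same receipt. Unreachable providers never lower the bar, so a DDoS cannot force
    a fallback to a single (possibly poisoned) node.
    Returns (verdict, reason, disagreement_seen)."""
    if min_agree < 2:
        raise ValueError("min_agree below 2 is a single-source configuration")
    answers = {}
    for p in providers:
        try:
            answers[p.name] = p.get_receipt(tx)
        except ProviderDown:
            continue  # counts as no vote, not as a reason to relax the quorum
    if len(answers) < min_agree:
        return "REJECT", "fewer reachable providers than quorum", False
    tally = Counter(answers.values())
    receipt, votes = tally.most_common(1)[0]
    disagreement = len(tally) > 1  # worth alerting on even when quorum is reached
    if votes < min_agree:
        return "REJECT", "providers disagree", disagreement
    if receipt is None:
        return "REJECT", "quorum does not see the transaction", disagreement
    if review_above is not None and receipt.amount > review_above:
        return "REVIEW", "amount above anomaly threshold", disagreement
    return "ACCEPT", "quorum agrees", disagreement


# Constructed chain views: two real transfers; the poisoned provider also "sees"
# a forged 116,500 rsETH withdrawal that never happened on chain.
REAL = {
    "0xa1": Receipt("0xa1", "0xblock1", "0xAlice", 10),
    "0xa2": Receipt("0xa2", "0xblock2", "0xBob", 50_000),
}
FORGED = Receipt("0xf1", "0xblock9", "0xAttackerAddr", 116_500)
POISONED = {**REAL, "0xf1": FORGED}


def providers(honest_up=(True, True), poisoned_up=True):
    return [
        RpcProvider("provider-1", REAL, up=honest_up[0]),
        RpcProvider("provider-2", REAL, up=honest_up[1]),
        RpcProvider("provider-3", POISONED, up=poisoned_up),
    ]


if __name__ == "__main__":
    ddos = providers(honest_up=(False, False))  # honest nodes knocked offline
    print("naive failover under DDoS:", naive_failover(ddos, "0xf1"))          # forged receipt
    print("cross-validated under DDoS:", cross_validated_read(ddos, "0xf1"))    # REJECT
    print("forged, all up:", cross_validated_read(providers(), "0xf1"))         # REJECT
    print("large legit, all up:", cross_validated_read(providers(), "0xa2", review_above=20_000))
```

The two failure modes in the text map onto the two REJECT paths: when the honest nodes are unreachable the quorum check fails before any single surviving node is consulted, and when all nodes answer the poisoned one is outvoted and its disagreement is surfaced for alerting rather than silently ignored.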
Additionally, the non-delegable duty doctrine applies here. According to the Restatement (Second) of Torts, certain critical security functions cannot be fully delegated; the party undertaking the duty must ensure its proper performance. When LayerZero claims to provide high-value cross-chain transaction verification infrastructure, it cannot escape liability by pointing to RPC providers as independent contractors. LayerZero chose these providers, configured failover, and operated the nodes. Responsibility lies with the operator.
A traditional analogy is the liability of financial infrastructure operators. SWIFT, the global banking messaging network, provides a messaging backbone for banks worldwide. If SWIFT’s message verification system is compromised, leading to false transfer instructions, SWIFT cannot simply claim “no vulnerability in the protocol itself” to escape liability; it operates the verification infrastructure, and that operation carries a duty of care proportional to the value it protects. LayerZero’s role in the DeFi ecosystem is highly similar: it is not just a licensee of software; it is the operator of cross-chain message verification infrastructure.
The constructive notice effect of the Drift Protocol attack in April 2026 must also be considered. That attack, which resulted in $285 million stolen, occurred just 17 days before the KelpDAO attack. While the specific attack vectors may differ (requiring further verification), it clearly signals to the entire cross-chain infrastructure industry that high-level persistent threats (APT) are actively targeting bridge infrastructure. In this context, LayerZero, as one of the largest cross-chain messaging protocols, should have been on high alert. Failure to strengthen RPC infrastructure security after the Drift attack further supports negligence.
LayerZero’s strongest defense is the sophistication of a nation-state-level attacker. The attack combination—binary replacement, IP-based selective spoofing, DDoS, self-destruction—represents an extraordinary operational complexity, possibly approaching the level of the SolarWinds supply chain attack. Under the Restatement (Second) of Torts §302B, highly abnormal criminal interventions are beyond the scope of reasonable prevention. If courts find that the attack’s complexity exceeds what a responsible private infrastructure provider should have foreseen, LayerZero’s fault liability could be significantly reduced or even eliminated.
However, the counterargument is equally strong: as Cos pointed out, each individual component of this attack is well-known; even their combination is not entirely novel. RPC poisoning is a known technique. DDoS is a known technique. Binary replacement is a known technique. A responsible infrastructure operator should have defenses against these known threats, even if it cannot predict their specific combination.
(3) Concurrent causation and 60/40 fault sharing
This is a classic case of concurrent causation. Both KelpDAO’s 1-of-1 configuration and LayerZero’s RPC infrastructure failure are necessary conditions for the attack’s success. Removing either would cause the attack to fail:
If KelpDAO had used a 2-of-3 independent DVN (with independent RPC infrastructure), the attacker would need to compromise multiple independent verification paths, greatly increasing attack complexity and cost.
If LayerZero’s DVN had not been poisoned by RPC data deception, the 1-of-1 configuration would work normally, and no unauthorized messages would be verified.
According to the Restatement (Second) of Torts, when multiple causes jointly produce a single indivisible harm, each cause is considered a “substantial factor” in bringing about the harm, and each tortfeasor is liable. The attacker’s criminal conduct does not break the causal chain, because the single point of failure attack on the bridge is a foreseeable risk that multiple DVNs are designed to prevent.
In New York and California, the most likely jurisdictions for such litigation, pure comparative fault applies. This means each defendant’s liability is reduced proportionally to its fault, but not necessarily eliminated.
How should fault be apportioned? I estimate roughly: KelpDAO 60% / LayerZero 40%, based on three reasons:
First, KelpDAO made an active choice: despite LayerZero’s clear recommendation of at least 2-of-3, it chose 1-of-1. This is a governance decision, not a technical restriction imposed by LayerZero. The protocol had the capacity to choose higher security but did not. This active choice carries significant weight in any comparative fault analysis.
Second, the 1-of-1 configuration is the fundamental premise enabling the attack. Without it, the attacker faces a much more difficult challenge—compromising multiple independent verification paths. A multi-DVN setup with independent infrastructure creates a defense-in-depth that this attack cannot overcome.
Third, LayerZero’s responsibility cannot be zero. It operates the infrastructure that was compromised. RPC poisoning is a known attack vector. The Drift Protocol attack 17 days earlier put the entire cross-chain industry on high alert. While its “protocol not breached” defense is technically accurate at the protocol layer, it conceals the fact that LayerZero’s operational infrastructure was the direct tool of the loss.
The 40% share reflects a reality: LayerZero operated the failed infrastructure, used a known-vulnerable architecture, and did not implement standard countermeasures for documented attack categories.
Do the terms of service save them?
Both KelpDAO and LayerZero maintain terms of service (“ToS”) with extremely aggressive liability caps. KelpDAO caps total liability at the greater of the amount paid in the last twelve months or $200. LayerZero’s cap is $50. Both include standard “as-is” disclaimers and broad risk assumption clauses.
If these caps are enforceable, the entire civil liability analysis becomes moot. A $200 cap on a $292 million loss effectively immunizes KelpDAO from any meaningful recovery.
Courts are unlikely to uphold these caps. Reasons include:
(a) The principle of unconscionability
Contract law long recognizes that some clauses are so fundamentally unfair that courts refuse to enforce them. The doctrine of unconscionability, explicitly codified in the Restatement (Second) of Contracts, allows courts to rescind contracts with both procedural and substantive unconscionability.
Procedural unconscionability examines whether there was meaningful negotiation or opportunity to reject the terms. DeFi’s standard-form (adhesion) contracts are typical: presented as “accept or walk away,” with no negotiation, often buried deep in websites most users never visit. Most DeFi users interact directly with smart contracts via wallets like MetaMask, never reviewing or even seeing the full terms.
The legal distinction between “clickwrap” and “browsewrap” agreements is well established. In Specht v. Netscape, the Second Circuit held that a hyperlink to terms not prominently presented does not constitute assent. In Nguyen v. Barnes & Noble, the Ninth Circuit held that websites must provide clear notice and an opportunity to review terms; the mere presence of a link is insufficient.
DeFi interactions resemble Specht’s scenario more than Meyer v. Uber, where a conspicuous registration page with clear terms was deemed effective notice. Whether on-chain smart contract interactions constitute agreement to off-chain website terms has not been definitively decided, but existing browsewrap case law strongly disfavors enforcement absent affirmative user conduct.
Substantive unconscionability considers whether the clause is so one-sided as to “shock the conscience.” A $200 liability cap for a $292 million loss—roughly 1 in 1,460,000—is textbook substantive unconscionability. LayerZero’s $50 cap is even more extreme. In Williams v. Walker-Thomas Furniture, the court held that when one party has no meaningful choice, courts will not enforce unconscionable terms. The “gross disparity” in the exchange is direct evidence of unconscionability.
(b) The exception for gross negligence
Even if courts find the liability caps generally enforceable, they do not protect against gross negligence or willful misconduct. This is a well-established principle in New York and Delaware law.
The Restatement (Second) of Torts states that clauses exempting a party from liability for reckless or intentional misconduct are against public policy and unenforceable. The New York Court of Appeals has repeatedly confirmed that such clauses do not cover gross negligence, applying a reckless disregard standard.
Is KelpDAO’s 1-of-1 DVN configuration grossly negligent? The argument is strong. Gross negligence requires reckless disregard of known risks, exceeding mere carelessness. Choosing the lowest security configuration for a bridge protecting over $1 billion, contrary to explicit recommendations, and relying on a single point of failure, is a classic case of gross negligence.
If a court finds that the 1-of-1 choice constitutes gross negligence rather than simple negligence, then the liability cap—no matter how well-argued—would be invalid.
The importance of the gross negligence exception is that it bypasses the enforceability of the liability caps. Even if users are deemed to have accepted the terms, the public policy exception applies: gross negligence cannot be waived.
(c) Federal securities law disqualification
A third path renders the liability caps invalid, and it is the most powerful.
If rsETH is classified as a security under federal law, then liability caps and arbitration clauses are invalid by operation of law. The Securities Act states that “any condition, stipulation, or provision that purports to waive compliance” with the law is void. The Exchange Act contains similar anti-waiver provisions. These cannot be circumvented by contract; they take precedence over the Federal Arbitration Act and are not subject to state unconscionability analysis. They are mandatory federal commands.
Does rsETH qualify as a security? Under the Howey test, an investment contract exists if:
There is an investment of money,
In a common enterprise,
With an expectation of profits,
Derived from the efforts of others.
rsETH meets all these criteria. Users deposit ETH (money) into a pooled staking strategy on EigenLayer (common enterprise). rsETH generates yield through re-staking rewards (profit expectation). The re-staking strategy, operator choices, and bridging infrastructure are fully managed by the KelpDAO team; individual holders have no control (the “efforts of others”).
The complex issue is the split holding in Ripple v. Warden. In 2023, the Southern District of New York distinguished between direct institutional sales (which are securities) and secondary market sales (which are not). Most rsETH trades occur on secondary markets, via DEX swaps or deposits into Aave, not direct purchases from KelpDAO. Under Ripple, secondary market buyers may not satisfy the “efforts of others” element. But Ripple is a district court decision currently on appeal, and its applicability to liquid staking tokens remains untested.
If classified as a security, the entire recovery landscape changes: the liability caps vanish, arbitration clauses vanish, and purchasers gain rescission rights. All buyers relying on KelpDAO’s statements about bridge security could bring fraud claims.
This underscores a key legal tool: under U.S. law, arbitration clauses and class action waivers are strongly protected. The Supreme Court in AT&T v. Concepcion and Epic Systems v. Lewis reaffirmed that the Federal Arbitration Act preempts state law to invalidate arbitration agreements containing class waivers. In American Express v. Italian Colors, the Court further limited the “effective vindication” doctrine, ruling that only when arbitration prevents access to statutory rights can it be invalidated—costly litigation alone is insufficient.
This means that if LayerZero’s arbitration clause is valid, victims would be forced into individual arbitration with a $50 cap per claim—functionally a complete liability shield. No rational claimant would initiate arbitration for $50.
But the anti-waiver provisions of securities law provide a way around this. If rsETH is a security, federal law explicitly invalidates arbitration and class waivers, without regard to unconscionability or other defenses. This is the “nuclear option” in the analysis.
RPC providers: auxiliary role
RPC node providers whose infrastructure was poisoned occupy a special position in this liability chain. They supplied the falsified data that the DVN relied on. Their liability is limited by several factors:
According to the Restatement (Second) of Torts, a commercial information provider who fails to exercise reasonable care may be liable for economic losses caused by reasonable reliance, but only to a “limited group” of foreseeable recipients. In New York, Credit Alliance v. Arthur Andersen further constrains provider liability with a three-part test.
In this case, RPC providers’ liability may be limited to LayerZero (which directly selected and relied on them), and not extend to downstream users like KelpDAO or rsETH holders. Their liability would primarily be a contribution claim against LayerZero, which bears 40% fault, rather than a direct claim by victims.
A practical obstacle is that the RPC providers’ identities have not been publicly disclosed. They may themselves be victims of a nation-state-level attack whose capabilities—binary replacement, IP spoofing, DDoS, self-destruction—exceed those of typical cybercriminals. If so, their fault is difficult to prove, since the standard of care does not require defending against military-grade intrusions.
The most likely outcome: RPC providers’ liability remains behind the scenes, and their contribution shares are addressed in the fault apportionment between KelpDAO and LayerZero, but they are not the primary avenue for victims’ recovery.
Aave’s 93% LTV: a fiduciary duty issue
The attack stole $292 million from KelpDAO’s bridge. But the contagion—$177 to $200 million bad debt, $6 billion TVL drop, principal losses—was amplified by Aave’s governance decisions.
(1) Aggressive parameter setting
In January 2026, Aave governance passed Proposal 434, raising rsETH’s e-mode LTV from 92.5% to 93%. This means each $100 of rsETH collateral could support borrowing $93 of ETH.
Compared to competitors: SparkLend set rsETH’s LTV at 72%, Fluid at about 75%. The 21 percentage point gap reflects fundamentally different risk philosophies.
At 93% LTV, the safety margin is only 7%. Any decline in collateral value exceeding 7% would generate bad debt, borne by Aave depositors, not borrowers. For collateral whose value depends on a single point of failure bridge, this is objectively insufficient.
(2) Legal framework: DAO as a general partnership
The legal status of DAO governance liability has evolved significantly over the past two years.
In Samuels v. Lido DAO (2024), the California federal court held that Lido DAO could reasonably be considered a general partnership under California law. Participating token holders might be viewed as general partners, bearing personal liability for partnership obligations. Similarly, in Sarcuni v. bZx DAO, another California federal court reached a comparable conclusion, holding DAO token holders jointly and severally liable.
Under California’s RUPA, partners owe each other duties of care and loyalty, and are jointly liable for all partnership obligations.
(3) Caremark oversight duties
Delaware’s fiduciary duty framework, analogous to DAO governance, provides the most relevant standard of care. In the landmark Caremark case, the court established that directors have an active duty to establish and monitor compliance and risk management systems. Stone v. Ritter confirmed that Caremark oversight liability requires proof that directors either:
Completely failed to implement monitoring systems, or
Established systems but consciously disregarded their outputs, with bad faith.
Aave’s situation fits the second. It did not lack risk management systems; it employed Chaos Labs for three years. But on April 6, 2026, Chaos Labs publicly announced its departure, citing “fundamental disagreements on risk strategies.” Twelve days later, the attack occurred.
This coincidence is highly suggestive: the risk managers’ departure, combined with the highly aggressive LTV parameters, was followed within weeks by a collapse of collateral value. Under Van Gorkom, if directors approve major decisions without “full information,” the business judgment rule is rebutted. If Aave governance did not evaluate the security of rsETH’s bridge when approving the 93% LTV, especially given the known zero-fault-tolerance 1-of-1 DVN, that would be a classic “uninformed decision” under Van Gorkom.
(4) Practical limitations
The fiduciary duty theory in Aave governance is legally strong but practically limited. Anonymous voting participants cannot be pursued for damages; you cannot sue an anonymous wallet address. The Lido DAO case is still actively litigated (dispositive motions scheduled for November 2026), and may be overturned.
But not all governance participants are anonymous. Institutional delegates, risk funds, protocol treasuries, professional governance services—if they voted for Proposal 434—are identifiable and could bear personal liability under the Lido/bZx partnership framework. For these identifiable delegates, the theory is actionable.
This underscores why Caremark duties are so critical. In traditional corporate law, Caremark establishes a minimum oversight obligation: directors need not micromanage but must ensure the existence of reasonable information reporting and compliance systems. When directors:
Completely fail to establish such systems, or
Establish them but consciously ignore warning signs,
they breach their Caremark duties.
In Aave’s context, this means: did governance review the security architecture of rsETH’s bridge when accepting it as collateral? Did any governance participant, risk committee member, or delegate know that rsETH’s bridge relied on a 1-of-1 DVN? If not (which is highly likely in current DeFi governance practices), then governance made a decision without fully understanding the risk, setting parameters with only a 7% safety margin. This is precisely the “uninformed decision” targeted by Van Gorkom.
Furthermore, Chaos Labs’ departure was not merely coincidental. As the founder of Chaos Labs stated, “there were fundamental disagreements on risk strategies.” The timing—just twelve days before the attack—strongly suggests that the departure was a warning sign. A prudent governance process would have re-evaluated risk parameters or at least paused onboarding new high-risk collateral after the Drift attack. Aave governance did not.
The deeper systemic implication is that if DeFi governance voters can be held personally liable for risk parameter decisions that amplify attack losses, it would fundamentally change how governance participants treat collateral onboarding and LTV settings. The 93% LTV on single point of failure bridge assets could become a classic case of governance negligence, a DeFi version of the Caremark red flag.
A key date: the dispositive motion in Samuels v. Lido DAO scheduled for November 2026. If the California court confirms that Lido DAO is a general partnership and that governance token holders bear personal liability, it would clear legal obstacles for similar suits against Aave governance participants. Conversely, if the Lido case is overturned, the entire governance liability framework discussed here would be significantly undermined.
Liability hierarchy: theory meets practice
Legal liability is one issue; actual recovery is another. The most compelling defendant (KelpDAO, 60% fault) may be the hardest to recover from (offshore DAO, unknown structure). The easiest target in practice (LayerZero Labs Canada Inc., 40% fault) is a real company with identifiable directors and over $120 million in venture funding.
This creates a liability hierarchy, where practical considerations override pure fault allocation:
Priority 1: LayerZero Labs Canada Inc., a real Canadian federal corporation (company number 13558479, Vancouver), with two directors and sufficient funds. It is the most feasible target for litigation. Advantages: identifiable entity, governed by Canadian corporate law, assets can be seized. Obstacles: fault reduction due to 40% fault share ($292 million × 40% ≈ $117 million), potential arbitration clauses, Canadian business judgment rule protections.
Priority 2: Audit and security firms. KelpDAO and LayerZero likely engaged security auditors to review the bridge contracts. Under the Restatement (Second) of Torts, professionals providing business advice may be liable for negligent misrepresentation if their statements cause damages. If any auditor reviewed the deployment but failed to flag the 1-of-1 DVN as a major risk, negligence claims are plausible. Auditors with errors and omissions insurance are tangible entities, making them attractive targets. The key question: was the DVN configuration within the scope of the audit? Reviewing the engagement letter is the first step.
Priority 3: KelpDAO founders. Amitej Gajjala and Dheeraj Borra are identifiable individuals, co-founders of KelpDAO. Under the Lido/bZx partnership framework and California’s Corporations Code §16306, they face personal liability as general partners. If their assets are held overseas or in crypto, recovery remains challenging.
Priority 4: Aave governance delegates. Recognizable institutional delegates who voted for Proposal 434 (93% LTV). This is a novel theory with high legal uncertainty but strong factual basis.
The KelpDAO attack is not a story of a single villain. It’s a story of layered failures in a composable system, where each participant—KelpDAO, LayerZero, Aave governance, and unnamed RPC providers—made individual decisions that seemed reasonable but collectively created catastrophic fragility.
KelpDAO prioritized speed and simplicity over security. LayerZero operated verification infrastructure but failed to harden it against known attack vectors. Aave governance set aggressive risk parameters without assessing the underlying bridge security. Somewhere in the infrastructure stack, RPC providers failed to detect or prevent their core binaries from being replaced.
The 60/40 fault split reflects this judgment: KelpDAO’s active choice—opting for a 1-of-1 bridge despite clear recommendations—is more blameworthy. But LayerZero’s 40% share recognizes that operating the compromised infrastructure involved a duty of care that cannot be waived by disclaimers, especially when the attack vector is a documented, well-understood vulnerability.
The terms of service liability caps—$200 and $50—were drafted after the incident as speed limits. They aim to limit risk exposure but are fundamentally unconscionable, and they are defeated by the public policy exception for gross negligence and the federal securities law anti-waiver provisions discussed above. The strongest path: classifying rsETH as a security under Howey, which would invalidate these caps and open the door to private rescission rights and fraud claims.
This incident sets several precedents for the broader DeFi ecosystem that will shape protocol design and governance for years:
Single-point-failure bridges are inherently unreasonable for safeguarding significant value. Multi-DVN configurations are cost-effective and essential.
Infrastructure providers cannot escape operational failure liability through disclaimers. Operating verification infrastructure entails a duty of care that follows from the act of operation, not just code.
DeFi governance is no longer a liability shield. Emerging case law (Lido/bZx/Ooki) is dismantling the assumption of anonymity and protection. Governance voters—especially identifiable institutional delegates—face real personal liability for risk parameter decisions. Turning a $292 million bridge attack into a $200 million bad debt with 93% LTV is precisely the kind of governance failure that Caremark duties aim to prevent.
The question now is whether the legal system can allocate responsibility in a way that compensates victims and incentivizes better security architectures. The answer depends on which recovery paths are pursued, whether assets can be swiftly traced, and whether courts extend traditional liability frameworks into the DeFi context.
Implications for protocol developers: ask yourself—if this bridge is compromised, can you explain in court why you chose the lowest security configuration? If the answer is “because it was cheaper” or “more convenient,” you are arguably on the 60% fault side. When prevention costs are trivial and potential losses run into hundreds of millions, any deviation from industry best practices becomes powerful evidence for plaintiffs.
Implications for governance participants: anonymous voting no longer equals anonymous immunity. If you, as a delegate of a well-known fund, vote for aggressive LTVs without reviewing the underlying security assumptions, Caremark duties may directly reach you. The Lido case, regardless of its final outcome, has irreversibly changed the legal landscape of DeFi governance.
Implications for infrastructure providers: “Our protocol has no vulnerabilities” does not function as a liability disclaimer. When you operate verification infrastructure, your liability arises from your operational conduct, not just your code architecture. The LayerZero case will be a test of this principle.
Law is catching up. Protocols that fail to adapt risk being on the wrong side of a 60/40 fault split.