DeFi has truly been jolted by a severe hacking incident this time. Last month, the Kelp DAO cross-chain bridge vulnerability led to nearly $300 million being stolen, which is not just a problem for a single protocol but a concentrated exposure of the entire DeFi ecosystem's fragility.



The incident happened very quickly. The hacker forged cross-chain messages via LayerZero, successfully minting and transferring 116,500 rsETH within a short period, with total losses estimated between $292 million and $294 million. Interestingly, the attacker prepped funds using Tornado Cash, waiting about 10 hours before striking, indicating this was not a random attack but a carefully planned operation.

But the truly terrifying part is the chain reaction. The stolen rsETH was rapidly used as collateral on major lending platforms like Aave, SparkLend, and Fluid, with the hacker borrowing large amounts of ETH. Once these assets were marked as impaired, the entire lending market instantly fell into turmoil. Aave had to urgently freeze related markets, but the potential bad debt risks had already emerged.

This is what’s called DeFi Jenga risk. One protocol gets hacked, and immediately ten platforms are affected. Although Kelp DAO activated emergency measures within 46 minutes, suspending contracts across multiple chains, the damage was already done. The hacker has now exchanged about $250 million of the stolen assets into ETH, making the fund flow even harder to trace.

From a technical perspective, the vulnerability was in LayerZero’s OFT cross-chain bridge and messaging layer, not in Kelp DAO’s core staking contracts. But this doesn’t mean the mainnet ETH collateral is completely safe; cross-chain liquidity has been severely impacted, with wrapped ETH on multiple chains caught in a liquidity crunch.

Most concerning is that, because the incident occurred during a holiday, many platforms responded sluggishly. As large staked positions are withdrawn and assets are exchanged, more lending platforms may be forced to suspend withdrawals. If you have staked funds on DeFi platforms, now might be the time to consider transferring them to a self-custody wallet.

Security researchers and firms such as ZachXBT and PeckShield are continuously tracking the hacker's movements, and investigations are ongoing. The final compensation plan and responsibility allocation have not yet been announced, and this story is far from over. DeFi's rapid development has far outpaced its risk management capabilities, and frequent hacking incidents are a stark reflection of this contradiction. Stay tuned to Kelp DAO's official announcements, as upcoming information will be crucial.