Recently, a serious security vulnerability has surfaced in the DeFi ecosystem. After reviewing the relevant data, I found that the incident’s impact is wider than expected.



Kelp DAO’s cross-chain bridge was attacked in mid-April, with losses totaling between 292 and 294 million US dollars. This is the largest security incident in the DeFi sector this year. The hackers stole 116,500 rsETH tokens in a single operation by forging cross-chain messages. They later tried to move another 80,000 rsETH, but Kelp DAO stopped them in time by pausing the relevant contracts.

What’s even more worrying is that this attack triggered a domino effect. The hackers deposited the stolen rsETH as collateral into major lending protocols including Aave, SparkLend, and Fluid, and borrowed large amounts of WETH and ETH against it. Once rsETH was marked as a distressed asset, these platforms immediately faced massive bad debts. Aave responded quickly and froze the rsETH market on V3 and V4, but losses on other platforms could no longer be avoided.

The root cause of this incident is actually a vulnerability in the cross-chain bridge built by LayerZero. The hackers first used Tornado Cash to prepare funds and lay in wait for about 10 hours before carrying out the attack, using the lzReceive function to trigger the vulnerability. Interestingly, the attack happened during a holiday period, when platforms’ response times were generally slower, which also exposed DeFi’s shortcomings in emergency handling.

I noticed that this incident illustrates well the risk of “Lego block” style composability: a vulnerability in a single cross-chain bridge can instantly spread across the entire ecosystem. The hackers have now exchanged roughly 250 million US dollars’ worth of stolen tokens into ETH, and the fund flow has been tracked on-chain.

Kelp DAO’s response was fairly timely. Within 46 minutes, it activated emergency measures, pausing the rsETH contracts on the Ethereum mainnet and multiple L2s, and working with LayerZero and security auditing companies to conduct an investigation. However, cross-chain liquidity has already been severely damaged, and wrapped Ether across multiple chains has fallen into difficulties.

For those who have funds staked on DeFi platforms, the most sensible move now is to withdraw the money to a self-custody wallet as soon as possible. Considering that more platforms may suspend withdrawals later, acting early is definitely the right choice. Security research teams are still continuing to track the hackers’ addresses, and no compensation plan has been released yet. Everyone should keep a close watch on official announcements.