Written by: GoMoon
The biggest DeFi hacking incident of 2026 has arrived! On April 18, Kelp DAO's liquidity re-staking protocol suffered a blow, with hackers stealing 116,500 rsETH in just a few hours, amounting to a staggering $293 million at the time.
After verification by security researchers, it was confirmed that Kelp DAO's smart contract code had no vulnerabilities. The $293 million loss was not due to a coding issue, but rather hidden in an overlooked "configuration parameter," marking it as the biggest security lesson of the year!
How did the hackers operate?
The attack process was unusually smooth, consisting of just three steps:
1. Exploiting a configuration weakness to forge messages: Kelp DAO used a LayerZero cross-chain bridge whose key setting, the DVN threshold, was set to "1-of-1", meaning a single verification node was enough to confirm a cross-chain message. The hacker compromised that sole node, forged messages, and tricked the Ethereum mainnet into minting rsETH with no real assets behind it.
2. Collateralizing to cash out real money: With this batch of fake rsETH, the hacker spread it as collateral across the lending protocols Aave V3, Compound V3, and Euler, borrowing over $236 million in WETH (wrapped ETH, an asset with real backing).
3. Rapid exit to lock down the market: That same day, the hacker absconded with $236 million in WETH, leaving chaos behind. Platforms like Aave and SparkLend hurried to freeze the rsETH market, but Aave V3 alone faced approximately $177 million in bad debts, which ultimately had to be borne by users staking aWETH.
What should alarm us most is not the hackers' clever methods, but the exposure of a "structural blind spot" in the DeFi security industry — configuration layer vulnerabilities that current tools cannot detect!
We typically know that DeFi projects must undergo code audits, using tools like Slither and Mythril to scan for issues like reentrancy attacks and integer overflow. However, Kelp DAO's issue was not in the code itself, but in the DVN configuration parameter filled out during project deployment!
This parameter never appears in the .sol source file, so Slither and Mythril cannot scan it, and current LLM-assisted audits do not cover it either. According to related research, existing code audit tools detect at most 8%-20% of exploitable vulnerabilities, and even that figure assumes "the vulnerability is in the code."
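Because the weak setting lives in deployment configuration rather than in Solidity, the natural place to catch it is a pre-deployment policy check over the configuration itself. The script below is an added example, not code from Kelp DAO, LayerZero, or the original article. It lints constructed configuration records written in the shape of LayerZero V2's UlnConfig (the field names confirmations, requiredDVNCount, optionalDVNCount, optionalDVNThreshold, requiredDVNs and optionalDVNs are taken from the public struct and should be treated as an assumption to verify against the version you deploy), computes how many DVNs an attacker would have to control to get a forged message verified, and flags a "1-of-1" setup as critical even though the bridge itself accepts it. The DVN addresses are placeholders, and the minimum-signer policy of 2 is a hypothetical organisational threshold.

```python
import json

# Constructed sample: two deployment configs in the shape of LayerZero V2's
# UlnConfig (field names assumed; verify them against your actual version).
# Neither record is Kelp DAO's real configuration; addresses are placeholders.
SAMPLE_CONFIGS = json.dumps({
    "weak_1_of_1": {
        "confirmations": 15,
        "requiredDVNCount": 1,
        "optionalDVNCount": 0,
        "optionalDVNThreshold": 0,
        "requiredDVNs": ["0xDVN_A_PLACEHOLDER"],
        "optionalDVNs": [],
    },
    "stronger_2_plus_1_of_3": {
        "confirmations": 15,
        "requiredDVNCount": 2,
        "optionalDVNCount": 3,
        "optionalDVNThreshold": 1,
        "requiredDVNs": ["0xDVN_A_PLACEHOLDER", "0xDVN_B_PLACEHOLDER"],
        "optionalDVNs": ["0xDVN_C_PLACEHOLDER", "0xDVN_D_PLACEHOLDER",
                         "0xDVN_E_PLACEHOLDER"],
    },
})


def load_configs(json_text: str) -> dict:
    """Parse a JSON document mapping a config name to a UlnConfig-shaped record."""
    return json.loads(json_text)


def min_dvns_to_compromise(cfg: dict) -> int:
    """Number of DVN signatures a message needs before it is accepted:
    every required DVN plus the optional threshold. Controlling this many
    DVNs is enough to get a fabricated cross-chain message verified, so it
    is the figure a deployment policy should bound from below."""
    return int(cfg["requiredDVNCount"]) + int(cfg["optionalDVNThreshold"])


def lint_uln_config(cfg: dict, min_signers: int = 2) -> list:
    """Return a list of findings for one config; an empty list means it passes."""
    findings = []
    req = [a.lower() for a in cfg["requiredDVNs"]]
    opt = [a.lower() for a in cfg["optionalDVNs"]]

    # Consistency checks: counts that disagree with the lists mean the
    # on-chain verifier and the operator's mental model can differ.
    if len(req) != cfg["requiredDVNCount"]:
        findings.append("ERROR: requiredDVNCount does not match requiredDVNs length")
    if len(opt) != cfg["optionalDVNCount"]:
        findings.append("ERROR: optionalDVNCount does not match optionalDVNs length")
    if cfg["optionalDVNThreshold"] > len(opt):
        findings.append("ERROR: optionalDVNThreshold exceeds number of optional DVNs")

    # A DVN listed twice (or in both lists) inflates the apparent signer count.
    if set(req) & set(opt) or len(set(req)) != len(req) or len(set(opt)) != len(opt):
        findings.append("WARN: duplicate DVN address inflates the apparent signer count")

    if cfg["confirmations"] == 0:
        findings.append("WARN: confirmations=0 accepts messages before source-chain finality")

    # The core policy: how many independent verifiers must be compromised.
    needed = min_dvns_to_compromise(cfg)
    if needed < min_signers:
        findings.append(
            f"CRITICAL: a forged message needs only {needed} DVN(s); "
            f"policy requires at least {min_signers}"
        )
    return findings


def lint_all(json_text: str, min_signers: int = 2) -> dict:
    """Lint every config in the document; maps config name -> findings."""
    return {name: lint_uln_config(cfg, min_signers)
            for name, cfg in load_configs(json_text).items()}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_CONFIGS).items():
        print(name, "->", findings or ["OK"])
```

Run it as a CI gate before the setConfig transaction is signed: the "weak_1_of_1" record produces a CRITICAL finding because one compromised DVN suffices, while the "stronger_2_plus_1_of_3" record needs three signers and passes. A check like this only enforces a count; it cannot tell you whether the listed DVNs are run by genuinely independent operators, which still has to be reviewed by a person.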
Configuration vulnerabilities have become the "invisible killer" of DeFi security! In 2022, the Nomad cross-chain bridge was hacked for $190 million due to initialization errors during deployment; this time, Kelp DAO actively chose a "1-of-1" risky configuration and similarly fell into a trap. Combined, these two types of configuration vulnerabilities have resulted in approximately $482 million in losses, comparable to the scale of losses from key leakage vulnerabilities!
However, the entire industry is currently fixated on code logic vulnerabilities, training audit tools and optimizing detection models, with no one specifically addressing configuration issues. Just like this time, the "1-of-1" configuration fully complies with LayerZero's rules, meaning it's not considered a violation, yet this "compliant choice" directly led to a fatal risk.
DeFi security has never meant that "no vulnerabilities in the code" equals everything being fine; the small details hidden in configuration and operations are the hidden reefs that deserve the closest watch. I hope this lesson awakens the entire industry, so that a $293 million tragedy is not repeated!
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is shared for informational purposes only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.