An open-source AI tool that no one is watching warned about a $292 million vulnerability in Kelp DAO 12 days ago.

Source: PANews, published 6 hours ago

Author: Zengineer

Translator: Deep Tide TechFlow

Deep Tide Introduction: On April 18, Kelp DAO was robbed of $292 million, the largest DeFi incident of 2026 so far. The vulnerability was not in the contract code but in the 1-of-1 verifier node configuration of the LayerZero cross-chain bridge: compromising a single node was enough to forge cross-chain messages. Twelve days earlier, an open-source AI auditing tool I developed had already flagged this risk point when scanning Kelp. This article reviews the entire attack process and honestly reflects on three things the tool did not handle correctly at the time.

image

What is Kelp DAO

Kelp DAO is a liquidity re-staking protocol built on EigenLayer. The mechanism is such that users deposit ETH or liquid staking tokens (stETH, ETHx) into the Kelp contract, which then entrusts the assets to EigenLayer's operating nodes for re-staking—meanwhile providing security to multiple AVS (Actively Validated Services). In return, users receive rsETH as proof. Unlike directly re-staking on EigenLayer (where assets are locked), rsETH is liquid—it can be traded, used as collateral in lending protocols like Aave, and it can also be cross-chain.

To achieve this cross-chain liquidity, Kelp deployed rsETH on over 16 chains using LayerZero's OFT (Omnichain Fungible Token) standard. When you cross rsETH from Ethereum to a certain L2, LayerZero's DVN (Decentralized Verifier Network) validates whether this cross-chain message is legitimate. This bridge architecture is the core of the subsequent story.

Kelp was initiated by Amitej Gajjala and Dheeraj Borra (previously co-founders of Stader Labs), launched in December 2023, with a peak TVL of $2.09 billion. Governance employs a 6/8 multi-signature with a 10-day contract upgrade time lock. The governance token KERNEL oversees the three product lines of Kelp, Kernel, and Gain.

The Theft Incident

On April 18, 2026, the attacker withdrew 116,500 rsETH from Kelp DAO's cross-chain bridge, equivalent to approximately $292 million, the largest DeFi attack of 2026 so far. The root cause was not a smart contract flaw but a configuration issue: a 1-of-1 DVN setup (only one verifier node, whose single signature is sufficient) allowed the attacker to forge cross-chain messages after compromising that one node.

Twelve days earlier, on April 6, my open-source security audit tool had already flagged this attack surface.

It should be noted: this theft involved real people incurring real losses. Aave WETH depositors who had never dealt with rsETH saw their funds frozen; multiple LPs in different protocols had to bear bad debts they never contracted to assume. This article analyzes what happened, what our tool captured—but the real losses people experienced are far more significant than any scorecard.

The complete report is posted on GitHub, with a commit timestamp that anyone can verify. Next, let’s discuss what we captured, what we missed, and what this incident means for DeFi security tools.

46 Minutes, DeFi Shockwaves

At 17:35 UTC on April 18, the attacker compromised that isolated DVN verification node and made it "approve" a forged cross-chain message. LayerZero's Endpoint recognized the DVN's approval and forwarded the message to Kelp's OFT contract via lzReceive—the contract executed and minted 116,500 rsETH on the Ethereum mainnet. The message claimed that equivalent assets were locked on other chains as collateral. Those assets never existed.

Next came a standard DeFi money laundering process:

  1. Depositing the stolen rsETH as collateral in Aave V3, Compound V3, Euler
  2. Using these uncollateralized assets to borrow approximately $236 million in WETH
  3. Consolidating roughly 74,000 ETH and cashing out through Tornado Cash

Forty-six minutes later, at 18:21, Kelp's emergency pause multi-signature froze the contract. The attacker subsequently attempted two follow-up actions (each for 40,000 rsETH, about $100 million), both of which were reverted—this pause blocked approximately $200 million.

However, the repercussions were still severe. Aave V3 absorbed around $177 million in bad debt. The AAVE token plummeted by 10.27%. ETH fell by 3%. The utilization rate of WETH on Aave instantly hit 100% as depositors rushed to withdraw. rsETH on more than 20 L2s became an asset of questionable value overnight.

What Was Captured in the April 6 Report

In early April, shortly after the $285 million theft from Drift Protocol on April 1, I wrote an open-source Claude Code skill, crypto-project-security-skill: an AI-assisted architecture risk assessment framework that evaluates DeFi protocols using publicly available data (DeFiLlama, GoPlus, Safe API, on-chain validation). It is neither a code scanner nor a formal verification tool. The Drift incident made me realize that the real causes of the greatest losses are not found in smart contract code but in governance vulnerabilities, configuration oversights, and architectural blind spots, none of which a code scanner will ever detect. So I created a tool specifically to assess these layers (governance structure, oracle dependencies, economic mechanisms, cross-chain architecture) and to compare each protocol with historical attacks (Drift, Euler, Ronin, Harmony, Mango).

On April 6, I ran a complete audit of Kelp DAO. The full report was made publicly available on GitHub with an immutable commit timestamp.

The comprehensive triage score for Kelp was 72/100 (medium risk). In hindsight, this score was too lenient—the few unresolved gaps in cross-chain information should have lowered the score. However, even under a medium risk rating, the report pointed to the attack surface that was later exploited.

The following screenshot shows the original text from the report's "Information Gaps" section—addressing the DVN configuration issue, which ultimately became the root cause of the $292 million theft:

image

Caption: The "Information Gaps" section of the April 6 report specifically names the opacity of the DVN configuration.

Below, we will compare what was flagged in the report with what actually transpired.

Finding 1: Opacity of DVN Configuration (Warning Signal)

Report Text: "LayerZero DVN configuration (validator set for each chain, threshold requirements) has not been publicly disclosed."

What Actually Happened: Kelp operated with a 1-of-1 DVN configuration. One node. One single point. The attacker compromised this single node and forged cross-chain messages. If the configuration had been 2-of-3 (the industry’s minimum recommendation), the attacker would have had to simultaneously compromise multiple independent validators.

It is essential to clarify one thing: this is Kelp’s issue, not LayerZero’s. LayerZero is an infrastructure—it provides the DVN framework, and each protocol chooses its own configuration: how many verification nodes (1-of-1, 2-of-3, 3-of-5...), whose nodes to use, and what the threshold is for each chain. Kelp chose 1-of-1 when deploying the OFT bridge. LayerZero fully supports 2-of-3 or higher—it is Kelp that did not enable it.

To illustrate: AWS provides MFA (Multi-Factor Authentication). If your account gets stolen because you never enabled MFA, it is your problem, not AWS's. LayerZero laid out the security mechanism, but Kelp did not utilize it.

At the time, our report could not determine the specific DVN threshold (because Kelp had never disclosed it), but we listed this opacity as an unresolved information gap and risk item. The unwillingness to disclose itself is a red flag.

Finding 2: Single Point of Failure Across 16 Chains (Direct Hit)

Report Text: "A single point of failure in LayerZero DVN may simultaneously affect rsETH across 16 supported chains."

What Actually Happened: The forged message directly hit the Ethereum mainnet, and the shockwave spread to all chains where rsETH was deployed. LayerZero proactively suspended all OFT bridges from Ethereum. Holders of rsETH on more than 20 L2s found their tokens became assets of uncertain value overnight.

This represents a systemic risk of multi-chain deployment: rsETH circulated simultaneously on L2s like Arbitrum, Optimism, Base, and Scroll, but all these tokens’ values were derived from assets on the Ethereum mainnet. Once the mainnet bridge was compromised, rsETH on every L2 lost its guarantee—holders could neither redeem nor verify whether their tokens retained value. Lido’s earnETH (exposed to rsETH) and Ethena’s LayerZero bridge—all were forced to pause. The radius of impact was far greater than Kelp itself.

Finding 3: Unverified Cross-Chain Governance Control (Related Issue)

Report Text: "The governance control over the LayerZero OFT configuration for each chain is unverified—especially: whether this control is under the same 6/8 multi-signature and 10-day time lock, or controlled by independent management keys."

What Actually Happened: The DVN configuration was clearly not under the strict governance of the core protocol. If bridge configuration changes had also been governed by the 6/8 multi-signature and 10-day time lock, a 1-of-1 DVN setup would have required 6 of the 8 signers to agree, and it is unlikely such a configuration would have gone unexamined indefinitely.

This exposed a common governance blind spot: many protocols establish strict multi-signature and time locks for core contract upgrades, but they often allow a single admin key to change operational elements—such as bridge configurations, oracle parameters, and whitelist management. Kelp's core protocol governance is industry-leading (6/8 multi-signature + 10-day time lock), but these protections did not extend to its largest attack surface: the cross-chain bridge.

Finding 4: Matching the Ronin/Harmony Attack Pattern (Direct Hit)

Report Text: "The most relevant historical precedent involves bridge security. Kelp's LayerZero deployment across 16 chains presents operational complexity akin to Ronin’s multi-chain architecture."

What Actually Happened: The attack path almost perfectly replicated the Ronin script—compromising bridge validators, forging messages, and draining assets. The attack pattern matching module of our tool correctly identified this as the highest-risk attack vector by comparing protocol architecture with historical attack categories.

Historical context: In 2022, the Ronin bridge was breached due to 5 of its 9 validators being compromised, resulting in a loss of $625 million; that same year, Harmony’s Horizon bridge was breached after 2 of its 5 validators were compromised, leading to a loss of $100 million. Kelp's situation was even more extreme—there was only 1 validator, thereby lowering the attack threshold to an absolute minimum. The tool was able to flag this risk because it automatically compares protocol architecture with these historical attack patterns rather than just looking at code.

Finding 5: No Insurance Pool (Amplified Losses)

Report Text: "The protocol currently lacks a dedicated insurance pool and has no socialized loss absorption mechanisms to mitigate confiscation events."

What Actually Happened: Due to the absence of insurance reserves, the entire $292 million loss was absorbed by downstream protocols. Aave's recovery reserves covered only about 30% of its $177 million bad debt. LPs—who had no relation to Kelp’s bridge configuration decision—bore the brunt of the impact.

The attacker used the stolen rsETH as collateral, deposited in Aave V3, Compound V3, Euler, and then borrowed real WETH. Once the rsETH was confirmed to be uncollateralized, these positions became “unable to liquidate”—the collateral became worthless, but the borrowed WETH was already gone. The utilization rate of WETH on Aave instantly spiked, and ordinary users couldn’t withdraw. If you were a WETH depositor on Aave, even if you had never dealt with rsETH, your funds were affected. Kelp's partnership with Nexus Mutual only covered specific treasury products and did not cover core rsETH protocol exposure.

This represents a failure on both sides. From Kelp’s side: a protocol managing $1.3 billion in TVL, with zero insurance pool and zero loss absorption mechanisms. When the bridge was compromised, there was no buffer to absorb the damage. From Aave’s side: accepting rsETH as collateral but failing to sufficiently assess the risks of its cross-chain bridge configuration. Aave's risk parameters (LTV, liquidation thresholds) were designed for normal price fluctuations but didn’t take into account the tail risk of the “bridge configuration being compromised leading to collateral becoming worthless overnight.” The recovery reserves couldn't cover even 30% of the bad debt. Essentially, this was a risk pricing failure: Aave treated rsETH as a normally fluctuating asset, but it actually carried binary tail risks from bridge failures. The failures compounded—Kelp did not have insurance to prevent bad collateral from entering the system, and Aave did not perform sufficiently detailed risk modeling to limit exposure in such scenarios.

Where We Went Wrong

There were three things that should have been done better:

The risk rating was too low. We rated the cross-chain bridge risk as "medium." Three out of the five unresolved information gaps in the report related to LayerZero bridge configuration, which matched the historical attack patterns of Ronin/Harmony—this should have been classified as "high" or "serious." Opacity itself should have signaled a stronger warning.

We didn't penetrate the configuration layer. The report repeatedly requested Kelp to disclose the DVN threshold, but we could not independently verify it. This is precisely the structural blind spot pointed out by Guanhao's post-incident analysis: existing audit tools focus on code logic and do not capture risks at the configuration layer. We flagged the issues but failed to answer them.

We didn't check on-chain. The DVN configuration can in fact be read directly on-chain through LayerZero's EndpointV2 contract. We could have queried the ULN302 registry to independently verify Kelp's DVN threshold instead of marking it as "not publicly disclosed." Had we checked at the time, we would have seen the 1-of-1 configuration directly, without needing Kelp to disclose it. This is the most concrete improvement for the tool: add on-chain DVN configuration verification to the cross-chain evaluation step.
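The on-chain check described above, as an added example (not code from the article or from crypto-project-security-skill). It decodes the ABI-encoded `UlnConfig` struct that LayerZero V2's ULN302 returns for a given OApp and source chain, and rates the resulting DVN threshold, so that a 1-of-1 setup is reported as critical rather than "undisclosed." The read path I assume is EndpointV2's `getReceiveLibrary(oapp, srcEid)` followed by `getConfig(oapp, lib, srcEid, 2)` (config type 2 = ULN); the contract addresses, endpoint ids, DVN addresses and byte strings in the block are constructed placeholders, and the decoder is hand-written so the example runs offline without an RPC endpoint or web3 library.

```python
"""Decode a LayerZero V2 UlnConfig and rate its DVN threshold (added example)."""
from dataclasses import dataclass, field

CONFIG_TYPE_ULN = 2        # ULN302 config type for DVN/confirmation settings
NIL_DVN_COUNT = 255        # sentinel used in custom configs to mean "no DVNs of this kind"


@dataclass
class UlnConfig:
    """Mirror of ULN302's UlnConfig struct (field order matters for ABI decoding)."""
    confirmations: int
    required_dvn_count: int
    optional_dvn_count: int
    optional_dvn_threshold: int
    required_dvns: list = field(default_factory=list)
    optional_dvns: list = field(default_factory=list)


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    # A 20-byte address is left-padded to a 32-byte ABI word.
    return bytes.fromhex(addr[2:].rjust(64, "0"))


def encode_uln_config(c: UlnConfig) -> bytes:
    """abi.encode(UlnConfig): used here only to build constructed sample bytes."""
    def arr(addrs):
        return _word(len(addrs)) + b"".join(_addr_word(a) for a in addrs)
    req, opt = arr(c.required_dvns), arr(c.optional_dvns)
    head = 6 * 32  # four scalars + two array offsets, relative to tuple start
    body = (_word(c.confirmations) + _word(c.required_dvn_count)
            + _word(c.optional_dvn_count) + _word(c.optional_dvn_threshold)
            + _word(head) + _word(head + len(req)) + req + opt)
    return _word(32) + body  # dynamic struct is encoded behind a pointer


def decode_uln_config(data: bytes) -> UlnConfig:
    """Decode the bytes returned by getConfig(oapp, lib, eid, CONFIG_TYPE_ULN)."""
    def u(off):
        return int.from_bytes(data[off:off + 32], "big")

    def addrs(off):
        n = u(off)
        # element i occupies one word; the address is its last 20 bytes
        return ["0x" + data[off + 44 + 32 * i: off + 64 + 32 * i].hex() for i in range(n)]

    base = u(0)
    return UlnConfig(u(base), u(base + 32), u(base + 64), u(base + 96),
                     addrs(base + u(base + 128)), addrs(base + u(base + 160)))


def rate_dvn_threshold(c: UlnConfig) -> tuple:
    """Return (rating, reason). 1-of-1 is critical; 2-of-3 is the floor the article cites."""
    required = 0 if c.required_dvn_count == NIL_DVN_COUNT else c.required_dvn_count
    optional = 0 if c.optional_dvn_count == NIL_DVN_COUNT else c.optional_dvn_count
    signatures_needed = required + (c.optional_dvn_threshold if optional else 0)
    distinct = len(set(c.required_dvns) | set(c.optional_dvns))
    label = f"{signatures_needed}-of-{distinct}"
    if signatures_needed <= 1:
        return "critical", f"{label}: a single compromised DVN can verify a forged message"
    if distinct < 3:
        return "high", f"{label}: two signatures but no redundancy if one verifier is lost"
    return "acceptable", f"{label}: meets the 2-of-3 minimum"


# Constructed sample configs (placeholder DVN addresses, not real operators).
ONE_OF_ONE = UlnConfig(15, 1, 0, 0, ["0x" + "11" * 20], [])
TWO_OF_THREE = UlnConfig(15, 1, 2, 1, ["0x" + "11" * 20], ["0x" + "22" * 20, "0x" + "33" * 20])


def check_raw(config_bytes: bytes) -> tuple:
    """What the audit step would run on the bytes returned by getConfig."""
    return rate_dvn_threshold(decode_uln_config(config_bytes))


if __name__ == "__main__":
    # Live usage (assumed API): lib, _ = endpoint.getReceiveLibrary(oapp, src_eid)
    #                           raw = endpoint.getConfig(oapp, lib, src_eid, CONFIG_TYPE_ULN)
    for name, cfg in (("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)):
        print(name, check_raw(encode_uln_config(cfg)))
```

The rating is deliberately conservative: it counts only signatures a verifier must actually produce, so an optional DVN set with threshold 0 adds nothing, and the NIL sentinel is treated as zero rather than 255. Run this for the receive-side configuration on every chain the OFT is deployed to; the destination chain's ULN decides which DVNs must verify a message before lzReceive runs, and that is the setting that mattered here.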

Findings were not specific enough or actionable. Saying “DVN configuration undisclosed” is merely observing documentation gaps—not predicting an attack. These risks (oracle centralization, bridge dependencies, lack of insurance) are equally prevalent in most cross-chain DeFi protocols. The tool flagged Kelp's opacity, but it had also flagged similar patterns in dozens of unaffected protocols. Without disclosing the false positive rate, claiming “we predicted this” is an exaggeration. A more honest statement is that we asked some correct questions that no one else was asking, and one of them happened to hit a key vulnerability.

On "Responsible Disclosure"

A fair question: if we flagged these risks on April 6, why didn't we notify Kelp before the attack on April 18?

There was no notification. The reason is that the report identified opacity—“DVN configuration undisclosed”—not a specific exploitable vulnerability. We did not know the configuration was 1-of-1; we only knew the configuration was not public. There was nothing concrete to disclose. “Your bridge configuration is undocumented” is a governance observation, not a report suitable for bug bounty submission.

In hindsight, we could have directly contacted the Kelp team to ask about their DVN threshold. That conversation might have exposed the 1-of-1 configuration and led to a fix. We did not do that. This is a lesson: even if a finding seems too vague to go through formal disclosure processes, it's still worth sending a message to ask.

What This Means for DeFi Security

Kelp's theft, like the Drift Protocol theft 17 days earlier, was not due to a smart contract vulnerability. Automated code scanners such as Slither, Mythril, or even GoPlus did not catch it. The vulnerability lay in deployment configuration, governance gaps, and architectural decisions, all above the code layer.

This is also the core claim of crypto-project-security-skill:

Protocol security is not just about code security. A protocol can have perfect Solidity, five audits from top firms, a $250,000 bug bounty—and still lose $292 million due to bridge validator configuration issues.

The tool is open-sourced on GitHub—anyone can review the methodology, run it themselves, or improve it.

Timeline

image

12 days. The signals were already there. The question is: how does the ecosystem build tools that can see these signals before the next bridge falls?

What You Can Do

If you have assets in DeFi protocols with cross-chain bridges:

  1. Run an audit yourself. The tool is open-source. Don't just take our word for it—verify it yourself.
  2. Check the bridge validator configurations. If a protocol is unwilling to disclose its DVN threshold, consider it a red flag. Our report acted accordingly, and it proved correct.
  3. Don’t assume code audits cover everything. Kelp had over five code audits from reputable companies and platforms (Code4rena, SigmaPrime, MixBytes). Traditional code audits are not designed to capture configuration-layer risks like DVN threshold settings—that's a different type of analysis, not an oversight of the audit firm.
  4. Evaluate insurance coverage. If a protocol lacks an insurance pool, and you are an LP on a lending platform accepting its token as collateral, you are implicitly underwriting it. This lesson was harshly learned by WETH depositors on Aave during this incident.

A Bigger Picture: AI Agents as a Security Layer

This article discusses a tool and a theft. But the underlying claim is larger: AI Agents can serve as an independent security layer for DeFi investors.

The traditional security model in the crypto industry looks like this: protocols hire auditing firms, auditing firms review code, and auditing firms issue reports. This model has blind spots—Kelp's situation illustrates this, as it focused on code correctness but missed out on configuration, governance, and architectural risks.

Claude Code and these types of tools provide an alternative path: anyone can perform an AI-assisted risk assessment of any protocol within minutes using publicly available data. You do not need to spend $200,000 hiring an auditing firm. You do not need to read Solidity. You allow the agent to compare the protocol architecture against known attack patterns, and it will present you with the questions you should be asking before investing your money.

This will not replace professional audits—however, it lowers the entry threshold for the first layer of due diligence to a level accessible to everyone. An LP considering investing in a new re-staking protocol can now run an audit and obtain a structured risk assessment covering governance, oracles, bridges, and economic mechanisms. This represents a genuine shift in how retail and mid-tier investors can self-protect.

Our Kelp report is not perfect. It rated bridge risk as medium when it should have been severe. It did not penetrate the configuration layer. But it asked the right questions; had the Kelp team or any LP taken these questions seriously at the time, the loss of $292 million could have been avoided.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send proof of rights and identity to support@aicoin.com and platform staff will verify it.
