After the evaporation of 290 million dollars, is DeFi's promise of security still there?

律动BlockBeats
3 hours ago
Original Title: The $292 Million Heist: What the Kelp DAO Hack Tells Us About DeFi’s Deepest Flaw
Original Author: Arche Capital
Translator: Peggy, BlockBeats

Editor's Note: On April 18, KelpDAO experienced the theft of approximately $292 million in assets. This was not a typical "smart contract breach," but rather a chain reaction triggered by a configuration error in a cross-chain verification layer: the attacker faked messages to generate 116,500 rsETH out of thin air, which were then transferred to Aave to borrow real ETH, causing risks to rapidly spread from a single protocol to the entire DeFi collateral system.

In a highly composable system, cross-chain bridges, liquid staking tokens, and lending protocols are nested within each other; any seemingly "local" configuration choice can become a trigger point that penetrates the entire linkage. When an asset like rsETH is widely regarded as a nearly safe collateral, if its underlying mechanism fails, the impact is not just price volatility but a synchronized collapse of the entire pricing and trust system.

Based on this, the author draws a deeper conclusion: over the past few years DeFi has continuously strengthened the design ideas of modularity, composability, and "permissionlessness," yet it has never imposed minimum security standards as a binding constraint. This means that a technically "optional" configuration error can evolve into systemic risk.

When a high-leverage, highly interconnected financial system is built on fragile engineering configurations, "de-trust" does not automatically equate to "safer."

The following is the original text:

On Saturday afternoon, a forged message (little more than a line of numeric text) caused a piece of software to "voluntarily" hand over $292 million. No guns, no social engineering, no insider. Just a misconfigured security setting and an attacker who had planned ahead and waited patiently for hours.

By Sunday morning, what will likely stand as the largest DeFi hack of 2026 had erased $6.6 billion from Aave's balance sheet, sent the AAVE token down 16%, frozen liquidity in at least nine mainstream protocols, and once again triggered the familiar verdict: DeFi is dead.

It is not dead. But this time it has once again exposed a structural wound that the industry has long avoided and that has never truly healed.

Next, we will break down the course of this incident, its impacts, and the potential changes it may bring about.

Analogy: The Cloakroom

Before diving into technical details, let’s use an image to help understand the entire event.

Imagine Kelp DAO as a cloakroom in a massive building spanning 20 rooms. You hand over your coat (ETH) to them, and they give you a ticket (rsETH) for retrieving your coat. This ticket is valuable: it proves the coat belongs to you, generates returns while waiting, and, more importantly—when the coat is still being kept—you can use this ticket to borrow money at any counter in the building as collateral.

All coats are stored in a main warehouse on the first floor (Ethereum mainnet). Each ticket in every room is ultimately backed by this warehouse.

These rooms are connected by an "intercom system" known as LayerZero. When a person in room 12 (Arbitrum) wants to communicate with the warehouse, they must go through this intercom system. The system has "security guards," referred to as DVNs (Decentralized Verifier Networks), responsible for verifying that messages are genuine before they are executed.

The problem is that Kelp assigned only one guard to this intercom system. Just one. A single signature is enough for any instruction to be deemed "genuine."

The attacker walked up to the intercom, impersonated someone from another room, and said, "Release 116,500 tickets." This lone guard accepted the forged message. The warehouse then released tickets worth $292 million — and throughout the entire process, no one had actually deposited any coats.

Subsequently, the attacker directly walked to Aave (the lending counter in the building) and said, "I want to borrow money using these tickets as collateral." Aave accepted the tickets at face value. The attacker ultimately walked away with over $236 million in real ETH.

And what Aave was left with was a pile of "notes" with no real asset backing.

How the Incident Happened (Step-by-step Breakdown)

Preparation

About 10 hours before the attack occurred, the attacker funded 6 wallets through Tornado Cash to obscure the source of funds. This is a standard preparatory process before an attack—planned, patient, and quite professional.

Execution

On April 18, 2026, at 17:35 (UTC), the attacker's wallet called the lzReceive function in LayerZero's EndpointV2 contract—this is the entry point for receiving and executing cross-chain messages.

The attacker constructed a forged message that looked like it came from a legitimate endpoint contract on Unichain, instructing Kelp's bridge to release 116,500 rsETH to an address controlled by the attacker.

The bridge executed this instruction.

There were no burn operations on the source chain, no collateral, no real initiating transaction. The reserves were directly "drained." 116,500 rsETH—approximately 18% of the total circulation—appeared out of thin air in the attacker’s wallet.

The Fatal Flaw of DVN

The core issue lies in Kelp's use of a 1/1 DVN configuration—only one verification node was responsible for confirming whether cross-chain messages were legitimate.

As long as this one node can be breached or forged, any message can be fabricated. As one developer said on X: "It only took one signature for 116,500 rsETH to be generated out of thin air on Ethereum. It wasn’t the contract that broke; it was the verification layer that broke."

Another explanation comes from on-chain analytics firm D2 Finance: it is possible that the private key of the source chain's OApp node was leaked, allowing the attacker to gain legitimate signing capability directly.

Regardless of the route, the essence is the same: single point of failure.

The Second Step: Draining Value

The attacker did not directly dump the $292 million worth of rsETH into the market—doing so would immediately cause the price to crash.

Instead, they chose a more efficient route: depositing these rsETH into Aave V3 as collateral and borrowing a large amount of WETH. Since these rsETH do not actually have any asset backing, this collateral essentially becomes "air." However, Aave could not identify this in real time and still processed the collateral normally.

The result was that the attacker walked away with real ETH, leaving a bad debt behind.

Emergency Response

Kelp's emergency multisig executed the pauseAll command 46 minutes later, freezing the LRT deposit pool, the withdrawal contract, the oracle, and rsETH itself. Subsequent attempts to extend the attack (about 40,000 rsETH each, totaling nearly $100 million) were thwarted. Without this pause, total losses could have approached $391 million.

This was the only mechanism in the entire event that operated normally as designed.

Systemic Impact on the DeFi Stack

Because rsETH is deeply integrated across the DeFi system and widely used as collateral, the impact spread almost instantaneously.

Aave fully froze the rsETH market on V3 and V4. ETH utilization skyrocketed to 100%—all ETH in the pool was borrowed out, leaving depositors unable to withdraw their assets. Panic spread rapidly, with over $5.4 billion worth of ETH withdrawn from the protocol. Justin Sun withdrew approximately $154 million in a single transaction. Aave’s TVL evaporated by $6.6 billion within hours.

SparkLend and Fluid also froze their respective rsETH markets. SparkLend indicated that it had no direct risk exposure, attributing this to its more conservative risk management strategy.

Lido Finance paused deposits for its earnETH product (which involves rsETH risk exposure), but the core protocol and stETH were unaffected.

Ethena proactively paused its LayerZero-based OFT cross-chain bridge (even though it does not hold rsETH and its overall collateral ratio remains above 101%). This action itself indicated that panic had moved beyond specific assets to the system level.

Upshift paused deposits and withdrawals for its High Growth ETH and Kelp Gain vaults.

On-chain analyst 0xngmi summarized the systemic nature of this impact in one sentence: "The capital outflow even affected Solana and other unaffected protocols—the market panic is no longer targeted at rsETH itself, but at the erosion of trust in the entire DeFi stack."

Exposed Structural Defects

This attack did not rely on breaking encryption algorithms or reversing smart contracts. It leveraged a decision-making error at the configuration level.

The architecture of LayerZero is essentially modular—each protocol can choose its own security parameters. This flexibility is indeed a technical advantage, but it also means that the system lacks minimum security thresholds.

A protocol can be configured with only a single verification node, and the system will still run normally. There will be no alarms, no prompts of risk. Until one day, $292 million is directly transferred away.
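To make the 1/1 DVN point concrete, here is an added example (not code from Kelp, Aave or LayerZero) that models a ULN-style verification rule, where every required DVN must attest and at least a threshold of optional DVNs must attest, and adds the policy check the article says is missing: a lint that refuses a configuration in which a single signer suffices. DVN names and the `min_signers` policy are assumptions.

```python
# Added example: model of a LayerZero-style DVN verification rule plus a
# minimum-threshold audit. Not the protocols' own code; names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DvnConfig:
    """Shape of a ULN-style config: all `required` DVNs must attest, plus at
    least `optional_threshold` of the `optional` DVNs."""
    required: tuple
    optional: tuple = ()
    optional_threshold: int = 0


def message_verified(cfg: DvnConfig, attesting: set) -> bool:
    """True when the DVNs that attested to a message satisfy cfg."""
    if not all(d in attesting for d in cfg.required):
        return False
    return sum(d in attesting for d in cfg.optional) >= cfg.optional_threshold


def distinct_signers_needed(cfg: DvnConfig) -> int:
    """Distinct DVNs whose attestation (or key) must be controlled to pass."""
    return len(set(cfg.required)) + cfg.optional_threshold


def audit(cfg: DvnConfig, min_signers: int = 2) -> list:
    """The missing 'alarm': findings for a config, empty when it meets policy."""
    findings = []
    n = distinct_signers_needed(cfg)
    if n < min_signers:
        findings.append(f"single point of failure: {n} DVN signature(s) "
                        f"suffice, policy requires {min_signers}")
    if len(set(cfg.required)) != len(cfg.required):
        findings.append("duplicate required DVN entries")
    if cfg.optional_threshold > len(set(cfg.optional)):
        findings.append("optional threshold exceeds optional DVN count; "
                        "messages can never verify")
    if cfg.optional and cfg.optional_threshold == 0:
        findings.append("optional DVNs configured but threshold is 0")
    return findings


# Constructed sample configs: a 1/1 setup like the one described, and a
# 2-of-3 alternative (one required DVN plus one of two optional DVNs).
ONE_OF_ONE = DvnConfig(required=("dvn-A",))
TWO_OF_THREE = DvnConfig(required=("dvn-A",), optional=("dvn-B", "dvn-C"),
                         optional_threshold=1)

if __name__ == "__main__":
    compromised = {"dvn-A"}  # an attacker controlling exactly one verifier
    print("1/1 accepts forged message:", message_verified(ONE_OF_ONE, compromised))
    print("2-of-3 accepts forged message:", message_verified(TWO_OF_THREE, compromised))
    print("audit 1/1:", audit(ONE_OF_ONE))
```

With only one verifier compromised, the 1/1 config verifies the forged message while the 2-of-3 config rejects it, and the audit flags the former before any message is ever processed.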

This is not just a problem with LayerZero but with the entire DeFi design philosophy: the belief that "composability" and "permissionlessness" can replace mandatory security standards.

DeFi has built a financial system that can be freely assembled like Lego blocks, yet without the structural constraints found in traditional financial systems.

When you deposit money in a bank, you automatically assume that the safety mechanism for funds is regulated and standardized; whereas in DeFi, you are essentially trusting:

· Each engineer's configuration decisions

· Each integration path

· Each execution logic on every chain

This trust is "implicit, distributed, and unverifiable."

LRT: The Structure Amplifying Risk

Liquid restaking tokens (LRTs) further amplify this issue. rsETH is not just a token; it is essentially a withdrawal certificate for a "main reserve," replicated across 20 chains. When this reserve is drained, all "withdrawal requests" on all chains become untrustworthy.

It is precisely the "composability" that made rsETH a premium collateral that also turned it into a systemic risk amplifier when it fails.

What Will Happen Next

Funds can essentially be considered unrecoverable. The attacker had professional-level pre-planning and used Tornado Cash for mixing coins. It is expected that Kelp will release on-chain messages proposing a white hat bounty (a common practice, albeit with a low success rate). On-chain detective ZachXBT has identified 6 attacker wallets, and analysts are continuously tracking, but attackers of this scale typically have established funds transfer paths.

The most pressing issue now is how to handle Aave's bad debt. There may be three paths:

1. The security module (Umbrella) absorbs the losses, and the protocol returns to normal within a few days.

2. Through governance voting, redistribute the losses among token holders (painful but bearable).

3. Long-term freezing leads to a breakdown of trust, with a recovery period measured in years.

Aave's communications in the next 72 hours will determine market expectations.

Kelp DAO will likely continue to exist at a reduced scale under the KernelDAO system, but rsETH's status as a prime collateral asset is essentially over. This is its second major incident within 12 months, and trust will be hard to restore.

LayerZero will also be forced to adjust. A post-mortem report will likely confirm the community consensus: minimum security standards for DVN must be established. Although the official stance may still be presented as "recommendations," market pressure will drive it to actual enforcement.

Lending protocols will reprice all LRT collateral. Assets including rsETH, ezETH, weETH, and pufETH will face:

· Lower collateral ratios (LTV)

· Stricter supply caps

· More detailed risk assessments

The era where LRT was viewed as equivalent to stETH has ended.

Regulators will not overlook this event. Two attacks exceeding $285 million within the same month—Drift Protocol (April 1) and Kelp (April 18)—provide ample arguments for pushing for mandatory safety standards in DeFi.

It is expected that these two events will appear in U.S. Congressional hearings and EU MiCA technical consultations before the end of Q2, becoming important case studies in regulatory discussions.

Conclusion

$292 million has disappeared. This "cloakroom" assigned a single guard to a vault holding nearly one-fifth of the "coats." When that guard was compromised, the attacker didn't even need to pick locks or blow open safes; they simply "asked politely" and were let through.

The industry's subsequent reaction will determine whether this incident becomes a true turning point or is merely recorded as yet another avoidable disaster. The technical fixes are not actually complicated—multi-DVN configuration, establishing minimum security thresholds, more conservative LRT collateral parameters. But the real difficulty lies in acknowledging that "permissionless" and "trustless" do not equate to "safe."

The promise of DeFi has always been to build a more transparent and accountable infrastructure than traditional finance. But this promise is only credible if the system itself is also safer. The analogy of the cloakroom holds because, when you go to retrieve your coat, it is indeed still there.

[Original Link]
