AI cannot save humanity from stupidity: Insights from the KelpDAO 290 million dollar incident reveal the true blind spots in blockchain security.

Techub News
4 hours ago

Author: Merkle3s Capital

This content is supported by Block Analytics Ltd X Merkle 3s Capital. The information in this article is for reference only and does not constitute any investment advice or invitation. We are not responsible for the accuracy of the content and assume no responsibility for any consequences arising from it.

$290 million, it wasn't a code issue

On April 18, 2026, another enormous loss was added to DeFi's history—attackers found no smart contract vulnerabilities, used no zero-day exploits, and didn't even need any advanced technologies. They simply exploited a configuration option: KelpDAO set the security verification of its cross-chain bridge to be 1-of-1.

Here's how it happened. KelpDAO uses LayerZero as its cross-chain bridge protocol to transfer rsETH (Restaked ETH) between Ethereum and various Layer 2 solutions. The security core of the cross-chain bridge is a validation mechanism called DVN (Decentralized Verifier Network)—in simple terms, it requires a certain number of independent verification nodes to confirm that "this cross-chain transaction is legitimate" before the message is released.

KelpDAO's configuration was 1-of-1: One node confirmation was sufficient.

The attackers (linked to North Korea's Lazarus Group by security firms such as SlowMist) disrupted normal RPC nodes through DDoS attacks while injecting forged data into a single DVN. The single verification node was tricked, and the fake cross-chain message was approved—116,500 rsETH (worth about $290 million) was minted, "crossing" from a non-existent Ethereum endpoint.

The attackers then deposited the forged rsETH into Aave V3 as collateral, borrowing about $190 million worth of WETH.

The whole process involved no cryptographic break and no code exploit.

The consequences were chain reactions. According to an incident report released on April 20 by the Aave governance forum, the scale of bad debt was about $230 million (Scenario 2 estimate).

According to CoinDesk, Aave's TVL dropped from about $48.5 billion to around $30-31 billion within days, a decline of over 37%.

According to Yahoo Finance, the AAVE token fell about 15-20% (peaking around 20%). Borrowing rates soared from 3.4% to 14%, and the entire DeFi market's TVL evaporated by over $13 billion within days.

This is the kind of disaster an AI auditor can never catch: the code audit can be flawless, and the configuration parameters will still be outside its view.

AI auditing tools are exploding—what next?

If you have been following the blockchain security space, you will have seen an exciting narrative over the past two years: AI is finally going to solve DeFi's security issues.

This is not empty talk. CertiK's Skynet platform has covered thousands of projects with real-time on-chain monitoring; De.Fi Scanner has run over a million scans; Hexagate's on-chain threat detection has been acquired by Gate.io.

Academia is also following suit—multiple papers on smart contract vulnerability detection based on large language models have been published between 2025 and 2026, reporting impressive detection rates.

AI is indeed effective at the code level. Reentrancy attacks, integer overflows, access control flaws—these known patterns are much faster for AI to identify than humans. Industry surveys show that 60-80% of audit projects are already using AI tools as preliminary screening aids, with no exceptions among leading audit firms.

But there’s a paradox here: tools are getting better, but losses are not decreasing.

DeFiLlama's data does not lie. Since 2025, there have been over 15 major attack incidents with losses exceeding $30 million, totaling over $2 billion.

What role did AI auditing tools play in these events? The answer is: almost none. Because the root causes of these attacks are almost never at the code level.

KelpDAO was audited, so what happened?

KelpDAO is not an insignificant project—it underwent smart contract auditing by a security firm, and its underlying protocol LayerZero is one of the most widely used cross-chain infrastructures in the industry.

The audit report states clearly that the code is clean. Then they lost $290 million.

Here lies a crucial distinction: the audit covered the smart contract code but did not cover the DVN configuration parameters.

The auditing firm checked whether there were vulnerabilities in the contract logic—the answer is no. But whether a 1-of-1 DVN configuration is safe to run in a production environment is a question outside the scope of that audit. Ironically, following the incident, a public dispute erupted between KelpDAO and LayerZero over liability.

According to CoinDesk, KelpDAO claims that the 1-of-1 configuration is LayerZero's default setting, that its quick start guide and default GitHub configuration both point to a 1-of-1 DVN, and that about 40% of LayerZero protocols use this configuration.

LayerZero rebutted that they had explicitly warned against using the 1-of-1 configuration in a production environment. After the incident, LayerZero completely banned the 1-of-1 configuration—but that was merely closing the barn door after the horse had bolted.

Who is right and who is wrong aside, this dispute itself illustrates one thing:

The key security decisions lie not in code, but in communication between people, in documentation, in default values, and in assumptions about what one party thinks the other already knows.

AI auditing tools can scan every function call in code but will not ask: "How many verification nodes does your cross-chain bridge use?" This isn't because AI isn't smart enough, but because it simply doesn't know to ask that question.

Four blind spots in AI auditing

Security researcher samczsun (former Paradigm security researcher, founder of SEAL 911) has put the general idea this way:

The difference between those who find vulnerabilities and those who do not lies in the former's ability to observe inconsistencies and continue to question.

Blind Spot 1: Architectural design decisions

AI can audit code logic but cannot determine: Are the security assumptions of this system valid?

KelpDAO is a typical case: 1-of-1 DVN is completely legal at the code level—the contract logic has no bugs, function calls are correct, access control is reasonable. But architecturally, it creates a single point of failure. AI sees "the code is correct" but fails to recognize "the design is dangerous."

Many similar cases exist. Multichain's MPC keys were controlled by the CEO alone, and Beanstalk Farms' governance proposals had no time lock—the code was fine, but the architecture was a ticking time bomb.

Blind Spot 2: Configuration parameter audits

Smart contracts require setting numerous parameters when deployed on-chain—number of verification nodes, multi-signature thresholds, time lock durations, oracle sources, liquidation thresholds. These parameters determine the actual security level of the system, but they are not in the code; they are in the deployment configuration.

AI auditing tools scan the logic of .sol files and will not check what parameters you actually filled in during deployment. It’s like auditors checking that a bank vault's lock design is fine but no one checks if the vault door was actually locked during operation.

KelpDAO's DVN = 1 is like "the door is unlocked." The more outrageous disaster of the Nomad Bridge in 2022 occurred during a code upgrade after an audit, where the Merkle root was initialized to 0x00, meaning any message could be forged as valid. This isn't audit negligence; it's audit drift: the audited code and the final deployed code are not the same version.

Blind Spot 3: Operational processes and private key management

AI cannot see the configuration of hardware security modules (HSMs), where private keys are stored, the OpSec level of operators, or whether temporary permissions have been revoked.

The lesson from the Ronin Network was the most painful: attackers obtained the private keys of 5 verification nodes (4 belonging to Sky Mavis and 1 belonging to a third-party Axie DAO verifier), and a temporary authorization from 2021 was never revoked. The attackers stole $624 million. The attack was only discovered 6 days later—because no one was monitoring the anomalous behavior of the verification nodes.

Mixin Network stored private keys in a cloud database. Bybit's Safe multi-signature front end was implanted with malicious JavaScript by Lazarus, and the interface seen by signers was completely different from the transaction being signed—the contract itself was unharmed, and AI contract auditing had no effect on this.

Blind Spot 4: Composite risks

DeFi is like Lego blocks. A single module’s security does not guarantee security when combined.

KelpDAO's architecture is a three-layer stack: rsETH (restaked protocol) + LayerZero (cross-chain bridge) + Aave V3 (lending protocol). Each layer makes sense individually—but the risks when stacked are exponential. "What happens to Aave’s collateral if the cross-chain bridge is breached?"—this question was not in any audit report because it doesn't belong to the audit scope of any single module.

OpenZeppelin pointed out in its post-incident analysis of KelpDAO: "Smart contract audits typically do not check how third-party protocol integrations are configured during deployment, nor whether infrastructure components introduce single points of failure."

AI currently cannot do this—it audits code, not intent.

Case Studies: This is not a coincidence; it is a pattern

If you think KelpDAO was a case of bad luck, the following three cases will make you reconsider.

Case 1: Bybit—$1.46 billion, front end injected with malicious code

Date: February 21, 2025
Loss: About $1.46 billion (401,347 ETH + stETH and other tokens)
Attack Type: Supply chain attack

Bybit uses Safe as a multi-signature wallet solution. Attackers (confirmed by the FBI to be the Lazarus Group) compromised a Safe developer's machine and injected malicious code into Safe's front end JavaScript via an AWS S3 bucket.

When Bybit's multi-signature signers opened the Safe interface to prepare for signing, they saw normal transaction content—but the actual signed transaction had been tampered with, transferring control to the attackers.

Key Point: The smart contract itself had no vulnerabilities. The multi-signature logic was correct, and the code had been audited. The attack occurred at the front end—a layer completely unexamined by AI contract auditing tools. This was the largest single loss event in DeFi history.

Case 2: Ronin Network—$624 million, temporary permissions that were never revoked

Date: March 23, 2022 (disclosed on March 29)
Loss: About $624 million (173,600 ETH + 25.5M USDC)
Attack Type: Private key leakage + operational security failure

Ronin is a side chain for Axie Infinity, where 5 out of 9 verification nodes can approve withdrawals. The attackers used social engineering to break into a Sky Mavis employee's device, obtaining the private keys of 5 verification nodes (4 belonging to Sky Mavis and 1 belonging to a third-party Axie DAO verifier). Some of these keys had permissions from a temporary authorization in 2021—that was supposed to be revoked after the task was completed, but no one remembered to do so.

The attack was only discovered 6 days later. A user attempted to withdraw 5,000 ETH and found that the bridge was unresponsive, triggering an alert.

Key Point: There were no code vulnerabilities. The issue was "who holds the keys" and "whether permissions have expired"—this is purely an operational security issue. The FBI confirmed the attackers were from the Lazarus Group.

Case 3: Drift Protocol—$285 million, months of meticulously planned social engineering

Date: April 1, 2026
Loss: About $285 million (over 50% of TVL)
Attack Type: Social engineering + administrator key leakage + oracle manipulation

Drift Protocol is a decentralized trading platform on Solana. This attack was not simply a case of stolen keys—the attackers spent months establishing a trust relationship with the Drift team and eventually infiltrated the security committee.

They lured security committee members to use Solana's "durable nonces" feature to pre-sign critical transactions, thereby gaining administrator privileges. They then created a fake token (CarbonVote Token), injected liquidity, manipulated oracle prices, and withdrew over 50% of the protocol's funds within 12 minutes.

Key Point: The smart contract logic was fine. The attack exploited human trust—months of social engineering groundwork, which AI, no matter how powerful, cannot detect. Chainalysis suspects ties to a North Korea-affiliated organization.

Pattern Summary

Three cases, three methods of attack, one commonality: the root cause was not at the code level.

Bybit: Front-end supply chain—AI cannot audit

Ronin: Private key management and permission revocation—AI cannot see

Drift: Social engineering and human trust—AI cannot manage

Add KelpDAO's configuration error, and these four incidents together incurred losses exceeding $2.2 billion. Each one occurred outside the boundaries of AI auditing. The trust assumptions behind each were never written in code, so none of them were audited by AI.

Conclusion: The tools are good, but the questions are wrong

AI auditing tools are indeed getting better. This is a fact that should not be denied. In detecting known vulnerabilities at the code level, AI has become the most efficient preliminary screening tool, and while the false positive rate remains a pain point, it is continuously improving. The correct positioning is: AI = Efficient preliminary screener, not the final arbiter.

However, if what we are asking is "how to use AI to solve blockchain security issues," we may have been asking the wrong question from the start.

No AI tool will write in an audit report: "Your DVN configuration should be 3-of-5, not 1-of-1." No AI tool will check whether your engineers stored private keys in a cloud database. No AI tool will discover at 2 AM that attackers have controlled your 5 verification nodes—Ronin Network waited 6 days. No AI tool can recognize social engineering attacks that take months to establish trust—lessons from Drift Protocol.

This isn't because AI isn't smart enough; it’s a matter of defining the boundaries of audits. Current AI auditing tools cover the code layer, while the risks that truly lead to enormous losses are distributed across the configuration layer, architectural layer, operational layer, and composite layer—these areas currently lack systematic auditing methods.

What the industry truly needs is:

Configuration audits: Audit each deployment parameter as rigorously as code—DVN numbers, multi-signature thresholds, time lock settings

Architectural threat modeling: Ask at the design phase, "What happens if this component is breached?"

Operational security reviews: Private key management plans, operator training, permission revocation processes

Composite risk assessment: Any integration with external protocols requires independent risk modeling
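As an added illustration of the configuration audit called for here and in Blind Spot 2 (example code written for this article, not code from KelpDAO, LayerZero, Aave or any audit firm): a small linter over a deployment configuration that flags the parameters the article names. The DVN section is modelled on LayerZero V2's required/optional DVN settings, but every field name, value and commit identifier below is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str    # "critical" or "warning"
    component: str   # which deployment parameter tripped the check
    message: str

def dvn_forgery_cost(required, optional, optional_threshold):
    """Verifiers an attacker must control before a forged message is
    released: every required DVN plus `optional_threshold` optional ones
    (assumed verification rule, modelled on LayerZero V2 ULN settings)."""
    if optional_threshold > len(optional):
        raise ValueError("optional threshold exceeds optional DVN count")
    if not required and optional_threshold == 0:
        raise ValueError("no verifier is required at all")
    return len(required) + optional_threshold

def audit_deployment(cfg, min_verifiers=2, min_timelock=86400):
    """Flag parameters that are legal in code but dangerous in production."""
    out = []
    d = cfg["dvn"]
    cost = dvn_forgery_cost(d["required"], d["optional"], d["optional_threshold"])
    if cost < min_verifiers:   # KelpDAO's 1-of-1: a single point of failure
        out.append(Finding("critical", "dvn",
                   f"a forged message needs only {cost} compromised verifier(s)"))
    m = cfg["multisig"]
    if m["threshold"] < 2:
        out.append(Finding("critical", "multisig", "one key can move funds"))
    elif m["threshold"] > len(m["owners"]):
        out.append(Finding("critical", "multisig", "threshold exceeds owner count"))
    if cfg["timelock_seconds"] < min_timelock:   # the Beanstalk lesson
        out.append(Finding("warning", "timelock",
                   f"{cfg['timelock_seconds']}s leaves no time to react to a bad proposal"))
    if cfg["audited_commit"] != cfg["deployed_commit"]:   # the Nomad lesson
        out.append(Finding("critical", "audit_drift",
                   "deployed code is not the audited revision"))
    return out

# Constructed sample configs (illustrative values, not any project's real files).
WEAK = {
    "dvn": {"required": ["dvn-a"], "optional": [], "optional_threshold": 0},
    "multisig": {"owners": ["k1", "k2", "k3"], "threshold": 1},
    "timelock_seconds": 0,
    "audited_commit": "AUDITED_COMMIT_PLACEHOLDER",
    "deployed_commit": "DEPLOYED_COMMIT_PLACEHOLDER",
}
HARDENED = {
    "dvn": {"required": ["dvn-a"], "optional": ["dvn-b", "dvn-c", "dvn-d", "dvn-e"],
            "optional_threshold": 2},
    "multisig": {"owners": ["k1", "k2", "k3", "k4", "k5"], "threshold": 3},
    "timelock_seconds": 2 * 86400,
    "audited_commit": "AUDITED_COMMIT_PLACEHOLDER",
    "deployed_commit": "AUDITED_COMMIT_PLACEHOLDER",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [f"{f.severity}:{f.component}" for f in audit_deployment(cfg)])
```

The weak config reproduces the article's four failure modes (single verifier, single signer, no time lock, audit drift); the hardened one needs three compromised verifiers before a forged message is released.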

Notably, following the KelpDAO incident, the DeFi industry demonstrated a capacity for spontaneous coordination—DeFi United raised approximately $160 million within 10 days to cover Aave's bad debt. This just confirms one point:

Problems that AI auditing cannot solve need humans to solve.

References:

Aave Governance—rsETH Incident Report (April 20, 2026)

CoinDesk—"Kelp DAO Claims LayerZero's 'Default' Settings Are What Actually Caused the $290 Million Disaster"

CoinDesk—"Aave Could Face Up to $230M in Losses After Kelp DAO Bridge Exploit"

CoinDesk—"The $13 Billion DeFi Wipeout in Two Days"

Forbes—"AAVE wETH Exploit: $200M Bad Debt Hits Depositors"

Unchained Crypto—"Kelp DAO Disputes LayerZero's Account of the $290 Million Exploit"

LayerZero—KelpDAO Incident Statement

SlowMist Team (@SlowMist_Team)—KelpDAO exploit analysis

OpenZeppelin—"$292 Million Lost, Zero Bugs Found: Lessons From the KelpDAO Hack" (April 2026)

QuillAudits—"KelpDAO rsETH $292M Bridge Exploit (Explained)"

Bybit Official Timeline; Elliptic; SlowMist; BlockSec—Bybit hack analysis

Coinbase; Halborn—Ronin Network hack analysis

Chainalysis; Unchained Crypto—Drift Protocol hack analysis

Yahoo Finance—AAVE token price movement analysis

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
