0xTodd ( thinking )
0xTodd ( thinking )|Apr 19, 2026 02:52
Kelp DAO was maliciously issued $200 million worth of Ethereum Staking tokens via LayerZero cross chain bridge by hackers yesterday. Because rsETH is a multi chain asset, the hacker deceived the cross chain bridge and created the illusion of "assets have already been deposited on other chains" (although in reality, he did not deposit), using the vulnerability to maliciously issue 116500 rsETH on the ETH main network. Then, the hackers deposited these anchor free tokens into various lending protocols, such as Aave and Morpho, and ultimately borrowed the real Ethereum ETH. So the awkward thing about this matter now is that Aave has the least responsibility, but bears the greatest loss 。 Although it is not yet clear which one is more responsible, Kelp or LayerZero, based on LayerZero's past reputation, it is highly likely that the responsibility on the Kelp project side is greater (not an accusation, only speculation). Meanwhile, for the project team, their underlying Ethereum, namely Staked ETH, has not been directly stolen or exchanged by hackers. So the party with greater responsibility for the project actually suffered smaller financial losses. And this KelpDAO, to be precise, is a sub product under the Kernel protocol. The Kernel protocol, although currently listed on Binance, has a market value of only around $22 million, which doesn't seem like it can afford to lose money at all 。 And the Kernel project team has had vulnerabilities before. In 2025, rsETH was issued once by a massive amount, but fortunately, the last time did not cause any actual losses. I have a famous saying: If a DeFi project has encountered a problem once, it is highly likely to encounter a second, third, or fourth problem. For Aave, it has hardly had any problems in the past. And obviously, the project team and LayerZero are likely neither willing nor willing to pay. Therefore, although the responsibility was also minimal this time, the bitter fruit fell on AAVE. This is actually a tragedy of the commons. Fortunately, Aave has an Umbrella pool. You can understand it as a safety pool. However, the assets it underwrites are separated from each other. And almost all of the assets borrowed by the hacker this time were WETH. The insurance pool for WETH is currently around 56 million US dollars; There is still a significant gap compared to the actual loss of approximately $200 million+. In fact, Aave's Umbrella pool has never been compensated. Since Aave launched Umbrella, there has never been a security incident that required it to be in danger. So this time, Aave may still have to rely on its own revenue to slowly carry on. Some people spread rumors that Aave carries great risks, but I believe Aave can withstand this loss. Although it will be very painful, it should still be manageable. ---Dividing line--- I have two feelings now: My first feeling is that I have an unprecedented disappointment with cross chain DeFi. I think cross chain communication can only take the official bridge, not the third-party bridge. This field is too prone to problems. Even I think that a manual review mechanism should be introduced for large cross chain transactions. For example, automatic processing is required for amounts below $100000, while amounts exceeding $100000 must be manually reviewed. The second feeling is that in DeFi, this huge nested doll, responsibility and risk are actually not equal. The most paradoxical thing is that those who bear the greatest responsibility and cause the most trouble often fail to bear the corresponding financial losses. At present, the money has not yet entered the tornado. I hope this matter can be resolved properly in the end.
+5
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads