After $290 million evaporated, does DeFi's security promise still hold?

Original Title: The $292 Million Heist: What the Kelp DAO Hack Tells Us About DeFi’s Deepest Flaw
Original Author: Arche Capital
Translation: Peggy, BlockBeats

Editor’s Note: On April 18, KelpDAO experienced a theft of approximately $292 million in assets. This was not a typical “smart contract breach,” but rather a chain reaction triggered by misconfiguration at the cross-chain verification layer: attackers forged messages, creating 116,500 rsETH out of thin air that should not have existed, and transferred these “uncollateralized assets” into Aave to borrow real ETH. The risk rapidly spread from a single protocol to the entire DeFi collateral system.

In highly composable systems, cross-chain bridges, liquid staking tokens, and lending protocols are layered and nested. Any seemingly “local” configuration choice can become a trigger that penetrates the entire chain. When assets like rsETH are widely regarded as near-safe collateral, if their underlying mechanisms fail, it’s not just about price volatility—it’s a collapse of the entire pricing and trust system.

Based on this, the author offers a deeper judgment: Over the past few years, DeFi has continuously strengthened its modular, composable, and “permissionless” design philosophy, yet it has always lacked any binding minimum security standard. This means a technically “optional” configuration error can evolve into systemic risk.

When a highly leveraged, interconnected financial system is built on fragile engineering configurations, “trustlessness” does not automatically equate to “greater safety.”

Below is the original text:

On Saturday afternoon, a forged message (almost just a line of numbers) caused a piece of software to “actively” hand over $292 million. No guns, no social engineering attacks, no inside jobs. Only a misconfigured security setting and an attacker who had carefully planned and patiently waited for hours beforehand.

By Sunday morning, the largest DeFi hack of 2026 so far had wiped $6.6 billion from Aave’s balance sheet, sent AAVE tokens down 16%, frozen liquidity across at least nine mainstream protocols, and once again prompted the familiar verdict: DeFi is dead.

It’s not dead. But this incident once again exposes a long-avoided, yet unaddressed structural flaw in the industry.

Next, we will dissect the event’s process, impact, and possible future changes.

Analogy: Cloakroom

Before diving into technical details, let’s use a visual to help understand the entire event.

Imagine Kelp DAO as a large building with a cloakroom spanning 20 rooms. You hand over your coat (ETH), and it gives you a token (rsETH). This token is valuable: it proves the coat belongs to you, can generate yield while waiting, and crucially—while the coat is stored, you can use this token as collateral at any counter in the building to borrow money.

All coats are stored in a main warehouse on the first floor (Ethereum mainnet). Every token in each room is ultimately backed by this main warehouse.

These rooms are connected via an “intercom system” called LayerZero. When someone in Room 12 (Arbitrum) wants to communicate with the warehouse, they do so through this intercom. The system has “security guards”—called DVNs (Decentralized Verifier Networks)—responsible for verifying message authenticity before execution.

The problem is, Kelp assigned only one security guard to this intercom system. Just one. Any command needs only a single signature to be considered “authentic.”

An attacker approaches the intercom, impersonates someone from another room, and says: “Release 116,500 tokens.” The sole guard accepts this forged message. The warehouse then releases tokens worth $292 million—without anyone actually depositing coats.

Next, the attacker walks directly to Aave (the building’s lending counter), says: “I want to collateralize these tokens and borrow.” Aave accepts these tokens at face value. The attacker ultimately takes away over $236 million in real ETH.

Meanwhile, Aave is left holding a bunch of “notes” with no real assets backing them.

How exactly did the event unfold (step-by-step breakdown)

Preliminary Preparation

About 10 hours before the attack, the attacker funded 6 wallets via Tornado Cash to obscure the source of funds. This is a standard pre-attack preparation—planned, patient, and quite professional.

Execution of the Attack

At 17:35 UTC on April 18, 2026, the attacker’s wallet called the lzReceive function in LayerZero’s EndpointV2 contract—this is the entry point for receiving and executing cross-chain messages.

The attacker crafted a forged message that appeared to come from a legitimate counterparty contract on Unichain, instructing Kelp’s bridge to release 116,500 rsETH to the attacker-controlled address.

The bridge executed this command.

There was no burn operation on the source chain, no collateral, no real transaction initiated. The reserve was directly drained. 116,500 rsETH—about 18% of the total circulating supply—appeared out of thin air in the attacker’s wallet.

The critical flaw in DVN

The core issue: Kelp used a 1/1 DVN configuration—a single verifier node was solely responsible for confirming the legitimacy of cross-chain messages.

If this node is compromised or forged, any message can be fabricated. As one developer said on X: “With just one signature, 116,500 rsETH was created out of thin air on Ethereum. It’s not a contract bug, it’s a validation layer failure.”

Another explanation from on-chain analysis firm D2 Finance suggests the private key of the source chain’s OApp node may have been leaked, allowing the attacker to obtain legitimate signing capability.

In essence, both paths point to the same problem: a single point of failure.
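To make the “single point of failure” concrete, here is an added example (not code from Kelp, LayerZero or the original article) that simulates how a receiving chain decides whether a cross-chain packet is verified. The quorum rules (a set of required DVNs that must all attest, plus an optional set with a threshold) are modeled on LayerZero V2’s configurable verification, but the class names, the placeholder addresses and the forged payload are constructed for illustration.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class DvnConfig:
    """Verification quorum (simplified model, assumption: mirrors required/optional DVN sets)."""
    required: frozenset                 # every DVN here must attest, or the packet fails
    optional: frozenset = frozenset()   # extra DVNs, of which optional_threshold must attest
    optional_threshold: int = 0


@dataclass(frozen=True)
class Packet:
    src_eid: int          # source endpoint id (constructed value below)
    sender: str           # claimed peer contract on the source chain
    receiver: str         # bridge contract on the destination chain
    payload: bytes        # the instruction the bridge will execute on delivery

    def hash(self) -> bytes:
        header = f"{self.src_eid}:{self.sender}:{self.receiver}:".encode()
        return sha256(header + self.payload).digest()


def is_verified(cfg: DvnConfig, packet: Packet, attestations: dict) -> bool:
    """attestations maps DVN name -> payload hash that DVN attested to for this packet."""
    h = packet.hash()
    agreeing = {dvn for dvn, attested in attestations.items() if attested == h}
    if not cfg.required <= agreeing:            # any missing required DVN blocks delivery
        return False
    return len(cfg.optional & agreeing) >= cfg.optional_threshold


# Constructed sample: a packet claiming to come from a legitimate peer and ordering a mint/release.
FORGED = Packet(src_eid=1, sender="0xPEER_PLACEHOLDER", receiver="0xBRIDGE_PLACEHOLDER",
                payload=b"release:116500:to=0xATTACKER_PLACEHOLDER")


def single_dvn_outcome() -> bool:
    """1/1 config: one compromised or forging DVN is the whole quorum, so the packet passes."""
    cfg = DvnConfig(required=frozenset({"dvn_a"}))
    return is_verified(cfg, FORGED, {"dvn_a": FORGED.hash()})


def quorum_outcome() -> bool:
    """2 required + 1-of-2 optional: the same lone attestation is not enough; honest DVNs never saw the packet."""
    cfg = DvnConfig(required=frozenset({"dvn_a", "dvn_b"}),
                    optional=frozenset({"dvn_c", "dvn_d"}), optional_threshold=1)
    return is_verified(cfg, FORGED, {"dvn_a": FORGED.hash()})
```

Under the quorum configuration the forged packet is only delivered if the attacker controls every required DVN and enough optional ones, which is exactly the cost a 1/1 setup removes.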

Second step: draining value

The attacker did not immediately dump the $292 million worth of rsETH on the market—such an action would cause prices to collapse instantly.

Instead, they chose a more efficient route: depositing these rsETH into Aave V3 as collateral and borrowing large amounts of WETH. Since these rsETH are actually unsupported by any real assets, the collateral is essentially “air.” But Aave cannot recognize this in real-time and processed it as normal collateral.

As a result, the attacker took real ETH away, leaving a bad debt behind.

Emergency response

Kelp’s emergency multisig executed the pauseAll command after 46 minutes, freezing the LRT deposit pool, withdrawal contracts, oracles, and rsETH itself. Two subsequent follow-on attack attempts (each around 40,000 rsETH, totaling about $100 million) were blocked. Without this pause, total losses could have approached $391 million.

This was the only mechanism functioning as designed during the incident.

Systemic Impact on the DeFi Stack

Because rsETH is deeply embedded across the entire DeFi ecosystem as a widely used collateral, the impact spread almost instantly.

Aave froze rsETH markets across V3 and V4. ETH utilization soared to 100%—all ETH in the pool was borrowed out, depositors couldn’t withdraw. Panic spread rapidly, with over $5.4 billion worth of ETH withdrawn from the protocol. Justin Sun withdrew about $154 million in a single transaction. Aave’s TVL evaporated by $6.6 billion within hours.

SparkLend and Fluid also froze their rsETH markets. SparkLend claimed no direct exposure, citing its more conservative risk controls.

Lido Finance paused deposits in its earnETH product (which involves rsETH risk exposure), but core protocols and stETH remained unaffected.

Ethena, for precaution, paused its LayerZero-based OFT cross-chain bridge (despite not holding rsETH and maintaining collateral ratios above 101%). This move indicates panic has shifted from specific assets to systemic trust.

Upshift paused access to its High Growth ETH and Kelp Gain vaults.

On-chain analyst 0xngmi summarized the systemic scope of this shock in one sentence: “Funds are fleeing, even affecting Solana and other unaffected protocols—the market panic is no longer about rsETH itself but about trust in the entire DeFi stack.”

Revealed Structural Flaws

This attack did not rely on breaking encryption algorithms or reverse-engineering smart contracts. It exploited a configuration-level decision error.

LayerZero’s architecture is inherently modular—each protocol can choose its own security parameters. This flexibility is a technical advantage but also means the system has no minimum security threshold.

A protocol can simply configure a single validation node, and the system will still operate normally. No alerts, no risk warnings. Until one day, $292 million is transferred out outright.

This is not just a LayerZero issue but a fundamental flaw in DeFi design: the belief that “composability” and “permissionlessness” can replace mandatory security standards.

DeFi has built a financial system that can be freely assembled like LEGO blocks, but without the structural constraints of traditional finance.

In banking, your money’s safety relies on regulation and standardization; in DeFi, you are actually trusting:

· Each engineer’s configuration decisions

· Each integration pathway

· The execution logic on each chain

This trust is “implicit, distributed, and unverifiable.”

LRT: Amplifying Risks

Liquid Restaking Tokens (LRTs) further magnify this problem. rsETH is not just a token; it is essentially a withdrawal receipt for a “main reserve,” copied across more than 20 chains. When this reserve is drained, all “withdrawal requests” on every chain become untrustworthy.

It is precisely the “composability” that makes rsETH a high-quality collateral, but also an amplifier of systemic risk when failure occurs.

What’s Next

Funds are essentially unrecoverable at this point. The attacker had professional-level planning and used Tornado Cash for mixing. Kelp is expected to publish on-chain messages offering bug bounties (a common practice, but with low success probability). On-chain detective ZachXBT has identified six attack wallets, and analysts are tracking them continuously, but such large-scale attackers usually have mature fund transfer routes.

The most urgent issue now is how Aave will handle the bad debt. There are three possible paths:

  1. The security module (Umbrella) absorbs the loss, and the protocol recovers within days

  2. Governance votes to distribute the loss among token holders (painful but manageable)

  3. Long-term freeze leading to trust collapse, with recovery taking years

Aave’s communication in the next 72 hours will shape market expectations.

Kelp DAO will most likely continue to exist under the KernelDAO system in a scaled-down form, but rsETH’s role as a primary collateral asset is essentially over. This is its second major incident within 12 months, and trust is hard to restore.

LayerZero will also be forced to adjust. The post-mortem report will likely confirm the community consensus: establishing a minimum security standard for DVNs. Even if LayerZero officially frames this as a recommendation, market pressure will push it toward de facto mandatory enforcement.

Lending protocols will reprice all LRT collateral. Assets including rsETH, ezETH, weETH, and pufETH will face:

· Lower collateral ratios (LTV)

· Stricter supply caps

· More detailed risk assessments

The era of LRT being considered nearly equivalent to stETH is over.

Regulators will not ignore this incident. Two attacks exceeding $285 million within the same month—Drift Protocol (April 1) and Kelp (April 18)—provide ample grounds for pushing DeFi to adopt mandatory security standards.

It is expected that before the end of Q2, these incidents will be discussed in US congressional hearings and EU MiCA consultations, becoming key cases in regulatory debates.

Conclusion

$292 million has vanished. This “cloakroom” only had one security guard watching over a vault storing nearly one-fifth of the “coats.” When this guard was breached, the attacker didn’t even need to pick a lock or blow open the safe—they simply “politely asked,” and they were let in.

The industry’s subsequent response will determine whether this incident becomes a true turning point or is merely recorded as another avoidable disaster. Technical fixes are not complicated—adding more DVNs, setting minimum security thresholds, adopting more conservative LRT collateral parameters. But the real challenge is acknowledging that “permissionless” and “trustless” do not automatically mean “safe.”

DeFi’s promise from the start was to build a more transparent, accountable infrastructure than traditional finance. But this promise is only credible if the system itself is safer. The cloakroom analogy holds because, when you go to retrieve your coat, it’s really still there.
