The recent $292 million breach of Kelp DAO has triggered widespread alarm within the crypto community, prompting warnings from developers and traders about fundamental vulnerabilities in decentralized finance (DeFi).
Market data reveals that repercussions extended beyond the hacked entity. As noted by 0xngmi on Sunday, “the rsETH hack is leading to withdrawals across all lending protocols, including those on Solana and unaffected platforms,” with Aave experiencing a -6,200m (-23%) drop in net inflows, alongside declines at Morpho, Sky, and JupLend. rsETH, Kelp DAO’s Liquid Restaking Token (LRT), enables users to earn staking rewards while maintaining liquidity.
This initial pressure escalated into more severe liquidity issues within lending markets. Josu San Martin highlighted a cascading effect: “ETH depositors, unable to withdraw ETH, are resorting to borrowing stablecoins for withdrawals… triggering a run on AAVE.”
Stani Kulechov, the founder of Aave, clarified that the protocol itself was not compromised, attributing the exploit to external factors. Nonetheless, panic ensued among depositors, leading to a drop in total value locked from $26.4 billion on April 18 to nearly $20 billion by Sunday morning U.S., according to DefiLlama. Concurrently, the AAVE token plummeted over 18% as withdrawals surged.
The focus for engineers and developers has now shifted to understanding the exploit’s nature. Cryptogoblin argued that the KelpDAO breach (~$290M) was not a LayerZero protocol bug but rather a configuration issue, highlighting the necessity for projects with cross-chain tokens to reassess their setups. The post explained how a singular verification point facilitated the attack: “One signature and 116,500 rsETH materialized from nothing on Ethereum,” noting that while smart contracts remained intact, the verification layer was compromised.
Others believe the issue extends beyond a single configuration choice. Fishy Catfish suggested it represented a design flaw, stating there is no security baseline, as a configuration could rely on a 1/1 DVN managed by a solitary entity. A Decentralized Verifier Network (DVN) in DeFi’s LayerZero V2 framework validates cross-chain messages.
To illustrate, Fishy Catfish compared this to allowing amusement parks to individually determine roller coaster safety standards, implying that unchecked flexibility can lead to hidden risks. The author further criticized the design: “Modular security is valuable, but there must be a robust native security floor with additional layers for high-value applications.”
The exploit’s magnitude and complexity have intensified concerns. Approximately 116,500 rsETH (18% of supply) was involved when an attacker deceived LayerZero’s cross-chain messaging into issuing a false instruction, resulting in the unauthorized release of rsETH to their address.
In response, protocols like Aave suspended rsETH activities, while Lido paused deposits related to the asset. Various projects took similar precautions.
Sentiment across crypto shifted notably negative, with some asserting “DeFi is dead,” criticizing reliance on platforms like Aave and questioning crypto’s future viability.
While these reactions may seem extreme, they are typical after significant exploits, though this event’s scale is particularly striking. It impacted cross-chain infrastructure, restaking models, and lending markets simultaneously, following a series of recent incidents including a $285 million Solana-based Drift hack on April 1 linked to North Korean actors.
LayerZero acknowledged the situation: “We’re aware of the rsETH exploit and are collaborating with KelpDAO. All other applications remain secure,” they stated, promising further investigation details in collaboration with KelpDAO.
KelpDAO echoed this, announcing a pause on rsETH contracts across mainnet and several L2s while investigating with LayerZero_Core, unichain, auditors, and security experts.
Developers have distilled key lessons from the chaos: the exploit did not involve breaking encryption or bypassing smart contracts but revealed vulnerabilities in layered assumptions. As cryptogoblin advised: “Check your configs. Stay safe out there.”