KelpDAO being hacked sounds the alarm for DeFi security. What lessons does it teach us?

Shaw.ai, Golden Finance

On April 18th, the cryptocurrency community experienced the most severe DeFi security incident since the start of 2026: the KelpDAO rsETH cross-chain bridge was hacked. Within just a few hours, approximately 116,500 rsETH were stolen, valued at up to $290 million at the time and accounting for 18% of the total rsETH supply. The attack not only plunged KelpDAO into crisis but also triggered liquidity panic across the entire DeFi industry, dragging even the leading lending platform Aave into the chaos, with over $9 billion in deposits urgently withdrawn, a security incident comparable to a “financial tsunami.”

Many people may be unfamiliar with terms like “cross-chain bridge,” “rsETH,” or “liquidity run.” Don’t worry—we’ll use simple language to walk through the entire hacker attack process step by step, then discuss the latest developments and the most pressing questions.

  1. Understand 3 key concepts first to easily grasp the incident

Before explaining the attack process, let’s clarify these three core terms to avoid confusion:

  • rsETH: Simply put, it’s a “derivative token of ETH.” We know ETH (Ethereum) can be staked to earn interest, but staking locks the funds, preventing immediate use. rsETH is a token that “packs” staked ETH; holding rsETH is like owning a claim to the staked ETH, earning staking rewards while being tradable and collateralizable at any time—similar to a “redeem voucher” for staked ETH.

  • Cross-chain bridge: Different blockchains (like Ethereum, BSC) are like separate “banks.” A cross-chain bridge is a “transfer channel” connecting these “banks,” allowing tokens like rsETH to move between blockchains. The attack targeted the rsETH cross-chain bridge that KelpDAO built on the LayerZero platform.

  • LayerZero DVN module: Think of it as the “security guard” of the cross-chain bridge, responsible for verifying the authenticity of cross-chain transactions—such as confirming you transferred tokens on chain A before issuing corresponding tokens on chain B. Normally, multiple “guards” (validators) verify this process for security, but KelpDAO only set up one “guard” (single validator), which created an opportunity for hackers.
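To make the “one guard versus several guards” point concrete, here is a small Python model of destination-side message verification. It is an added illustration written for this article, not LayerZero’s or KelpDAO’s code; the class and function names (`Dvn`, `BridgeConfig`, `verify_message`, `dvns_needed_to_forge`) and every chain, address and amount in it are constructed. Each DVN holds its own view of what was committed on the source chain (standing in for what its RPC nodes report); one DVN’s view is poisoned with a transfer that never happened, and the same forged transfer is checked against a single-DVN configuration and a 2-of-3 configuration.

```python
"""Toy model of cross-chain message verification with a configurable set of
verifiers (DVNs) and a confirmation threshold. Added illustration for this
article, not LayerZero or KelpDAO code; all names and values are constructed."""
from dataclasses import dataclass, field
from hashlib import sha256


def payload_hash(src_chain: str, nonce: int, recipient: str, amount: int) -> str:
    """Digest of a cross-chain transfer as committed on the source chain."""
    return sha256(f"{src_chain}|{nonce}|{recipient}|{amount}".encode()).hexdigest()


@dataclass
class Dvn:
    """A verifier. source_view stands in for what its RPC nodes report:
    (src_chain, nonce) -> payload hash the DVN believes was committed."""
    name: str
    source_view: dict = field(default_factory=dict)

    def attest(self, src_chain: str, nonce: int, claimed_hash: str) -> bool:
        return self.source_view.get((src_chain, nonce)) == claimed_hash


@dataclass
class BridgeConfig:
    required_dvns: list          # every one of these must attest
    optional_dvns: list          # at least optional_threshold of these must attest
    optional_threshold: int = 0


def verify_message(cfg: BridgeConfig, src_chain: str, nonce: int,
                   recipient: str, amount: int) -> bool:
    """Destination-side check before minting: do enough independent DVNs agree
    that exactly this payload was committed on the source chain?"""
    h = payload_hash(src_chain, nonce, recipient, amount)
    if not all(d.attest(src_chain, nonce, h) for d in cfg.required_dvns):
        return False
    confirmations = sum(d.attest(src_chain, nonce, h) for d in cfg.optional_dvns)
    return confirmations >= cfg.optional_threshold


def dvns_needed_to_forge(cfg: BridgeConfig) -> int:
    """Minimum number of DVNs whose source view an attacker must control for a
    non-existent transfer to be accepted. A value of 1 is a single point of trust."""
    return len(cfg.required_dvns) + cfg.optional_threshold


# --- constructed scenario ---------------------------------------------------
HONEST_VIEW = {("chainA", 1): payload_hash("chainA", 1, "0xUser", 10)}
# A transfer that never happened on chainA, present only in one DVN's view
# (this models the tampered RPC nodes described in the article).
FORGED = ("chainA", 2, "0xAttacker", 116_500)


def make_dvns() -> list:
    poisoned = dict(HONEST_VIEW)
    poisoned[(FORGED[0], FORGED[1])] = payload_hash(*FORGED)
    return [Dvn("dvn-compromised", poisoned),
            Dvn("dvn-b", dict(HONEST_VIEW)),
            Dvn("dvn-c", dict(HONEST_VIEW))]


def single_dvn_config() -> BridgeConfig:
    """The risky setup: one required DVN, and it is the compromised one."""
    return BridgeConfig(required_dvns=[make_dvns()[0]], optional_dvns=[])


def multi_dvn_config() -> BridgeConfig:
    """The recommended shape: any 2 of 3 independent DVNs must agree."""
    return BridgeConfig(required_dvns=[], optional_dvns=make_dvns(), optional_threshold=2)


def run_scenario(cfg: BridgeConfig) -> dict:
    return {
        "genuine_transfer": verify_message(cfg, "chainA", 1, "0xUser", 10),
        "forged_transfer": verify_message(cfg, *FORGED),
        "dvns_needed_to_forge": dvns_needed_to_forge(cfg),
    }


if __name__ == "__main__":
    for label, cfg in (("single DVN", single_dvn_config()),
                       ("2-of-3 DVNs", multi_dvn_config())):
        print(label, run_scenario(cfg))
```

With the single-DVN configuration the forged transfer verifies just like the genuine one, because the only guard consulted is the one whose view was tampered with; with 2-of-3 it is rejected, since the two untouched DVNs do not see it. `dvns_needed_to_forge` is the check a reviewer would run on a bridge configuration before launch: if it returns 1, compromising one verifier’s data source is enough to mint without collateral.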

  2. Full process of the hacker attack: 3 steps to steal $290 million, a “textbook” operation

This hack was highly covert and efficient, completing core operations in less than an hour with clear steps and targeted actions, divided into three stages:

Step 1: Exploit the vulnerability, “create money out of thin air”

The hacker precisely identified a critical flaw in KelpDAO’s cross-chain bridge—reliance on a single LayerZero DVN validator. Normally, minting rsETH across chains requires genuine ETH staking as backing, but the hacker used technical means to forge validation messages, deceiving the single “security guard.”

Specifically, the hacker infiltrated the RPC nodes that the LayerZero DVN relied on, replaced the node software, and launched a DDoS attack to knock the normal nodes offline, forcing the “guard” to take its information from the tampered nodes. As a result, the hacker successfully minted 116,500 “fake” rsETH on the Ethereum mainnet without any real collateral, like holding fake “staking vouchers” that fooled everyone.

Step 2: Borrow against it, “turning fake into real”

With these “fake” rsETH, the hacker did not sell directly (to avoid detection), but instead used a more covert method—collateralizing on major lending platforms. They deposited the fake rsETH into protocols like Aave and Compound, mainly Aave v3, as collateral, and borrowed large amounts of real WETH (wrapped ETH, worth the same as ETH), effectively borrowing “real money” with “fake coins.”

Step 3: Trigger panic, liquidity run erupts

The hacker moved extremely fast: the fake rsETH was deposited as collateral and WETH borrowed out in bulk, draining the WETH market on Aave v3 and pushing utilization to 100%. In simple terms, all the WETH in Aave had been borrowed, so normal users could no longer withdraw it.

News spread quickly, causing market panic: investors feared that Aave would face huge bad debt from the “fake collateral,” risking their deposits. A large-scale liquidity run ensued—WETH, USDC, USDT, and other stablecoins’ utilization rates surged, and investors rushed to withdraw funds. Within 48 hours, over $9 billion in deposits were pulled from Aave, and the total funds in DeFi shrank by $13.2 billion.

Notably, KelpDAO detected the anomaly about 46 minutes after the attack began and immediately paused the rsETH-related contracts to prevent further damage; otherwise the losses could have been even greater. Industry insiders believe the attack was carried out by North Korea’s Lazarus Group, given the highly professional techniques involved.

  3. Latest developments: emergency responses and unresolved bad debts

After the attack, KelpDAO, LayerZero, Aave, and others acted swiftly. As of April 23, the latest updates are:

  1. KelpDAO: Urgently paused the rsETH contracts on mainnet and multiple L2 chains, and is collaborating with LayerZero, auditors, and security experts on a comprehensive investigation. They are still analyzing losses and exploring solutions for the bad debts.

  2. LayerZero: Clarified that the attack was not due to a protocol flaw but resulted from KelpDAO’s “single DVN validator” setup, which deviated from their recommended “multi-validator” best practices. They have deprecated the affected RPC nodes, replaced them with new ones, and urged projects still using a single validator to upgrade to multiple validators, while working with global authorities to trace hacker funds.

  3. Aave: Urgently froze the rsETH collateral market to prevent further bad debt. On April 21, Aave announced that the WETH reserves in the Ethereum Core V3 market had been unfrozen, allowing users to supply WETH again, though the Loan-to-Value ratio (LTV) remains at 0 (temporarily unable to borrow against WETH). WETH reserves on other chains like Ethereum Prime and Arbitrum remain frozen, with recovery efforts ongoing.

  4. Industry impact: The incident prompted widespread reflection on cross-chain bridge security and re-staking token (LRT) risks. Many lending protocols tightened collateral requirements, delisted low-usage LRT tokens, and issued security guidelines emphasizing checks on “single point validation” and node security. Leading cross-chain projects have initiated security upgrades, adding multiple validation nodes and enhancing RPC node protections to prevent DDoS and node tampering.

  5. Funds tracing: As of April 23, on-chain data shows about 30% of the stolen rsETH has been exchanged for WETH and USDC, with some funds split via DEXs and others moved into privacy wallets, complicating tracking. However, authorities have identified some hacker-related addresses, with a small portion of funds transferred to compliant exchanges, which are now being investigated for freezing.

  6. User compensation updates: KelpDAO announced on April 22 that they will prioritize protecting ordinary users, reviewing rsETH holders and losses, and plan to compensate part of the damages through “community treasury subsidies + third-party insurance,” though specific ratios and timelines are yet to be determined. The platform’s risk reserves and responsible parties will handle bad debts, ensuring ordinary depositors are not affected.

  4. Your most pressing questions, answered once and for all

After the incident, many investors and crypto users have questions. Here are the five most common ones, answered in plain language:

1. Why did the hacker succeed? What is the core reason?

The core reason is KelpDAO’s “security misconfiguration”—they relied on a “single security guard” (single DVN validator) for cross-chain validation. LayerZero had warned that this setup posed high risks, but KelpDAO ignored the advice. The hacker exploited this flaw by tampering with nodes and forging validation messages, effectively creating tokens without collateral—an incident caused by “single point of trust,” not a code bug.

2. Can the $290 million stolen be recovered?

It’s very difficult but not impossible. Currently, LayerZero and law enforcement are working to trace the hacker’s funds. Although the hacker used privacy tools to obfuscate transactions, on-chain traces remain. Given the hacker’s professionalism (suspected APT group), and some funds possibly transferred elsewhere, the amount recoverable remains uncertain.

3. Will ordinary users’ funds be affected?

It depends: ① If you only deposited assets like USDC, USDT, or ETH on platforms like Aave without collateralizing rsETH, your funds are currently safe. Aave has frozen the market and will gradually resume normal operations. ② If you hold rsETH or used rsETH as collateral, you may face losses depending on how KelpDAO handles bad debts later.

4. How is this attack different from previous cross-chain bridge hacks?

The biggest difference is the “chain reaction”—this incident caused a broader industry impact. Past attacks usually affected only one project, but here, because rsETH was used as collateral across multiple major lending protocols, the attack triggered a liquidity run across the sector, damaging trust more widely. Also, this was a “misconfiguration + infrastructure intrusion” attack, not just a private key theft or code flaw.

5. What changes will the DeFi industry see moving forward?

The most immediate change will be “security upgrades”—future cross-chain bridges will likely enforce “multi-validator” setups to prevent single points of failure. Lending protocols will tighten collateral standards, especially for derivative tokens like LRT. Additionally, the industry may push for “on-chain automatic circuit breakers” that pause operations during abnormal activity, making DeFi safer and more resilient.

  5. Summary: a wake-up call for the entire industry

This $290 million hack is fundamentally a tragedy caused by “complacency” and “security negligence”—KelpDAO ignored LayerZero’s security advice, adopting a high-risk single validator setup, which ultimately gave hackers an opportunity. The incident’s ripple effects also exposed the vulnerabilities of DeFi’s “Lego-like” architecture: a failure in one link can threaten the whole ecosystem.

For ordinary users, this is a crucial reminder: crypto investments carry risks. When choosing projects, focus not only on returns but also on security configurations and risk management. Avoid letting project negligence cause your funds to suffer.

The follow-up handling of this incident is ongoing—how bad debts are shared, how cross-chain bridge security is upgraded, and how user compensation is implemented remain industry priorities. Moreover, the event has prompted regulatory attention; some countries’ crypto regulators have announced plans to accelerate cross-chain bridge security standards, regulate re-staking token issuance and circulation, and prevent systemic risks. We will continue to monitor and bring you the latest updates.
