14
The $292 million exploit of Kelp DAO has set off a wave of reactions across the crypto industry, with developers and traders warning that the incident exposed deeper flaws in how decentralized finance (DeFi) is built.
Data shared by market participants shows the immediate fallout spread far beyond the hacked protocol.
“The rsETH hack is leading to withdrawals across all lending protocols, even on solana and unaffected protocols,” 0xngmi said in one post on Sunday, pointing to steep outflows including “Aave: -6,200m (-23%) net inflows” and smaller but notable declines across Morpho, Sky and JupLend. rsETH is liquid restaking protocol Kelp DAO's restaked ether and is a Liquid Restaking Token (LRT) that allows users to earn ether staking and restaking rewards while keeping their assets liquid, even when they are locked in staking.
That pressure quickly turned into something more severe. One widely circulated post by Josu San Martin described cascading liquidity stress inside lending markets: “$ETH depositors cannot withdraw the $ETH so they are borrowing stables to ‘withdraw’ funds… This is a full on run on $AAVE.”
While Stani Kulechov, Aave's founder, said the exploit was external and that the protocol's contracts were not compromised, the depositors panicked. The total value locked (or deposits) dropped from $26.4 billion on April 18 to nearly $20 billion in U.S. morning hours on Sunday, per DefiLlama. The $AAVE token also fell more than 18% as depositors scrambled to withdraw their money through the weekend.
A 'case study'
The exploit itself has become a focal point for engineers and developers.
Several developers pushed back on early assumptions that the issue stemmed from core infrastructure. “The KelpDAO exploit (~$290M, is NOT a LayerZero protocol bug. It's a configuration issue and a case study every project with a cross-chain token needs to look at today,” one technical breakdown by cryptogoblin read.
The thread detailed how a single verification point enabled the attack. “One signature and 116,500 rsETH materialized out of thin air on Ethereum,” the post said, describing a system where “the [smart] contracts weren't broken. The verification layer was,” the post claimed.
Others argued the problem runs deeper than a single setup choice.
One critique, who goes by Fishy Catfish on X, framed it as a design flaw, alleging that: “there is no security floor… A configuration can be a 1/1 DVN and the DVN you chose can be a single node ran by a single entity.” A DVN (Decentralized Verifier Network) in DeFi, specifically within LayerZero V2, is an independent entity responsible for validating and attesting to the authenticity of messages sent across different blockchain networks. Essentially, DVNs verify message hashes between a source chain and a destination chain.
To make the point clearer, the author drew a real-world comparison: “imagine if a roller coaster manufacturer allowed amusement parks to individually decide what the minimum safety specs were.” Essentially, the author is simply saying that flexibility without guardrails can create hidden risks.
The post went so far as to claim that the setup was the problem within the design. "I personally think this is a flawed design. Modular security is a worthwhile design space, however, the range of security should have a native security floor that is quite strong, and then allow *additional* layering of security on top of that for more high-value use-cases."
'DeFi is dead'
It's not just the amount and complexity of the exploit that drew the harsh, panicked criticism. The scale of the exploit has heightened concerns.
Roughly 116,500 rsETH, about 18% of supply, was affected. The attacker tricked LayerZero's cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp's bridge to release 116,500 rsETH to an attacker-controlled address.
Protocols responded by freezing markets and pausing features. Aave halted rsETH activity. Lido paused deposits tied to the asset. Other projects took similar steps to limit exposure as the situation unfolded.
Beyond the technical debate, sentiment across crypto turned sharply negative. One post perhaps captured the mood shift in blunt terms: “DeFi is dead… ‘just use aave’ is dead,” while adding that “The age of crypto is over” and asking, “If you're reading this - why are you still in crypto?”
While the response may sound like an overreaction, that kind of 'knee-jerk' reaction is not unusual after large exploits, but the breadth of this event stands out.
The attack affected cross-chain infrastructure, restaking models and lending markets simultaneously. It also follows a string of recent incidents. The hack lands in an unusually hostile stretch for DeFi, particularly this month. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-affiliated actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance.
'Check your configs'
Despite all the explanations, there are still more questions than answers.
Even LayerZero is still trying to figure out the full details of the exploit. "We’re fully aware of the rsETH exploit and have been in active remediation with the @KelpDAO team since the incident and continue to monitor. All other applications remain safe," it said in a post on X. "We are still identifying the root cause alongside @_SEAL_Org and others. We will publish a complete post-mortem with @KelpDAO as soon as we have all information."
KelpDAO echoed this sentiment. "Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA. We will keep you posted as we learn more about this situation."
Still, some developers see a clearer lesson in the chaos.
The exploit did not rely on breaking encryption or bypassing smart contracts. Instead, it exposed how fragile systems can become when they depend on layered assumptions.
In simple terms, the tools worked as designed. The way they were configured did not.
That distinction may shape what comes next. Builders are now urging projects to review their setups, especially those relying on cross-chain messaging.
As cryptogoblin put it bluntly: “Check your configs. Stay safe out there.”
Read more: DeFi yields are crashing so hard that they can't compete with a traditional savings account
cryptopolitan.com
11
cointelegraph.com
en.bitcoinsistemi.com