The $292 million Kelp DAO exploit has sparked a wave of reactions across the crypto industry, with developers and traders warning that the incident has exposed deeper flaws in the way decentralized finance (DeFi) is built.
Data shared by market participants shows that the immediate consequences spread far beyond the hacked protocol.
“The rsETH hack is leading to withdrawals across all lending protocols, even Solana and unaffected protocols,” 0xngmi said in a post on Sunday, highlighting significant outflows including “Aave: -6,200 million (-23%) net inflows” and smaller but notable declines at Morpho, Sky, and JupLend. rsETH is Kelp DAO’s liquid restaking token (LRT): it allows users to earn ether staking and restaking rewards while keeping their assets liquid, even while they are locked in staking.
This pressure quickly turned into something more serious. A widely circulated article by Josu San Martin described cascading liquidity strains in lending markets: “ETH depositors can’t withdraw ETH, so they borrow stablecoins to ‘cash out’ funds… This is a total run on AAVE.”
While Stani Kulechov, the founder of Aave, said the exploit was external and that the protocol’s contracts were not compromised, depositors panicked. The total value locked (or deposits) fell from $26.4 billion on April 18 to nearly $20 billion as of Sunday morning in the United States, according to DefiLlama. The AAVE token also fell more than 18%, as depositors rushed to withdraw their money throughout the weekend.
A “case study”
The exploit itself has become a focal point for engineers and developers.
Several developers pushed back against early assumptions that the problem was with core infrastructure. “The KelpDAO exploit (~$290M) is NOT a bug in the LayerZero protocol. It is a configuration issue and a case study that every project with a cross-chain token needs to look at today,” reads a technical analysis from Cryptogoblin.
The thread detailed how a single verification point enabled the attack. “A signature and 116,500 rsETH materialized out of thin air on Ethereum,” the post said, describing a system in which “the [smart] contracts were not broken. The verification layer was.”
Others argued that the problem was deeper than a simple configuration choice.
One reviewer, who goes by the name Fishy Catfish on
A DVN (Decentralized Verifier Network) in DeFi, specifically within LayerZero V2, is an independent entity responsible for validating and attesting to the authenticity of messages sent across different blockchain networks. Essentially, DVNs check message hashes between a source chain and a destination chain.
To clarify things, the author made a real-world comparison: “Imagine if a roller coaster manufacturer allowed amusement parks to decide individually what the minimum safety specifications were.” Essentially, the author is saying that flexibility without safeguards can create hidden risks.
The post went so far as to claim that the configurability itself was a flaw in the design. “Personally, I think this is a flawed design. Modular security is an interesting design space, however, the security range should have a fairly strong native security floor and then allow for an *additional* layer of security on top of that for higher value use cases.”
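The single-verification-point failure and the "security floor" argument above can be turned into a pre-deployment check. The following is an added example, not code from LayerZero, Kelp DAO or the posts quoted here: the field names follow LayerZero V2's ULN configuration (`requiredDVNs`, `optionalDVNs`, `optionalDVNThreshold`), while the floor value, pathway names and addresses are constructed assumptions.

```javascript
// Assumed policy floor (not a LayerZero default): at least this many
// independent verifiers must attest before a message is accepted.
const MIN_VERIFIERS = 2;

// Number of distinct verifiers that must attest before a message is
// accepted: every required DVN plus `optionalDVNThreshold` optional ones.
function quorumSize(cfg) {
  const required = new Set(cfg.requiredDVNs.map((a) => a.toLowerCase()));
  const optional = new Set(
    cfg.optionalDVNs.map((a) => a.toLowerCase()).filter((a) => !required.has(a))
  );
  return required.size + Math.min(cfg.optionalDVNThreshold, optional.size);
}

// Returns a list of human-readable findings for one pathway configuration.
function auditPathway(name, cfg) {
  const findings = [];
  const listed = [...cfg.requiredDVNs, ...cfg.optionalDVNs].map((a) => a.toLowerCase());
  if (new Set(listed).size !== listed.length) {
    findings.push(`${name}: a verifier is listed more than once and only counts once`);
  }
  if (cfg.optionalDVNs.length > 0 && cfg.optionalDVNThreshold === 0) {
    findings.push(`${name}: optional verifiers are listed but the threshold is 0`);
  }
  const quorum = quorumSize(cfg);
  if (quorum < MIN_VERIFIERS) {
    findings.push(`${name}: ${quorum} verifier(s) can approve a message, floor is ${MIN_VERIFIERS}`);
  }
  return findings;
}

// Constructed sample pathways; names and addresses are placeholders.
const PATHWAYS = {
  "l2->ethereum": { requiredDVNs: ["0xAAA1"], optionalDVNs: [], optionalDVNThreshold: 0 },
  "ethereum->l2": { requiredDVNs: ["0xAAA1", "0xaaa1"], optionalDVNs: ["0xBBB2"], optionalDVNThreshold: 0 },
  "hardened": { requiredDVNs: ["0xAAA1", "0xCCC3"], optionalDVNs: ["0xBBB2", "0xDDD4"], optionalDVNThreshold: 1 },
};

function auditAll(pathways) {
  return Object.entries(pathways).flatMap(([name, cfg]) => auditPathway(name, cfg));
}

console.log(auditAll(PATHWAYS).join("\n"));
```

Run against every pathway and in both directions, a check like this fails the build when any route to mint or release tokens depends on a single attesting party.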
“DeFi is dead”
It is not just the size and complexity of the exploit that has drawn harsh and panicked criticism. The scale of the exploit has heightened concerns.
Around 116,500 rsETH, or around 18% of the supply, was affected. The attacker tricked LayerZero’s cross-chain messaging layer into believing that a valid instruction had arrived from another network, prompting Kelp’s bridge to release 116,500 rsETH to an address controlled by the attacker.
Protocols responded by freezing markets and suspending functionality. Aave has halted rsETH activity. Lido has suspended deposits linked to the asset. Other projects took similar steps to limit exposure as the situation evolved.
Beyond the technical debate, sentiment towards crypto has become strongly negative. One article may have captured the mood shift in blunt terms: “DeFi is dead… ‘just using aave’ is dead,” while adding that “the era of crypto is over” and asking, “If you’re reading this, why are you still in crypto?”
While the response may seem like an overreaction, this kind of “knee-jerk” reaction is not unusual after major exploits, but the magnitude of this event stands out.
The attack simultaneously affected cross-chain infrastructure, template review, and lending markets. This also follows a series of recent incidents. The hack lands at an unusually hostile time for DeFi, particularly this month. Solana-based perpetual protocol Drift lost approximately $285 million on April 1 in an attack later linked to actors affiliated with North Korea, and at least a dozen smaller protocols were exploited in the weeks that followed, including CoW Swap, Zerion, Rhea Finance, and Silo Finance.
‘Check your configurations’
Despite all the explanations, there are still more questions than answers. For example, how did this happen and how widespread is this contagion?
It seems like everyone, even LayerZero, is still trying to figure out all the details of the exploit.
“We are fully aware of the rsETH exploit and have been actively working on remediation with the @KelpDAO team since the incident and continue to monitor. All other applications remain safe,” LayerZero said in a post on
KelpDAO echoed this sentiment. “Earlier today, we identified suspicious cross-chain activity involving rsETH. We have suspended rsETH contracts on mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors, and top security experts on RCA. We will keep you updated as we learn more about this situation.”
The responses show how complex the situation is and how widespread it could be.
Even Justin Sun stepped in to stop the contagion. “OK, Kelpdao hacker, how many do you want? Let’s talk. With the help of KelpDAO, of course. It’s just not worth sacrificing Aave and KelpDAO and letting them go down because of this hack. You can’t spend $300 million anyway,” he said in a post on X.
Yet some developers see a clearer lesson from the chaos.
The exploit did not rely on breaking encryption or bypassing smart contracts. Instead, it revealed how fragile systems can become when they depend on assumptions at multiple levels.
Simply put, the tools worked as expected. The way they were set up did not.
This distinction could shape the future. Builders are now urging projects to review their configurations, especially those that rely on cross-chain messaging.
As Cryptogoblin bluntly put it: “Check your configurations. Stay safe.”