$292 Million KelpDAO Cross-Chain Bridge Hack: Who Should Foot the Bill?

marsbit. Published on 2026-04-24. Last updated on 2026-04-24.

Abstract

On April 18, 2026, an attacker stole 116,500 rsETH (worth ~$292M) from KelpDAO’s cross-chain bridge in 46 minutes—the largest DeFi exploit of 2026. The stolen assets were deposited into Aave V3 as collateral, causing $177–200M in bad debt and triggering a cascade of losses across nine DeFi protocols. Aave’s TVL dropped by ~$6B overnight. This legal analysis argues that KelpDAO and LayerZero Labs share concurrent liability, with fault apportioned 60%/40%. KelpDAO negligently configured its bridge with a 1-of-1 decentralized verifier network (DVN)—a single point of failure—despite LayerZero’s explicit recommendation of a 2-of-3 setup. LayerZero, which operated the compromised DVN, failed to secure its RPC infrastructure against a known poisoning attack vector. Both protocols’ terms of service cap liability at $200 (KelpDAO) or $50 (LayerZero), but these limits are likely unenforceable due to unconscionability, gross negligence exceptions, and potential securities law invalidation (if rsETH is deemed a security under the Howey test). Aave’s governance also faces fiduciary duty claims for raising rsETH’s loan-to-value ratio to 93%—far above competitors’ 72–75%—without adequately assessing bridge risks, amplifying the systemic fallout. Practical recovery targets include LayerZero Labs (a registered Canadian entity), KelpDAO’s founders, auditors, and identifiable Aave governance delegates. The incident underscores escalating legal risks for DeFi protocols, infrastructure provid...

Original Author: Lawyer Yi Haotian

On April 18, 2026, an attacker stole 116,500 rsETH, worth approximately $292 million, from KelpDAO's cross-chain bridge within 46 minutes. This is the largest DeFi security incident of 2026 so far. The stolen tokens were subsequently deposited into lending protocols like Aave V3 as collateral to borrow about $236 million worth of ETH, creating $177 to $200 million in bad debt on the Aave platform and triggering a chain reaction affecting more than nine DeFi protocols. Aave's Total Value Locked (TVL) evaporated by about $6 billion overnight.

The incident has been widely reported and will not be recounted here. In fact, the author himself has tens of thousands of US dollars stuck and unable to be withdrawn... so the author is highly motivated to conduct this research. This article aims to explore a different question: from a civil law perspective, who should be held liable? Can the victims actually obtain compensation?

The answer is more complex than the initial finger-pointing within the crypto community. After a systematic analysis of the applicable legal frameworks, I conclude: KelpDAO and LayerZero Labs bear concurrent liability, with a rough fault allocation of 60% for KelpDAO and 40% for LayerZero; simultaneously, the liability cap clauses in both protocols' Terms of Service are almost certainly unenforceable.

Core Liability Issues: Two Failures, One Attack

Discussions surrounding this hack often start with the same debate: Was it KelpDAO's fault (for choosing a 1-of-1 DVN configuration) or LayerZero's fault (for its operated DVN's RPC infrastructure being poisoned)?

The answer is: Both are at fault.

(I) What KelpDAO Did Wrong

LayerZero's cross-chain message protocol uses a Decentralized Verifier Network (DVN) to verify whether messages sent from one blockchain to another are authentic. The protocol is designed to be highly flexible: each application deployed on LayerZero can choose how many DVNs need to reach consensus before trusting a message. LayerZero's own documentation recommends using at least a 2-of-3 configuration, meaning a message is accepted only after at least two out of three independent verifiers confirm it.

KelpDAO chose the absolute minimum configuration: 1-of-1. One verifier. Zero fault tolerance.

This meant that anyone who could compromise, deceive, or control this single verifier could forge any cross-chain message, including one instructing KelpDAO's bridge to release its entire rsETH reserve to an address controlled by the attacker. And that is exactly what happened.

This is rather absurd: KelpDAO's bridge had locked a total value of approximately $1.6 billion across more than twenty blockchain networks. The protocol chose to protect these assets with a single point of failure, equivalent to securing a bank vault with a padlock when the manufacturer explicitly recommends at least a three-lock system.

Under the traditional tort law framework, this analysis is quite straightforward. The Restatement (Second) of Torts defines negligence as conduct that falls below the standard of care established by law for the protection of others against unreasonable risk of harm. [1] For professional actors, which undoubtedly include protocol operators managing billions in user assets, the standard of care is elevated to the level of skill and knowledge ordinarily possessed by members of that profession. [2]

The best-known risk-utility framework was proposed by Judge Learned Hand of the US Court of Appeals for the Second Circuit in United States v. Carroll Towing Co. [3]: if the burden of prevention (B) is less than the probability of the injury occurring (P) multiplied by the magnitude of the loss (L), then failing to take that preventive measure constitutes negligence. That is, negligence exists when B < P×L.

In this case, the equation leaves no room for doubt:

  • P (Probability): Cross-chain bridge attacks are one of the most common and costly attack types in DeFi. Wormhole ($320 million, 2022), Ronin ($625 million, 2022), Nomad ($190 million, 2022), and Drift Protocol ($285 million, April 1, 2026, just 17 days before this attack) all demonstrate that bridge security is a known, active threat.
  • L (Loss Magnitude): Direct losses of $292 million, plus hundreds of millions in cascading bad debt across downstream protocols.
  • B (Prevention Cost): Changing the bridge's DVN configuration from 1-of-1 to 2-of-3. Additional cost: minimal verification delay (a few seconds) and DVN fees (negligible relative to the value of assets protected).

No rational protocol operator could defend using a 1-of-1 configuration for assets of this scale. The cost of prevention was minuscule, while the expected damage was catastrophic.

It is noteworthy that the practices of industry peers provide an important reference. SparkLend set a Loan-to-Value ratio (LTV) of 72% for rsETH, Fluid around 75%, both significantly lower than Aave's 93%. This conservative stance may reflect the industry's awareness of the underlying bridge risk of rsETH. If even lending protocols were wary of rsETH's bridge risk, then KelpDAO, as the operator of the bridge itself, should have been held to a higher security standard. Yet the opposite was true: the bridge operator chose the lowest security configuration.

Another important defense needs discussion: the on-chain transparency defense. The 1-of-1 DVN configuration was publicly verifiable on-chain data; any sufficiently technical user could verify the bridge's security parameters by querying the LayerZero EndpointV2 contract. KelpDAO might argue that since the configuration was public, users had the opportunity (and responsibility) to assess the bridge's security before depositing assets. This constitutes a de facto assumption of risk defense, distinct from the service terms waiver (analyzed in Part II). The strength of this defense depends on how the court views the "reasonableness" standard for DeFi users. Can ordinary DeFi users be expected to review a bridge's DVN configuration before depositing? For institutional users and highly technical "whales," this defense might hold; for ordinary retail users, its persuasiveness is greatly diminished.

(II) What LayerZero Did Wrong

But KelpDAO's configuration choice alone was not sufficient to cause the loss. This attack also required the attacker to deceive LayerZero's DVN into signing a verification for a transaction that never occurred. It is at this juncture that LayerZero's legal risk becomes clear.

According to a detailed analysis published by Cos (Yu Xian), founder of the renowned blockchain security firm SlowMist, [4] this attack was not an exploit of the DVN's keys or the LayerZero protocol logic. The attacker targeted the upstream data source of the DVN: the RPC nodes the DVN used to read the blockchain state.

The attack was executed in five steps:

  1. The attacker obtained the list of RPC nodes used by the LayerZero DVN.
  2. The attacker compromised two independent RPC node clusters, replacing the legitimate `op-geth` binary with a trojanized version.
  3. The trojanized binary employed selective spoofing: it returned forged data only to requests from the DVN's IP addresses. All other IP addresses, including LayerZero's own Scan monitoring service, received real data. This IP-based selective response pattern made the poisoning completely invisible to routine monitoring.
  4. The attacker launched DDoS attacks against the uncompromised RPC nodes, forcing the DVN to failover to the poisoned nodes.
  5. After the fake verification was completed, the malicious binary self-destructed and cleared all logs, eliminating forensic evidence.

This point is crucial: LayerZero operated this DVN. This was not a passive software library deployed by KelpDAO itself. LayerZero actively ran the verification infrastructure, chose RPC providers, configured failover logic, and signed verification proofs. When the DVN read the forged on-chain state from the poisoned RPC node and signed a verification for a non-existent transaction, it was LayerZero's infrastructure that failed.

Moreover, this attack vector is not novel. As Cos pointed out: "RPC poisoning attacks are old tricks, exchanges experienced them years ago." [5]

According to the Restatement (Second) of Torts, an actor must recognize the risk that a reasonable person in their position would recognize. [6] RPC poisoning is a well-documented attack category in the blockchain security community. A reasonable infrastructure provider operating a DVN to protect billions in cross-chain assets should have implemented countermeasures, including: (a) diversifying RPC sources across multiple independent providers and geographies; (b) implementing cross-verification between RPC nodes to detect data inconsistencies; (c) monitoring for IP-based selective response patterns; (d) hardening failover logic to avoid falling back to untrusted nodes under DDoS pressure; (e) implementing anomaly detection for DVN verification requests (e.g., flagging unusually large transfer amounts).

Furthermore, the non-delegable duty doctrine applies here. According to the Restatement (Second) of Torts, certain safety-critical functions cannot be completely delegated to third parties; the party assuming the duty is responsible for ensuring its adequate performance. [7] When LayerZero holds itself out as providing verification infrastructure for high-value cross-chain transactions, it cannot escape liability by pointing to RPC providers as independent contractors. LayerZero chose these providers, configured the failover logic, and operated the verification nodes. Responsibility lies with the operator.

A comparable traditional legal concept is the liability of financial infrastructure operators. SWIFT (Society for Worldwide Interbank Financial Telecommunication) provides messaging infrastructure for global interbank communication. If SWIFT's message verification system were compromised leading to the execution of false transfer instructions, SWIFT could not simply avoid liability because its "protocol itself had no bugs"; it operates the verification infrastructure, and this operational act itself carries a duty of care commensurate with the value being protected. LayerZero's role in the DeFi ecosystem is highly analogous: it is not merely a software licensor; it is the operator of cross-chain message verification infrastructure.

The constructive notice effect of the Drift Protocol attack also needs consideration. On April 1, 2026, Drift Protocol suffered a $285 million cross-chain attack, just 17 days before the KelpDAO attack. Although the specific attack vector of the Drift attack may differ from this case (this requires further verification), it sent a clear signal to the entire cross-chain infrastructure industry: cross-chain bridge infrastructure is under active attack by Advanced Persistent Threats (APT). Against this backdrop, LayerZero, as one of the largest cross-chain message protocols, should have been on high alert. The failure to enhance the security of RPC infrastructure after the Drift attack further supports a finding of negligence.

LayerZero's strongest defense is the sophistication of a nation-state level attacker. The combination of this attack—binary replacement, IP-based selective spoofing, DDoS-forced failover, post-facto self-destruction—represents an unusual level of operational complexity, perhaps approaching the level of the SolarWinds supply chain attack. Under Restatement (Second) of Torts §302B, the risk of a highly unusual criminal intervention may be beyond the scope of reasonable prevention. If the court finds that the complexity of this attack exceeded the reasonable standard of care for private sector infrastructure providers, LayerZero's negligence liability could be significantly reduced or even eliminated.

However, the counterargument is equally strong: as Cos noted, the individual components of this attack were all well-known, even if their combination was novel. RPC poisoning is a known trick. DDoS is a known trick. Binary replacement is a known trick. A reasonable infrastructure operator should defend against these known individual threats, even if it could not foresee the precise combination.

(III) Concurrent Causation and 60/40 Fault Allocation

This is a classic case of concurrent causation. Both KelpDAO's 1-of-1 configuration and LayerZero's RPC infrastructure failure were necessary conditions for the attack's success. Remove either one, and the attack fails:

  • If KelpDAO had used a 2-of-3 configuration with independent DVNs (with independent RPC infrastructure), the attacker would need to simultaneously compromise multiple independent verification paths, drastically increasing the cost and complexity of the attack.
  • If LayerZero's DVN had not been deceived by poisoned RPC data, the 1-of-1 configuration itself would have functioned normally, and no unauthorized messages would have been verified.
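The dependence on both failures, and the RPC cross-verification and failover-hardening countermeasures listed under LayerZero's duty of care above, can be made concrete with a toy model. This is an added example, not code from LayerZero, KelpDAO or SlowMist; the message contents, node names and IP addresses are constructed placeholders, and the M-of-N attestation logic is a simplification of how a DVN quorum works.

```python
"""Toy model of M-of-N DVN verification with RPC cross-checking.

Added illustration, not code from LayerZero, KelpDAO or SlowMist. A DVN
reads a source-chain message through RPC nodes and attests to the hash of
what it sees; the destination endpoint accepts a message only when at
least `required` DVNs attest to the same hash. Message strings, node
names and IPs are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample messages: the genuine source-chain event and a forged
# release that corresponds to no real transaction.
GENUINE = "release rsETH amount=100 to=0xRECIPIENT_PLACEHOLDER"
FORGED = "release rsETH amount=116500 to=0xATTACKER_PLACEHOLDER"


def msg_hash(payload: str) -> str:
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class RpcNode:
    name: str
    poisoned: bool = False   # step 2: trojanized client returning forged state
    available: bool = True   # False models step 4: node knocked out by DDoS

    def read_message(self, requester_ip: str, dvn_ips: Set[str]) -> str:
        # Step 3, IP-selective spoofing: forged data only for DVN addresses;
        # monitoring services and ordinary users still see the real state.
        if self.poisoned and requester_ip in dvn_ips:
            return FORGED
        return GENUINE


@dataclass
class DVN:
    name: str
    ip: str
    rpcs: List[RpcNode]
    cross_check: bool = False   # countermeasures (b)/(d): compare several sources
    min_sources: int = 2        # refuse to sign from a single surviving source

    def attest(self, dvn_ips: Set[str]) -> Optional[str]:
        live = [r for r in self.rpcs if r.available]
        if not live:
            return None
        if not self.cross_check:
            # Naive failover: trust the first node that still answers.
            return msg_hash(live[0].read_message(self.ip, dvn_ips))
        views = {r.read_message(self.ip, dvn_ips) for r in live}
        if len(live) < self.min_sources or len(views) != 1:
            return None   # too few sources, or sources disagree: do not sign
        return msg_hash(views.pop())


def endpoint_accepts(payload: str, dvns: List[DVN], required: int) -> bool:
    """Destination-side check: `required` DVNs must attest to this payload."""
    dvn_ips = {d.ip for d in dvns}
    target = msg_hash(payload)
    votes = sum(1 for d in dvns if d.attest(dvn_ips) == target)
    return votes >= required


def dvn_a(cross_check: bool) -> DVN:
    # The compromised verifier: its healthy RPC is under DDoS, its fallback
    # RPC runs the trojanized client.
    return DVN("dvn-A", "10.0.0.1",
               [RpcNode("rpc-A1", available=False), RpcNode("rpc-A2", poisoned=True)],
               cross_check=cross_check)


def dvn_b() -> DVN:
    return DVN("dvn-B", "10.0.0.2", [RpcNode("rpc-B1"), RpcNode("rpc-B2")])


def dvn_c() -> DVN:
    return DVN("dvn-C", "10.0.0.3", [RpcNode("rpc-C1"), RpcNode("rpc-C2")])


def forged_passes_1_of_1() -> bool:
    # KelpDAO-style configuration: one verifier, no fault tolerance.
    return endpoint_accepts(FORGED, [dvn_a(False)], required=1)


def forged_passes_2_of_3() -> bool:
    # Recommended configuration with independent DVNs and independent RPCs.
    return endpoint_accepts(FORGED, [dvn_a(False), dvn_b(), dvn_c()], required=2)


def genuine_passes_2_of_3() -> bool:
    # Liveness check: the honest majority still verifies real messages.
    return endpoint_accepts(GENUINE, [dvn_a(False), dvn_b(), dvn_c()], required=2)


def forged_passes_1_of_1_cross_checked() -> bool:
    # Even a 1-of-1 DVN that refuses to sign from a lone source blocks the forgery.
    return endpoint_accepts(FORGED, [dvn_a(True)], required=1)


if __name__ == "__main__":
    print("1-of-1, naive DVN accepts forged release:", forged_passes_1_of_1())
    print("2-of-3 accepts forged release:", forged_passes_2_of_3())
    print("2-of-3 accepts genuine release:", genuine_passes_2_of_3())
    print("1-of-1 with RPC cross-check accepts forged:", forged_passes_1_of_1_cross_checked())
```

The model shows both arguments at once: the forged release only clears the endpoint when the single attesting DVN is also the one fed poisoned data, and either an independent second DVN or a DVN that declines to sign from a lone surviving RPC source breaks the chain.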

According to the Restatement (Second) of Torts, when two or more causes combine to produce a single indivisible harm, each is considered a "substantial factor" in causing the harm, and each tortfeasor is liable. [8] The attacker's criminal act does not break the chain of causation because attacks on single-point-of-failure bridges are precisely the foreseeable risk that the multi-DVN recommendation was designed to prevent. [9]

New York and California, the most likely jurisdictions for any such lawsuit, both employ pure comparative fault systems. [10] This means each defendant's liability is reduced by their percentage of fault but is not completely barred.

So how is fault allocated? I assess it as roughly KelpDAO 60% / LayerZero 40%, based on three reasons:

First, KelpDAO made an active choice to select 1-of-1 despite LayerZero's explicit recommendation to use at least 2-of-3. This was a governance decision, not a technical limitation imposed by LayerZero. The protocol had the ability to choose higher security but did not. This active choice carries significant weight in any comparative fault analysis.

Second, the 1-of-1 configuration was the fundamental premise that allowed the attack to be mounted. Without it, the attacker would face a fundamentally different (and much more difficult) challenge. The RPC poisoning attack succeeded precisely because only one verification path needed to be compromised. A multi-DVN configuration with independent infrastructure creates defense in depth that this attack could not defeat.

Third, however, LayerZero's responsibility cannot be zero. LayerZero operated the DVN whose infrastructure was compromised. RPC poisoning is a known attack vector. The Drift Protocol attack 17 days prior put the entire cross-chain industry on high alert. And LayerZero's own "protocol wasn't hacked" defense, while technically accurate at the protocol level, obscures the fact that LayerZero's operational infrastructure was the direct instrument of the loss.

The 40% allocation to LayerZero reflects the reality that it operated the failing infrastructure, using an architecture known to be vulnerable, without implementing standard countermeasures against a documented class of attacks.

Can the Terms of Service Save Them?

Both KelpDAO and LayerZero maintain Terms of Service ("ToS") with extremely aggressive liability limitations. KelpDAO caps its total liability to the greater of amounts paid in the preceding twelve months or $200. [11] LayerZero's cap is $50. [12] Both contain standard "AS IS" disclaimers and broad assumption of risk clauses.

If these cap clauses are enforceable, the entire civil liability analysis above becomes academic. A $200 cap against a $292 million loss would render KelpDAO effectively immune to any meaningful recovery.

These cap clauses will not be upheld by courts. Here's why.

(I) The Doctrine of Unconscionability

Contract law has long recognized that some terms are so fundamentally unfair that courts will refuse to enforce them. The doctrine of unconscionability is codified in the Restatement (Second) of Contracts, allowing courts to void contract terms that exhibit both procedural and substantive unconscionability. [13]

Procedural unconscionability examines whether there was a meaningful opportunity to negotiate or reject the terms. DeFi Terms of Service are classic contracts of adhesion: presented on a take-it-or-leave-it basis, with no opportunity for negotiation, often buried deep within a website most users never visit. Most DeFi users interact directly with smart contracts via interfaces like MetaMask; they never browse the protocol's website, let alone read or agree to multi-page Terms of Service documents.

The legal distinction between "clickwrap" and "browsewrap" is well-established. [14] In Specht v. Netscape [15], then-Second Circuit Judge Sotomayor (now US Supreme Court Justice) ruled that a hyperlink to terms of service below a download button, if not conspicuously presented, was insufficient to constitute user consent. In Nguyen v. Barnes & Noble [16], the Ninth Circuit similarly ruled that a website must provide conspicuous notice and an opportunity to review the terms; mere use of the website itself is not enough.

DeFi protocol interaction is closer to the Specht scenario than to Meyer v. Uber [17] (where a conspicuous registration page with a clear terms hyperlink was ruled sufficient notice). Whether on-chain smart contract interaction constitutes consent to off-chain website Terms of Service has not been squarely decided by any court, but the weight of existing browsewrap case law strongly disfavors enforcing terms in the absence of affirmative user action.

Substantive unconscionability examines whether the terms are so one-sided as to "shock the conscience." A $200 liability cap against a $292 million loss, a ratio of approximately 1:1,460,000, is textbook substantive unconscionability. LayerZero's $50 cap is an even more extreme ratio. In the landmark case Williams v. Walker-Thomas Furniture [18], the court established that courts will not enforce terms "unreasonably favorable" to the drafter when the other party had no meaningful choice. The Restatement's commentary confirms that "gross disparity in the exchange" is direct evidence of unconscionability. [19]

(II) The Gross Negligence Exception

Even if a court finds the Terms of Service enforceable in general, liability limitation clauses do not protect against gross negligence or willful misconduct. This is a well-established principle under both New York and Delaware law.

The Restatement (Second) of Contracts states that a term exempting a party from tort liability for reckless or intentional conduct is unenforceable as contrary to public policy. [20] The New York Court of Appeals has repeatedly affirmed that exculpatory clauses do not cover gross negligence, applying a "reckless disregard of known risks" standard. [21]

Does KelpDAO's 1-of-1 DVN configuration constitute gross negligence? The argument is strong. Gross negligence requires a reckless disregard of a known, substantial risk, going beyond a mere lack of due care. KelpDAO chose the minimum security configuration for a bridge protecting over $1 billion in assets, against the explicit recommendation of the infrastructure provider. The risk of a single point of failure being compromised was well-documented. The gap between 1-of-1 (zero fault tolerance) and 2-of-3 (33% fault tolerance) is not a marginal risk difference but a fundamental one.

If a court characterizes the 1-of-1 choice as reckless rather than merely negligent, then the $200 cap clause would be invalid regardless of the outcome of the unconscionability analysis.

The gross negligence exception is important because it bypasses the threshold dispute over the validity of the Terms of Service. Even if a court finds that users did agree to the Terms (e.g., via a clickwrap mechanism), and even if a court finds the $200 cap is not unconscionable in a general commercial context (e.g., for institutional-grade users), the gross negligence exception still applies independently. It is a public policy doctrine, not subject to the parties' agreement. Under New York law, this principle has been repeatedly affirmed, [21] constituting the most robust second line of attack against the Terms of Service.

(III) Securities Law Veto Power

There is a third path to invalidating the service terms caps, and it is the most powerful.

If rsETH is classified as a security under federal law, then both the liability cap clause and the arbitration clause would be invalid by operation of law. The Securities Act provides that "any condition, stipulation, or provision binding any person to waive compliance with any provision of this title" is void. [22] The Exchange Act contains an identical anti-waiver provision. [23] These provisions cannot be contractually circumvented. They preempt the Federal Arbitration Act. They are not subject to state unconscionability analysis. They are mandatory commands of federal law.

Does rsETH meet the definition of a security? Under the foundational test established in Howey [24], an investment contract exists when there is (1) an investment of money, (2) in a common enterprise, (3) with an expectation of profits, (4) derived solely from the efforts of others.

rsETH satisfies every prong. Users deposit ETH (investment of money) into pooled restaking strategies on EigenLayer (common enterprise). rsETH generates yield through restaking rewards (expectation of profits). And the restaking strategies, operator selection, and bridge infrastructure are entirely managed by the KelpDAO team, with no control by individual holders (efforts of others).

The complication is the split holding from the Ripple case. [25] In 2023, the Southern District of New York distinguished between direct institutional sales (which are securities) and programmatic secondary market sales on public exchanges (which are not). Most rsETH trading occurs on secondary markets—DEX swaps, Aave deposits—not through direct purchases from KelpDAO. Under the Ripple framework, secondary market purchasers might fail the "efforts of others" prong. But Ripple is only a district court decision, currently on appeal to the Second Circuit, and its applicability to liquid staking tokens remains untested.

If the securities classification succeeds, it completely changes the entire recovery landscape. Service terms caps disappear. Arbitration clauses disappear. Direct purchasers gain private rescission rights. [26] All purchasers who relied on KelpDAO's statements about the bridge's security can bring fraud claims. [27]

Here we need to explain the power of this legal tool specifically: Under US law, arbitration clauses and class action waiver clauses are typically strongly protected. The US Supreme Court, in AT&T Mobility v. Concepcion [28] and Epic Systems v. Lewis [29], established that the Federal Arbitration Act (FAA) preempts state laws that invalidate class action waivers in arbitration agreements. In American Express Co. v. Italian Colors Restaurant [30], the Supreme Court further narrowed the "effective vindication doctrine," ruling that an arbitration clause is only overturned if it prevents the assertion of statutory rights, and high litigation costs alone are not sufficient grounds for overturning.

This means that if LayerZero's arbitration clause holds, it would force victims into individual arbitration, with each person's claim capped at $50, functionally equivalent to a complete liability barrier. No rational plaintiff would initiate individual arbitration for a $50 recovery.

However, the securities law anti-waiver provisions provide a way to bypass this obstacle. If rsETH is a security, federal law directly voids the arbitration clause and class action waiver clause, without needing to invoke unconscionability, without fighting the preemptive effect of the FAA. This is why the securities classification is the most critical "nuclear option" in the entire analysis.

RPC Providers: Ancillary Roles

The RPC node providers whose infrastructure was poisoned occupy a special place in this chain of liability. They provided the false data that the DVN relied upon. But their liability is limited by several factors.

Under the Restatement (Second) of Torts, a supplier of information in the course of business who fails to exercise reasonable care is liable for economic loss resulting from justifiable reliance, but only to the foreseeable "limited group" that the supplier intended to reach or knew the recipient intended to reach. [31] In New York, Credit Alliance v. Arthur Andersen [32] further limits the liability of information suppliers to third parties with a three-prong test.

Applied here, the RPC providers' liability likely extends only to LayerZero (who directly selected and relied on them), not to downstream KelpDAO users or rsETH holders. This means the RPC providers' liability is primarily relevant for contribution claims by LayerZero—a mechanism for LayerZero to shift its 40% fault share downstream—not as a direct path to recovery for victims.

There is also a practical obstacle: The identity of the RPC providers has not been publicly disclosed. They themselves may have been victims of a nation-state level cyberattack; the sophistication of the attack (binary replacement, IP-based selective spoofing, DDoS, self-destructing binaries) suggests operational capabilities beyond ordinary cybercriminals. If the providers were themselves victims of a nation-state attack, establishing their negligence becomes difficult, as the standard of care does not require ordinary commercial entities to defend against military-grade intrusions.

The most likely outcome: RPC provider liability remains in the background, potentially relevant in contribution proceedings between KelpDAO and LayerZero, but not a primary path to recovery for victims.

Aave's 93% LTV: A Governance Fiduciary Duty Issue

The attack stole $292 million from KelpDAO's bridge. But the contagion effect—$177-$200 million in bad debt, a $6 billion TVL drop, loss of principal for depositors—was amplified by Aave's governance decisions.

(I) Aggressive Parameter Setting

In January 2026, Aave governance passed Proposal 434, raising the e-mode Loan-to-Value ratio (LTV) for rsETH from 92.5% to 93%. This meant that for every $100 of rsETH collateral, users could borrow $93 worth of ETH.

Compare this to Aave's competitors: SparkLend set rsETH's LTV at 72%. Fluid set it at around 75%. The gap is not marginal; a 21 percentage point difference reflects a fundamentally different risk philosophy.

At a 93% LTV, the safety margin is only 7%. Any drop in collateral value exceeding 7% creates bad debt, and this bad debt is borne by Aave's depositors (not the borrowers). For a collateral asset whose value depends on a cross-chain bridge with a single point of failure, a 7% safety margin is objectively insufficient.

(II) Legal Framework: DAO as a General Partnership

The legal landscape for DAO governance liability has shifted dramatically over the past two years.

In Samuels v. Lido DAO [33], a California federal court ruled in 2024 that Lido DAO had a reasonable basis to be considered a general partnership under California law. Governance token holders who participate may be considered general partners, personally responsible for partnership obligations. In Sarcuni v. bZx DAO [34], another California federal court reached a similar conclusion, ruling that participating DAO token holders are jointly and severally liable.

Under the California Revised Uniform Partnership Act (RUPA), partners owe each other fiduciary duties of care and loyalty, [35] and are jointly and severally liable for all partnership obligations. [36]

(III) Caremark Oversight Duties

Delaware's fiduciary duty framework, analogously applied to DAO governance, provides the most relevant standard of care. In the landmark Caremark case [37], the court established that fiduciaries have an affirmative duty to establish and monitor compliance and risk management systems. Stone v. Ritter [38] confirmed that Caremark oversight liability requires proof that the fiduciary either (1) utterly failed to implement a monitoring system, or (2) having implemented such a system, consciously failed to monitor its outputs, with conscious disregard constituting bad faith.

Aave's situation falls into the second category. Aave was not lacking a risk management system; it had employed Chaos Labs for three years. But on April 6, 2026, Chaos Labs publicly departed, its founder citing "fundamental disagreements on risk." [39] Twelve days later, the attack occurred.

This coincidence is highly probative: Aave's risk manager left over strategic disagreements, and within two weeks, the precise category of risk amplified by the aggressive LTV parameters—collateral value collapse—materialized on a catastrophic scale. Under Van Gorkom [40], the business judgment rule is rebutted when directors approve major decisions "without adequate information." If Aave governance approved the 93% LTV without conducting any assessment of rsETH's bridge security, specifically without knowing that rsETH's bridge relied on a zero-fault-tolerance 1-of-1 DVN, this is exactly the kind of uninformed decision-making Van Gorkom targets.

(IV) Practical Limitations

The fiduciary duty theory against Aave governance is legally strong but practically limited. Anonymous governance voters are unrecoverable; you cannot collect damages from an anonymous wallet address. The Lido DAO precedent itself is still under active litigation (dispositive motions scheduled for November 2026) and could be overturned.

But not all governance participants are anonymous. Major institutional delegates—venture funds, protocol treasuries, professional governance services—if they voted for Proposal 434, are identifiable and face personal liability under the Lido/bZx partnership framework. For these identifiable delegates, the theory is actionable.

Here we need to explain why the Caremark duty is so crucial. In traditional corporate law, the Caremark duty represents a minimal oversight responsibility; directors don't need to micromanage operations but must ensure reasonable information reporting and compliance monitoring systems exist. Directors breach their Caremark duty when they either (1) completely fail to establish such systems, or (2) have established such systems but consciously ignore their warning signals.

In the Aave context, this duty has a very specific meaning: Did Aave governance, when accepting rsETH as collateral, review the security architecture of rsETH's underlying bridge? Specifically, did any governance participant, risk committee member, or delegate know that rsETH's bridge relied on a 1-of-1 DVN configuration, i.e., zero fault tolerance? If the answer is no (which is highly likely given the lax practices of current DeFi governance), then Aave governance set a parameter with only a 7% safety margin for billions in collateral without fully understanding the risk. This is precisely the "uninformed decision-making" targeted by Van Gorkom.

Going further: Chaos Labs' departure is not merely a coincidence. Chaos Labs had served as Aave's risk management service provider for three years and was deeply familiar with Aave's risk framework. When its founder publicly cited "fundamental disagreements on risk strategy," it constituted a significant warning signal. A prudent governance system should have immediately conducted a risk parameter review, or at least paused new high-risk collateral listings, after its risk management service provider left over strategic disagreements, especially in the context of the recent Drift Protocol attack. Aave governance took no such action.

The broader significance of the Aave governance issue is systemic. If DeFi governance voters can face personal liability for risk parameter decisions that amplify attack losses, it would fundamentally change how governance participants approach collateral listing and LTV parameters. A 93% LTV for an asset backed by a single-point-of-failure bridge could become the classic case of governance negligence, the DeFi version of a Caremark red flag.

A timeline to watch: Dispositive motions in Samuels v. Lido DAO are scheduled for November 2026. If the California federal court affirms that Lido DAO constitutes a general partnership and that governance token holders bear personal liability, it will clear the legal path for similar lawsuits against Aave governance participants. Conversely, if the Lido precedent is overturned, the entire theoretical framework of DAO governance liability discussed here would suffer a major setback.

Recovery Tiers: Theory Meets Practice

Legal liability is one thing. Actual recovery is another. The defendant with the strongest legal case (KelpDAO, 60% fault) might be the hardest to recover from (offshore DAO, unknown entity structure). The most practically reachable defendant (LayerZero Labs Canada Inc., 40% fault) is a real company, with identifiable directors and over $120 million in venture funding.

This creates a recovery hierarchy where practical considerations take precedence over pure liability allocation:

Tier 1: LayerZero Labs Canada Inc. A real Canadian federal corporation (Corp #13558479, Vancouver), [41] with two directors and ample funding. It is the most viable corporate litigation target. Key advantage: Identifiable entity, subject to Canadian corporate law, assets can be seized. Key obstacles: Comparative fault reduction (40% × $292M = ~$117M max exposure), potential arbitration clause, Canadian business judgment rule protection.

Tier 2: Audit & Security Firms. KelpDAO and LayerZero almost certainly hired security audit firms to review the bridge contracts. Under the Restatement (Second) of Torts, professionals supplying information for business guidance who make negligent misrepresentations causing loss are liable. [42] If any auditor reviewed the bridge deployment but failed to flag the 1-of-1 DVN configuration as a material risk, a professional negligence suit is viable. Audit firms are real entities with errors and omissions (E&O) insurance, making them one of the most practical recovery targets. Key threshold issue: Was the DVN configuration within the audit's scope? Obtaining and reviewing the engagement letter is the first step in assessing this claim.

Tier 3: KelpDAO Founders. Amitej Gajjala and Dheeraj Borra are identifiable individuals who co-founded KelpDAO. Under the Lido/bZx partnership framework and California Corp Code §16306, they face personal liability as general partners. Recovery challenges remain if their personal assets are offshore or held in crypto.

Tier 4: Aave Governance Delegates. Identifiable institutional delegates who voted for Proposal 434 (93% LTV). Novel theory, high legal uncertainty, but strong factual basis.

Conclusion: A Framework of Shared Responsibility

The KelpDAO hack is not a story with a single villain. It is a story of layered failures in a composable system, where each participant—KelpDAO, LayerZero, Aave governance, and unnamed RPC providers—made decisions that seemed reasonable in isolation but collectively created catastrophic fragility.

KelpDAO chose speed and simplicity over security. LayerZero operated verification infrastructure but did not harden it against known attack vectors. Aave governance set aggressive risk parameters without assessing the underlying bridge security of the collateral. And somewhere in the infrastructure stack, RPC providers failed to detect or prevent the replacement of their core binaries.

The 60/40 fault split reflects the judgment that KelpDAO's active choice, selecting 1-of-1 for a billion-dollar bridge against explicit advice, is the more culpable act. But LayerZero's 40% share acknowledges that operating DVN infrastructure carries an independent duty of care, a duty that cannot be disclaimed away, especially when the attack vector falls into a known, documented class of vulnerabilities.

The Terms of Service both protocols relied on, capping liability at $200 and $50 against a $292 million loss, are speed limit signs noticed only after the crash. They were drafted to limit exposure, but the doctrines of unconscionability, the gross negligence exception, and the anti-waiver provisions of federal securities law all provide paths to invalidate them. The most powerful path, classifying rsETH as a security under the Howey Test, would not only void the cap clauses but also open private rescission rights and fraud claims that bypass the arbitration obstacle.

For the broader DeFi ecosystem, this attack sets several precedents that will shape protocol design and governance for years to come:

First, for any protocol protecting significant value, a single-point-of-failure bridge configuration is inherently unreasonable. The cost of a multi-DVN configuration is negligible relative to the risk. After this attack, any protocol continuing to operate a 1-of-1 DVN configuration is doing so with full knowledge of the consequences.

Second, infrastructure providers cannot use terms-of-service disclaimers to shed liability for operational failures. LayerZero's stance, "the protocol wasn't hacked, the configuration was Kelp's choice," is technically accurate but legally insufficient. When you operate validation nodes, choose RPC providers, and sign attestations, the duty of care follows the operation, not just the protocol specification.

Third, DeFi governance is not a liability shield. The emerging Lido/bZx/Ooki line of precedent is dismantling the assumption that DAO governance provides anonymity and protection. Governance voters, particularly identifiable institutional delegates, face real personal liability for risk parameter decisions. A 93% LTV that turned a $292 million bridge hack into a $200 million bad debt crisis is exactly the type of governance failure that Caremark's oversight duty is meant to catch.

The question now is whether the legal system can allocate responsibility in a way that both compensates victims and creates incentives for better security architecture. The answer depends on which recovery paths are pursued, whether assets can be traced promptly, and whether courts are willing to extend traditional liability frameworks to the novel architecture of decentralized finance.

Implication for protocol developers: In your next bridge deployment, ask yourself a simple question: If this bridge gets hacked, can I explain in court why I chose the minimum security configuration? If the answer is "because it was cheaper" or "because it was more convenient," you might already be on the 60% fault side. On the Carroll Towing scale, when the cost of prevention is negligible and the potential loss is measured in billions, any deviation from industry-recommended practice becomes the plaintiff attorney's strongest evidence.

Implication for governance participants: Anonymous voting no longer equals anonymous immunity. If you are a delegate for a well-known fund and vote for aggressive LTV parameters without reviewing the underlying risks, Caremark duties may pierce through the DAO's governance shell to reach you personally. The Lido DAO precedent, whatever its final outcome, has irrevocably altered the legal landscape of DeFi governance.

Implication for infrastructure providers: "Our protocol wasn't hacked" is not a disclaimer. When you operate verification infrastructure, your liability follows your operational acts, not just your code architecture. The LayerZero case will be the test case for this principle.

The law is catching up. Protocols that don't adapt will find themselves on the wrong side of a 60/40 fault split.

Related Questions

Q: What were the two primary failures that led to the $292 million KelpDAO cross-chain bridge exploit according to the legal analysis?

A: The two primary failures were: 1) KelpDAO's choice of a 1-of-1 DVN configuration, creating a single point of failure, and 2) LayerZero's failure to secure its RPC infrastructure against a known poisoning attack vector, which allowed the DVN to be deceived.

Q: How was the fault apportioned between KelpDAO and LayerZero, and what was the main reason for KelpDAO bearing the larger share?

A: Fault was apportioned as 60% to KelpDAO and 40% to LayerZero. KelpDAO bore the larger share because it made an active, conscious choice to use the minimum 1-of-1 security configuration against LayerZero's explicit recommendation of a 2-of-3 setup, which was the fundamental prerequisite that made the attack possible.

Q: Why are the liability cap clauses in the Terms of Service for KelpDAO and LayerZero likely unenforceable?

A: The liability caps ($200 for KelpDAO, $50 for LayerZero) are likely unenforceable due to the legal doctrine of unconscionability, which includes both procedural unfairness (adhesion contracts with no meaningful negotiation) and substantive unfairness (a gross disparity between the cap and the actual loss). Furthermore, they would not protect against claims of gross negligence or willful misconduct.

Q: What legal mechanism could completely invalidate the service terms, including arbitration clauses, and open the door for fraud claims?

A: If rsETH is classified as a security under the Howey test, the anti-waiver provisions of U.S. federal securities law would render the liability caps and arbitration clauses in the Terms of Service void by operation of law. This would allow for private rescission rights and fraud claims.

Q: What potential legal liability does Aave's governance face for its role in amplifying the losses, and on what legal basis?

A: Aave's governance, particularly identifiable institutional voters, could face liability for breach of fiduciary duty (Caremark oversight duty) under the emerging legal framework that treats certain DAOs as general partnerships. This is based on their decision to set an extremely aggressive 93% LTV for rsETH with only a 7% safety margin, allegedly without sufficiently assessing the underlying bridge risk, especially after its risk manager (Chaos Labs) resigned citing fundamental disagreements on risk strategy.
