On April 18, 2026, attackers drained 116,500 rsETH, worth approximately $293 million at the time, from the cross-chain bridge of Kelp DAO's liquid restaking protocol within hours. The entire process was unusually efficient—from forging cross-chain messages to dispersing the stolen funds across three lending protocols, Aave V3, Compound V3, and Euler, to borrow real assets. The attackers exited the same day with $236 million in WETH. Aave, SparkLend, and Fluid promptly froze all rsETH markets.
This was the largest DeFi attack incident of 2026 to date.
But one thing set this attack apart from most hacking incidents. Kelp DAO's smart contract code had no vulnerabilities. Security researcher @0xQuit, who participated in the investigation, wrote on X, "From what I've gathered so far, this is the result of two issues叠加: a 1-of-1 DVN configuration and the DVN node itself being compromised." LayerZero's official statement also did not mention contract code, framing the issue as an "rsETH vulnerability" rather than a "LayerZero vulnerability."
$293 million, not found in a single line of code. It was hidden in a configuration parameter filled in incorrectly during deployment.
The general logic of DeFi security auditing is: find the contract, read the code, find the vulnerability. This logic works quite smoothly when dealing with code logic vulnerabilities; tools like Slither and Mythril have mature detection capabilities for known patterns like reentrancy attacks and integer overflows. LLM-assisted code auditing, heavily promoted in recent years, also has some capability against business logic vulnerabilities (such as flash loan arbitrage paths).
But two rows in this matrix are red.
Configuration-layer vulnerabilities are a structural blind spot in tool-based auditing. The problem with Kelp DAO was not in the .sol files, but in a parameter written during protocol deployment—the DVN threshold. This parameter determines how many validator nodes need to confirm a cross-chain message before it is deemed legitimate. It doesn't enter the code, doesn't enter Slither's scan range, and doesn't enter Mythril's symbolic execution path. According to comparative research by Dreamlab Technologies, Slither and Mythril detected 5/10 and 6/10 vulnerabilities in the tested contracts, respectively, but this achievement is based on the premise that "the vulnerability is in the code." According to IEEE research, even at the code level, existing tools can only detect 8%-20% of exploitable vulnerabilities.
From the perspective of current auditing paradigms, there is no tool that can "detect whether the DVN threshold is reasonable." To detect such configuration risks, what is needed is not a code analyzer, but a specialized configuration checklist: "Number of DVNs used by the cross-chain protocol ≥ N?", "Is there a minimum threshold requirement?" Such questions currently have no standardized tool coverage, nor even widely accepted industry standards.
Also in the red zone are key and node security. @0xQuit's description mentioned the DVN node being "compromised," which falls under operational security (OpSec), beyond the detection boundaries of any static analysis tool. Neither any first-tier auditing firm nor AI scanning tools have the ability to predict whether a node operator's private key will be leaked.
This attack triggered both red zones in the matrix simultaneously.
DVN is LayerZero V2's cross-chain message verification mechanism, short for Decentralized Verifier Network. Its design philosophy is to give security decision-making power to the application layer: each protocol integrated with LayerZero can choose how many DVN nodes need to confirm simultaneously before allowing a cross-chain message to pass.
This "freedom" creates a spectrum.
Kelp DAO chose the far left end of the spectrum: 1-of-1, requiring confirmation from only one DVN node. This meant a fault tolerance of zero; the attacker only needed to compromise that one node to forge any cross-chain message. In contrast, Apechain, also integrated with LayerZero, configured more than two required DVNs and was unaffected in this incident. LayerZero's official statement used the wording "all other applications remain secure," the subtext of which is: security depends on which configuration you chose.
The normal industry recommendation is at least 2-of-3, requiring an attacker to compromise two independent DVN nodes simultaneously to forge a message, increasing fault tolerance to 33%. High-security configurations like 5-of-9 can achieve 55% fault tolerance.
The problem is, external observers and users cannot see this configuration. Both might be called "powered by LayerZero," but behind it could be 0% fault tolerance or 55% fault tolerance. Both are called DVN in the documentation.
Veteran crypto investor Dovey Wan, who experienced the Anyswap incident, wrote directly on X: "LayerZero's DVN is actually 1/1 validator...... All cross-chain bridges should immediately conduct a comprehensive security review."
In August 2022, a vulnerability was discovered in the Nomad cross-chain bridge. Someone copied the first attack transaction, made slight modifications, found it also worked—so hundreds of addresses successively began copying, draining $190 million within hours.
Nomad's post-mortem wrote that the vulnerability source was "initializing the trusted root to 0x00 during a routine upgrade." This was a configuration error that occurred during the deployment phase. The Merkle proof verification logic was fine, the code itself was fine; the problem was an initial value filled in incorrectly.
This time, combined with Nomad, configuration/initialization class vulnerabilities have caused approximately $482 million in losses. In the entire history of cross-chain bridge thefts, this category's scale is now comparable to key leak class (Ronin $624 million, Harmony $100 million, Multichain $126 million, totaling approximately $850 million).
But the product design of the code auditing industry has never been targeted at this category.
The most discussed topics in the industry are still code logic vulnerabilities. Wormhole's $326 million hack due to signature verification bypass, Qubit Finance's $80 million theft due to fake deposit events. These cases have complete vulnerability analysis, CVE number analogies, reproducible PoCs, suitable for the training and optimization of auditing tools. Configuration-layer problems are not written in the code and struggle to enter this production cycle.
A noteworthy detail is that the triggering methods of the two configuration-class events were completely different. Nomad accidentally filled in a wrong initial value during a routine upgrade, a mistake. Kelp DAO's 1-of-1 was an active configuration choice—the LayerZero protocol did not prohibit this option, and Kelp DAO did not violate any protocol rules. A "compliant" configuration choice and a "mistaken" initial value ultimately led to the same consequence.
The execution logic of this attack was simple: a forged cross-chain message told the Ethereum mainnet that "equivalent assets have been locked on another chain," triggering the minting of rsETH on the mainnet. The minted rsETH itself had no actual backing, but its on-chain record was "legitimate" and could be accepted as collateral by lending protocols.
The attacker then dispersed the 116,500 rsETH into Aave V3 (Ethereum and Arbitrum), Compound V3, and Euler, borrowing over $236 million in real assets. According to multiple reports, Aave V3 alone faced an estimated bad debt of approximately $177 million. Aave's safety module, Umbrella, has a WETH reserve of about $50 million available to absorb bad debt, covering less than 30%, with the remaining portion to be borne by aWETH stakers.
This bill ultimately fell on those who just wanted to earn a little WETH interest.
LayerZero officials, as of writing, are still jointly investigating with the security emergency response organization SEAL Org, stating they will release a post-mortem report with Kelp DAO after obtaining all information. Kelp DAO stated it is conducting "active remediation."
The $293 million vulnerability was not in the code. The phrase "audit passed" did not cover the location of that parameter.
