The $292 million exploit of Kelp DAO has sparked a wave of backlash across the crypto industry, with developers and traders warning that the incident exposed deeper flaws in how decentralized finance (DeFi) is built.
Data shared by market participants shows that the immediate fallout spread far beyond the hacked protocol.
“rsETH hack leads to withdrawals across all lending protocols, even on solana and unaffected protocols,” 0xngmi said in a post on Sunday, pointing to steep outflows including “Aave: -6,200m (-23%) net inflow” and smaller but notable declines across Morpho, Sky and JupLend. rsETH is the restaked ether of liquid restaking protocol Kelp DAO, a Liquid Restaking Token (LRT) that allows users to earn ether staking and restaking rewards while keeping their assets liquid even when locked in staking.
That pressure quickly turned into something more serious. A widely circulated post by Josu San Martin described rampant liquidity stress in the lending markets: “ETH depositors can’t withdraw the ETH, so they borrow stables to ‘raise’ funds… This is a full run on AAVE.”
While Stani Kulechov, Aave’s founder, said the exploit was external and the protocol’s contracts were not compromised, depositors panicked. Total value locked (deposits) fell from $26.4 billion on April 18 to nearly $20 billion in the U.S. morning hours on Sunday, according to DefiLlama. The AAVE token also fell by more than 18% as depositors tried to withdraw their funds over the weekend.
A ‘case study’
The exploit itself has become a focal point for engineers and developers.
Several developers pushed back on early assumptions that the problem stemmed from the core infrastructure. “The KelpDAO exploit (~$290M) is NOT a LayerZero protocol flaw. It’s a configuration issue and a case study that every project with a cross-chain token needs to look at today,” read a technical breakdown by cryptogoblin.
The thread described how a single point of verification enabled the attack. “One signature and 116,500 rsETH materialized out of thin air on Ethereum,” said the post, which describes a system where “the [smart] contracts were not broken. The verification layer was.”
Others argued that the problem runs deeper than a single setup choice.
A critique by Fishy Catfish on X framed it as a design flaw, claiming that “there is no security floor… A configuration could be a 1/1 DVN, and the DVN you chose could be a single node powered by a single device.” A DVN (Decentralized Verifier Network), as used in LayerZero V2, is an independent entity responsible for validating and attesting the authenticity of messages sent across different blockchain networks. Essentially, DVNs verify message hashes between a source chain and a destination chain.
To make the point clearer, the author made a real-world comparison: “imagine if a roller coaster manufacturer allowed theme parks to individually decide what the minimum safety specifications were.” In other words, flexibility without guardrails can create hidden risks.
The post went so far as to locate the problem in the design itself. “I personally think this is a flawed design. Modular security is a valuable design space, however, the security domain should have a built-in security floor that is pretty strong, and then allow *further* layering of security on top of that for more valuable use-cases.”
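The "security floor" argument can be expressed as a pre-deployment check that rejects any pathway whose verifier quorum falls below a minimum. This is an added example, not code from LayerZero, Kelp DAO or the posts quoted; the `PathwayConfig` fields, the floor of 2 and the sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_VERIFIERS = 2  # hypothetical policy floor for this example, not a LayerZero default


@dataclass
class PathwayConfig:
    """Simplified, hypothetical view of one cross-chain pathway's verifier set."""
    name: str
    required_dvns: list = field(default_factory=list)  # every one must attest
    optional_dvns: list = field(default_factory=list)  # any `optional_threshold` must attest
    optional_threshold: int = 0


def audit(cfg, floor=MIN_VERIFIERS):
    """Return findings for one pathway; an empty list means it meets the floor."""
    findings = []
    # Addresses are hex strings, so compare case-insensitively to catch
    # the same verifier listed twice under different checksum casing.
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    if len(required) != len(cfg.required_dvns):
        findings.append("duplicate required DVN")
    if cfg.optional_threshold > len(optional):
        findings.append("optional threshold exceeds distinct optional DVNs")
    # Distinct verifiers that must independently attest before a message is accepted.
    quorum = len(required) + min(cfg.optional_threshold, len(optional))
    if quorum < floor:
        findings.append(f"quorum {quorum} is below floor {floor}")
    return findings


def audit_all(configs, floor=MIN_VERIFIERS):
    """Map pathway name -> findings, keeping only pathways that fail the audit."""
    report = {c.name: audit(c, floor) for c in configs}
    return {name: f for name, f in report.items() if f}


# Constructed sample data: addresses are placeholders, not real verifiers.
DVN_A, DVN_B, DVN_C = ("0x" + c * 40 for c in "abc")
SAMPLE = [
    PathwayConfig("one-of-one", required_dvns=[DVN_A]),
    PathwayConfig("layered", required_dvns=[DVN_A], optional_dvns=[DVN_B, DVN_C],
                  optional_threshold=1),
    PathwayConfig("same-dvn-twice", required_dvns=[DVN_A, DVN_A.upper()]),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```

Counting distinct addresses rather than list entries matters here: a list of two verifiers that resolve to the same address is still a 1/1 setup.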
‘DeFi is dead’
It is not only the size and complexity of the exploit that has given rise to the harsh, panicked criticism. Its reach has added to the concern.
About 116,500 rsETH, roughly 18% of the supply, was affected. The attacker tricked LayerZero’s cross-chain messaging layer into thinking a valid instruction had arrived from another network, triggering Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address.
Protocols responded by freezing markets and pausing functions. Aave stopped rsETH activity. Lido paused deposits linked to the asset. Other projects took similar steps to limit exposure as the situation developed.
Beyond the technical debate, sentiment across crypto turned sharply negative. One post perhaps captured the mood shift in stark terms: “DeFi is dead … ‘just use aave’ is dead,” while adding that “the age of crypto is over” and asking, “If you’re reading this – why are you still in crypto?”
While the response may sound like an overreaction, this kind of ‘knee-jerk’ reaction is not unusual after major exploits. The breadth of this event, however, stands out.
The attack affected cross-chain infrastructure, restaking models and lending markets simultaneously. It also follows a series of recent incidents, landing in an unusually hostile stretch for DeFi, especially this month. The Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later attributed to North Korea-linked actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance.
‘Check your configurations’
Despite all the explanations, there are still more questions than answers.
Even LayerZero is still trying to figure out the full details of the exploit. “We are fully aware of the rsETH exploit and have been in active remediation with the @KelpDAO team since the incident and continue to monitor. All other applications remain secure,” said a post on X. “We are still identifying the root cause with @_SEAL_Org and others. We will publish a full post mortem with @KelpDAO as soon as we have all the information.”
KelpDAO echoed this sentiment. “Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across the mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts at RCA. We will keep you updated as we learn more about this situation.”
Still, some developers see a clearer lesson in the chaos.
The exploit did not rely on breaking encryption or bypassing smart contracts. Instead, it revealed how fragile systems can become when they rely on layered assumptions.
Simply put, the tools worked as designed. The way they were configured didn’t.
That distinction can shape what comes next. Builders are now encouraging projects to review their setups, especially those that rely on cross-chain messaging.
As cryptogoblin put it bluntly: “Check your configurations. Be safe out there.”