$290 Million Stolen, Three Parties Deny Responsibility: Who Should Foot the Bill for the KelpDAO Incident?
Original Title: "Trilemma in a $290 Million Hole: Aave, L0, Kelp – Who Will Foot the Bill?"
Original Author: Azuma, Odaily Planet Daily
It has been over 30 hours since the rsETH bridging contract of Kelp DAO was exploited. The involved parties (LayerZero, Kelp DAO, Aave) have made statements one after another (mostly shifting blame and emphasizing their innocence), but have not yet provided a final solution.
Therefore, this article aims to discuss the current positions and attitudes of the parties involved, explore the reasons for the delayed solution, and speculate on how the event may ultimately be resolved.
Editor's Note: For background information, please refer to "No Bugs in the Code, Yet Hacked – What's the Story Behind the 2026's Largest Hack via DVN Configuration Vulnerability?".
Who Should Take Responsibility?
First, let's discuss the issue of responsibility.
According to details disclosed by LayerZero, the direct cause of the incident is quite clear. The decentralized validator network (DVN) operated by LayerZero relied on downstream RPC infrastructure that was compromised (see the analysis by SlowMist founder, Cosine, below), and because Kelp DAO's bridging contract adopted a 1/1 DVN, the attacker only needed to complete a forged message verification to execute the attack.

LayerZero believes that Kelp DAO, which used the 1/1 DVN configuration, bears the most direct responsibility for this incident. There's no doubt about it; such an obvious "single point of failure" is absurd.
However, as the underlying cross-chain protocol, LayerZero should also shoulder some responsibility. LayerZero allows each upper-layer application to configure the number and threshold of DVNs independently. While the 1/1 DVN was Kelp DAO's own choice, as the architectural designer, LayerZero should have avoided such obviously flawed settings.
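The single-point-of-failure argument above can be checked mechanically. The following is an added example, not LayerZero or Kelp DAO code: a simplified quorum model that reports how few verifiers, and how few shared upstream RPC providers, are enough to get a message accepted. All names, fields and sample configurations are hypothetical.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass(frozen=True)
class Dvn:
    name: str          # hypothetical verifier label
    rpc_provider: str  # hypothetical upstream RPC dependency of that verifier

@dataclass
class PathwayConfig:
    app: str
    required: list                      # every required DVN must attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0         # how many optional DVNs must also attest

def accepts(cfg, attesting):
    """True if the set of attesting DVN names satisfies the configured quorum."""
    required_ok = all(d.name in attesting for d in cfg.required)
    optional_hits = sum(d.name in attesting for d in cfg.optional)
    return required_ok and optional_hits >= cfg.optional_threshold

def min_dvn_compromises(cfg):
    """Fewest verifiers whose attestation alone gets a message accepted."""
    return len(cfg.required) + cfg.optional_threshold

def min_provider_compromises(cfg):
    """Fewest upstream RPC providers that together feed a full quorum."""
    dvns = cfg.required + cfg.optional
    providers = sorted({d.rpc_provider for d in dvns})
    for k in range(1, len(providers) + 1):
        for owned in combinations(providers, k):
            fed = {d.name for d in dvns if d.rpc_provider in owned}
            if accepts(cfg, fed):
                return k
    return 0  # no verifiers configured at all

def audit(cfg, floor=2):
    """Return findings for quorums that rest on fewer than `floor` independent parties."""
    findings = []
    if min_dvn_compromises(cfg) < floor:
        findings.append(f"{cfg.app}: quorum satisfied by {min_dvn_compromises(cfg)} DVN(s)")
    if min_provider_compromises(cfg) < floor:
        findings.append(f"{cfg.app}: quorum depends on {min_provider_compromises(cfg)} RPC provider(s)")
    return findings

# Constructed sample configurations (not real deployments).
ONE_OF_ONE = PathwayConfig("bridge-a", [Dvn("dvn-1", "rpc-x")])
SHARED_RPC = PathwayConfig("bridge-b", [Dvn("dvn-1", "rpc-x"), Dvn("dvn-2", "rpc-x")])
DIVERSE = PathwayConfig("bridge-c", [Dvn("dvn-1", "rpc-x"), Dvn("dvn-2", "rpc-y")],
                        [Dvn("dvn-3", "rpc-z"), Dvn("dvn-4", "rpc-x")], 1)
```

The second sample shows why counting verifiers is not enough: two DVNs that read the same RPC provider still form one point of failure.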
Lastly, there are lending protocols like Aave (with a focus on Aave in this case). Although they are also indirectly affected, objectively speaking, Aave, in pursuit of expansion, granted excessive borrowing power to LRT assets like rsETH, which directly contributed to its current passive situation. Additionally, it is worth mentioning that Aave's former risk team, BGD Labs (now separated from Aave), explicitly pointed out Kelp DAO's DVN issue in January of last year. While Kelp accepted the advice at that time, it clearly did not make any changes... Aave did not continue to supervise and take corresponding measures, leading to their own downfall.

So the liability is very clear, with Kelp DAO as the primary responsible party, LayerZero as the secondary responsible party, and Aave also bearing some indirect responsibility.
The Awkward Reality
Reality is always more complex than theoretical expectations. The most critical issue is that the Kelp DAO team, who should bear the primary responsibility, cannot come up with such a large sum of money to cover the deficit... Whether directly deducting the losses from all rsETH holders or betraying Layer 2 token holders, it is essentially a dead end.
So, who has the money? The first is LayerZero, which has suffered a reputation crisis due to this incident, has been temporarily disabled by many institutions and protocols such as BitGo, Tron, Ethena, Curve, and ether.fi, and is watching a large amount of cross-chain TVL potentially slip away; the second is Aave, which faces a huge potential bad debt and is witnessing billions of dollars in TVL outflow.
Therefore, the "buck-passing" among all parties is now very clear. The primary responsible party, Kelp DAO, is basically paralyzed and unable to lead the subsequent compensation; it needs to discuss with the two larger players how to proceed. Meanwhile, LayerZero, the secondary responsible party, and Aave, the indirectly responsible party, are the ones with the ability to compensate, but both have stated that their protocols do not have any vulnerabilities and have made it clear that they are not willing to easily take on such a huge responsibility. So the current situation seems to be somewhat deadlocked.
But I do not believe this situation will last long, because both protocols have the need to resolve the issue as soon as possible—LayerZero cannot give up its OFT cross-chain ecosystem map, and Aave cannot ignore the continuous outflow of funds.
Key to Multi-party Game
This morning, Aave issued an updated statement on this incident, with the most important piece of information being—Aave emphasizes that "rsETH on the Ethereum mainnet is well-supported."
How should this statement be understood? We need to start with the design of rsETH.
rsETH is essentially a liquid restaking certificate token issued by Kelp DAO, with each rsETH backed by one ETH in the underlying staking and restaking system. The path is "ETH - Lido - EigenLayer - Kelp DAO - rsETH".
rsETH on the mainnet is the original staking certificate token issued by Kelp DAO on Ethereum. To expand into the Layer 2 ecosystem, Kelp DAO uses LayerZero's cross-chain bridging contract (the very system involved in this incident) to map mainnet rsETH to various Layer 2 networks. For each rsETH minted on Layer 2, an equivalent amount of mainnet rsETH is held in Kelp DAO's custody contract, to be released only upon cross-chain transfer back to the mainnet.
Now, back to the incident itself. As mentioned earlier, the theft happened because the hacker deceived the DVN into verifying a forged cross-chain message, causing the bridging contract to "mistakenly release" 116,500 rsETH. Note that this was not the creation of new tokens out of thin air but the unauthorized release of the original staking certificate tokens from the mainnet.
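The custody design described above implies an invariant a monitor can watch: mainnet custody must always cover the mapped supply on Layer 2, and every release must pair with a burn. The following is an added example, not Kelp DAO or LayerZero code; the event format, chain labels and message ids are hypothetical, the events are constructed, and it assumes events are processed in order.

```python
from decimal import Decimal

# Constructed sample events (not on-chain data): (kind, chain, amount, message id).
EVENTS = [
    ("lock", "mainnet", Decimal("200000"), "m1"),
    ("mint", "l2-a", Decimal("200000"), "m1"),
    ("burn", "l2-a", Decimal("5000"), "m2"),
    ("release", "mainnet", Decimal("5000"), "m2"),
    ("release", "mainnet", Decimal("116500"), "m3"),  # no burn precedes this release
]

def monitor(events):
    """Replay bridge events and return alerts for broken backing invariants."""
    custody = Decimal(0)   # mainnet tokens held by the custody contract
    supply = {}            # Layer 2 chain -> mapped tokens in circulation
    pending_burns = {}     # message id -> amount burned and awaiting release
    alerts = []
    for kind, chain, amount, msg_id in events:
        if kind == "lock":
            custody += amount
        elif kind == "mint":
            supply[chain] = supply.get(chain, 0) + amount
        elif kind == "burn":
            supply[chain] = supply.get(chain, 0) - amount
            pending_burns[msg_id] = amount
        elif kind == "release":
            custody -= amount
            # A release is legitimate only if the same message burned the same amount.
            if pending_burns.pop(msg_id, None) != amount:
                alerts.append(("unmatched_release", msg_id, amount))
        # Backing invariant: custody must cover everything circulating on Layer 2.
        shortfall = sum(supply.values()) - custody
        if shortfall > 0:
            alerts.append(("undercollateralized", msg_id, shortfall))
    return alerts
```

On the constructed log, the first four events raise nothing; the final release raises both alerts with a shortfall equal to the released amount.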

The issue lies here: these tokens were already circulating on Layer 2 in mapped form, while the mainnet tokens themselves were in a frozen state. After the hack, however, the hacker deposited the released tokens into protocols like Aave, borrowed the more liquid WETH against them, and escaped. A fact to emphasize is that the deposited rsETH is genuine, which is why Aave accepted it as collateral for borrowing.
Now, revisiting Aave's statement becomes intriguing. The phrase "mainnet rsETH has ample backing on Ethereum" is essentially saying, "These coins are all real, Kelp DAO, you should be helping us redeem ETH against these tokens (contract paused, redemption currently not possible)… As for the Layer 2 mapped rsETH that lost its mainnet backing, well, that's not my problem!"
This seems to be Aave's stance. Emphasizing the value of mainnet rsETH means disregarding the value of Layer 2 mapped rsETH, and Aave itself holds a significant rsETH debt position in its Layer 2 lending products (valued at approximately $359 million in real time), so this may lead to some bad debt. However, choosing the lesser of two evils, Aave likely evaluated the potential impacts of both options and concluded that preserving its core product on the mainnet aligns with its best interests.
Nevertheless, this represents Aave's perspective only. The final resolution of the incident will depend on reaching an agreement with LayerZero and Kelp DAO.
While those two have not yet made any further statements, I personally believe that LayerZero is unlikely to accept this proposal, as sacrificing the Layer 2 pegged token would directly threaten LayerZero's cross-chain reputation.
Potential Solution
The problem will eventually need to be resolved. In recent days, various experts on social media have also been giving suggestions to Aave, LayerZero, and Kelp DAO.
DefiLlama founder 0xngmi deduced three possible paths, but also pointed out significant flaws in all three. The first path involves all rsETH holders collectively bearing an 18.5% haircut (proportion of lost tokens to total supply), with Kelp DAO taking the hit, and Aave also facing around $216 million in defaults on the mainnet; the second path is to disregard the value of all Layer 2 pegged rsETH, allowing Aave's mainnet product to remain intact, but the Layer 2 version is likely to collapse, and Kelp DAO's reputation will be damaged; the third path is to fully reimburse pre-hack rsETH holders based on a snapshot, while subsequent buyers or transferees would bear the losses themselves, but due to significant fund movement post-hack, this is almost impossible to execute in reality.
OneKey founder Yishi mentioned: "The best result now would be to negotiate with the hacker, offer a 10–15% bounty, reclaim the majority, and everyone is happy. If negotiation fails, LayerZero's ecosystem fund can cover the majority, as it is the wealthiest and has the most long-term interest, allowing the OFT ecosystem to be preserved. Kelp DAO is the poorest, either token + future income compensation, or simply selling the entire project to LayerZero or Bitmine. Aave's Umbrella and stkAAVE provide the ultimate backstop, but WETH depositors must absolutely not bear the haircut, otherwise Morpho, Spark, Fluid, Euler will all experience repricing, the LRT track will be tainted, and the entire DeFi industry will regress three years."
Regardless, all parties are surely going to continue to debate for a while, as it involves billions of dollars, and no one wants to be the biggest loser.
As for how much time is needed to provide a solution, as mentioned earlier, both giants are unwilling to delay for too long. LayerZero is currently under a forced pause by major collaborating institutions and protocols, and delaying further will undoubtedly lead these partners to switch cross-chain paths; Aave's situation is also not optimistic, with the utilization rates of multiple money markets already at 100%, leaving depositors in a "trapped" state. If ETH were to suddenly plummet, Aave could likely experience more defaults due to the inability to liquidate effectively (which is the case currently), ultimately leading to a snowball effect of worsening issues. At that stage, the industry's foundation may suffer a blow, which clearly no one would be willing to see.