In traditional finance, moving a million dollars involves multiple authorisations, checks, and audit trails. In DeFi, when a control failure lets funds walk out the door, it is called a ‘learning experience.’ This mindset is the real problem. The solution is not complicated. What is missing is the will to prioritise cybersecurity and governance over speed to market.
One transaction. Forty-six minutes. $292M gone. The ensuing panic wiped $13B in the next 48 hours. Decentralised Finance has yet to demonstrate the control maturity of a regulated institution.
First, the jargon decoded:
- rsETH is a receipt: proof that you deposited real ETH.
- A bridge transfers these receipts between blockchains.
- The verifier is the smart contract plus off-chain software that decides whether a bridge message is genuine before receipts are released.
- KelpDAO is a platform that lets users deposit ETH and earn yield.
- LayerZero Labs built the bridge KelpDAO relied on.
What exactly happened?
KelpDAO ran a single verifier. The attacker sent a crafted message claiming that real ETH had been deposited and asking for the corresponding receipts to be released. The verifier checked only that the message carried a valid signature, not that any ETH had actually moved on the source chain. One signature was enough. The bridge released 116,500 rsETH (receipts) to the attacker’s wallet, with nothing backing them.
KelpDAO, under KernelDAO, appears to be nominally governed by token holders rather than a central company, which means no board, no regulator, and no one accountable for a configuration choice such as running a single verifier.
Those receipts went into Aave, a lending platform that had approved rsETH as collateral. Aave’s contracts were not compromised; the design simply assumed the receipt would always be genuine. There was no real-time check asking: is this receipt actually backed by real ETH right now?
DeFi protocols are connected like dominoes. Once the fake receipts had been borrowed against on Aave, panic spread fast. Large holders withdrew. Aave hit 100% utilisation. SparkLend and Compound Foundation paused rsETH markets. Euler froze positions entirely. Within 48 hours, $13B was wiped out, not by hacking, but by fear-driven actions that spread in the absence of safeguards.
What needs to change?
Bridge security usually has three layers:
- technical verification (checking signatures),
- economic security (verifiers stake capital that gets destroyed if they approve a fake message), and
- consensus redundancy (multiple independent verifiers must agree).
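The three layers above, modelled as an added example (this is not code from the article, from KelpDAO or from LayerZero): a toy bridge in which a 1-of-1 verifier releases receipts on any valid signature, beside a 2-of-3 verifier set whose members check source-chain state before signing and forfeit their stake if they sign a claim the source chain does not back. The keys, chain state, deposit identifiers, amounts and verifier names are all constructed for the illustration, and signatures are stood in by HMAC-SHA256.

```python
"""Added example, not code from the article or from KelpDAO / LayerZero: a toy
model of cross-chain message verification. It contrasts a 1-of-1 verifier that
only checks a signature against an M-of-N verifier set whose members check
source-chain state before signing and forfeit stake when they sign a false
claim. Keys, chain state and the attacker's message are all constructed here."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def sign(key: bytes, msg: dict) -> str:
    """Deterministic signature stand-in (HMAC-SHA256 over the canonical message)."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


@dataclass
class Verifier:
    name: str
    key: bytes
    stake: int                 # economic security: capital at risk
    honest: bool = True        # a dishonest verifier signs whatever it is asked to

    def attest(self, msg: dict, source_deposits: Dict[str, int]) -> Optional[str]:
        """Sign only if the claimed deposit really exists on the source chain."""
        if self.honest and source_deposits.get(msg["deposit_id"]) != msg["amount"]:
            return None
        return sign(self.key, msg)


def single_verifier_release(msg: dict, sig: str, verifier: Verifier) -> bool:
    """The 1-of-1 design: a valid signature is the whole check."""
    return hmac.compare_digest(sig, sign(verifier.key, msg))


@dataclass
class QuorumBridge:
    verifiers: List[Verifier]
    threshold: int
    slashed: List[str] = field(default_factory=list)

    def _signers(self, msg: dict, attestations: Dict[str, str]) -> List[Verifier]:
        return [v for v in self.verifiers
                if v.name in attestations
                and hmac.compare_digest(attestations[v.name], sign(v.key, msg))]

    def release(self, msg: dict, attestations: Dict[str, str]) -> bool:
        """Consensus redundancy: `threshold` distinct verifiers must sign the same message."""
        return len(self._signers(msg, attestations)) >= self.threshold

    def slash(self, msg: dict, attestations: Dict[str, str],
              source_deposits: Dict[str, int]) -> List[str]:
        """Economic security (fraud-proof step): every verifier that signed a claim
        the source chain does not back loses its entire stake."""
        if source_deposits.get(msg["deposit_id"]) == msg["amount"]:
            return []
        for v in self._signers(msg, attestations):
            v.stake = 0
            self.slashed.append(v.name)
        return list(self.slashed)


def bridge_scenario() -> dict:
    # Constructed source-chain state: only deposit "d1" of 10 ETH is real.
    source_deposits = {"d1": 10}
    forged = {"deposit_id": "d999", "amount": 116_500, "to": "attacker"}
    genuine = {"deposit_id": "d1", "amount": 10, "to": "alice"}

    # Design 1: one verifier, and the attacker controls its key (or its software).
    lone = Verifier("lone", b"lone-key", stake=0, honest=False)
    lone_sig = lone.attest(forged, source_deposits)
    one_of_one_released = single_verifier_release(forged, lone_sig, lone)

    # Design 2: three independent verifiers, 2-of-3 required, each with stake.
    vs = [Verifier("v1", b"k1", 100), Verifier("v2", b"k2", 100),
          Verifier("v3", b"k3", 100, honest=False)]
    bridge = QuorumBridge(vs, threshold=2)

    forged_att = {v.name: s for v in vs
                  if (s := v.attest(forged, source_deposits)) is not None}
    quorum_released_forged = bridge.release(forged, forged_att)
    slashed = bridge.slash(forged, forged_att, source_deposits)

    genuine_att = {v.name: s for v in vs
                   if (s := v.attest(genuine, source_deposits)) is not None}
    quorum_released_genuine = bridge.release(genuine, genuine_att)

    return {
        "one_of_one_released_forged": one_of_one_released,   # True
        "quorum_released_forged": quorum_released_forged,    # False
        "slashed": slashed,                                  # ["v3"]
        "v3_stake_after": vs[2].stake,                       # 0
        "quorum_released_genuine": quorum_released_genuine,  # True
    }


if __name__ == "__main__":
    print(bridge_scenario())
```

Run it and the forged message passes the single verifier but collects only one signature from the quorum, which is below the threshold, and the verifier that signed it is slashed; the genuine deposit still clears the quorum. The point is that the signature check was never wrong, it was simply the only check.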
In the KelpDAO configuration, two of the three layers were absent: a single verifier with no stake at risk and no requirement for independent agreement. Lending platforms also need hard limits on how quickly any single collateral asset can be borrowed against, particularly for newer or less liquid tokens.
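The lending-side limit in the paragraph above, as an added example (not code from the article or from Aave): a per-collateral throttle with a hard cap on the total debt the asset may back and a velocity limit on new debt it may back within a rolling window. The amounts, timestamps, window length and limits are constructed for the illustration.

```python
"""Added example, not code from the article or from Aave: a per-collateral
borrow throttle for a lending market. Each collateral asset gets a hard cap on
the total debt it may back and a velocity limit on new debt it may back within
a rolling window, so freshly minted receipts cannot be turned into a large
loan within minutes. Amounts, timestamps, window and limits are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


@dataclass
class CollateralLimits:
    hard_cap: int                # max total debt this asset may back (USD)
    window_seconds: int          # rolling window for the velocity check
    window_cap: int              # max new debt inside any one window (USD)
    outstanding: int = 0         # debt currently backed by this asset
    recent: Deque[Tuple[int, int]] = field(default_factory=deque)  # (time, amount)

    def _prune(self, now: int) -> None:
        """Drop borrows that have fallen out of the rolling window."""
        while self.recent and now - self.recent[0][0] >= self.window_seconds:
            self.recent.popleft()

    def try_borrow(self, now: int, amount: int) -> Tuple[bool, str]:
        """Accept the borrow only if both the hard cap and the velocity limit hold."""
        self._prune(now)
        if self.outstanding + amount > self.hard_cap:
            return False, "hard cap"
        if sum(a for _, a in self.recent) + amount > self.window_cap:
            return False, "velocity limit"
        self.outstanding += amount
        self.recent.append((now, amount))
        return True, "ok"


def lending_scenario() -> dict:
    """Constructed burst: a holder of a large pile of freshly minted receipts
    tries to borrow $40M six times, four of them within the first 15 minutes."""
    limits = CollateralLimits(hard_cap=150_000_000,
                              window_seconds=3600,
                              window_cap=100_000_000)
    attempts = [(0, 40_000_000), (300, 40_000_000), (600, 40_000_000),
                (900, 40_000_000), (4000, 40_000_000), (4100, 40_000_000)]
    decisions: List[str] = [limits.try_borrow(t, amt)[1] for t, amt in attempts]
    return {
        # ["ok", "ok", "velocity limit", "velocity limit", "ok", "hard cap"]
        "decisions": decisions,
        "outstanding": limits.outstanding,                  # 120_000_000
        "unthrottled_total": sum(a for _, a in attempts),   # 240_000_000
    }


if __name__ == "__main__":
    print(lending_scenario())
```

The velocity limit turns away the third and fourth attempts inside the first hour, the hard cap stops the last one, and the asset ends up backing $120M instead of the $240M an unthrottled market would have lent. Neither check needs to know whether the collateral is fake; it only bounds how much damage a fake collateral can do before humans and pausing mechanisms catch up.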
Sources:
- The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge
- Kelp DAO Loses $293M in Bridge Exploit, Leaving Aave with Over $200M in Bad Debt
About the author
Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. With 30 years of navigating the intersection of technology, risk, and regulations, he now helps organisations cut through complexity and make better security decisions.
CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.
Disclaimer: All views expressed here are entirely mine.
