Kelp DAO lost $290 million. Now everyone’s blaming each other.
The hack hit Kelp DAO’s rsETH token hard, and the fallout spread across $14 billion in DeFi infrastructure. LayerZero, Kelp DAO, and Aave are all caught up in the mess, each pointing at the others while users wait to see if they’ll get their money back. The whole thing turned into a blame game pretty fast, with companies scrambling to defend their role in what went wrong.
Two Days of Radio Silence
Kelp DAO went quiet for two full days after the breach. When they finally spoke up, the statement confirmed how the exploit worked but didn’t say much about paying people back. They did mention stopping another attack worth $95 million, which is something. But internal messages from Kelp reportedly pushed back hard against LayerZero’s version of events. LayerZero put out a post-mortem that basically blamed Kelp for the security failure, and Kelp didn’t like that one bit.
The company’s silence frustrated a lot of people. Two days feels like forever when your money’s gone and nobody’s talking. When the statement finally dropped, it left more questions than answers. No clear plan for restitution. No timeline. Just confirmation that yes, the hack happened, and yes, they managed to block an even bigger one.
LayerZero’s Default Settings Under Fire
LayerZero’s catching heat for how it handles security. The company lets individual projects set up their own security measures, which sounds reasonable until you look at the numbers. Almost half of the 2,500-plus bridging contracts on LayerZero use a default configuration that security experts call weak. That’s a problem.
Taylor Monahan, a blockchain security expert who knows her stuff, pointed out that tons of projects just stick with LayerZero’s default settings. Those defaults might’ve played a role in the vulnerability that got exploited. LayerZero recommends secure configurations, sure, but recommending something and making it the default are two different things.
And LayerZero still hasn’t fully disclosed the attack vector. That lack of transparency spooked several major crypto projects into hitting pause on their asset bridging. Ethena did it. So did EtherFi, WBTC, Tron, and Curve. They’re all reassessing their security protocols now, trying to figure out if they’re vulnerable too.
The criticism comes down to this: LayerZero put the security burden on individual teams who might not have the expertise to configure things properly. When half your users default to the insecure option, maybe the problem isn’t just user error.
Aave’s Collateral Problem
Aave didn’t cause the hack directly. But their setup made things worse.
The platform accepted rsETH as collateral without really thinking through cross-chain risks. Their risk assessments focused on market risks and liquidity risks—the usual stuff. They missed the bigger picture. That oversight let people build massive leveraged positions using rsETH, which made it a juicy target for hackers. More leverage means more potential damage when things go sideways.
Aave’s facing backlash now for not catching that vulnerability. The integration of rsETH as collateral seemed fine on paper, but it created conditions that amplified the exploit’s impact. When you’re running a lending protocol, you’ve got to think about all the ways things can break, not just the obvious ones.
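To make the "more leverage means more potential damage" point concrete, here is an added illustration (not Aave's or Kelp DAO's risk model, and not code from the article) of how a looped collateral position turns a collateral price drop into bad debt for the lending pool. All numbers (deposit size, LTV, loop count, price drop) are constructed for the example.

```python
"""Added illustration of leverage amplifying lending-pool losses.
Not the article's code and not any protocol's real risk parameters:
the deposit, LTV, loop count and price drop below are constructed."""
from dataclasses import dataclass


@dataclass
class LoopedPosition:
    initial_deposit: float  # user's own capital, in ETH-equivalent units
    ltv: float              # loan-to-value the pool allows per loop (0..1)
    loops: int              # times the deposit -> borrow -> redeposit cycle runs

    def exposure(self) -> float:
        # Collateral posted after `loops` rounds: d * (1 + ltv + ltv^2 + ...)
        return self.initial_deposit * sum(self.ltv ** i for i in range(self.loops + 1))

    def debt(self) -> float:
        # Everything above the user's own capital was borrowed from the pool
        return self.exposure() - self.initial_deposit

    def leverage(self) -> float:
        return self.exposure() / self.initial_deposit


def bad_debt(position: LoopedPosition, price_drop: float) -> float:
    """Shortfall left to the pool if the collateral loses `price_drop` (0..1)
    of its value before liquidators can close the position."""
    collateral_value = position.exposure() * (1.0 - price_drop)
    return max(0.0, position.debt() - collateral_value)


def max_safe_drop(position: LoopedPosition) -> float:
    """Largest price drop the position survives without creating bad debt."""
    return 1.0 - position.debt() / position.exposure()


if __name__ == "__main__":
    unlevered = LoopedPosition(initial_deposit=100.0, ltv=0.75, loops=0)
    looped = LoopedPosition(initial_deposit=100.0, ltv=0.75, loops=3)
    for p in (unlevered, looped):
        print(f"leverage {p.leverage():.2f}x, survives a {max_safe_drop(p):.0%} drop, "
              f"bad debt after 50% drop: {bad_debt(p, 0.5):.2f}")
```

The same 100 units of user capital create no bad debt unlevered, but looped three times at 75% LTV they leave the pool short once the collateral falls more than about 37%.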
Arbitrum Steps In
Arbitrum’s security council managed to claw back 30,000 ETH from the hacker. That’s $71 million worth of stolen funds, now sitting in Arbitrum’s hands instead of the attacker’s. Pretty impressive recovery work.
But it sparked a whole different debate. Arbitrum seized those funds without a court order, which raises questions about how decentralized finance should handle these situations. Some people praised the move—getting money back from hackers is good, right? Others worried about the precedent. If Arbitrum can freeze and seize funds unilaterally, what does that mean for the whole “decentralized” part of DeFi?
The recovered ETH sits in limbo now. Nobody knows how it’ll get redistributed. Do affected users get it back proportionally? Does Kelp DAO control the distribution? What about future hacks—will Arbitrum intervene every time, or was this a one-off? The sector doesn’t have clear answers yet.
The ethics get murky fast. Decentralization means no central authority making these calls, but when $71 million is on the line, somebody’s got to act. Arbitrum acted. Whether they should have is still up for debate.
What Happens Next
Users affected by the hack are stuck waiting. Kelp DAO hasn’t clarified how losses will get distributed or if full restitution is even possible. The $290 million loss is huge, and even with Arbitrum’s recovery, there’s still a massive shortfall.
The DeFi sector’s watching closely. Security defaults matter. Risk assessments need to consider cross-chain vulnerabilities. And the community needs to figure out when intervention is justified and when it crosses a line.
LayerZero’s default configuration problem isn’t going away. If half of 2,500 contracts are using insecure settings, that’s 1,250 potential vulnerabilities sitting out there. Other projects pausing their bridging might be smart, but it also shows how fragile trust is right now.
Aave’s oversight on cross-chain risks will probably change how lending protocols evaluate collateral going forward. One $290 million lesson is enough for most people.
Arbitrum’s recovery sets a precedent whether anyone wanted one or not. The next time a major hack happens, everyone will ask: will Arbitrum step in again? Should they? The answer depends on who you ask, and right now, nobody agrees.
The blame game continues. Kelp blames LayerZero’s architecture. Critics blame LayerZero’s defaults. Others point at Aave’s risk models. Meanwhile, users just want their money back, and the companies involved keep pointing fingers instead of working together on solutions.
Monahan’s criticism about default security settings hit a nerve because it’s true. Developers take the path of least resistance, and if the easiest path is insecure, that’s a systemic problem. LayerZero can recommend better configurations all day long, but until the default is secure, projects will keep getting exploited.
The paused bridging from major projects like Ethena and Curve shows how one hack can ripple across the whole ecosystem. These aren’t small players—they’re major DeFi protocols with billions in total value locked. When they all pause at once, it sends a message that LayerZero’s infrastructure needs serious scrutiny.
Kelp DAO’s $95 million attack prevention didn’t get much attention, but it probably should have. Stopping a second attack while dealing with the first one takes skill and quick thinking. But good crisis management doesn’t erase the initial failure, and users care more about getting their $290 million back than hearing about what didn’t get stolen.
The lack of a clear restitution plan from Kelp DAO is the biggest ongoing problem. Companies can argue about whose fault it was forever, but affected users need concrete information about if and when they’ll be made whole. Every day without an answer erodes trust further.
DeFi’s promise was always about removing intermediaries and creating trustless systems. But when hacks happen, people want someone to step in and fix things. That tension between decentralization and intervention isn’t going away, and the Kelp DAO hack just made it more obvious.
Frequently Asked Questions
How much did Kelp DAO lose in the hack?
Kelp DAO lost $290 million in the hack affecting its rsETH token, with the broader impact spreading across $14 billion in DeFi infrastructure.
How much did Arbitrum recover from the hacker?
Arbitrum’s security council recovered 30,000 ETH worth $71 million from the stolen funds, though the redistribution plan remains unclear.
Which major DeFi projects paused bridging after the hack?
Ethena, EtherFi, WBTC, Tron, and Curve all paused their asset bridging through LayerZero to reassess security protocols following the exploit.
