More than 30 hours have passed since the attack on the rsETH bridge contract of Kelp DAO, which involved an amount equivalent to approximately $290 million. LayerZero, Kelp DAO, and Aave have issued statements in succession, but most of them serve to deflect responsibility and stress their own innocence. So far, no unified compensation or resolution plan has emerged, and the entire incident has reached a stalemate.
I. Core of the event: Who should be responsible for this attack?
Based on the disclosure by LayerZero and the analysis by security institutions such as SlowMist, the direct cause of the attack has been clearly identified: the downstream RPC infrastructure relied upon by LayerZero's decentralized verifier network (DVN) was breached; combined with Kelp DAO's choice of a 1/1 DVN verification configuration in the bridge contract, the attacker only needed a single forged verification to pass in order to complete the attack. In terms of assigning responsibility, the industry consensus is basically clear:
Kelp DAO's primary responsibility lies in adopting a 1/1 single-point verification model, which constitutes a clear security design flaw and is the most direct cause for the ease of attack implementation. Therefore, it should bear the primary responsibility.
As the underlying cross-chain protocol, LayerZero allows project parties to set the number of validation nodes and thresholds independently. Although the 1/1 configuration is Kelp's own choice, as the underlying architecture provider, it bears an inescapable responsibility for not imposing restrictions or warnings on such high-risk configurations.
Aave's Indirect Liability. In order to expand its business, Aave granted excessive borrowing limits and collateral permissions to LRT assets like rsETH, which directly enabled hackers to quickly collateralize, cash out, and exit the market after their success. More notably, Aave's former risk control team, BGD Labs, had already pointed out the DVN configuration risks of Kelp DAO as early as January 2025. Although Kelp expressed adoption at the time, no actual modifications were made; subsequently, Aave did not continue to follow up on risk control, ultimately reaping what it sowed.
Brief summary: Kelp bears primary responsibility, LayerZero bears secondary responsibility, and Aave bears indirect risk control responsibility.
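To make the 1/1 point concrete, the following added example (not LayerZero's or Kelp DAO's code; the DVN names, hashes and config shape are constructed for illustration) models a verifier quorum and shows that with a single required DVN, one poisoned attestation is enough to release a forged message, whereas a configuration with more independent verifiers rejects it.

```python
"""Simplified model of DVN-style message verification (constructed example).
A message is released only if every required DVN, plus a threshold of the
optional DVNs, attests to the same payload hash."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DvnConfig:
    required: frozenset                  # every one of these must attest
    optional: frozenset = frozenset()
    optional_threshold: int = 0          # how many optional DVNs must also attest

    def __post_init__(self):
        # Reject configs that would accept a message nobody verified.
        if not self.required and self.optional_threshold < 1:
            raise ValueError("config would accept messages with no attestation")
        if self.optional_threshold > len(self.optional):
            raise ValueError("optional threshold exceeds optional DVN count")


def is_verified(config: DvnConfig, payload_hash: str, attestations: dict) -> bool:
    """attestations maps DVN name -> payload hash that DVN attested to.
    Only attestations to exactly this payload hash count toward the quorum."""
    agreeing = {dvn for dvn, h in attestations.items() if h == payload_hash}
    if not config.required <= agreeing:
        return False
    return len(agreeing & config.optional) >= config.optional_threshold


def verifiers_to_compromise(config: DvnConfig) -> int:
    """Minimum number of DVNs an attacker must control to pass a forged hash."""
    return len(config.required) + config.optional_threshold


# Constructed scenario: the source chain was never touched, so honest DVNs see
# REAL_HASH; the DVN whose RPC feed was poisoned attests to FORGED_HASH.
REAL_HASH = "0x" + "11" * 32
FORGED_HASH = "0x" + "ee" * 32


def simulate(config: DvnConfig, compromised: set) -> bool:
    """True if a forged message would be released under `config`."""
    all_dvns = config.required | config.optional
    attestations = {d: (FORGED_HASH if d in compromised else REAL_HASH) for d in all_dvns}
    return is_verified(config, FORGED_HASH, attestations)


ONE_OF_ONE = DvnConfig(required=frozenset({"dvn_a"}))
TWO_REQUIRED_PLUS_ONE = DvnConfig(required=frozenset({"dvn_a", "dvn_b"}),
                                  optional=frozenset({"dvn_c", "dvn_d"}),
                                  optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in [("1/1", ONE_OF_ONE), ("2 required + 1 of 2", TWO_REQUIRED_PLUS_ONE)]:
        print(f"{name}: forged message released with only dvn_a poisoned? "
              f"{simulate(cfg, {'dvn_a'})}; verifiers needed to forge: {verifiers_to_compromise(cfg)}")
```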
II. Embarrassing reality: the responsible party cannot afford to compensate, while the wealthy party does not want to compensate
The theoretical responsibility is clear, but the actual situation is extremely tricky.
As the primary responsible party, Kelp DAO has limited financial resources and is simply unable to cover the huge deficit of $290 million;
Whether it is to have all rsETH holders collectively take a haircut or to have L2 users bear the losses, both paths lead to a dead end for the project;
LayerZero and Aave are the ones with real solvency, but both have publicly claimed that their protocols are flawless, clearly indicating their unwillingness to easily take on the responsibility.
Thus, a typical deadlock was formed:
Kelp DAO has been nearly paralyzed and is unable to lead the compensation process;
Due to its reputation crisis, LayerZero has had its access suspended by multiple institutions such as BitGo, Tron, Ethena, and Curve, putting its cross-chain business share in jeopardy;
Aave is facing a huge potential bad debt and continuous loss of TVL, but it is still trying to avoid a full guarantee.
However, this tug-of-war is difficult to sustain for a long time. LayerZero cannot abandon the OFT cross-chain ecosystem, and Aave cannot bear the continuous outflow of funds and chain bank runs. Both parties have strong motivations to resolve the incident as soon as possible.
III. The key to the three-party game: Aave's statement has exposed its true position
In its latest statement, Aave emphasized that "there are still sufficient assets backing rsETH on the Ethereum mainnet." The stance behind this statement is worth pondering. rsETH is a liquid restaking token (LRT) issued by Kelp DAO. Its underlying asset path is: ETH → Lido → EigenLayer → Kelp DAO → rsETH. Mainnet rsETH is the original token, while L2 rsETH is a mapped asset bridged through LayerZero: for every L2 rsETH issued, the corresponding token on mainnet is locked and held in custody. This attack was not a case of "minting out of thin air"; rather, the attacker forged cross-chain messages to trick the contract into releasing 116,500 rsETH that were originally locked on mainnet, then pledged these real rsETH to Aave to borrow WETH and complete the cash-out. Aave's claim of "sufficient backing of mainnet rsETH" therefore carries a very clear subtext:
The mainnet assets are real, and Kelp DAO should allow Aave to redeem the corresponding underlying ETH;
As for the L2 version of rsETH that has lost the backing of mainnet assets, Aave tends to no longer provide coverage.
Although this will result in approximately $359 million in bad debts in its L2 lending pool, Aave has evidently chosen to "sacrifice the lesser to preserve the greater," prioritizing the preservation of its core mainnet business. However, this path is difficult for LayerZero to accept. Once the L2 mapping tokens are directly reset to zero, LayerZero's cross-chain reputation will suffer a devastating blow, and the entire OFT ecosystem will be shaken.
IV. Industry analysis: Three solutions, each with fatal flaws
Industry insiders have conducted multiple rounds of discussions on the compensation path. DefiLlama founder 0xngmi summarized three possibilities, but all of them have obvious flaws:
All rsETH holders collectively take a haircut of approximately 18.5%, with losses borne proportionally by all token holders. Kelp DAO is held responsible, and Aave absorbs approximately $216 million in mainnet bad debts. Disadvantage: it undermines the confidence of token holders, putting the entire LRT ecosystem under pressure.
Abandon the L2 mapped version of rsETH and preserve the mainnet asset. Aave can maintain its mainnet business, but the L2 ecosystem collapses outright, and the reputations of Kelp and LayerZero are ruined. Disadvantage: it greatly damages the cross-chain ecosystem.
Compensate in full based on a snapshot taken before the attack, with subsequent holders bearing the loss. Real users holding before the attack are made whole, while users who bought or received transfers after the attack bear the risk themselves. Disadvantage: funds have already flowed extensively, making tracing and enforcement nearly impossible.
Yishi, the founder of OneKey, proposed a more realistic approach:
Prioritize negotiating with hackers, offering a 10%–15% bounty, to recover most of the funds with minimal cost and impact;
If the negotiation fails, the LayerZero Ecological Fund will bear the majority of the compensation to preserve the OFT ecosystem;
Kelp DAO has the weakest financial resources, but it can be compensated through tokens and future income, or even be acquired entirely by LayerZero or Bitmine;
Aave relies on Umbrella and stkAAVE as the final safety net, but it must not allow WETH depositors to bear any haircut; otherwise it will trigger a full repricing across Morpho, Spark, Fluid, Euler, and other products, leading to a comprehensive blacklisting of the LRT track and setting the entire DeFi industry back by at least three years.
V. Prediction of the outcome: The matter cannot be delayed, and ultimately someone must pay the bill
With hundreds of millions of dollars at stake, all parties will inevitably engage in fierce bargaining and repeated tugs-of-war, with no one willing to become the biggest "sucker". However, the matter cannot be delayed for long:
LayerZero has been suspended from access by a large number of partners, and the longer the delay, the more severe the loss in the ecosystem;
The utilization rate of multiple Aave fund pools is approaching 100%, and depositors have been "trapped";
If the price of ETH falls sharply, clearing failures will lead to more bad debts, and the risk will snowball out of control, potentially shaking the entire DeFi foundation.
It can be foreseen that under the pressure of reputation, ecosystem, and survival, LayerZero and Aave will ultimately have to jointly bear most of the losses, while Kelp DAO will compensate with project assets and future earnings. The possibility of completely shifting the blame and escaping unscathed is almost non-existent.