The KelpDAO $292M crypto hack: What IT execs must know
Decentralized finance faces escalating risks as attacks on platforms like KelpDAO reveal vulnerabilities in cross-chain bridges, causing billion-dollar losses.
Executive Summary
- The KelpDAO exploit highlights the dangers of single points of trust in interconnected systems.
- Aave's failure to validate collateral sources underscores the need for multi-source validation and anomaly detection in enterprise systems to prevent exploitation.
- The velocity of DeFi liquidity crises demonstrates the importance of pre-approved freeze mechanisms, real-time monitoring and swift incident response plans to maintain stakeholder confidence.
Decentralized finance, or DeFi, refers to financial services built on blockchain networks that operate without banks or traditional intermediaries. By April 2026, total value locked across DeFi protocols stood at nearly $100 billion, with platforms such as Aave functioning as a major lending market.
The attack surface that comes with that scale now reaches enterprises indirectly through payment processors, treasury partners and vendors with ties to blockchain infrastructure. In early 2026, at least 12 cryptocurrency-related platforms were attacked, including DeFi platforms, resulting in losses estimated at $606.2 million, according to Yahoo Finance and data from DeFiLlama.
In the largest incident, the KelpDAO exploit drained $292 million from the liquid restaking protocol. LayerZero's incident statement attributed the attack to TraderTraitor, a subgroup of North Korea's Lazarus Group. That attack also triggered a liquidity crisis that pulled $8.45 billion from Aave and more than $13 billion from DeFi overall within 48 hours, according to CoinDesk.
For IT leaders, the attack is another reminder that attackers will look for the weakest link to exploit users and steal their money.
What happened: Incident breakdown
KelpDAO is a liquid restaking protocol where users deposit Ether cryptocurrency, earn yield and receive a receipt token called rsETH in return.
Attack vector
KelpDAO moved rsETH between networks using a bridge built on LayerZero's messaging infrastructure. That bridge used a single verifier to confirm that cross-chain transfer instructions were legitimate. On April 18, an attacker compromised two RPC nodes, the servers that relay blockchain data to the verifier, feeding them forged data while reporting accurately to every other monitoring system. A simultaneous DDoS attack forced the verifier to fail over to the poisoned nodes.
Amount stolen
The verifier approved a fraudulent instruction, and the bridge released 116,500 rsETH, roughly 18% of the circulating supply and approximately $292 million in value, to an attacker-controlled address. A staging wallet funded through Tornado Cash ten hours before the attack was the first indicator of what was to come.
The blame dispute
LayerZero has since blamed KelpDAO's single-verifier configuration. KelpDAO countered, stating that LayerZero's default setup uses the same configuration, and that roughly 40% of protocols on LayerZero use the same single-verifier setup.
The cascade: from hack to bank run
The attacker deposited 89,567 rsETH into Aave as collateral and borrowed $190.86 million in wrapped Ether against it. Aave's pricing oracle, an automated feed that checks market value but not the origin of deposited assets, was still valuing rsETH at its pre-exploit rate. By the time Aave froze rsETH markets, $190 million in real ether had been lost.
Over 48 hours, Aave lost $8.45 billion in deposits, bringing its total to $17.9 billion. Across DeFi, more than $13 billion was withdrawn, mostly from pools with no rsETH exposure.
Why this matters for IT executives
The mechanics of this attack are specific to DeFi. The failure patterns are not. Four structural weaknesses in this incident have direct parallels across enterprise infrastructure.
Third-party risk management in interconnected systems
KelpDAO's bridge held reserves backing rsETH across more than 20 downstream networks. One compromised integration point simultaneously impaired every system that had accepted rsETH as collateral. The enterprise parallel is direct -- API gateways, shared services layers and middleware that underpin multiple business units carry the same concentration risk.
"Organizations routinely build critical workflows around single points of trust, a single approval authority for privileged access," said Bradley Smith, senior vice president and deputy CISO at BeyondTrust. "When attackers compromise that one point, the system does exactly what it was designed to do, just for the wrong party."
Automated systems processing unvalidated inputs
Aave's system lacked a mechanism to verify the source of deposited collateral. That gap has a direct parallel in traditional finance.
"Source of funds validation has been a cornerstone of financial regulation since 1970," said Michael Sweeney, director of preemptive cyber defense at Silent Push. "The principle hasn't changed. Before you take money from someone, verify where it came from. Aave doesn't do any of that. Its only gatekeeper was an oracle that checks price, not provenance."
Shane Barney, CISO at Keeper Security, identifies the same root problem in enterprise terms. "Automated systems that validate who is asking but not what they are actually authorizing are common," Barney said. "And the ones connected to high-value assets are the ones that hurt you when they get it wrong."
The velocity of a digital bank run
In 48 hours, Aave lost $8.45 billion. That speed reflects a pattern familiar to anyone who has managed a crisis. When confidence breaks, people act before the facts are clear.
"The speed reflects decision-making under uncertainty," said Jordan Schoenherr, scientist at Humanix. "If we know the cost of leaving but are uncertain about the cost of staying, people will leave. If many people are doing the same mental math, and seeing others do so, this will create a cascade."
Cross-chain bridge vulnerability and architectural complexity
A single verification point stood between an attacker and $292 million. That is not a crypto problem. It is an architectural one, and it appears in enterprise environments wherever a single compromised relationship can unlock downstream systems.
"No upstream input in sensitive or high-value systems will survive implicit trust patterns against these threats," Smith said. "Organizations need to enforce explicit trust validation per transaction for the complete transaction flow."
Actionable recommendations for IT executives
Blockchain security for enterprises is still an emerging discipline, and the KelpDAO incident is another case study for what insufficient controls look like at scale. While the KelpDAO incident is specific to DeFi, for enterprise IT leaders, the more useful exercise is turning its failure modes into an internal checklist before a similar incident forces the issue.
Immediate actions
- Audit third-party integrations. Map every external dependency in critical financial and data systems, identify single points of failure in your integration architecture and review the security posture of API gateways and middleware. Smith puts the question directly. "Enterprise security teams should be auditing their own environments for the same structural weakness -- where does a single compromised trust relationship give an attacker the keys?"
- Stress-test data feed systems. Implement multi-source validation and build circuit breakers that halt processing when anomalies are detected. Sweeney suggests that IT leaders ask a simple question -- "Does your vendor's risk framework evaluate upstream infrastructure, or just the data that reaches their system?"
- Review incident response plans for speed. Response plans built around 24-hour triage windows assume stakeholders will wait. They will not. Establish pre-approved freeze mechanisms for compromised assets before you need them. Smith is direct about what the baseline looks like now. "Pre-drafted communications, pre-authorized containment decisions and the ability to execute both within the first hour are the baseline now," he said.
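The single-verifier failover described under "Attack vector" and the multi-source validation with circuit breakers recommended above can be put side by side in code. The following is an added illustration, not code from KelpDAO, LayerZero or Aave: a verifier that accepts a cross-chain instruction only when a quorum of independent sources report the same contents, and that halts all further processing the moment any two sources disagree. Source names, message fields and the sample messages are constructed.

```python
"""Quorum verification with a circuit breaker (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A source is any independent view of chain state (an RPC node, an indexer,
# a second verifier). It returns the message it observed for an id, or None.
Source = Callable[[str], Optional[dict]]


@dataclass
class QuorumVerifier:
    sources: Dict[str, Source]
    quorum: int                       # independent agreeing sources required
    breaker_open: bool = False        # set once an anomaly has been seen
    anomalies: List[dict] = field(default_factory=list)

    def verify(self, msg_id: str) -> Optional[dict]:
        """Return the agreed message, or None if it must not be processed."""
        if self.breaker_open:
            return None               # halted until a human resets the breaker
        views: Dict[tuple, List[str]] = {}
        for name, src in self.sources.items():
            seen = src(msg_id)
            if seen is None:
                continue              # an unavailable source casts no vote
            views.setdefault(tuple(sorted(seen.items())), []).append(name)
        if len(views) > 1:
            # Disagreement is the anomaly a single verifier with failover
            # never sees: trip the breaker even if a quorum still exists.
            self.breaker_open = True
            self.anomalies.append({"msg_id": msg_id, "views": views})
            return None
        if not views:
            return None
        contents, voters = next(iter(views.items()))
        if len(voters) < self.quorum:
            return None               # fail closed on insufficient confirmation
        return dict(contents)


def demo() -> dict:
    """Constructed scenario: two honest sources and one poisoned node."""
    honest = {"to": "0xBRIDGE_PLACEHOLDER", "amount": 10}
    forged = {"to": "0xUNKNOWN_PLACEHOLDER", "amount": 116500}
    verifier = QuorumVerifier(
        {"rpc-a": lambda m: honest, "rpc-b": lambda m: honest,
         "rpc-c": lambda m: forged},  # compromised node reporting forged data
        quorum=2,
    )
    first = verifier.verify("msg-1")     # disagreement: rejected, breaker trips
    second = verifier.verify("msg-2")    # breaker open: halted outright
    return {"first": first, "second": second, "halted": verifier.breaker_open}
```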
Medium-term initiatives (30-90 days)
- Implement enhanced monitoring. Deploy real-time anomaly detection across all integration points and set automated alerts for unusual transaction patterns. For any cross-platform or blockchain infrastructure, require independent security audits before deployment and set clear security standards that third-party integrations must meet. Avoid over-concentration on a single platform or provider.
- Strengthen cross-platform security governance. Risk is not limited to a single platform or technology. For organizations with crypto or blockchain exposure, Smith's guidance is clear:
  - Private key management and smart contract deployment authority should live inside your enterprise PAM/IdAM framework.
  - Enforce least privilege and per-transaction validation.
"Most organizations treat crypto and blockchain tooling as a separate technology domain with its own access controls and key management, disconnected from enterprise privileged access governance. That separation creates the trust gaps attackers exploit," Smith said.
Strategic considerations (90+ days)
- Map supply chain exposure. Even organizations with no direct crypto holdings may have payment processors, treasury partners or vendors with blockchain exposure.
"If a counterparty in your financial supply chain touches crypto infrastructure, their exposure is yours," Smith said. "Discover it before an attacker discovers it for you."
- Evaluate crypto and blockchain infrastructure plans. If your organization is evaluating crypto payments, tokenization or blockchain infrastructure, use this incident as a case study. Assess whether your security team has the expertise to evaluate digital asset security risks, DeFi protocols and smart contract risks and whether the operational complexity aligns with your risk tolerance.
- Run a tabletop exercise. A tabletop exercise is how organizations discover how a plan might work, or not. "Identify key decision points where actions can be taken, and those that are likely out of your control," Schoenherr said. "Focus on resiliency, not just prevention."
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.