WikiBit 2026-04-21 02:13
Kelp DAO has publicly disputed a report characterizing the rsETH bridge incident as an exploit, arguing that LayerZero default settings, not a deliberate attack, were responsible for a reported $290 million loss. The dispute reframes the April 18 incident from external exploitation to infrastructure configuration failure.
What the rsETH bridge attack report claimed
What was reportedly lost
A security assessment published by CredShields described the rsETH bridge incident as an exploit involving Kelp DAO's cross-chain bridge infrastructure, citing approximately $290 million in losses. The report used language consistent with a deliberate external attack.
Why the incident was described as a bridge attack
The CredShields report framed the event using exploit terminology, implying a threat actor identified and leveraged a vulnerability in the bridge mechanism. This characterization positioned the incident alongside other high-profile DeFi bridge hacks rather than treating it as an operational failure.
However, the wording in the headline itself signals a disputed characterization. Kelp DAO's response, documented in an Aave governance thread, challenges the exploit-first interpretation directly.
Why Kelp DAO disputes the attack narrative
Kelp DAO's central rebuttal
Kelp DAO's counter-position, presented in the Aave governance discussion, rejects the attack label entirely. The protocol maintains that the loss resulted from how LayerZero's cross-chain messaging defaults were configured, not from an adversary discovering a novel exploit path.
This is not a minor semantic distinction. Classifying an incident as an attack implies security negligence in defending against external threats. Classifying it as a configuration failure shifts responsibility toward infrastructure defaults and integration choices.
Which parts of the report are being contested
Kelp DAO contests both the causation mechanism and the implied narrative. The protocol does not dispute that losses occurred, but it disputes the CredShields characterization of how and why those losses happened.
The conflict is specific: the CredShields report assigns causation to an exploit vector, while Kelp DAO's governance rebuttal assigns causation to LayerZero default parameters that were insufficient for the value being secured.
How LayerZero default settings became the focal point
The role of default settings in Kelp DAO's version of events
According to Kelp DAO's account in the governance thread, LayerZero's default settings for cross-chain message verification lacked the security guarantees necessary for high-value bridged assets. The protocol argues these factory defaults created the conditions for the loss without requiring a sophisticated exploit.
Default settings in cross-chain messaging determine how transactions are validated across networks. If left unchanged, they may apply the same verification threshold to a $100 transfer and a $100 million transfer, creating risk proportional to value without proportional security.
Why a configuration issue differs from an attack claim
If Kelp DAO's framing holds, the incident becomes a shared-responsibility question between protocols that build on cross-chain infrastructure and the messaging layers they depend on. This is fundamentally different from a scenario where an external attacker found a zero-day vulnerability.
A separate report noting LayerZero's acknowledgment of the Lazarus Group as a likely actor in related cross-chain incidents adds complexity. The existence of state-level threat actors targeting bridge infrastructure does not automatically validate either the exploit or configuration framing for this specific incident.
What the $290 million loss means for rsETH and DeFi risk
Why the $290 million figure matters
The reported loss places this among the largest DeFi incidents in 2026. For rsETH holders and protocols with rsETH exposure, the root-cause determination directly affects recovery expectations, insurance claims, and trust in the asset going forward.
The Aave governance discussion reflects how downstream protocols are reassessing exposure to liquid restaking tokens. When a bridge incident of this scale occurs, counterparties must evaluate whether the underlying asset's infrastructure meets their risk standards, a concern similar to those raised when institutions hold significant ETH positions across complex custody arrangements.
Questions rsETH holders and counterparties will ask next
The classification dispute has practical consequences. If the incident is ruled a configuration failure, responsibility may fall partly on LayerZero for inadequate defaults and partly on Kelp DAO for not overriding them. If ruled an exploit, Kelp DAO faces sharper scrutiny over bridge security design.
Projects building cross-chain functionality, including those pursuing fresh funding for infrastructure development, will face harder questions about their messaging layer configurations. The incident highlights a gap in DeFi security standards: no industry-wide requirement currently mandates that protocols override default bridge settings before going live with user funds.
For protocols concerned with responsible governance and transparency, the dispute underscores that incident classification is not merely academic. It determines who pays, who rebuilds trust, and what changes in how cross-chain infrastructure is deployed.
FAQ about the Kelp DAO and rsETH incident
Did Kelp DAO confirm an rsETH bridge attack?
No. Kelp DAO explicitly disputes the “attack” characterization in the Aave governance thread, arguing the loss resulted from LayerZero default configuration settings rather than a deliberate exploit by an external attacker.
What did Kelp DAO blame for the $290 million loss?
Kelp DAO pointed to LayerZero's default settings for cross-chain message verification, claiming these defaults were inadequate for securing the value transiting the bridge.
Why are LayerZero default settings central to the dispute?
Default settings determine how cross-chain messages are validated. Kelp DAO argues that unchanged defaults created a security gap that led to the loss, making it a configuration responsibility issue rather than a novel exploit.
Is this being framed as a hack or a configuration issue?
Both framings exist in the public record. The CredShields report uses exploit language, while Kelp DAO's governance rebuttal attributes the loss to default settings. The classification remains disputed as of April 2026.