Cardano founder Charles Hoskinson used a recent livestream to cast the April 18 KelpDAO exploit — roughly $292 million lost — not as just another bridge hack but as a wake-up call about structural fragility in modern Ethereum DeFi. In his view, the incident exposed how restaking, cross-chain messaging, and layered lending infrastructure can turn a single compromise into system-wide contagion.
What happened
Hoskinson walked viewers through the attack using a website he created with AI from internal incident-report material. According to his reconstruction, about 116,500 rsETH was drained from KelpDAO’s Ethereum escrow. Crucially, he argued the failure wasn’t a buggy KelpDAO contract or a simple accounting flaw at LayerZero; instead it stemmed from a forged cross-chain message that was accepted as legitimate and triggered fund releases on Ethereum.
A single verifier as a single point of failure
Hoskinson zeroed in on the verifier configuration. KelpDAO reportedly relied on a one-of-one verifier (a single active DVN), which he described as an unacceptable single point of failure in an ecosystem already layered with staking wrappers, restaking protocols, bridges and lending venues. He recommended multi-verifier designs (for example, three-of-five) as safer practice, arguing the breach was “in the verification logic, not the application logic.” By his account, KelpDAO’s contracts were sound and audited — it was the bridge and verification setup that failed.
Conflicting postmortems
The industry still lacks a unified root-cause narrative. Hoskinson summarized three different analyses — from LayerZero, from KelpDAO, and from threads tied to LlamaRisk and Aave governance — that do not fully agree on whether the break occurred in the messaging layer, verifier setup, KelpDAO’s acceptance logic, or in the seams between them. That ambiguity, he said, leaves unresolved questions about responsibility and trust assumptions for cross-chain infrastructure.
From theft to contagion
What made the incident especially dangerous, Hoskinson emphasized, was what the attacker did with the stolen rsETH. Rather than immediately selling on DEXs, the attacker reportedly used the funds as collateral in lending markets to borrow liquid assets. That behavior turned a $292 million theft into a balance-sheet problem for other protocols and created “poisoned collateral” that spread risk across the system. Hoskinson called this the novel aspect: “It wasn’t just a bridge hack. It spread to lending which then created bad debt contagion inside these lending protocols. It created a bank run and we saw $13 billion of TVL pulled in a very short period of time for a $292 million hack.”
Scope and impact
Citing public reporting referenced in his walkthrough, Hoskinson said at least nine protocols were directly affected. He noted Aave faced the largest impact, with estimated losses in the range of $6.6 billion to $8.45 billion, and pointed to extreme rsETH volatility — roughly $1,600 to $2,500 within 24 hours after the breach.
Attribution remains uncertain
Hoskinson also raised the possibility of links to the Lazarus Group, but he acknowledged that attribution is unconfirmed and that no independent forensics firm had definitively proven such ties.
Market note
At press time Cardano (ADA) traded at $0.2504.
Why it matters
Beyond the headline dollar amount, Hoskinson’s argument reframes the KelpDAO exploit as a systems-design problem: fragile verifiers, ambiguous trust assumptions across messaging layers, and liquidity routing through lending markets can magnify a single exploit into a much larger crisis. The episode underscores the need for clearer standards around cross-chain verification, multi-party attestations, and the risk modeling of wrapped and restaked assets used as collateral.
Read more AI-generated news on: undefined/news
