DeFi plays the blame game

For all its talk of decentralized, autonomous, permissionless finance, the DeFi sector’s response to Saturday’s $290 million Kelp DAO hack tells a different story.

The firms involved are playing a messy, very human blame game over responsibility for the $14 billion fallout.

While the projects shirk responsibility, users have funds stuck in what had been considered the safe, reassuringly boring side of DeFi, and are potentially facing haircuts to cover bad debt.

Meanwhile, amid the uncertainty, the industry as a whole bleeds credibility.

Influential voices are urging the three key parties involved to get together and come up with a path forward. But, so far, it seems the firms are determined to play hardball.

LayerZero blames Kelp DAO’s choice of validator setup, while Kelp DAO says it followed LayerZero’s defaults. Aave stays out of it, hoping to get back to business as usual while avoiding its own role in driving rsETH’s deep integration.

Let’s take a look at the case against each of the projects involved.

Kelp DAO

Kicking off with Kelp DAO, whose rsETH token was hacked on Saturday, there’s not an awful lot to go on.

The firm kept quiet for 48 hours after its initial acknowledgement of Saturday’s hack. 

Users waiting to hear how losses might be distributed were finally presented with a brief statement that provided no new information.

It merely confirmed the mechanics of the exploit, highlighted that Kelp DAO’s 1/1 DVN configuration is “the default for any new OFT deployment,” and congratulated itself on blocking a further $95 million hack attempt.

It even came off as rather tame, given the potential attack on LayerZero that had been teased the previous day.

As for loss distribution, the firm says it’s “concurrently assessing the potential next steps.”

In praising Arbitrum’s decision to seize stolen ether (ETH), it didn’t give much more away, saying it’s “pursuing all available avenues to… mitigate the impact of the incident across the Defi ecosystem.”

We’ll keep waiting, then.

LayerZero

LayerZero has faced plenty of criticism, not just from Kelp DAO, that its architecture passes off the burden of security onto individual project teams, or “empowers each application and asset issuer to define their own security posture,” as LayerZero puts it.

While the firm claims it recommends that individual asset issuers choose a secure setup, analysis from Dune suggests that almost half of over 2,500 OApp bridging contracts use a 1/1 DVN configuration.

One example, highlighted by blockchain security expert Taylor Monahan, explicitly states “use the LZ defaults” in its code comments.

Indeed, in the wake of Saturday’s incident, many well-known crypto and DeFi projects paused bridging of their assets through LayerZero, including Ethena, EtherFi, WBTC, Tron and Curve.

Another point of contention is the lack of disclosure of the specific attack vector that granted access to its infrastructure, leading to manipulation of the DVN, which is operated by LayerZero itself.

Aave

Despite being furthest from the actual theft, DeFi’s former number-one protocol (now knocked off the top spot due to recent outflows) created the conditions for such widespread damage.

Its use of rsETH as collateral in e-mode targeted total value locked by allowing highly leveraged looping of ETH-correlated liquid (re)staking tokens, one of Aave’s key uses.

The risk assessments for these setups focused on “market and liquidity risk”, with bridging configurations deemed “a structural feature of composability rather than a scope question.”

Bridged rsETH had the same parameters as on mainnet, discounting any cross-chain risk entirely.

It appears likely that rsETH was specifically targeted for its deep liquidity, a feat achieved thanks to these decisions.

Aave appeared untouchable just a few months ago, but recent turmoil, hindsight on past hubris, and contributors lashing out at competitors paint a different picture altogether.

Arbitrum’s silver lining

Earlier today, Arbitrum’s security council pulled off a rescue of over 30,000 ETH ($71 million) of the hacker’s proceeds in the nick of time.

Shortly after, laundering of funds began on Ethereum. On-chain analysts confirmed DPRK involvement, spotting links to other TraderTraitor-related hacks, BTC Turk and ByBit.

While some of DeFi’s decentralization zealots may have an issue with the move, having the ability to seize illicit funds and not doing so would be the worst of both worlds, argued Curve Finance’s Michael Egorov.

Such a move is not without precedent, after all. In 2023, proceeds from the preceding year’s Wormhole hack were recovered with the help of Oasis, and in 2024, Blast seized $97 million from a rogue developer.

Yearn’s banteg also hopes that Arbitrum will have now scared off future attempts by Lazarus. 

Important questions remain over the potential for similar actions in the future, centering on the need for a court order or a defined threshold above which to step in.

More pressingly, though, the question of how to redistribute the seized funds also remains to be answered.
