KelpDAO Cascading Risks and Emergency Disposition Rights During a Crisis

Key Points: KelpDAO’s $290 million bridge vulnerability triggered a chain reaction, freezing over $6.7 billion worth of WETH liquidity across five chains, affecting users who had never interacted with rsETH. The incident also revealed the practical boundaries of “permissionless” systems: the Arbitrum Security Council, through governance, authorized an atomic contract upgrade that enforced a forced state transition, transferring 30,766 ETH without holder signatures.

On April 18, 2026, KelpDAO’s rsETH cross-chain bridge was attacked, resulting in a loss of approximately $290 million, making it the largest DeFi security incident of the year. Initial attribution points to Lazarus Group, a state-level attack organization with documented long-term targeting of crypto infrastructure [1]. The attack did not exploit a smart contract bug but instead poisoned the RPC infrastructure relied upon by a single decentralized verification network (DVN) node, forging cross-chain messages and releasing rsETH tokens on the source chain without corresponding burns.

LayerZero [1] and KelpDAO [2] have published detailed accounts of the attack itself. This article takes a different angle. Rather than recounting the attack, it examines what happened afterward: how a single point of infrastructure dependency caused a cascade that froze billions of dollars of liquidity across five chains, and how that cascade forced a decentralized governance framework to exercise centralized emergency powers in public view.

The causal chain of the KelpDAO incident spans three layers of the “decentralized” tech stack: reliance on a single point DVN enabled the attack; DeFi composability (the “DeFi Lego” characteristic of protocols interlocking like building blocks) then transformed this bridge vulnerability into a systemic liquidity crisis; and the scale of the crisis in turn exposed the embedded centralized emergency powers within governance frameworks.

Background: Summary of the KelpDAO Attack

KelpDAO is the issuer of rsETH. rsETH is a liquidity re-staking token (LRT) representing ETH staked positions across multiple operators. To enable cross-chain circulation of rsETH, KelpDAO integrated LayerZero’s messaging protocol, which relies on a DVN (decentralized verification network) to confirm the legitimacy of cross-chain messages before execution on the target chain.

Key configuration choice: KelpDAO’s rsETH OApp used a 1-of-1 DVN setup, relying solely on the DVN operated by LayerZero Labs as the sole verifier. This means the entire cross-chain security of rsETH depends on a single verification entity. LayerZero’s documentation explicitly recommends using a redundant multi-DVN setup, and LayerZero had communicated this best practice to KelpDAO before the incident [1]. KelpDAO responded that the 1/1 configuration is “documented in LayerZero’s docs and deployed as the default configuration for any new OFT” and “was explicitly deemed suitable during L2 scaling phases” [2].

The attacker compromised two RPC nodes used by LayerZero Labs’ DVN, replacing their binaries with malicious versions. These nodes returned forged on-chain state data only to the DVN’s IP addresses and appeared normal to every other observer, including LayerZero’s own monitoring infrastructure. Meanwhile, a DDoS attack targeted the non-compromised RPC nodes, forcing a failover to the poisoned ones. The result: the DVN attested a source-chain message that never actually occurred, and without a corresponding burn on the source chain, 116,500 rsETH tokens were released on Ethereum via the adapter (0x85d4…8ef3) [1, 3]. The release transaction was 0x1ae232…db4222. The on-chain evidence is clear: Ethereum’s target endpoint accepted nonce 308, while the Unichain source endpoint’s max outbound nonce remained 307 [10].
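The two checks that the failure above calls for, written as an added example rather than LayerZero’s or KelpDAO’s code: a verifier that requires a quorum of independent RPC providers on the source chain’s outbound nonce and refuses any message whose destination nonce would run ahead of it. The RPC readings are constructed, and `verify_message` and its threshold are hypothetical.

```python
"""Quorum-checked verification of a cross-chain message's nonce.

Added example, not LayerZero's or KelpDAO's code. It shows the two checks a
verifier can make before attesting a message: agreement across independent
RPC providers on the source chain's outbound nonce, and a destination nonce
that never runs ahead of it. All RPC readings below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str
    source_outbound_nonce: Optional[int] = None


def quorum_value(readings: Dict[str, Optional[int]], threshold: int) -> Optional[int]:
    """Value that at least `threshold` providers report, else None.
    A None reading models a provider that timed out (e.g. under DDoS)."""
    votes = Counter(v for v in readings.values() if v is not None)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= threshold else None


def verify_message(dst_nonce: int, src_readings: Dict[str, Optional[int]],
                   threshold: int = 2) -> Verdict:
    """Decide whether a message carrying `dst_nonce` may be released on the
    destination chain. Hypothetical API: the source endpoint is assumed to
    expose a monotonic outbound nonce for the (sender, destination) path."""
    agreed = quorum_value(src_readings, threshold)
    if agreed is None:
        # Fail closed rather than fall back to whichever provider still
        # answers; a silent failover is what let the poisoned nodes win.
        return Verdict(False, "no quorum on source-chain state")
    if dst_nonce > agreed:
        return Verdict(False, f"destination nonce {dst_nonce} exceeds "
                              f"source outbound nonce {agreed}", agreed)
    return Verdict(True, "nonce within source-chain bound", agreed)


# Constructed readings modelled on the incident: a poisoned provider reports
# an outbound nonce of 308 while honest providers still see 307.
MIXED = {"rpc-a": 308, "rpc-b": 307, "rpc-c": 307}
DDOS_FAILOVER = {"rpc-a": 308, "rpc-b": None, "rpc-c": None}
SINGLE_POISONED = {"rpc-a": 308}   # what a verifier trusting one source sees

if __name__ == "__main__":
    print(verify_message(308, MIXED))
    print(verify_message(308, DDOS_FAILOVER))
    print(verify_message(308, SINGLE_POISONED, threshold=1))  # passes: no redundancy
    print(verify_message(307, MIXED))
```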

KelpDAO detected anomalies within 46 minutes and paused all related contracts. This prevented further attacks involving an additional 40,000 rsETH (~$95M) [2]. But by then, the attacker had moved to the next phase: converting the stolen rsETH into lending assets via DeFi protocols.

From Forged Tokens to Lending Assets

The attacker did not directly sell the stolen rsETH. The 116,500 tokens were dispersed into seven wallets, then liquidated through various channels, including direct swaps for ETH via aggregators, deposits into Compound V3, and bridging to Arbitrum [10]. But the most impactful route was through Aave: the attacker deposited 89,567 rsETH (~$221 million) into two Aave markets, Ethereum Core and Arbitrum. Using Aave’s E-Mode (a feature allowing higher loan-to-value ratios for related assets), the attacker borrowed 82,620 WETH and 821 wstETH against the rsETH collateral [3].

These positions were leveraged to the limit. The health factors of the attacker’s seven addresses ranged narrowly from 1.01 to 1.03, just above liquidation thresholds [3]. This was possible because Aave’s E-Mode set an LTV of 93% for rsETH, with a liquidation threshold of 95%, leaving only a 2% safety buffer.

Details of the attacker’s positions across the two markets are summarized below:

Table 1: Attacker’s rsETH collateral and WETH/wstETH borrowings on Aave’s two markets

Data source: On-chain data aggregation from Etherscan, Arbiscan, and DeBank, as of 2026-04-22 16:51 UTC. USD values reflect token prices at the time of each transaction.

Cascade Effect: How a Bridge Vulnerability Froze WETH on Five Chains

The diagram below outlines the full cascade across chains. Steps 1 and 2 (bridge vulnerability and Aave collateral deposits) are described above. This section analyzes steps 3 to 5: why WETH had to be frozen, which parameters shaped the severity of the cascade, and what the actual costs of freezing were.

Figure 1: Cascade from bridge vulnerability to WETH freezing on five chains

Why WETH Had to Be Frozen

On April 19, Aave’s Protocol Guardian froze all rsETH and wrsETH markets on Aave V3 and V4, prohibiting new deposits and borrowings with rsETH as collateral [8]. This was the expected first response.

The unexpected second step occurred on April 20: Aave froze WETH reserves on Ethereum, Arbitrum, Base, Mantle, and Linea [3, 8].

Why freeze WETH, an asset untouched by the attack and unrelated to the cross-chain bridge? Because the attacker’s deposited rsETH was minted without any corresponding assets on the source chain. Aave’s price oracle continued to price these tokens at full market value, treating them as valid collateral indistinguishable from legitimate bridged rsETH. The attacker exploited this information asymmetry to borrow real WETH against collateral that nothing backed, effectively draining WETH from the lending pools. This pushed the utilization of the affected markets to 100%. At full utilization, existing WETH deposits could not be withdrawn, and liquidators could not access the underlying assets needed to execute liquidations. The core liquidation mechanism—Aave’s defense against bad debt—was effectively paralyzed [3].

If WETH borrowings remained open, remaining pools on other chains could also be drained via the same mechanism: deposit rsETH, borrow WETH, then exit. Freezing WETH was not optional but the only way to contain the damage.

Three Parameters Shaping the Cascade

The severity of this cascade was not accidental. Three protocol parameters determined the scale of direct damage and the extent of freeze propagation.

1. LTV: How much of a healthy asset can be extracted per unit of contaminated collateral

Aave’s E-Mode set an LTV of 93% for rsETH, meaning depositing $1 of contaminated rsETH could borrow $0.93 of WETH. By comparison, Spark Protocol’s rsETH LTV was 72%, Fluid about 75% [3]. Aave’s parameter was the most aggressive in the market.

This was a deliberate design choice, not oversight. In January 2026, Aave governance increased rsETH’s E-Mode LTV from 92.5% to 93%, narrowing the already thin safety margin from 2.5% to 2%. The base (non-E-Mode) LTV was set close to zero (0.05%), effectively forcing all meaningful rsETH borrowing to occur via the high-LTV E-Mode path [3].

2. Pool depth: How vulnerable each market’s liquidity pool is to extraction

The same amount borrowed impacts different pools differently depending on their depth.

Table 2: WETH reserves and attacker’s direct extraction ratio across Aave V3 markets on different chains

The attacker only deposited rsETH into Aave V3 markets. Aave V4 (deployed only on Ethereum, launched March 2026) also adopted preemptive rsETH freezing but is not reflected here. WETH reserve data from LlamaRisk [8]; attacker’s borrow data from the position details above.

The attacker focused on Ethereum Core and Arbitrum. But the key concern is what happened on chains the attacker never touched. Since rsETH was accepted as collateral on Mantle, Base, and Linea, any existing user positions there are at potential risk if the underlying bridge support is broken. Aave’s decision to preemptively freeze WETH on all five chains was a rational response: leaving these markets open would expose them to the same extraction mechanism already verified on Ethereum and Arbitrum [3, 8].

3. Cross-chain deployment count: How far freeze propagation spreads

rsETH was collateral in 11 of 23 Aave V3 markets, with 7 having substantial exposure. The attacker only operated on two chains, but the preemptive freeze of WETH affected at least five, including markets where the attacker never deposited a single token. LTV determines how much can be extracted per chain, while pool depth influences the impact on each market. Ultimately, the number of chains accepting rsETH as collateral determines the scope of freeze propagation.

These parameters are not static. Nine days before the attack, on April 9, Aave’s Risk Steward increased rsETH’s supply cap: Ethereum Core from 480,000 to 530,000, Mantle from 52,000 to 70,000 [3]. While this does not imply causality (the attacker’s preparation likely predates these adjustments), it highlights how routine parameter changes can inadvertently expand the potential impact of future events.
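The three parameters above, LTV, pool depth and the number of chains listing the collateral, as a small cascade model. This is an added example, not Aave’s or LlamaRisk’s code: it runs the “deposit contaminated collateral, borrow the maximum” step against constructed markets and reports per-market extraction, health factor, post-borrow utilization and which untouched markets carry the same exposure. Only the E-Mode LTV of 93% and liquidation threshold of 95% come from the article; all reserve, borrow and deposit figures and the conservative comparison’s liquidation threshold are assumptions.

```python
"""Cascade model for the three parameters: LTV, pool depth, chain count.

Added example, not Aave's or LlamaRisk's code. Reserve, borrow and deposit
figures are constructed round numbers in ETH terms (rsETH priced at par, as
the oracle did); only E-Mode LTV 93% / liquidation threshold 95% are cited.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Market:
    chain: str
    weth_reserve: float      # total WETH supplied to the pool
    weth_borrowed: float     # WETH already borrowed before the attack
    accepts_rseth: bool      # rsETH enabled as collateral on this chain


@dataclass
class Params:
    ltv: float               # max debt per unit of collateral value
    liq_threshold: float     # health factor = collateral * LT / debt

    def buffer(self) -> float:
        """Gap between max borrow and liquidation (2% in Aave E-Mode)."""
        return self.liq_threshold - self.ltv


def extraction(market: Market, p: Params, collateral: float) -> Dict:
    """Deposit rsETH the oracle prices at par but nothing backs, then borrow
    the maximum the pool can still supply; all of it is bad debt."""
    available = market.weth_reserve - market.weth_borrowed
    borrowed = min(collateral * p.ltv, available)
    hf = collateral * p.liq_threshold / borrowed if borrowed else float("inf")
    util_after = (market.weth_borrowed + borrowed) / market.weth_reserve
    return {
        "chain": market.chain,
        "borrowed": borrowed,
        "health_factor": round(hf, 4),
        "utilization_after": round(util_after, 4),
        # At 100% utilization no WETH is left for withdrawals or liquidators.
        "liquidatable": util_after < 1.0,
    }


def cascade(markets: List[Market], p: Params, deposits: Dict[str, float]) -> Dict:
    """Run the extraction on every market the attacker touches and list the
    untouched markets with the same exposure (the freeze candidates)."""
    direct = [extraction(m, p, deposits[m.chain]) for m in markets if m.chain in deposits]
    exposed = [m.chain for m in markets if m.accepts_rseth and m.chain not in deposits]
    return {"direct": direct,
            "total_extracted": sum(d["borrowed"] for d in direct),
            "exposed_untouched": exposed}


# Constructed: one deep and one shallow pool are hit, three more accept rsETH
# but see no attacker activity, one does not list rsETH at all.
MARKETS = [Market("Ethereum", 1_000_000, 850_000, True),
           Market("Arbitrum", 100_000, 85_000, True),
           Market("Base", 50_000, 40_000, True),
           Market("Mantle", 20_000, 15_000, True),
           Market("Linea", 10_000, 8_000, True),
           Market("Polygon", 300_000, 200_000, False)]
DEPOSITS = {"Ethereum": 90_000, "Arbitrum": 20_000}   # contaminated rsETH
AAVE_EMODE = Params(ltv=0.93, liq_threshold=0.95)
CONSERVATIVE = Params(ltv=0.72, liq_threshold=0.75)    # LT is assumed

if __name__ == "__main__":
    print(cascade(MARKETS, AAVE_EMODE, DEPOSITS), cascade(MARKETS, CONSERVATIVE, DEPOSITS))
```

The shallow pool illustrates the freeze rationale: the borrow is capped by what is left in the pool, utilization reaches 100%, and the position cannot be liquidated even though its health factor looks comfortable.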

Actual Impact of the Freeze

The result: a $290 million bridge vulnerability caused WETH liquidity to freeze on five chains, with combined affected reserves exceeding $6.7 billion.

The direct loss was limited to the attacker’s borrowed amount. But in DeFi lending, freeze events are far from minor operational disruptions. They lock user liquidity, prevent withdrawals, disrupt active positions, and weaken the protocol’s ability to liquidate bad debt. Most affected users had never interacted with rsETH, KelpDAO, or any cross-chain bridge. They are WETH depositors and borrowers on Aave, participating in what they reasonably believed to be straightforward lending markets.

WETH is the most fundamental liquidity asset in DeFi. Freezing it is akin to shutting down the largest bank’s withdrawal channels because another financial institution was scammed using a product most depositors had never heard of.

LlamaRisk’s incident report [3] modeled two bad debt scenarios, providing chain-by-chain shortfall forecasts, the most detailed risk propagation analysis to date. But even this analysis focuses on potential bad debt, not the broader operational costs of freezing—such as withdrawal locks, position disruptions, and weakened liquidation capacity across affected markets. A comprehensive quantification of the cascade’s overall impact remains an open question.

If the cascade is complex, recovery is equally complicated. Composability constrains repair as well as destruction. Aave cannot simply “unfreeze everything.” Each market must be evaluated independently, because its local rsETH exposure, WETH utilization, and attacker activity give it a different risk profile. The timeline illustrates this clearly:

  • April 19: Protocol Guardian froze all rsETH and wrsETH reserves on Aave V3 and V4 [3].
  • April 20: WETH was frozen on Ethereum, Arbitrum, Base, Mantle, and Linea [8].
  • April 21: WETH on Ethereum Core V3 was unfrozen, with LTV kept at zero as a precaution. WETH on Ethereum Prime, Arbitrum, Base, Mantle, and Linea remained frozen [8].

Four days after the attack, only one of the six affected markets had been unfrozen. The recovery process is as layered and cautious as the attack itself: protocol by protocol, chain by chain, each step requiring governance coordination and risk assessment.

Emergency Response: How Arbitrum Transferred 30,766 ETH Without Holder Signatures

While Aave managed the lending cascade, Arbitrum also took parallel emergency action. On April 21, the Arbitrum Security Council announced a swift measure: freezing 30,766 ETH held by the attacker on Arbitrum One [6]. These funds were moved to an intermediate freeze address (0x…0DA0), pending disposition via subsequent Arbitrum governance vote [7].

Governance Action

The Arbitrum Security Council is a formal part of the Arbitrum DAO governance structure, not an external or ad hoc body. This emergency action was publicly announced on the Arbitrum governance forum [7], executed after confirming the attacker’s identity, with full transaction details available for verification. The Security Council acted within its delegated authority, balancing “commitment to the security and integrity of the Arbitrum community while not impacting any Arbitrum users or applications” [6].

This was not a secret backroom decision but a governance-authorized, transparent operation with on-chain evidence.

Technical Mechanism

What makes this action notable is not the governance decision itself but how it was executed on-chain. Based on BlockSec’s Phalcon trace analysis, the Security Council employed an atomic three-step process:

  • The Upgrade Executor temporarily upgraded the Ethereum inbox contract (DelayedInbox), adding a new function called sendUnsignedTransactionOverride.
  • This function was used to create a cross-chain message impersonating the attacker’s address. The message was injected via Bridge.enqueueDelayedMessage, kind=3, corresponding to L1MessageType_L2Message in Arbitrum Nitro. This message type allows execution of L2MessageKind_UnsignedUserTx on L2. Crucially, this path does not require signature verification. The sender parameter switches from the standard msg.sender to an input controlled by the caller, carrying the attacker’s address via L1→L2 address aliasing.
  • After the L2 transaction completes, the inbox contract is restored to its original implementation.

Both the L1 transaction [9] and the resulting L2 transaction [4] are publicly viewable on Phalcon Explorer. The L2 transaction appears as “from attacker to 0x…0DA0,” but this is not a standard user-signed transfer; it’s a chain-level forced state change—an asset transfer enabled by governance-level infrastructure upgrade, bypassing the owner’s private key.

The Centralization Dilemma

The principle is straightforward: upgradeable contracts grant unlimited power. If a contract can be upgraded, its behavior can be modified to do anything, including transferring assets without owner signatures. This is an inherent capability of any system built on upgradeable contracts. The 30,766 ETH are currently stored in a frozen address, pending a future governance decision. The atomic upgrade-execute-revert pattern leaves no permanent change to the inbox contract or to other users and applications.

From a reasonable assessment standpoint, the Arbitrum Security Council’s action was appropriate. The attacker is identified as a state-level actor, law enforcement is involved, governance was transparent, and stolen assets worth $71 million have been recovered or at least prevented from further laundering.

But the capability that made all this possible is far-reaching. The same upgrade-execute-revert mechanism could, in principle, be used to transfer any asset held on Arbitrum One. The Security Council’s power is not limited to the attacker’s address or stolen funds; it’s a general authority, governed by governance norms rather than code.

This is the core dilemma. Users interacting with L2s often hold an implicit mental model: “My assets are controlled by my private key; no one can transfer them without my signature.” The KelpDAO incident’s emergency response shows this model is incomplete. On Arbitrum and any L2 with upgradeable bridge contracts and a Security Council, assets can be transferred via governance-level actions that bypass signatures entirely.

Arbitrum is not unique. Aave’s market freezes are also governance-driven emergency measures. In the KelpDAO case, multiple protocols exercised centralized emergency powers simultaneously: Aave froze markets on five chains; Arbitrum’s Security Council executed a forced transfer; KelpDAO globally paused contracts. These responses, while effective and transparent, are clear demonstrations of centralized authority within a “decentralized” ecosystem.

The question is not whether emergency powers should exist. The KelpDAO case underscores their necessity. The real issue is whether the boundaries, triggers, and accountability mechanisms of these powers are sufficiently transparent. Users depositing assets on L2s should be able to answer: under what circumstances can the Security Council transfer my funds? What are my recourse options?

Current Status of Stolen Funds

Independent on-chain tracking (full visualization via MetaSleuth [6]) shows the attacker dispersed 116,500 rsETH into 7 primary addresses, most of which were deposited into Aave (Ethereum and Arbitrum) as collateral to borrow WETH and wstETH. The borrowed tokens were swapped via small DEX trades and then consolidated into a single address (0x5d39…7ccc) on both chains. As of 2026-04-22 05:42 UTC, the stolen funds are in four states:

Table 3: Distribution of stolen funds across four states (as of 2026-04-22 05:42 UTC)

Approximately 31% are frozen or intercepted, 23% remain in an untouched Ethereum address, and 46% have been or are being dispersed into 103 downstream addresses. The attacker’s rsETH collateral on Aave remains unredeemed, and the borrowed WETH and wstETH have not been returned; the lending positions have been abandoned.

The causal chain of the KelpDAO incident spans three layers of the “decentralized” tech stack:

  • The starting point is a single point dependency. The 1-of-1 DVN configuration reduces cross-chain verification to a single entity, making the entire bridge vulnerable if that infrastructure is compromised. While the architecture supports decentralization, the configuration does not.
  • Composability then turns this bridge vulnerability into a systemic liquidity crisis. The attack froze WETH, the most fundamental DeFi asset, across five chains, affecting billions in liquidity and impacting users unrelated to rsETH or KelpDAO. The scope of the cascade is shaped by quantifiable parameters: aggressive LTV settings, shallow pools, and widespread cross-chain collateral deployment.
  • The scale of the crisis then forces decentralized governance to exercise centralized emergency powers. The Arbitrum Security Council, through governance, authorized an atomic contract upgrade to transfer 30,766 ETH without signatures. Aave’s emergency measures froze markets across multiple chains. These responses, while effective and transparent, are clear demonstrations of centralized authority within a “permissionless” ecosystem.

Single point dependency enabled the attack; composability amplified the damage; the crisis revealed embedded centralized powers. Addressing these interconnected issues requires coordinated action from all stakeholders:

  • Protocol teams: The overall security depends on the weakest link, which in this case was the DVN infrastructure, not the smart contracts [11]. Effective security demands multi-layered coverage—code audits, infrastructure security, key management, operational security. On-chain monitoring enables rapid emergency responses; fast cross-chain asset tracking is crucial for asset freezes and recovery. For lending protocols, collateral models should be stress-tested against “full collateral compromise” scenarios, considering the three parameters discussed.
  • L2 governance and DAOs: Emergency powers must be transparent and accountable. Most major L2s have such capabilities, but they are often buried in technical docs rather than user-facing materials. Governance frameworks should clearly specify trigger conditions, scope, time limits, and post-incident accountability.
  • Users: Understand the systemic risks inherent in DeFi composability. In this incident, users who had never interacted with rsETH or KelpDAO had their liquidity frozen across five chains. The risk of a single position is just part of the bigger picture; your assets’ safety depends on the protocols, pools, collateral types, and chains involved.

This comprehensive analysis underscores that while emergency powers are sometimes necessary, their boundaries and triggers must be transparent. Users should be able to answer: under what circumstances can the Security Council transfer my funds? What are my rights?

