Hi, this is Charles Hoskinson broadcasting live from rough and rugged Wyoming. I'm here at my clinic doing all kinds of crazy stuff and having a lot of fun. However, something happened a few days ago, and I was waiting for enough news to aggregate enough RCAs to form so I could actually comment on it. It's a major event, and a lot of people ask about these things.
As many of you know, there was a very large hack in the Ethereum ecosystem involving restaked Ether, and it happened with KelpDAO. I want to try something a little new, a little different. Typically, when a hack occurs in the cryptocurrency space, I get an incident report containing a lot of intel and various other things. Then we talk about it at the executive level when we have time and say, "Okay, what does this mean for us? Do we have to change strategy? Is this a new attack vector?"
What I decided to do is take some of that content and use AI to build a website. We're going to follow along and talk about what occurred, and I'll show you the website that I created. You ready? Here it is—the website on KelpDAO. Cloud-generated, how about that?
Basically, $292 million was stolen on April 18th—roughly 116,500 restaked Ether from KelpDAO's Ethereum escrow. There are three RCAs that came out, and none of them tend to agree with each other. The protocol-level TVL is somewhere between $1.5 billion to $2 billion, and $292 million was stolen. This is a pretty big exploit.
On Saturday, April 18th, an attacker exploited KelpDAO's cross-chain bridge for restaked tokens, and about 116,000 was taken from the holding contract. It's the largest DeFi exploit of the year. I showed some background concepts here. In Cardano, you just click delegate to stake, but that's not how it works in Ethereum. In Ethereum, your funds are locked, and you can't do anything with them. People don't like not having liquidity, so they created a new protocol called Lido. Lido allows you to take your locked Ether and turn it into liquid Ether, called stETH.
You don't have to do that in Cardano because we're liquid non-custodial, but in Ethereum, you have to. Ethereum users want to increase their yield, so they're not happy with staking rewards. They say, "You need to restake." Sreeram and his friends created a paper called Minotaur, which later turned into EigenLayer, creating a restaking protocol that allows you to redeploy and make more yield beyond what you earn with your staked Ether from Lido. KelpDAO is a restaking protocol, so people took their Ether, staked it, created liquid Ether through Lido, and then used Kelp to create restaked Ether.
Every time you do this, you create some form of risk. Every time you have a wrapper on that layer underneath, it controls its own contracts and infrastructure, and any flaw can break the transitivity, meaning you no longer have that one-to-one backing. When you move tokens across-chain, you generally need a bridge to facilitate that. It's usually a three-phase process: the original token is locked in an escrow contract on the source chain, then sent to a destination chain where it's minted. To reverse it, you need to burn the wrapped token, which releases it on the origin chain.
The hard problem is how the destination chain knows that the source chain event actually happened. You need some form of verification step, which is what these big bridge providers do. Almost all bridge hacks occur when they mess up this verification step. LayerZero is a cross-chain messaging protocol with a standard for a single token that natively exists across multiple networks. If you have Cardano or NIGHT or SOL and you're sending it to various networks, you must maintain a conservation of supply.
When LayerZero sends a message to a destination chain, it sends verifiers called DVNs to confirm that the message is authentic. This is one reason LayerZero is investing in Jolt—they want to send proofs over, too. This capability will be part of Midnight because of Nightstream. We can use a folding system to roll up an entire chain, allowing people to verify what they're seeing is correct.
Typically, you have a trust threshold of multiple DVNs, taking the best out of a collection—two of three or three of five. Independent DVNs sign off with separate configurations and logic. The problem with Kelp is they only had a one-of-one configuration, meaning only one DVN was activated, using the default network.
Now, let's talk about lending protocols like Aave, Compound, and Euler. As a user, you deposit your token as collateral and borrow a different token against it. This is Bitcoin DeFi at its core. People don't want to sell their Bitcoin, so they deposit it and get a stablecoin in return. If you have Kelp restaked Ether, you could deposit it in Aave, Compound, or Euler and get another token from it, using that as collateral. If an attacker deposits freshly released stolen tokens and borrows something liquid against it, like wrapped Ether, they can walk away with the borrowed assets, leaving an unbacked asset in the lending protocol.
Ether is not like Bitcoin or Cardano; it's not liquid. When you lock it, it gets locked. That's Vitalik's design. It's not necessary, but he decided to do it. You have Lido, and then people take their Lido and say, "I want more money," leading to the creation of the restaking protocol where Kelp comes into play. You also have cross-chain bridges, and LayerZero is involved in that. You can move tokens from one system to another, but the independent networks must maintain DVNs to confirm the messages.
Here's what happened: this was a cross-chain message forgery. The attacker tricked the destination chain logic into accepting a message that was never legitimately produced on the source chain. They created a fake message and sent it across; it was never produced there. This was not a smart contract issue with Kelp or LayerZero but a cross-chain message forgery.
No joint root cause analysis has been published. Instead, there have been three parallel unilateral postmortems: LayerZero's statement, KelpDAO's rebuttal, and a Llama Risk Aave Labs bad debt model on the Aave governance forum. The accounts disagree on responsibility and exposure. CredShields noted that the break could sit in the messaging layer, the verifier configuration, Kelp's acceptance logic, or the seams between them. In other words, nobody really knows or agrees on exactly what happened and how this cross-chain message forgery occurred.
I created a diagram that started with a Tornado Cash attack path, leading to attacker wallets. There was an obfuscated origin from where the initial Ether came from, and the attacker wallet sent the message, crafting a forged message that went into the RPC poisoning and DDoS failover into that DVN. For some reason, it got accepted, and it said, "This is a legitimate 116,000 restaked Ether that needs to be released." They took the majority of it, lent it, got another coin for it, and left the broken collateral inside the borrowing markets.
The public technical analysis report states that the attackers submitted a spoofed inbound LayerZero message, which reached the endpoint V2 contract to Kelp's restaked OFT adapter, releasing 116,500 restaked Ether from the escrow on Ethereum. The spoofed packet claimed Unichain endpoint ID 30320 as the source. Through the underlying DVN compromise, the adapter trusted the spoofed message.
The responsibility for the 1-of-1 DVN configuration is contested. Both parties have published preliminary postmortems, but neither has conceded. LayerZero's April 20th statement announced they will no longer sign or attest messages for any application using a 1-of-1 DVN configuration. This is probably a good idea, forcing a protocol-wide migration to multi-verifier architectures. Kelp sources say the same configuration is used by roughly 40% of all LayerZero's OApps. An independent review by a Yearn core developer confirms that LayerZero's public V2 OApp quickstart ships with a single source verification default across Ethereum, BSC, Polygon, Arbitrum, and Optimism. Evidence tilts towards the technical dispute favoring Kelp's framing, though neither party has released specific root communications.
Here's the timeline: the attack starts, is drained, and the outflows were flagged publicly about 46 minutes after it was drained. They executed an emergency pause and tried some reverts, but unfortunately, it was already put into the lending markets. This is the contagion problem and illustrates how interconnected DeFi is. The attacker did not dump the restaked ETH directly on decentralized exchanges, which would have crashed the pricing cap. Instead, the stolen tokens were posted as collateral in lending markets before freezes could take effect.
Llama Risk Aave Labs' joint incident report published on April 20th is now the authoritative exposure document, superseding earlier estimates. Aave confirms 83,471 ETH equivalent were put at risk—about $190 million across seven attacker wallets on Ethereum core and Arbitrum. The attackers' positions resulted in 89,567 restaked Ether supplied as collateral across seven wallets. Llama Risk modeled two resolution paths: Scenario one socializes a 15.12% haircut across all restaked ETH holders, producing $123 million of bad debt largely absorbed by Ethereum core's reserve. Scenario two isolates losses of the layer two, repricing those tokens to 26.48% backing and generating about $230 million of bad debt concentrated in Mantle, Arbitrum, Base, Ink, with Ethereum core left untouched.
The Aave DAO treasury stands at $181 million, and the wrapped Ether umbrella module holds about 23,000 wrapped Ether as slashable coverage. Llama Risk recommended an immediate umbrella pause as a precaution. ACI Marc Zeller estimates a 5-8% haircut. In other words, just catastrophe. The contagion spreads beyond that; Sievers classified at least nine DeFi protocols as directly affected. Beyond Aave, the list includes SparkLend, Fluid, Compound, Euler, UpShift, Morpho with exposure, Lido Earn ETH, Ethena, Pendle, Yearn, Beefy, and Lombard Finance. The broader liquidity shock was larger than the direct theft. DeFi TVL fell over $13 billion over a 48-hour period per DeFi Llama. Aave alone lost between $6.6 billion to $8.45 billion with wrapped ETH pools on core, Arbitrum, Base, Mantle, Linea, and Plasma.
Justin Sun, because he never goes away, pulled 65,000 Ether from Aave and publicly asked the attacker to negotiate restaked Ether. Restaked Ether's 24-hour range from April 18th to 19th was roughly between $1,600 to $2,500 against a pre-attack mark of nearly $2,500, with an intraday depeg of roughly 35%.
So, who did it? It looks like it's Lazarus, a state-sponsored hacking collective connected to North Korea. There's a lot of evidence here suggesting Lazarus connections, although unfortunately, it's uncorroborated. We have not been able to definitively prove that it's Lazarus, and no independent forensics firms have issued their own attribution. TRM Labs spoke conditionally about a sustained state-driven campaign, but nobody's talking right now. We haven't seen anything from Chainalysis, Elliptic, SlowMist, or the usual suspects, nor have we heard from the FBI or others.
What do we gain from this? Key lessons: it's not a good idea to trust a bridge unilaterally. The failure was in the verification logic, not the application logic of Kelp's restaking. Kelp did everything right from their contracts; they're audited and working well. The application's functioning properly, but the issue lies in the bridge configuration. The state of the DeFi threat model assumes smart contract bugs are the dominant risk, but that's not true anymore. Bridges can be very problematic. A one-of-one verifier is not good; don't do that. If they steal the money, DeFi lending is the exit condition. You can deposit, lend, and when you get those tokens, you're getting tokens unconnected to the theft, and the collateral is poisoned.
Kelp responded about 46 minutes after the attack, which is not that bad considering the attackers didn't announce their actions. This shows that incident response is incredibly vital in these types of protocols.
Hacks are a part of life, and they're going to get much worse for everyone, including Cardano, because of mythic models. When you see these frontier models, people can use them to scan every intricacy of your cryptocurrency and find any flaw. Often, flaws are not due to bad code but arise from a collection of things that, when used individually, are correct, but emergently, they are not. Testing, security audits, and information security have improved, so people are generally good at detecting flaws. The real issues occur with the emergence of things. Third-party dependencies and multiple components working together can create unexpected emergent bugs that can be exploited.
AI is exceedingly good at detecting these issues because it can analyze the entire codebase at once. Humans can only look at parts. Some mitigations include formal methods, which we do, and Ethereum is starting to adopt. Most projects don't. Good architecture and design, with clean interfaces and adherence to best practices, are essential. Understanding how emergent behavior works and modeling systems as complex adaptive systems is an emerging field of testing.
Ultimately, constant vigilance and multi-redundancies inside the system are crucial. The big three are zero-knowledge proofs, multi-party computation, and trusted execution environments. When we look at Midnight, this is the design space that it occupies because we knew we needed safe DeFi. DeFi always involves multiple chains, protocols, collateral movement, and various representations of the same asset. You need a regulating layer to sort all those things out, built with the necessary capabilities.
Nightstream rolls up the whole chain, providing real-time proofs about anything you care about. When you send a message, you send it with proof. Knowing where to attack gives you the ability to DDoS or eclipse. A privacy-preserving system makes it much harder to target. Multi-party computation and TEE ensure the hardware functions as intended. Even if you compromise one unit, multi-party computation means you must compromise all but one slot, creating a good trust model.
We thought a lot about these different factors. Determinism and liquid non-custodial staking help. A DeFi kernel will also help tremendously on both the Midnight and Cardano sides. Cardano doesn't tend to be hit by these attacks because we have a smaller DeFi marketplace, and these types of attacks are harder to conduct in such systems. Other systems are built for mass liquidity, making it easy to move large amounts quickly. You can multi-chain attack something, and within 46 minutes, you've already moved a significant amount into lending protocols, creating contagion that spreads throughout the entire system.
Circuit breakers and mechanisms to slow things down are important, like a lending protocol with a delay if it's over a certain amount or if it's newly minted. There are many design features you can implement. If it's a DeFi protocol, unfortunately, it's the weakest link; someone will screw it up, creating contagion in the entire system. If the protocol enforces certain behaviors, everything upstream must follow best practices, leading to better outcomes.
It's sad to see this happen. I think the Kelp team will figure it out, socialize the risk, and move on. However, it raises a meta question: why do we continue to allow $290 million attacks to happen regularly? Despite criticism of Cardano, these incidents don't happen often on our side. Bitcoin has opted out of the game altogether, so they rarely experience hacks outside of potential quantum threats, which are universal for all cryptography.
There needs to be a conversation about creating best practices and marketplaces for quality, either by token price or insurance. Otherwise, these attacks will continue to happen because hackers are hyper-sophisticated. The Lazarus Group has access to decatrillion parameter frontier models and has bribed members of Frontier Labs to gain access to advanced resources. They use mythic-class models to find vulnerabilities, which is a known open secret in the information security world. Their capabilities will only increase, leading to an exponential rise in attacks.
As consumers, you should take a step back and ask, "How do I know and what chain of evidence do I have that the system is secure?" I remember the DAO hack, which made massive international headlines. Kelp is significantly larger, yet we're all just turning the page. What makes this novel is the contagion; it wasn't just a bridge hack. It spread to lending, creating bad debt contagion inside these protocols and leading to a bank run. We saw $13 billion of TVL pulled in a very short period for a $290 million hack. That's a crisis of confidence—about 10% of Ethereum's TVL in less than a day.
Thank you for listening. I hope you enjoyed this format. Let me know in the comments, and I'll keep on building and sharing interesting insights. Cheers!
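Added example, not part of the talk and not LayerZero's or KelpDAO's code: a minimal model of the verifier threshold discussed above, showing why a one-of-one configuration releases funds on a forged packet that a two-of-three configuration rejects. HMAC tags stand in for real DVN signatures, and the verifier names, keys, recipient and the "genuine" packet are constructed for illustration; only the endpoint ID 30320 and the 116,500 amount come from the talk.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC stands in for real DVN signatures.
VERIFIER_KEYS = {"dvn-a": b"key-a", "dvn-b": b"key-b", "dvn-c": b"key-c"}


def packet_digest(src_eid: int, nonce: int, receiver: str, amount: int) -> bytes:
    """Hash every field the destination acts on, so none can be swapped."""
    body = f"{src_eid}|{nonce}|{receiver}|{amount}".encode()
    return hashlib.sha256(body).digest()


def attest(verifier: str, digest: bytes) -> bytes:
    """Tag a verifier emits for a digest it believes exists on the source chain."""
    return hmac.new(VERIFIER_KEYS[verifier], digest, hashlib.sha256).digest()


def quorum_met(digest, attestations, required, threshold):
    """True only if `threshold` distinct configured verifiers vouch for digest."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and len(required)")
    valid = set()
    for name, tag in attestations.items():
        if name in required and hmac.compare_digest(tag, attest(name, digest)):
            valid.add(name)
    return len(valid) >= threshold


def release_decisions():
    """One forged packet, one misled verifier, evaluated under two configs."""
    forged = packet_digest(30320, 1, "0xRecipient", 116_500)
    genuine = packet_digest(30320, 1, "0xRecipient", 5)  # constructed
    # dvn-a was fed bad source-chain data and signs the forged digest;
    # dvn-b and dvn-c read the real source chain and sign only the genuine one.
    atts = {"dvn-a": attest("dvn-a", forged),
            "dvn-b": attest("dvn-b", genuine),
            "dvn-c": attest("dvn-c", genuine)}
    one_of_one = quorum_met(forged, atts, {"dvn-a"}, 1)
    two_of_three = quorum_met(forged, atts, set(VERIFIER_KEYS), 2)
    genuine_ok = quorum_met(genuine, atts, set(VERIFIER_KEYS), 2)
    return one_of_one, two_of_three, genuine_ok


if __name__ == "__main__":
    print(release_decisions())
```

The quorum only helps if the verifiers are independent: three verifiers reading the same poisoned data source fail together just like one.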