Open-Source AI Tool Warned of $292 Million Kelp DAO Vulnerability 12 Days Ago

BroadChain, 04/20/2026, 12:16 PM
This content has been translated by AI
Summary

BroadChain reported at 12:16 on April 20, citing TechFlow, that on April 18 Kelp DAO lost $292 million through a configuration vulnerability in its LayerZero cross-chain bridge, making it the largest DeFi security incident so far in 2026. The root cause was that its OFT bridge used a 1-of-1 DVN validator node configuration, so attackers could forge cross-chain messages and mint 116,500 rsETH out of thin air on the Ethereum mainnet by compromising just a single node. As early as April 6, an open-source AI audit report had explicitly flagged this risk, pointing out that the DVN configuration was opaque and had a single point of failure, and that the attack pattern resembled those on Ronin and Harmony.

BroadChain reported at 12:16 on April 20, citing TechFlow, that on April 18 Kelp DAO lost $292 million through a LayerZero cross-chain bridge configuration vulnerability, making it the largest DeFi security incident so far in 2026. The root cause was that its OFT bridge used a 1-of-1 DVN validator node configuration, so attackers could forge cross-chain messages by compromising just a single node and thereby mint 116,500 rsETH out of thin air on the Ethereum mainnet. As early as April 6, an open-source AI audit report had explicitly flagged this risk, pointing out that the DVN configuration was opaque and had a single point of failure, and that the attack pattern was highly similar to the historical bridge attacks on Ronin and Harmony. The report's overall score was 72/100 (medium risk), but it acknowledged that the scoring was too lenient and did not elevate the cross-chain bridge risk to a "high-risk" level. After the attack, the stolen rsETH was used as collateral to borrow approximately $236 million in WETH from protocols such as Aave and Compound, resulting in about $177 million in bad debt on Aave V3 and affecting rsETH holders and unrelated depositors across multiple chains. The incident exposed systemic flaws in how DeFi protocols handle cross-chain architecture configuration, governance blind spots, and risk pricing.
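The single-point-of-failure finding described above can be expressed as a configuration check. The sketch below is an added example, not code from the audit tool, Kelp DAO or LayerZero. The `DvnConfig` model, the function names, the severity cut-offs, and the addresses and operator labels are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class DvnConfig:
    # Hypothetical model of one bridge pathway's verifier set.
    required: list = field(default_factory=list)  # every one must attest
    optional: list = field(default_factory=list)  # any `threshold` must attest
    threshold: int = 0

def min_operators_to_forge(cfg, operator_of):
    """Smallest number of distinct operators whose compromise yields every
    required attestation plus `threshold` optional ones."""
    optional = set(cfg.optional)
    if cfg.threshold > len(optional):
        raise ValueError("optional threshold exceeds optional DVN count")
    operators = sorted({operator_of[d] for d in set(cfg.required) | optional})
    # Brute force is fine: real verifier sets hold a handful of entries.
    for k in range(len(operators) + 1):
        for owned in map(set, combinations(operators, k)):
            req_ok = all(operator_of[d] in owned for d in cfg.required)
            opt_hits = sum(operator_of[d] in owned for d in optional)
            if req_ok and opt_hits >= cfg.threshold:
                return k
    raise AssertionError("unreachable: owning every operator always suffices")

def severity(k):
    # Constructed grading rule (assumption): one operator or fewer is high risk.
    return "high" if k <= 1 else "medium" if k == 2 else "low"

# Constructed sample data: DVN address -> entity that runs it.
OPERATORS = {"0xA": "op1", "0xB": "op2", "0xC": "op3", "0xD": "op4",
             "0xE": "op1"}  # 0xE is a second DVN run by op1

ONE_OF_ONE = DvnConfig(required=["0xA"])
LAYERED = DvnConfig(required=["0xA", "0xB"], optional=["0xC", "0xD"], threshold=1)
SAME_OPERATOR = DvnConfig(required=["0xA", "0xE"])  # nominally 2-of-2

if __name__ == "__main__":
    for name, cfg in [("1-of-1", ONE_OF_ONE), ("layered", LAYERED),
                      ("same-operator", SAME_OPERATOR)]:
        k = min_operators_to_forge(cfg, OPERATORS)
        print(f"{name}: {k} operator(s) to forge -> {severity(k)}")
```

Counting operators rather than DVN addresses matters: the constructed 2-of-2 set run by a single operator grades the same as a 1-of-1 set.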