Cardano founder Charles Hoskinson pointed out in a recent livestream that the approximately $292 million hack of KelpDAO is not just another cross-chain bridge incident, but also reveals the risk of systemic contagion triggered by a single vulnerability when restaking, cross-chain messaging, and lending protocols are stacked within the Ethereum ecosystem. He believes the attack on April 18 exposed the most fragile part of modern DeFi—not the application-layer smart contracts, but the verification layer and interdependencies between protocols.
Hoskinson emphasized that the attack, which involved stealing approximately 116,500 rsETH from KelpDAO's Ethereum escrow contract, should prompt the industry to re-examine cross-chain bridge trust assumptions, validator design, and the speed at which bad collateral spreads in lending markets. He particularly noted that the core of the incident lies in forged cross-chain messages being incorrectly validated as legitimate, leading to funds being released on Ethereum, which represents a new type of attack pattern.
He strongly criticized the one-to-one validator configuration used in the involved system, arguing that best practices should involve a multi-validator model (such as three out of five). In a complex layered system that already includes staking wrappers, restaking protocols, cross-chain bridges, and lending platforms, a single active DVN constitutes an unacceptable single point of failure. Hoskinson stated that the problem lies in the validation logic, not the application logic, as KelpDAO's own contracts were audited and functioning normally.
The subsequent impact of the incident is particularly severe. Instead of selling the stolen assets on decentralized exchanges, the attacker used the stolen rsETH as collateral to borrow more liquid assets in lending markets, turning the exploit into a balance sheet problem for other protocols. Hoskinson described this dynamic as the truly novel aspect of the incident: it is not just a cross-chain bridge hack, but one that spread to lending markets and generated bad debt contagion, ultimately triggering a bank run—a $290 million hack led to $13 billion in TVL being withdrawn in an extremely short time.
According to public reports he cited, at least nine protocols were directly affected, with losses for Aave alone estimated between $6.6 billion and $8.45 billion. Within 24 hours after the attack, the price of rsETH fluctuated wildly between $1,600 and $2,500. Hoskinson also mentioned that the North Korean hacker group Lazarus might be involved but acknowledged that attribution has not yet been confirmed by independent forensic firms. As of press time, Cardano (ADA) is priced at $0.2504.