KelpDAO Cross-Chain Bridge $292 Million Stolen: Liability Attribution and Legal Analysis

BroadChain, 04/24/2026
This content has been translated by AI.
Summary

The KelpDAO cross-chain bridge was attacked with a loss of $292 million. Civil legal analysis sugges

BroadChain News, April 24, 15:06. On April 18, 2026, an attacker stole 116,500 rsETH from the KelpDAO cross-chain bridge within 46 minutes, valued at approximately $292 million, making it the largest DeFi security incident of the year. The stolen tokens were deposited as collateral into protocols such as Aave V3 to borrow approximately $236 million in ETH, leaving Aave with bad debt of $177 million to $200 million and wiping out about $6 billion in TVL. This article analyzes liability from a civil law perspective and argues that KelpDAO and LayerZero Labs should bear joint fault liability, in proportions of approximately 60% and 40%.

KelpDAO chose the lowest 1-of-1 DVN configuration offered by LayerZero, relying on a single validator, even though LayerZero explicitly recommends at least 2-of-3. That single point of failure guarded approximately $1.6 billion in assets, akin to securing a vault with a padlock. Under tort law, negligence is established when the cost of prevention (B) is lower than the probability of harm (P) multiplied by the magnitude of harm (L); here B was far lower than P × L. Industry peers such as SparkLend and Fluid set LTVs for rsETH at 72% and 75%, respectively, far below Aave's 93%, reflecting their vigilance toward bridging risk.

The DVN infrastructure operated by LayerZero was attacked via RPC poisoning: the attacker forged verification results through replaced binary files, selective deception, and DDoS-triggered failover. RPC poisoning is a known attack vector, and as the infrastructure operator, LayerZero should have implemented countermeasures such as cross-validation across independent sources and anomaly detection. Under the principle of non-delegable duty, it cannot escape liability by pointing to third-party RPC providers. The Drift Protocol attack ($285 million, April 1) provided constructive notice, further supporting a finding of negligence.
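The two points above, the 1-of-1 versus 2-of-3 DVN configuration and cross-validation of RPC data, as an added illustrative model that is not code from KelpDAO, LayerZero or the original article: a DVN is reduced to a hash lookup against RPC endpoints, and the message contents, endpoint names and quorum values are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample messages; neither value comes from the incident.
GENUINE_MSG = b"mint 1000 rsETH to 0xGENUINE_RECIPIENT_PLACEHOLDER"
FORGED_MSG = b"mint 116500 rsETH to 0xATTACKER_PLACEHOLDER"

def payload_hash(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()

# A DVN asks RPC endpoints for the payload hash of a source-chain event.
# An honest endpoint reports the genuine hash; a poisoned one reports the forgery.
def honest_rpc(_event_id): return payload_hash(GENUINE_MSG)
def poisoned_rpc(_event_id): return payload_hash(FORGED_MSG)

def dvn_attest(rpc_endpoints, event_id, min_agree):
    """One DVN's verdict: cross-validate across endpoints, attest only on agreement,
    abstain (None) when fewer than `min_agree` endpoints report the same hash."""
    answers = Counter(ep(event_id) for ep in rpc_endpoints)
    value, votes = answers.most_common(1)[0]
    return value if votes >= min_agree else None

def bridge_accepts(dvn_verdicts, required, claimed_hash):
    """The bridge executes a message only if `required` DVNs attest to its hash."""
    return sum(v == claimed_hash for v in dvn_verdicts) >= required

def scenario_1_of_1():
    # One DVN trusting one RPC, and that RPC is poisoned: the forgery executes.
    verdict = dvn_attest([poisoned_rpc], "evt", min_agree=1)
    return bridge_accepts([verdict], required=1, claimed_hash=payload_hash(FORGED_MSG))

def scenario_2_of_3_with_cross_validation():
    # Three independent DVNs, each needing 2 agreeing endpoints. The attacker fully
    # controls DVN A's RPC set and one endpoint of DVN B; DVN C is untouched.
    dvn_a = dvn_attest([poisoned_rpc, poisoned_rpc], "evt", min_agree=2)
    dvn_b = dvn_attest([honest_rpc, poisoned_rpc, honest_rpc], "evt", min_agree=2)
    dvn_c = dvn_attest([honest_rpc, honest_rpc], "evt", min_agree=2)
    verdicts = [dvn_a, dvn_b, dvn_c]
    forged_executed = bridge_accepts(verdicts, 2, payload_hash(FORGED_MSG))
    genuine_executed = bridge_accepts(verdicts, 2, payload_hash(GENUINE_MSG))
    return forged_executed, genuine_executed   # (False, True)
```

The same poisoned endpoint that is decisive under 1-of-1 is outvoted once the bridge requires two of three DVNs and each DVN cross-checks independent RPC sources.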

Under joint causation, both KelpDAO's configuration choice and LayerZero's failure were necessary conditions for the loss. Fault is allocated on three grounds: KelpDAO actively chose the lowest configuration, LayerZero failed to defend against a known threat, and the attacker's conduct did not break the causal chain. Liability cap clauses in the protocols' terms of service may be unenforceable as contrary to public policy.