BroadChain has learned that at 19:30 on April 22, the DeFi sector suffered another heavy blow. The liquidity restaking project Kelp DAO was recently attacked, resulting in losses as high as $292 million. This incident not only drained the project's own treasury but also triggered a chain reaction through DeFi's composability, leading to over $200 million in bad debt for the lending protocol Aave.
Security analysis indicates that the attacker did not exploit a smart contract vulnerability but instead transmitted forged data to the cross-chain protocol LayerZero by contaminating the underlying RPC nodes. However, the fatal weakness lay in the project's core mechanism, which employed a 1/1 single-signature permission system, allowing the hacker to proceed unimpeded after the data was contaminated and transfer massive assets in one go. On-chain tracking points to the North Korean hacker group Lazarus Group, whose efficient money laundering path highlights the threat posed by state-level attackers.
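The 1/1 weakness described above, as an added illustration that is not code from the article, Kelp DAO or LayerZero: a cross-chain message is accepted only when enough independent verifiers, each reading the source chain through its own RPC endpoint, attest the same message. With a single verifier behind a poisoned RPC the forged message passes; with a 2-of-3 quorum it does not. All names, views and amounts are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    src_chain: str
    nonce: int
    receiver: str
    payload: bytes

def message_id(m: Message) -> str:
    """Deterministic id of a cross-chain message (constructed format)."""
    return hashlib.sha256(f"{m.src_chain}|{m.nonce}|{m.receiver}|".encode() + m.payload).hexdigest()

def make_verifier(rpc_view: dict):
    """A verifier that reports the id of the message its RPC endpoint shows for (chain, nonce).
    If that RPC is poisoned, the verifier faithfully attests the attacker's forged message."""
    def attest(src_chain: str, nonce: int):
        m = rpc_view.get((src_chain, nonce))
        return message_id(m) if m else None
    return attest

def verify_message(msg: Message, verifiers: list, threshold: int) -> bool:
    """Accept only if at least `threshold` verifiers attest exactly this message."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    target = message_id(msg)
    agreeing = sum(1 for v in verifiers if v(msg.src_chain, msg.nonce) == target)
    return agreeing >= threshold

# Constructed scenario: the source chain really emitted `genuine`; one RPC is poisoned
# so that its verifier sees `forged` (same chain and nonce, different receiver/amount).
genuine = Message("chainA", 7, "vault", b"withdraw:1000")
forged = Message("chainA", 7, "attacker", b"withdraw:1000000")
poisoned = make_verifier({("chainA", 7): forged})
honest1 = make_verifier({("chainA", 7): genuine})
honest2 = make_verifier({("chainA", 7): genuine})

def single_verifier_accepts_forgery() -> bool:
    # 1/1 configuration: the one verifier is behind the poisoned RPC, so the forgery passes.
    return verify_message(forged, [poisoned], threshold=1)

def quorum_rejects_forgery() -> bool:
    # 2-of-3: only the poisoned verifier agrees with the forged id, so it is rejected.
    return not verify_message(forged, [poisoned, honest1, honest2], threshold=2)

def quorum_accepts_genuine() -> bool:
    # The genuine message still clears the quorum despite one poisoned source.
    return verify_message(genuine, [poisoned, honest1, honest2], threshold=2)
```

The quorum only helps when the verifiers' data sources are actually independent (different RPC providers and operators); verifiers that share one upstream node collapse back to the 1/1 case.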
After the incident, responsibility attribution became contentious. Kelp DAO accused LayerZero's infrastructure of having vulnerabilities, while the latter countered that the issue lay with the project's blind trust in RPC data. Aave suffered collateral damage for accepting Kelp DAO's assets as collateral. Although it plans to use a protection fund to cover the losses, this exposes the systemic risk of "one loss, all losses" in the DeFi ecosystem.
This attack has sparked deep reflection within the industry on the mismatch between DeFi risks and rewards. Users chase single-digit annualized returns or points while bearing the risk of total principal loss. To compete for Total Value Locked (TVL), many protocols adopt low-fee models, whose meager revenues are insufficient to support the security investments needed to defend against high-level attacks, creating a fragile structure of "privatized profits, socialized risks."
Faced with the trend of accelerating institutional capital entry, the industry is beginning to re-examine the value of compliant custody. Separating business logic from asset custody, with professional custodians managing treasuries, can effectively eliminate single points of failure. Independent intent-based risk control engines can intercept and review abnormal transactions off-chain, providing trust-level protection that code alone cannot offer. This may become essential infrastructure for DeFi protocols to attract mainstream capital and achieve long-term development.
