Open Source AI Tool Warned of Kelp DAO's $292 Million Vulnerability 12 Days Ago

BroadChain, 04/20/2026, 06:46 PM
This content has been translated by AI
Summary

An open-source AI tool warned of cross-chain bridge configuration risks in Kelp DAO 12 days before t

BroadChain reported at 18:46 on April 20, citing PANews, that on April 18 Kelp DAO suffered a theft of $292 million due to a LayerZero cross-chain bridge configuration vulnerability, the largest DeFi security incident so far in 2026. The root cause was that its OFT bridge used a 1-of-1 DVN validator node configuration, which allowed attackers to forge cross-chain messages by compromising a single node and to mint 116,500 unsecured rsETH on the mainnet.

When the author used its open-source AI auditing tool to run a risk assessment of Kelp on April 6, the tool had already explicitly flagged critical information gaps such as "DVN configuration opacity" and "single point of failure risk across 16 chains," and pointed out that the architecture closely resembles the historical bridge attack patterns of Ronin and Harmony.

After the attack, the attacker deposited the stolen rsETH as collateral into protocols such as Aave V3 and borrowed approximately $236 million in WETH, leaving Aave with about $177 million in bad debt and affecting rsETH holders and unrelated protocol users across multiple chains. The incident highlights systemic risk in the cross-chain architecture configuration and governance control of DeFi protocols, rather than merely smart contract vulnerabilities.
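The two gaps the assessment flagged, a 1-of-1 DVN quorum and an opaque DVN configuration, can be checked mechanically per chain. The following is an added example, not the auditing tool from the article: the field names are modelled on LayerZero V2's `UlnConfig` struct (an assumption), `MIN_QUORUM` is a hypothetical policy value, and the chain names and DVN addresses are constructed.

```python
from collections import Counter

MIN_QUORUM = 2  # hypothetical policy floor: at least two DVNs must attest

# Constructed sample: per-chain receive-side DVN settings; None = not retrievable.
SAMPLE = {
    "ethereum": {"requiredDVNs": ["0xDVN_A"], "optionalDVNs": [], "optionalDVNThreshold": 0},
    "arbitrum": {"requiredDVNs": ["0xDVN_A"], "optionalDVNs": [], "optionalDVNThreshold": 0},
    "base": {"requiredDVNs": ["0xDVN_A", "0xDVN_B"],
             "optionalDVNs": ["0xDVN_C", "0xDVN_D"], "optionalDVNThreshold": 1},
    "linea": None,
}

def quorum(cfg):
    """Number of distinct DVN attestations needed before a message is accepted."""
    return len(set(cfg["requiredDVNs"])) + cfg["optionalDVNThreshold"]

def audit_pathway(chain, cfg):
    """Return the findings for one chain's DVN configuration."""
    if cfg is None:  # opacity is itself a finding: the quorum cannot be assessed
        return [f"{chain}: DVN config opaque, treat as unverified"]
    findings = []
    required, optional = set(cfg["requiredDVNs"]), set(cfg["optionalDVNs"])
    # A threshold larger than the distinct optional DVNs overstates the quorum.
    if cfg["optionalDVNThreshold"] > len(optional - required):
        findings.append(f"{chain}: optional threshold exceeds distinct optional DVNs")
    q = quorum(cfg)
    if q < MIN_QUORUM:
        total = len(required | optional)
        findings.append(f"{chain}: {q}-of-{total} DVN quorum, single point of failure")
    return findings

def audit_bridge(configs):
    """Audit every chain, then flag a DVN that is the sole verifier on several."""
    findings = [f for chain, cfg in configs.items() for f in audit_pathway(chain, cfg)]
    sole = Counter(cfg["requiredDVNs"][0] for cfg in configs.values()
                   if cfg and cfg["requiredDVNs"] and quorum(cfg) == 1)
    findings += [f"DVN {dvn} is sole verifier on {n} chains"
                 for dvn, n in sole.items() if n > 1]
    return findings

if __name__ == "__main__":
    for line in audit_bridge(SAMPLE):
        print(line)
```
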