Kelp DAO has publicly disputed a report characterizing the rsETH bridge incident as an exploit, arguing that LayerZero default settings, not a deliberate attack, were responsible for a reported $290 million loss. The dispute reframes the April 18 incident from external exploitation to infrastructure configuration failure.
What the rsETH bridge attack report claimed
What was reportedly lost
A security assessment published by CredShields described the rsETH bridge incident as an exploit involving Kelp DAO’s cross-chain bridge infrastructure, citing approximately $290 million in losses. The report used language consistent with a deliberate external attack.
Why the incident was described as a bridge attack
The CredShields report framed the event using exploit terminology, implying a threat actor identified and leveraged a vulnerability in the bridge mechanism. This characterization positioned the incident alongside other high-profile DeFi bridge hacks rather than treating it as an operational failure.
However, the wording in the headline itself signals a disputed characterization. Kelp DAO’s response, documented in an Aave governance thread, challenges the exploit-first interpretation directly.
Why Kelp DAO disputes the attack narrative
Kelp DAO’s central rebuttal
Kelp DAO’s counter-position, presented in the Aave governance discussion, rejects the attack label entirely. The protocol maintains that the loss resulted from how LayerZero’s cross-chain messaging defaults were configured, not from an adversary discovering a novel exploit path.
This is not a minor semantic distinction. Classifying an incident as an attack implies security negligence in defending against external threats. Classifying it as a configuration failure shifts responsibility toward infrastructure defaults and integration choices.
Which parts of the report are being contested
Kelp DAO contests both the causation mechanism and the implied narrative. The protocol does not dispute that losses occurred, but it disputes the CredShields characterization of how and why those losses happened.
The conflict is specific: the CredShields report assigns causation to an exploit vector, while Kelp DAO’s governance rebuttal assigns causation to LayerZero default parameters that were insufficient for the value being secured.
How LayerZero default settings became the focal point
The role of default settings in Kelp DAO’s version of events
According to Kelp DAO’s account in the governance thread, LayerZero’s default settings for cross-chain message verification lacked the security guarantees necessary for high-value bridged assets. The protocol argues these factory defaults created the conditions for the loss without requiring a sophisticated exploit.
Default settings in cross-chain messaging determine how transactions are validated across networks. If left unchanged, they may apply the same verification threshold to a $100 transfer and a $100 million transfer, creating risk proportional to value without proportional security.
Why a configuration issue differs from an attack claim
If Kelp DAO’s framing holds, the incident becomes a shared-responsibility question between protocols that build on cross-chain infrastructure and the messaging layers they depend on. This is fundamentally different from a scenario where an external attacker found a zero-day vulnerability.
A separate report noting LayerZero’s acknowledgment of the Lazarus Group as a likely actor in related cross-chain incidents adds complexity. The existence of state-level threat actors targeting bridge infrastructure does not automatically validate either the exploit or configuration framing for this specific incident.
What the $290 million loss means for rsETH and DeFi risk
Why the $290 million figure matters
The reported loss places this among the largest DeFi incidents in 2026. For rsETH holders and protocols with rsETH exposure, the root-cause determination directly affects recovery expectations, insurance claims, and trust in the asset going forward.
The Aave governance discussion reflects how downstream protocols are reassessing exposure to liquid restaking tokens. When a bridge incident of this scale occurs, counterparties must evaluate whether the underlying asset’s infrastructure meets their risk standards, a concern similar to those raised when institutions hold significant ETH positions across complex custody arrangements.
Questions rsETH holders and counterparties will ask next
The classification dispute has practical consequences. If the incident is ruled a configuration failure, responsibility may fall partly on LayerZero for inadequate defaults and partly on Kelp DAO for not overriding them. If ruled an exploit, Kelp DAO faces sharper scrutiny over bridge security design.
Projects building cross-chain functionality, including those pursuing fresh funding for infrastructure development, will face harder questions about their messaging layer configurations. The incident highlights a gap in DeFi security standards: no industry-wide requirement currently mandates that protocols override default bridge settings before going live with user funds.
For protocols concerned with responsible governance and transparency, the dispute underscores that incident classification is not merely academic. It determines who pays, who rebuilds trust, and what changes in how cross-chain infrastructure is deployed.
FAQ about the Kelp DAO and rsETH incident
Did Kelp DAO confirm an rsETH bridge attack?
No. Kelp DAO explicitly disputes the “attack” characterization in the Aave governance thread, arguing the loss resulted from LayerZero default configuration settings rather than a deliberate exploit by an external attacker.
What did Kelp DAO blame for the $290 million loss?
Kelp DAO pointed to LayerZero’s default settings for cross-chain message verification, claiming these defaults were inadequate for securing the value transiting the bridge.
Why are LayerZero default settings central to the dispute?
Default settings determine how cross-chain messages are validated. Kelp DAO argues that unchanged defaults created a security gap that led to the loss, making it a configuration responsibility issue rather than a novel exploit.
Is this being framed as a hack or a configuration issue?
Both framings exist in the public record. The CredShields report uses exploit language, while Kelp DAO’s governance rebuttal attributes the loss to default settings. The classification remains disputed as of April 2026.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
Source: https://coincu.com/defi/kelp-dao-rseth-bridge-attack-report-layerzero-290m-loss/
