
Cardano founder Charles Hoskinson used a recent livestream to argue that the roughly $292 million KelpDAO exploit was not simply another bridge failure, but a broader warning about how Ethereum’s restaking, cross-chain messaging, and lending stack can allow a single compromise to spread across the ecosystem.
Hoskinson said the April 18 attack highlighted what he views as the most fragile element of modern DeFi: not application-level smart contract logic, but the verification layers and protocol interdependencies that sit between systems.
In his account, the exploit involved about 116,500 rsETH drained from KelpDAO’s Ethereum escrow. He said the event should prompt a wider industry discussion around bridge trust assumptions, verifier design, and how quickly bad collateral can propagate through lending markets.
Rather than present a conventional postmortem, Hoskinson said he used internal incident-report material and AI to create a website explaining the mechanics of the exploit. He argued the failure did not originate from broken contract logic within KelpDAO or an obvious accounting flaw at LayerZero.
Instead, he said the core issue was a forged cross-chain message that was accepted as legitimate and allowed funds to be released on Ethereum.
“So, this was not a smart contract issue with Kelp and this was not a smart contract issue with LayerZero, but this was a cross-chain message forgery.”
Hoskinson repeatedly pointed to the reported use of a one-of-one verifier configuration. He said best practice would involve a multi-verifier model such as three-of-five, but KelpDAO’s setup relied on a single active DVN, creating what he described as an unacceptable single point of failure.
“The failure was in the verification logic, not the application logic… The application’s working well. It’s the bridge configuration.”
Hoskinson said that after the exploit, three separate root-cause analyses emerged: one from LayerZero, one from KelpDAO, and one connected to LlamaRisk and Aave governance discussions. He said none of the analyses fully agree, leaving open where the break occurred—whether in the messaging layer, verifier setup, KelpDAO’s acceptance logic, or the “seams” between components.
Hoskinson argued the event’s significance extended beyond the theft itself. He said the attacker allegedly did not immediately dump the stolen rsETH on decentralized exchanges; instead, the rsETH was used as collateral in lending markets to borrow additional liquid assets. In his view, this transformed an exploit into a balance-sheet problem for other protocols, leaving “poisoned collateral” behind.
“It wasn’t just a bridge hack. It spread to lending which then created bad debt contagion inside these lending protocols. It created a bank run and we saw $13 billion of TVL pulled in a very short period of time for a $290 million hack.”
Hoskinson said the liquidity shock affected more than KelpDAO alone, citing public reporting referenced in his walkthrough. He said at least nine directly affected protocols were identified.
He also cited figures for Aave losses, stating Aave saw between $6.6 billion and $8.45 billion in losses. He further said rsETH traded in a volatile range between about $1,600 and $2,500 during the 24 hours following the attack.
Hoskinson raised the possibility of Lazarus involvement, while acknowledging that attribution remains unconfirmed. He said there is evidence suggesting Lazarus connections, but that no independent forensics firms had definitively proven it.
At press time, Cardano (ADA) traded at $0.2504.
