For all the talk about decentralized, autonomous, permissionless finance, the DeFi sector’s response to Saturday’s $290 million Kelp DAO hack tells a different story.
The companies involved are playing a messy, very human blame game over responsibility for the $14 billion consequences.
While the projects shirk responsibility, users are left with money stuck in what was considered the safe, comfortingly boring side of DeFi, and may face write-offs to cover bad debts.
Meanwhile, amid the uncertainty, the industry as a whole is losing credibility.
Influential voices are urging the three main stakeholders to come together and figure out a way forward. But so far, it seems the companies are determined to play hardball.
LayerZero blames Kelp DAO’s choice of validator configuration, while Kelp DAO says it followed LayerZero’s defaults. Aave is staying out of it, hoping to return to normal operations while avoiding the question of its own role in driving rsETH’s deep integration.
Let’s look at the case against each of the projects involved.
Kelp DAO
We’ll start with Kelp DAO, whose rsETH token was hacked on Saturday. There’s not much to go on.
The company remained silent for 48 hours after its initial acknowledgment of Saturday’s hack.
Users waiting to hear how the losses would be distributed were ultimately shown a short statement that provided no new information.
It merely confirmed how the exploit worked, emphasized that Kelp DAO’s 1/1 DVN configuration is “the default for any new OFT implementation” and congratulated itself on blocking another $95 million hack attempt.
NEW: KelpDAO will push back on the LayerZero post-mortem where Kelp was blamed for the exploit, rather than taking the blame for their internal infrastructure exploit.
An internal Kelp memo/draft is said to have been leaked.
Teams play PvP in the open with lawyers and public statements instead of… https://t.co/EooM2OqQ2O pic.twitter.com/jt15CBSClt
— Andy (@andyyy) April 20, 2026
In fact, it seemed rather tame considering the potential attack on LayerZero teased the previous day.
As for loss sharing, the company said it is “concurrently assessing potential next steps.”
In praising Arbitrum’s decision to seize stolen ether ($ETH), it didn’t reveal much more, saying it is “pursuing all available avenues to… mitigate the impact of the incident in the Defi ecosystem.”
So we keep waiting.
LayerZero
LayerZero has received a lot of criticism, not just from Kelp DAO, that its architecture shifts the burden of security onto individual project teams, or “allows each application and asset publisher to define its own security posture,” as LayerZero puts it.
While the company claims that it recommends that individual asset issuers opt for a secure setup, Dune analysis shows that nearly half of the more than 2,500 OApp bridge contracts use a 1/1 DVN configuration.
One example, highlighted by blockchain security expert Taylor Monahan, explicitly states “use the LZ defaults” in its code comment.
oh lord 😭https://t.co/7GQIbybxvg https://t.co/ToUwOX3cA5 pic.twitter.com/xFPoNgeb4c
— Tay 💖 (@tayvano_) April 20, 2026
In the wake of Saturday’s incident, many well-known crypto and DeFi projects have stopped bridging their assets through LayerZero, including Ethena, EtherFi, WBTC, Tron, and Curve.
Another point of contention is the lack of disclosure of the specific attack vector that granted access to the infrastructure and led to manipulation of the DVN, which is managed by LayerZero itself.
Aave
Despite being the furthest from the actual theft, DeFi’s former number one protocol (now bumped from the top spot due to recent outflows) created the conditions for such widespread damage.
It accepted rsETH as collateral in e-mode, which captures value by enabling highly leveraged positions in $ETH-correlated liquid (re)staking tokens, one of Aave’s main applications.
The risk assessments for these setups focused on “market and liquidity risk,” with bridging setups considered “a structural feature of composability rather than a question of scope.”
Bridged rsETH had the same parameters as on mainnet, completely ignoring any cross-chain risk.
It seems likely that rsETH was specifically targeted for its deep liquidity, a feat achieved thanks to these decisions.
Aave seemed untouchable just a few months ago, but the recent turmoil, viewed alongside past hubris and contributors lashing out at competitors, paints a very different picture.
The silver lining of Arbitrum
Earlier today, Arbitrum’s security council rescued more than 30,000 $ETH ($71 million) of the hacker’s proceeds in the nick of time.
Soon after, money laundering on Ethereum began. On-chain analysts confirmed the DPRK’s involvement and discovered links to other TraderTraitor-related hacks, BtcTurk and Bybit.
While some DeFi decentralization fanatics may have a problem with this move, having the ability to seize illicit funds and not doing so would be the worst of both worlds, argued Michael Egorov of Curve Finance.
After all, such a step is not without precedent. In 2023, proceeds from the previous year’s Wormhole hack were recovered with the help of Oasis, and in 2024, Blast seized $97 million from a rogue developer.
Yearn’s banteg also hopes that Arbitrum will now have deterred future attempts by Lazarus.
Important questions remain about the possibilities for similar actions in the future, with an emphasis on the need for a court order or a certain threshold above which to intervene.
But more importantly, the question of how the seized funds should be redistributed also remains to be answered.

