DeFi's most dangerous moment: the real hole is not in the code

2026/05/26 03:07

Author: DarkoIOSG


On 1 April 2026 at 16:05:18 UTC, a transaction was submitted to Drift Protocol. One second later, a second one was approved. Twelve minutes later, $285 million was gone. Seventeen days after that, a compromised verifier on KelpDAO's bridge minted $292 million of tokens backed by nothing, triggering roughly $8.5 billion of outflows from Aave and about $4.5 billion from other DeFi protocols within 48 hours. Twelve days later, an attacker holding a stolen deployer key drained $4.5 million from Wasabi Protocol across four chains.

None of these incidents exploited a smart-contract vulnerability.

For half a decade DeFi has convinced itself that security is a code problem. Audits, formal verification, bug bounties: the whole industry organized itself around the premise that a protocol is safe as long as its smart contracts are logically sound. Math is law. April 2026 was the month that premise collapsed in public view. Some thirty incidents in a single month stole more than $625 million in total, the worst month in crypto history by number of incidents according to DefiLlama, and every major loss traced back to an admin private key, a cross-chain bridge verifier, an oracle blind spot or a social-engineering attack: the operational layer that audits were never designed to cover.

This piece is about that shift. We take apart the three serious hacks of April, three faces of the same underlying failure; show how one protocol's misconfigured cross-chain bridge triggered $13.2 billion of outflows from a protocol twenty-five times its size; and look squarely at what DeFi actually is today: open infrastructure running on trusted operational levers, whatever the marketing says. The problem is not in the math. The problem is the mental model surrounding the math.

The math is not wrong. What is wrong is a mental model built only on the math, and the cost of that mismatch is forcing the industry to re-examine what "decentralized" means.

I. The limits of the audit

For most of DeFi's history, the mainstream security culture has been built around Solidity. Audits review contract logic. Bug bounties pay for reentrancy, integer overflows and broken access checks. Formal verification proves invariants over on-chain code. The implicit assumption is that everything outside the contract, multisigs, deployer private keys, bridge verifiers, relayer infrastructure, team communication channels, is either out of scope or someone else's problem.

That assumption only works as long as attackers exploit Solidity bugs.

Several of April 2026's hacks share a structural feature that no audit report could have captured: there was no vulnerability in the smart contracts themselves. Drift's code was audited by Trail of Bits in 2022 and by ClawSecure in February 2026, and both audits passed, as independent on-chain researchers have confirmed. Neither audit covered Drift's multisig configuration, its durable-nonce handling, or the social-engineering attack surface of its Security Council. KelpDAO's LayerZero adapter was the standard OFT template code, and the contract itself had no problem; the error was in the deployment configuration, which is normally outside the scope of a Solidity audit. Wasabi's Vault contract was designed to be upgradeable; the design itself was the vulnerability.

It was not the math that broke in April. It was the operational base that runs it.

II. Three anatomies: three faces of the same failure

The three most serious hacks of April 2026, Drift, KelpDAO and Wasabi, represent three distinct "non-code failures". Together they cover most of the new attack surface and share the same structural feature: in each case, the compromise of one or two people or pieces of infrastructure had a domino effect on the whole protocol.

Drift: the human signer ($285 million)

The Drift hack was an intelligence operation, not an exploit. TRM Labs, Elliptic and Drift itself, with the assistance of SEAL 911, attributed the attackers to North Korea's Lazarus Group, specifically the UNC4736 sub-group, which Mandiant had previously linked to the Radiant Capital attack of October 2024. The attackers spent roughly six months planning the operation. The social engineering began at an industry conference in autumn 2025, and the on-chain preparation started three weeks before the incident.

On 11 March 2026 the operation began with 10 ETH withdrawn from Tornado Cash. The next day, at around 9 a.m. Pyongyang time, those funds were used to deploy the Carbon Vote Token (CVT) on Solana. The attackers created a small liquidity pool on Raydium to anchor CVT's market price near $1 in a thin market, then set up a price oracle under their control to feed that artificial price to Drift. There were enough trades to make the oracle's output look legitimate: any casual check would find the market price consistent with the oracle.

In parallel, the attackers, posing as a quantitative trading firm, spent several weeks building relationships with Drift contributors. The aim was not to extract information but to build trust in advance of a specific moment.

That moment hinged on a Solana feature called the durable nonce: a legitimate mechanism that lets a transaction be signed today and executed later. Between 23 and 30 March, at least two of Drift's five Security Council members signed durable-nonce transactions. From the signers' perspective they were approving routine transactions. From the network's perspective those signatures were valid authorizations, dormant but valid.

On 26 March Drift made what proved to be a catastrophic decision: it migrated to a brand-new 2-of-5 Security Council multisig with a timelock of zero. The migration removed the delay window in which the attack might have been detected or interrupted.

On 1 April at 16:05:18 UTC the attackers submitted the first pre-signed durable-nonce transaction: a proposal to transfer admin control to the address H7PiGqqUaanBovwKegEtreJmQe6dbq6VTrw6guy7ZgL. One second later, at 16:05:19 UTC, the second pre-signed transaction approved and executed it. The attackers owned Drift.

It took twelve minutes. The attackers listed the worthless CVT as collateral with a near-unlimited borrow cap, deposited 500 million CVT at the manipulated oracle price, then drained $285 million of real assets, JLP, USDC, SOL, cbBTC, wBTC and ETH, from the three core vaults. Drift's TVL collapsed from $550 million to about $250 million. Two signers, one protocol, and a smart contract that worked exactly as designed. The hole was in the humans.
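To make the mechanism concrete, here is an added Python simulation, written for this article and not Drift's or Solana's code, of how a durable-nonce transaction behaves against a k-of-n council. The council object, the HMAC-based signature that stands in for ed25519, the member names and the "transfer-admin" action string are all assumptions; the nonce rule is Solana's: a transaction signed against a nonce account stays valid until that account is advanced, with no blockhash expiry. It shows the three outcomes that matter for the Drift case: with a zero timelock the two dormant approvals execute the instant they are replayed; with a nonzero timelock a third member still has a window to cancel; and advancing the nonce accounts after an unexplained signing session invalidates the dormant transactions before they can be used.

```python
"""Durable-nonce replay against a k-of-n council (constructed example, not Drift's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class NonceAccount:
    """Durable nonce account. Its stored value replaces the recent blockhash in a
    transaction, so a transaction signed against it never expires on its own."""

    def __init__(self) -> None:
        self.value = os.urandom(32).hex()

    def advance(self) -> None:
        # The only thing that invalidates a signature made against the old value.
        self.value = hashlib.sha256(self.value.encode()).hexdigest()


@dataclass(frozen=True)
class PreSignedTx:
    signer: str
    action: str            # the effect the transaction really has
    nonce: NonceAccount    # one nonce account per outstanding transaction
    nonce_value: str       # nonce value captured at signing time
    sig: str


def _msg(signer: str, action: str, nonce_value: str) -> bytes:
    return f"{signer}|{action}|{nonce_value}".encode()


def presign(signer: str, key: bytes, action: str) -> PreSignedTx:
    """Signer authorizes `action` today; the transaction can be submitted any time later.
    HMAC-SHA256 stands in for ed25519 here (assumption for a self-contained example)."""
    nonce = NonceAccount()
    sig = hmac.new(key, _msg(signer, action, nonce.value), hashlib.sha256).hexdigest()
    return PreSignedTx(signer, action, nonce, nonce.value, sig)


@dataclass
class Council:
    keys: dict[str, bytes]     # member -> verification key
    threshold: int             # k of n
    timelock: int              # seconds between reaching threshold and execution
    approvals: dict[str, set[str]] = field(default_factory=dict)
    eta: dict[str, int] = field(default_factory=dict)
    cancelled: set[str] = field(default_factory=set)
    done: set[str] = field(default_factory=set)

    def submit(self, tx: PreSignedTx, now: int) -> str:
        """Replay a (possibly pre-signed) approval and report the resulting state."""
        if tx.signer not in self.keys:
            return "rejected:unknown-signer"
        if tx.nonce.value != tx.nonce_value:
            return "rejected:stale-nonce"        # nonce account was advanced since signing
        expected = hmac.new(self.keys[tx.signer], _msg(tx.signer, tx.action, tx.nonce_value),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx.sig):
            return "rejected:bad-signature"
        tx.nonce.advance()                        # executing a durable-nonce tx advances its nonce
        voters = self.approvals.setdefault(tx.action, set())
        voters.add(tx.signer)
        if len(voters) >= self.threshold and tx.action not in self.eta:
            self.eta[tx.action] = now + self.timelock
        return self.execute(tx.action, now)

    def cancel(self, action: str, member: str) -> None:
        # Any member can veto while the action is queued but not yet executed.
        if member in self.keys and action in self.eta and action not in self.done:
            self.cancelled.add(action)

    def execute(self, action: str, now: int) -> str:
        if action in self.done:
            return "executed"
        if action not in self.eta:
            return "pending:below-threshold"
        if action in self.cancelled:
            return "cancelled"
        if now < self.eta[action]:
            return "queued"
        self.done.add(action)
        return "executed"


def run_drift_scenario(timelock: int, rotate_nonces: bool = False) -> list[str]:
    """Two of five members pre-sign in March; the attacker replays on 1 April."""
    keys = {m: os.urandom(32) for m in ("alice", "bob", "carol", "dave", "erin")}
    council = Council(keys=keys, threshold=2, timelock=timelock)
    malicious = "transfer-admin"   # presented to the signers as a routine transaction
    dormant = [presign("alice", keys["alice"], malicious), presign("bob", keys["bob"], malicious)]
    if rotate_nonces:
        for tx in dormant:         # the signer, as nonce authority, advances the nonce account
            tx.nonce.advance()
    t_attack = 1_775_059_518       # 2026-04-01 16:05:18 UTC
    results = [council.submit(tx, t_attack + i) for i, tx in enumerate(dormant)]
    council.cancel(malicious, "carol")                 # a third member reacts a minute later
    results.append(council.execute(malicious, t_attack + 60))
    return results
```

With `timelock=0` the second replay returns "executed" one second after the first, exactly the shape of the 16:05:18 / 16:05:19 sequence; with any nonzero timelock the same replays leave the action "queued" and the cancel succeeds. The operational lesson is the third run: enumerating and advancing every nonce account a signer has ever authorized is the durable-nonce equivalent of revoking dormant approvals, and it is cheap to do after any unexplained signing session.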

One point about Drift's post-mortem response deserves mention, because it sets a standard the next round of victim protocols should meet: Drift's own disclosure was extremely frank.

Within five days of the breach, the team published a detailed reconstruction of the social-engineering attack, including the fact that contributors were contacted repeatedly over a six-month period; that two contributors may have been compromised through a cloned code repository and a TestFlight test build of a wallet; that the Telegram conversations with the attacker were deleted before and after the attack; and that the decision, six days before the incident, to migrate to a zero timelock removed the last detection window. The team also disclosed its attribution (UNC4736 / Citrine Sleet) with medium confidence, coordinated with SEAL 911, and shared operational details that would help other protocols recognize the same tradecraft. Victim protocols usually retreat into legal caution and vague language; Drift chose to publish an evidence-grade narrative that turned a single incident into industry-wide threat intelligence. The incident itself is still a hack, and the underlying governance gap is still a vulnerability. But the willingness to reveal how the social engineering worked is what separates protocols that contribute to collective industry learning from those that swallow their losses in silence.

KelpDAO: the single verifier ($292 million)

Seventeen days later, on 18 April, the same class of threat produced a structurally very different attack. KelpDAO is a liquid restaking protocol that issues rsETH, a token representing a user's deposit that earns additional yield through EigenLayer. By April 2026 rsETH's TVL exceeded $1 billion and the token was deployed on more than 20 chains through the LayerZero OFT (Omnichain Fungible Token) standard.

The contract was fine. The configuration was the problem.

KelpDAO's cross-chain bridge ran on a 1-of-1 DVN (Decentralized Verifier Network), that is, a single verifier. One node was enough to approve a cross-chain message. "Decentralized" was a word, not a structure.

The attack unfolded in stages. The attackers first compromised the internal RPC nodes the verifier relied on to read the source chain, then launched a coordinated DDoS against the external nodes, forcing the system to fall back to the poisoned infrastructure. With the data source in their hands, they forged a cross-chain message instructing KelpDAO's contract to mint rsETH against a burn that had never happened on any chain.

At 17:35 UTC the contract minted 116,500 rsETH, worth about $292 million or roughly 18 per cent of the token's circulating supply, to an address controlled by the attackers. Within minutes that rsETH was posted as collateral on Aave, where each token was valued at about $2,500. The attackers borrowed real WETH, USDC and WBTC against unbacked collateral and ultimately extracted more than 82,600 ETH (about $191 million) before KelpDAO paused the contract at 18:21 UTC.

Follow-up attempts at 18:26 and 18:28 UTC to extract a further 40,000 rsETH each were reverted. The pause stopped further losses, but not the original one.

There was no reentrancy bug, no missing access check, no oracle flaw in Kelp's own logic. The accounting invariant that defines a cross-chain bridge, that the assets minted on the destination chain must equal the assets burned on the source chain, was violated at the system level, not at the transaction level. One node, hundreds of millions of dollars in losses.
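The invariant above can be checked mechanically on the destination side. The following monitor is an added example written for this article, not KelpDAO's or LayerZero's code. It consumes simplified transfer records loosely modelled on an OFT's send and receive events (the field names, the endpoint ids and the sample log are constructed for illustration), pairs each destination credit with the source debit carrying the same message id, and flags credits with no debit, replayed deliveries, route mismatches and over-credits; the pause rule (credited supply exceeding debited supply by more than a configurable number of basis points) is likewise an assumption. A monitor like this cannot prevent a forged mint, since the verifier set has already accepted it, but it can trigger a pause before the unbacked tokens are leveraged elsewhere.

```python
"""Cross-chain supply-invariant monitor (constructed example, not KelpDAO's or LayerZero's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TransferEvent:
    """One half of a cross-chain transfer. Loosely modelled on OFT send/receive
    events; the field names are this example's own."""
    kind: str       # "sent": burned or locked on the source; "received": minted or unlocked on the destination
    guid: str       # message id that pairs the two halves of one transfer
    src_eid: int
    dst_eid: int
    amount: int     # smallest units


@dataclass
class SupplyMonitor:
    pause_threshold_bps: int = 100          # pause if credits exceed debits by more than 1% (assumed policy)
    pending: dict = field(default_factory=dict)   # guid -> sent event awaiting delivery
    consumed: set = field(default_factory=set)    # guids already delivered
    debited: int = 0
    credited: int = 0
    alerts: list = field(default_factory=list)

    def ingest(self, ev: TransferEvent):
        """Feed events in block order. Returns an alert string or None."""
        if ev.kind == "sent":
            self.pending[ev.guid] = ev
            self.debited += ev.amount
            return None
        sent = self.pending.pop(ev.guid, None)
        if ev.guid in self.consumed:
            alert = f"replay:{ev.guid}"
        elif sent is None:
            alert = f"unbacked-mint:{ev.guid}:{ev.amount}"   # no matching debit on any source chain
        elif (sent.src_eid, sent.dst_eid) != (ev.src_eid, ev.dst_eid):
            alert = f"route-mismatch:{ev.guid}"
        elif ev.amount > sent.amount:
            alert = f"over-credit:{ev.guid}:{ev.amount - sent.amount}"
        else:
            alert = None
        self.consumed.add(ev.guid)
        self.credited += ev.amount
        if alert:
            self.alerts.append(alert)
        return alert

    def unbacked(self) -> int:
        """Destination supply that no source-chain debit accounts for."""
        return max(0, self.credited - self.debited)

    def should_pause(self) -> bool:
        if self.debited == 0:
            return self.unbacked() > 0
        return self.unbacked() * 10_000 > self.debited * self.pause_threshold_bps


def demo():
    """Constructed log: one legitimate transfer, one replayed delivery, one forged mint."""
    ETH, ARB = 30101, 30110     # endpoint ids used here for Ethereum and Arbitrum (assumed)
    wei = 10**18
    log = [
        TransferEvent("sent", "0xaaa", ETH, ARB, 100 * wei),
        TransferEvent("received", "0xaaa", ETH, ARB, 100 * wei),        # legitimate
        TransferEvent("received", "0xaaa", ETH, ARB, 100 * wei),        # replayed delivery
        TransferEvent("received", "0xbad", ETH, ARB, 116_500 * wei),    # forged: never sent anywhere
    ]
    mon = SupplyMonitor()
    return mon, [mon.ingest(e) for e in log]
```

The design choice worth noting is that the monitor keys on the message id rather than on amounts alone: a forged message with a plausible amount still fails because no source chain ever emitted a debit under that id, and a replayed delivery fails even though its amount once was backed. Feeding the monitor from an independent RPC provider, not the one the verifier reads, is what gives it any value against the RPC-poisoning step of the Kelp attack.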

What followed was an open dispute over who was responsible. LayerZero's initial post-mortem put the blame squarely on Kelp, on the grounds that Kelp had chosen a 1-of-1 DVN against the guidelines. In a rebuttal memo dated 5 May, Kelp painted a different picture: 47 per cent of active LayerZero OApp contracts, about 1,250 applications with a combined market value of over $4.5 billion, ran on the same single-verifier configuration. Kelp claimed that LayerZero's own OFT Quickstart, GitHub example and developer templates shipped with the LayerZero Labs DVN as the sole required verifier and no second one, and produced Telegram screenshots in which LayerZero staff, over two and a half years and eight integration discussions, told the Kelp team that "the default is fine". Security researcher Sujith Somraaj (a former LayerZero auditor) had submitted a bug report to Immunefi describing precisely this attack pattern; LayerZero rejected it on the grounds that "verifier network choice belongs to the application layer".

LayerZero responded that Kelp's memo was misleading. Its bug bounty excludes "application-layer configuration", which is a standard platform/application boundary (a LayerZero spokesperson noted that otherwise "any application could set itself up as the only DVN and claim a bad-faith reward"); the protocol's default on almost all routes is in fact multiple DVNs; and the templates that appear to be 1-of-1 point their only DVN at a placeholder contract called "DeadDVN", which rejects all messages and forces developers to install their own security configuration before going live. As for Kelp specifically, LayerZero stated that Kelp initially deployed with multiple DVNs and later manually downgraded to 1-of-1, so this was not "a default". The platform-versus-application boundary is a genuine point of contention, and reasonable engineers will disagree over whether a platform that can be configured into a dangerous state is responsible, or the user who actually deployed that configuration is.

And then there is the second part of LayerZero's final response. On 8 May, three weeks after the first report, LayerZero reversed course and apologized: "We made a mistake in allowing our DVN to operate as a 1-of-1 DVN on high-value transactions. We did not constrain our own DVN for protective reasons." The protocol stopped supporting 1-of-1 in its DVN system, moved the default to 5-of-5, raised its recommendation from 3-of-5 to 7-of-10, and announced a new configuration-monitoring platform (Console). Whether the underlying configuration was Kelp's fault, LayerZero's fault or, most likely, a joint failure between a platform that could be deployed into a hazardous state and an integrator that actively downgraded, both sides' final responses converge on the same answer: 1-of-1 proved unsafe at scale, and the industry should not have needed $292 million to learn it.
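Whatever the division of blame, an integrator can test its own deployed configuration for the failure mode discussed above and for the "1-of-1 by default" pattern. The checker below is an added example written for this article, not LayerZero's tooling. It takes a dictionary shaped after the ULN config fields (required DVNs, optional DVNs, optional threshold, confirmations) together with a DVN-to-operator map, both constructed here, and reports the effective threshold and, more usefully, the minimum number of distinct operators an attacker would need to compromise to forge a message. The DeadDVN sentinel address, the operator labels and the confirmations floor of 15 are assumptions for illustration, not LayerZero constants; check them against the live configuration before relying on the output.

```python
"""DVN configuration checker (constructed example, not LayerZero's tooling)."""
from collections import Counter

# Placeholder "reject everything" DVN address. Assumed sentinel for this example only.
DEAD_DVN = "0xdead"

# Constructed DVN -> operator map. Real deployments need this filled from the DVN registry.
OPERATORS = {
    "0xLZ": "LayerZero Labs",
    "0xA1": "opA", "0xA2": "opA", "0xA3": "opA",   # three DVN contracts, one operator
    "0xB1": "opB", "0xC1": "opC", "0xD1": "opD", "0xE1": "opE",
}

MIN_CONFIRMATIONS = 15   # assumed floor; tune per source chain


def effective_threshold(cfg: dict) -> int:
    """Verifications a message needs: every required DVN plus threshold-of-optional."""
    return len(cfg["required_dvns"]) + cfg["optional_dvn_threshold"]


def min_operators_to_forge(cfg: dict, operators: dict) -> int:
    """Fewest distinct operators whose compromise lets an attacker verify a forged message.
    Greedy: all required-DVN operators, then the largest optional groups until the
    optional threshold is covered. Unknown DVNs count as their own operator."""
    compromised = {operators.get(d, d) for d in cfg["required_dvns"]}
    need = cfg["optional_dvn_threshold"]
    groups = Counter(operators.get(d, d) for d in cfg["optional_dvns"])
    covered = sum(n for op, n in groups.items() if op in compromised)
    for op, n in sorted(groups.items(), key=lambda kv: -kv[1]):
        if covered >= need:
            break
        if op in compromised:
            continue
        compromised.add(op)
        covered += n
    return len(compromised)


def audit(cfg: dict, operators: dict) -> dict:
    findings = []
    if cfg["optional_dvn_threshold"] > len(cfg["optional_dvns"]):
        findings.append("invalid: optional threshold exceeds optional DVN count")
    if DEAD_DVN in cfg["required_dvns"] + cfg["optional_dvns"]:
        findings.append("dead-dvn placeholder still configured")
    t = effective_threshold(cfg)
    if t == 0:
        findings.append("no verification required")
    elif t == 1:
        findings.append("1-of-1: a single compromised verifier forges messages")
    ops = min_operators_to_forge(cfg, operators)
    if t > 1 and ops < 2:
        findings.append(f"{t} DVNs but {ops} operator: no independence")
    if cfg["confirmations"] < MIN_CONFIRMATIONS:
        findings.append("low confirmations: reorg exposure")
    return {"effective_threshold": t, "min_operators_to_forge": ops,
            "ok": not findings, "findings": findings}


def sample_configs() -> dict:
    """Constructed configs: the single-verifier shape, an unconfigured template,
    a multi-DVN config with one operator behind it, and a genuinely diverse one."""
    return {
        "single_verifier": {"confirmations": 15, "required_dvns": ["0xLZ"],
                            "optional_dvns": [], "optional_dvn_threshold": 0},
        "template": {"confirmations": 15, "required_dvns": [DEAD_DVN],
                     "optional_dvns": [], "optional_dvn_threshold": 0},
        "fake_diversity": {"confirmations": 15, "required_dvns": [],
                           "optional_dvns": ["0xA1", "0xA2", "0xA3", "0xB1", "0xC1"],
                           "optional_dvn_threshold": 3},
        "diverse": {"confirmations": 15, "required_dvns": ["0xA1", "0xB1"],
                    "optional_dvns": ["0xC1", "0xD1", "0xE1"], "optional_dvn_threshold": 2},
    }
```

The "fake_diversity" case is the one a dashboard counting DVNs would miss: it shows 3-of-5, but three of the five contracts share an operator, so one compromise verifies the forged message. Counting operators rather than addresses is what makes the check meaningful, and it is the question to ask about a 5-of-5 or 7-of-10 default as well.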

Wasabi: the admin private key ($4.5 million)

On 30 April, Wasabi, an order of magnitude smaller than the other two, was also the most embarrassing. It was a "silent hack".

A single EOA, the address 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8, held ADMIN_ROLE on the perpetuals manager contract Wasabi had deployed on Ethereum, Base, Blast and Berachain. No multisig. The contract framework would have supported a timelock, but it was configured to zero.

How the attackers obtained the private key, phishing, device compromise or a supply-chain attack, Wasabi has not conclusively determined. With ADMIN_ROLE they granted the same role to a malicious helper contract, upgraded the Vault contracts through their UUPS proxies, and drained collateral and pool balances. Total losses across chains: about $4.55 million.

Wasabi was not hit by any new technique. This vulnerability has been warned about for years as a DeFi anti-pattern: excessive concentration of authority, no separation of duties, no delay window. It is the same hole DeFi has been falling into since 2020, writing post-mortems about, and never fixing in practice.

In the end they are the same hack. Whether privileged access is obtained by manipulating a signer, compromising a verifier node or stealing a deployer's private key, the attack surface is the same: a concentration of power outside the smart contract, inadequately protected. The pattern is also a warning: in every incident, one or two compromised entities set off a chain of dominoes that no amount of code hardening could have stopped.

III. The asymmetric domino

The KelpDAO incident matters more than its dollar amount because of what happened afterwards. It was DeFi's first real stress test of contagion from an operational failure. It is also one of the best examples to date of how absurdly asymmetric the math of contagion is.

Set the scale: rsETH's TVL on KelpDAO was about $1 billion at the time of the incident; Aave's AUM across all chains was over $25 billion. A protocol about 4 per cent of Aave's size, in a single incident, pulled $8.45 billion out of the Aave family within 48 hours, rising to $15.1 billion over three and a half days; total DeFi TVL fell by $13.41 billion in that same 48-hour window. The asymmetry is the real story. A small protocol with a misconfigured cross-chain bridge triggered a bank run on a far larger protocol that, by every one of its own contract invariants, was "operating by the rules".

When the attacker minted the unbacked rsETH and posted it to Aave, Aave's contracts behaved strictly as specified. Its oracle, in the short window during which the attackers borrowed, still read rsETH at close to 1:1. The lending pool released real WETH against collateral that, to every system on-chain, appeared "valid".

The market reaction was immediate. rsETH traded at a deep discount on DEXs within hours, reflecting a genuine uncertainty: was the remaining 82 per cent of supply fully backed or not? Aave V3 and V4 froze their rsETH markets; Fluid, Compound, Euler and Morpho followed within hours (SparkLend had delisted rsETH as early as January). rsETH holders on Arbitrum, Base, Mantle, Linea, Blast and Scroll could not be sure at that point that the tokens in their hands would redeem 1:1 back on Ethereum mainnet.

The subsequent outflows were not because Aave was hacked, but because depositors could not tell whether the collateral backing their loans was even solvent. Aave had accumulated a sizeable rsETH position in the weeks before the incident because users were leveraging restaking; the protocol earned fees and did not cap the exposure. So the contagion is not a purely "innocent bystander" story, Aave chose to take on the counterparty risk itself, but the trigger lay outside its own contracts and beyond what its own governance could detect.

Aave's response deserves a separate note, because it sets a benchmark against which other large lending protocols can be measured. Within hours of the incident, the protocol's emergency admin froze the rsETH markets on all affected V3 and V4 chains, set the LTV to zero and capped the losses. Within an hour, Aave's service providers published a detailed incident report on the governance forum that publicly modelled two different bad-debt scenarios, $123.7 million if Kelp socialized the loss across all rsETH holders and $231.1 million if the loss was isolated to the L2 deployments, with a chain-by-chain breakdown of which markets would bear the gap.

Aave founder Stani Kulechov personally committed 5,000 ETH to the recovery; the DeFi United alliance, led by Aave's service providers and bringing in Lido, EtherFi, LayerZero, Mantle and others, secured over $300 million in commitments to fill the rsETH gap. It is the largest cross-protocol rescue in the industry to date.

The criticism is narrower and should be kept separate from the response: Aave's posture drifted as the bad debt became clearer. The Umbrella reserve was initially promised to cover the gap; within days that softened to "exploring paths to fill the gap". The shift is small but telling: something that sounds like protocol-level insurance in the abstract becomes negotiable once the numbers are concrete. Aave handled the operational side well without changing the structural reality: depositors who put USDC into the protocol carry counterparty risk they may not know about at all, while the protocol's insurance mechanism is in the end less binding than its documentation implies.

That is the deeper structural problem. The single-pool design that gives Aave deep liquidity and a simple user experience also means that one bad collateral, once listed, has a protocol-wide blast radius. Even with diligent governance and well-written contracts, Aave remains downstream of a much smaller counterparty's security failure, and that downstream exposure was enough to put nine-figure depositor funds at risk and trigger market freezes across nine protocols.

Composability drove DeFi's growth, and it is also DeFi's contagion channel; April 2026 was the first time that bill came due at scale. The rule is plain enough: one protocol's failure becomes another protocol's bank run.

IV. The truth about OpenFi

We are circling a conversation the industry has been avoiding.

Call it OpenFi: financial infrastructure that is permissionless to access and composable, but whose operation at the key nodes, exactly where the decentralization argument says intermediaries should be removed, still depends on trusted third parties. By that definition, most of what is marketed today as DeFi is OpenFi. A security council with the power to transfer admin control. A cross-chain bridge with a 1-of-1 verifier. A deployer holding ADMIN_ROLE across chains. A governance token, like Nouns, concentrated enough that a patient minority can capture the treasury. Each is a "privileged seam" in a system described as seamless.

It is worth recalling what the original argument actually said. Szabo's trust-minimized computation, Buterin's credibly neutral infrastructure, the cypherpunk insistence that privacy and freedom require removing intermediaries rather than auditing them: none of this was about "transparency". Transparency is necessary and easy. The genuinely hard idea, the one that justifies all the friction of running a global state machine on tens of thousands of redundant nodes, is that no one in the system can be coerced, captured, bribed or compromised into changing the rules. A public ledger you can inspect but cannot influence is one thing; a public ledger whose admin private key sits in someone's hardware wallet is another. OpenFi kept the first half of the bargain and quietly dropped the second.

Different protocols rely on different kinds of trust with different failure modes, and it is useful to name them: custodial trust (someone holds the real asset for you and you trade a claim on it: cross-chain bridges, wrapped tokens); upgrade trust (someone can change the contract's behaviour after you deposit: proxies, security councils); oracle trust (someone supplies data the contract cannot produce itself: price feeds); liveness trust (the system works only as long as someone keeps operating it after you deposit: sequencers, relayers, keepers); and governance trust (token holders, or the small fraction of them that shows up to a contested vote). Most protocols rely on three or four of these at once. Most marketing copy collapses them all into the word "decentralized" and leaves the reader to guess the rest.

The bigger problem is that some of these assumptions are completely hidden. In its May apology, LayerZero admitted that three and a half years earlier one of its multisig signers had suffered a personal compromise of a production-environment hardware wallet. The failure was fixed internally and never disclosed to users; it eventually surfaced as part of a hardening announcement, packaged as routine consolidation rather than as a voluntary admission. Users of the system had no way of knowing this, and no way to price the risk that it had actually happened.

The industry has a euphemism for this gap: "training wheels". The pitch is that admin keys and security councils are transitional, present today and to be removed once the protocol is mature enough to walk on its own. In practice the training wheels almost never come off. They get renamed, repackaged, renewed or quietly transferred to a foundation. L2Beat's Stage 0 / Stage 1 / Stage 2 framework is the cleanest proof that the industry can, if it wants to, describe its real trust assumptions honestly. Almost no protocol uses L2Beat's language in its own marketing, which is itself evidence that the dishonesty is structural, not occasional.

This is an engineering reality, shaped at every level by the incentives builders actually face. If you want to ship fast, respond to a vulnerability without forking the protocol, support new collateral types and integrate with the rest of the ecosystem, you need levers. Contracts that are fully immutable with no privileged access are robust, but they are also brittle: any change needs a full migration, any bug becomes permanent, and any new feature requires users to opt into a fresh deployment. On top of the technical factors there is the reality that VC timelines do not allow for a three-year formal-verification cycle while first-mover protocols soak up the liquidity.

Composability amplifies the problem: an immutable protocol cannot adopt a new oracle, support a new chain or fix a discovered bug without forcing every user and integrator to migrate. The result is that, for any individual team, the rational choice is to keep the admin key and promise to remove it later; for any individual user, the rational choice is to accept that trade-off, because the alternative either does not exist or is illiquid. OpenFi is not a moral failure of individual builders. It is the Nash equilibrium of the field.

The honest statement is that DeFi has almost universally chosen partial decentralization for operational feasibility. That choice is defensible. What is dishonest is that protocols do not name the trade-off and keep marketing themselves as "decentralized" while their actual security model depends on a handful of signers, a single verifier, or a multisig that can be socially engineered.

The way forward looks more like disclosure than revolution: mandatory trust labelling along the lines of L2Beat's model; delays long enough for users to exit before a privileged action completes; an insurance market that prices "operational risk" rather than a fictional "pure code risk"; and a sober separation between the parts of a system that genuinely need to be upgradeable and the parts that are mutable only out of structural habit. April 2026 did not prove that OpenFi is unworkable. It proved that marketing OpenFi systems as DeFi leaves users unprepared for the failure modes those systems actually have. The first step toward making such systems safe is to admit honestly what we built.

V. Centralized two-sided coins

The core trade-off of OpenFi became visible in the Arbitrum freeze. After three days of exploitation of the KelpDAO loophole, Arbitrum's Security Council voted to freeze the attackers to 30,766 ETH - about $71 million - on Arbitrum One. The freezing, carried out in coordination with law enforcement authorities, is a good result by most criteria: stolen funds are prevented from being laundered, the attackers ' downstream passages are closed and some user losses may be recovered。

But please note what makes this freeze possible: Arbitrum has a Security Council that has the right to "transfer funds through the chain." This is not the nature of decentralised infrastructure. It's a centralised switch that exists by design -- It is justified on the grounds of an “emergency response” and is used in a way that critics have always feared — not necessarily bad, but with great consequences。

The same mechanism that allowed Arbitrum to act as a "good man" after Kelp is exactly the same mechanism that letd Drift be attacked -- – A small number of credible signatories have the power to carry out protocol-level operations, which is different only in terms of “how powerfully restrained this power”. On one occasion, this power was legally used to freeze stolen funds; on the other, it was hijacked by social engineering and used to draw deposits from dry users. Leverage, cut on both sides。

"Closing the switch" failed through at least five different channels — social engineering (Ronin, Drift), internal invasion (Multichain), sovereign coercion, legal coercion (Tornado Cash, USDC) and the management of hijacking (Beanstalk, Mango Markets). Each of them was a different attack, a different defense, and the phrase "Council failed" covered it all. It is a first step to start defending it by opening up concrete channels of failure。

This is DeFi's "centreized two-sided coin" and the most important thing about the state of the industry: Each one of the operational levers that can bring "good results" in an emergency situation is also a face of attack — it can bring bad results in another incident。

The deeper question is: in the case of Arbitrum, the word "good results" is too much. Legitimacy is socially constructed, and the same type of leverage has been pulled in circumstances where consensus is far from clean. The 2016 DAO split in Etheum is still a classic case: half the community insisted that the $60 million loophole was the most obvious and legitimate usage of social consensus; the other half insisted that it was a fatal betrayal of the "code is the law" and that it was broken out to allow the original chain to continue in the form of the Etheum Classic。

Circe and Tether often freeze USDC and USDT addresses, sometimes in response to OFAC sanctions, sometimes on suspicion, and the affected users have no recourse - - The freeze is packaged as compliance, but essentially discretionary. Arbitrum's freeze worked. DAO fork, in a sense it worked. The USDC freeze works every day. The question of honesty is not whether "closing the switch will produce good results" but "who will decide what good results" – and what the users of the agreement have been told about this process。

No version of the trade-off can be "only one." Either you turn off the switch, or you have something that can be captured, manipulated, socialized; or you don't, you have to accept that something will be permanent and irreversible。

Nor are these leverages interchangeable. A combination of Arbitrum’s Security Council can quickly move funds at a low threshold through an emergency process – “speed + range” – to make the freeze possible, but the same combination also makes the failure pattern of Council’s own invasion catastrophic。

The leverage of THORchain is narrower: it can be suspended and recapitalized through RUNE, but has no right to seize or redirect user assets. Emergency managers in Aave can freeze markets and adjust risk parameters, but cannot transfer user balances. The emergency closure of MakerDAO was a one-way export, not a confiscation tool. Different forms, different trade-offs, but all the abbreviations are called "Close Switches." An agreement that is willing to be honest with its own trust model does not owe the user scope, but a specific form。

The industry also tends to avoid the other distinction between “leveraging in extreme circumstances” and “leveraging in the conventional rhythm”。

Bitcoin and Etheum in principle all have a sufficient degree of synergy between the switch closure — nodes, miners, certifyers and exchanges — and will be able to split any chain tomorrow. The two chains are still considered credible to minimize trust because the leverage has almost never been pulled, and the cost of each is a permanent community split. The DAO split for the past 10 years and remains the most controversial event in the history of Etherum. Bitcoin has never experienced anything like this. The existence of leverage, but the credible commitment to "activity" in conventional matters, is a long history of restraint that gives the bottom system a degree of trust that cannot be given by design features alone。

Retrospect Arbitrum's Security Council, it runs on the conventional rhythm. It regularly vote for an upgrade. Kelp carried out urgent actions prior to the freeze and more thereafter. It is not a reserve of dormant capacity, but an active governing body. OpenFi criticism applies to “active leverage” much more than to “hypnotic leverage”, because the restraint of the hibernation lever is itself a signal – the trust that operators with very high thresholds have won, and the leverage itself cannot be awarded. Active leverage doesn't have that signal. They can only be assessed by their own controls, which have repeatedly proved inadequate。

THORChain took the "no lever" route after its 2021 exploits and was criticized for not intervening. Arbitrum took the "kill switch" route and was praised. Both choices are defensible. Neither is free. The industry must stop pretending it can have both, and must tell users honestly which trade-off each specific protocol actually makes.

The last twist: over time this trade-off only moves in one direction. Once a protocol can freeze, regulators and courts increasingly decide that it must. USDC's freeze capability began as an emergency compliance tool and has become a mandatory response to OFAC designations and an expanding list of state-level enforcement requests. The decision to "ship a kill switch" is also a decision to "accept a list of compelled uses that will keep growing over the protocol's lifetime," many of them at odds with what the protocol itself would choose to support. THORChain's "no lever" stance is therefore not only an engineering choice but a regulatory posture: by removing the possibility of compliance it pre-empts the obligation to comply. Whether that posture can survive sustained enforcement pressure is an open question, but the asymmetry is real: a protocol with a lever can be compelled to pull it; a protocol without one cannot.

For institutions looking in from the outside, this honesty matters far more than marketing. An operational kill switch with clear disclosure, documented governance, key management and incident response is something a fund's risk team or an insurer can underwrite. A 2-of-5 multisig with zero timelock that calls itself trust-minimized is not. The former is a legitimate engineering choice; the latter is a risk no one can price.

Six: what happens next

The industry's habit, every cycle, is to forget. Every four-year cycle rebuilds the institutions DeFi was meant to replace, gets burned, briefly remembers why the principle existed, and then forgets again. What happened in April was not unprecedented. It is the predictable end state of an industry that trades principle for convenience without naming the trade.

Three decisions are now in front of the industry, and none of them can be postponed again.

Centralization. Every protocol must openly choose which operational levers it holds and explain that choice to its users. The honest version of DeFi is not the one that sells itself as "decentralized" while running on a 2-of-5 multisig with zero timelock; it is the one that publishes its multisig composition, threshold, timelock and the conditions under which each lever may be pulled. Naming the trade-off is the only way to make it evaluable.
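As an added example (not code from the article or from any protocol named in it), this is the check an allocator's risk desk can run against a protocol's published admin configuration: build the read-only eth_call requests, decode the ABI-encoded replies, and grade signer count, threshold and timelock against a written policy. It assumes a Safe-style multisig exposing getOwners() and getThreshold() and an OpenZeppelin-style TimelockController exposing getMinDelay(); the addresses, the sample RPC replies and the policy cut-offs (a majority threshold, a 24-hour minimum delay) are assumptions constructed for the example.

```python
# Added example: verify a protocol's disclosed admin configuration on chain.
# Assumptions (not from the article): the admin is a Safe-style multisig with
# getOwners()/getThreshold(), upgrades route through an OpenZeppelin-style
# TimelockController with getMinDelay(), and the policy cut-offs below are
# illustrative. The RPC replies are constructed so the example runs offline.
import json

# Precomputed keccak-256 4-byte selectors of the three view functions.
SEL_GET_OWNERS = "0xa0e67e2b"     # getOwners()
SEL_GET_THRESHOLD = "0xe75235b8"  # getThreshold()
SEL_GET_MIN_DELAY = "0xf27a0c92"  # getMinDelay()

POLICY_MIN_DELAY_SECONDS = 24 * 3600  # illustrative policy value


def eth_call_request(to, selector, req_id):
    """JSON-RPC body for a read-only eth_call against the latest block."""
    return json.dumps({
        "jsonrpc": "2.0", "id": req_id, "method": "eth_call",
        "params": [{"to": to, "data": selector}, "latest"],
    })


def _words(hexdata):
    """Split an ABI-encoded hex reply into 32-byte words."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) % 32:
        raise ValueError("ABI payload is not a whole number of 32-byte words")
    return [raw[i:i + 32] for i in range(0, len(raw), 32)]


def decode_uint256(hexdata):
    """Decode a single static uint256 return value."""
    w = _words(hexdata)
    if len(w) != 1:
        raise ValueError("expected exactly one 32-byte word")
    return int.from_bytes(w[0], "big")


def decode_address_array(hexdata):
    """Decode a dynamic address[] return: head offset, length, padded addresses."""
    w = _words(hexdata)
    if int.from_bytes(w[0], "big") != 32:
        raise ValueError("unexpected head offset for a single dynamic return")
    length = int.from_bytes(w[1], "big")
    if len(w) != 2 + length:
        raise ValueError("address[] length does not match payload size")
    out = []
    for word in w[2:]:
        if any(word[:12]):  # an address must be left-padded with zero bytes
            raise ValueError("non-zero padding in address word")
        out.append("0x" + word[12:].hex())
    return out


def assess_admin(owners, threshold, min_delay_seconds):
    """Grade the configuration the way a risk desk would read the disclosure."""
    findings = []
    if threshold < 2:
        findings.append("single signer can act alone")
    if owners and threshold <= len(owners) // 2:
        findings.append("threshold is at or below half of the signer set")
    if min_delay_seconds == 0:
        findings.append("zero timelock: an upgrade executes the moment it is signed")
    elif min_delay_seconds < POLICY_MIN_DELAY_SECONDS:
        findings.append("timelock shorter than policy minimum gives users little time to exit")
    if len({o.lower() for o in owners}) != len(owners):
        findings.append("duplicate signer address")
    return {
        "signers": len(owners),
        "threshold": threshold,
        "min_delay_seconds": min_delay_seconds,
        "findings": findings,
        "disclosable": not findings,
    }


def verify_disclosure(owners_reply, threshold_reply, delay_reply):
    """Decode the three raw replies and grade them in one step."""
    return assess_admin(decode_address_array(owners_reply),
                        decode_uint256(threshold_reply),
                        decode_uint256(delay_reply))


# Constructed replies a node would return for a 2-of-5 Safe behind a 0-second timelock.
SAMPLE_OWNERS = ["0x" + f"{i:040x}" for i in range(1, 6)]
SAMPLE_OWNERS_REPLY = ("0x" + (32).to_bytes(32, "big").hex()
                       + (5).to_bytes(32, "big").hex()
                       + "".join(bytes(12).hex() + o[2:] for o in SAMPLE_OWNERS))
SAMPLE_THRESHOLD_REPLY = "0x" + (2).to_bytes(32, "big").hex()
SAMPLE_DELAY_REPLY = "0x" + (0).to_bytes(32, "big").hex()

if __name__ == "__main__":
    print(eth_call_request("0x" + "ab" * 20, SEL_GET_THRESHOLD, 1))  # placeholder address
    print(verify_disclosure(SAMPLE_OWNERS_REPLY, SAMPLE_THRESHOLD_REPLY, SAMPLE_DELAY_REPLY))
```

Against a live node you would post the three request bodies to the RPC endpoint and feed the `result` fields into `verify_disclosure`; the point of the decoder being hand-written is that the check depends on nothing but the node's answer, not on a protocol's own front end or documentation.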

Clarity. Audits are not the boundary. Operational security, meaning keys, signers, cross-chain bridges, configuration and incident response, must be treated as a first-class discipline as important as Solidity review. Most teams still treat it as logistics. That attitude stops working the moment treasury allocators start asking the questions they are now asking.

Capital allocation. The capital that will decide the next cycle sits with pension funds, sovereign allocators, corporate treasuries and insurance balance sheets, and they are watching. They do not need pure trust minimization. They need operational risk that can be underwritten. Protocols that look more like critical infrastructure than like experiments will absorb that flow. The rest will keep the retail capital they have always had and watch the institutional wave pass them by.

April 2026 was not a security crisis. It was the moment the industry's mental model broke in public, and the moment the protocols that will survive began to separate from those that will not.

References

Drift Protocol exploit (1 April 2026):

  • Chainalysis, "The Drift Protocol Hack: How Privileged Access Led to a $285 Million Loss." https://www.chainalysis.com/blog/lessons-fom-the-drift-hack/

  • Elliptic, "Drift Protocol exploited for $286 million in suspected DPRK-linked attack." https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-subspected-dprk-link-intack

  • TRM Labs, "North Korean Hackers Attack Drift Protocol in USD 285 Million Heist." https://www.trmlabs.com/resources/blog/north-korean-jacks-attack-drift-protocol-in- 285-million-heist

  • CoinDesk, "Drift outlines a recovery plan for users after $295 million DPRK-linked exploit." https://www.coinsk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-user-after-usd295-dplk-link-extloit

KelpDAO cross-chain bridge exploit (18 April 2026):

  • Chainalysis, "Inside the KelpDAO Bridge Exploit." https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/

  • CoinDesk, "Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains." https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-expluit-kelp-dao-hit-for-usd292-million-with-wrapped-other-stranded-across-20-chains

  • CoinDesk, "Aave could face up to $230M in losses after Kelp DAO bridge exploit triggers DeFi chaos." https://www.coindesk.com/tech/2026/04/20/aaave-could-face-up-to-usd230-in-loses-after-dao-bridge-exploit-triggers-defi-chaos

  • DeFi Prime, "The KelpDAO rsETH Exploit: $292M contributed a 1-of-1 Bridge."

Wasabi Protocol exploit (30 April 2026):

  • Halborn, "Explained: The Wasabi Protocol Hack (April 2026)." https://www.halborn.com/blog/post/explained-the-wasabi-protocol-have-april-2026

  • CoinDesk, "Crypto hacks continue as Wasabi Protocol drained of $4.5 million in admin key compromise." https://www.coindesk.com/tech/2026/04/30/wasabi-protocol-drained-for-usd4-5-million-in-append-admin-key-compromise

Broader industry coverage of April 2026:

  • Forbes, "DeFi's Worst Month Shows Risk Has Moved Beyond Smart Contracts." https://www.forbes.com/sites/digital-assets/2026/04/30/defis-world-month-shows-risk-has-moved-beyond-smart-contracts/

  • DL News, "Crypto industry reels as April sees the highest number of hacks ever." https://www.drews.com/articles/defi/crypto-industry-reels-after-highest-number-of-hacks-ever/

  • DL News, "Investors pull $15bn from DeFi as latest hack pierces security approaches." https://www.dnews.com/articles/defi/investors-pull-money-felfer-kelpdao-hack/

  • FinanceFeeds, "DeFi Contagion Risk in 2026: Inside the Kelp DAO-Aave Crisis." https://financefeeds.com/defi-contagion-risk-in-2026-inside-the-kelp-dao-aaave-crisis/
