Kelp DAO Hack

Hi, this is Charles Hoskinson broadcasting live from rough and rugged Wyoming. I'm up here at my clinic doing all kinds of crazy stuff, and I'm having a lot of fun. However, something happened a few days ago, and I was waiting for enough news to aggregate enough RCA's to form so I could actually comment on it. It's a major event, and a lot of people ask about these things. As many of there was a very large hack in the Ethereum ecosystem involving restaked Ether, and it happened with KiltDAO.

I want to try something a little new and different. Typically, when a hack occurs in the cryptocurrency space, I get an incident report that contains a lot of intel and various other things. We discuss it at the executive level when we have time and ask ourselves, "What does this mean for us? Do we have to change strategy? Is this a new attack vector?

" What I decided to do is take some of that content and use AI to build a website. We're going to follow along and talk about what occurred, and I'll show you the website that I created. You ready? Okay. Here is the website on KiltDAO, cloud-generated.

How about that? Basically, $292 million was stolen on April 18th, roughly $116,500 restaked Ether from KiltDAO's Ethereum escrow. There are three RCA's that came out, and none of them tend to agree with each other. The protocol-level TVL is somewhere between $1.5 billion to $2 billion, and $292,000 was stolen.

That's a pretty big exploit. On Saturday, April 18th, an attacker exploited KiltDAO's cross-chain bridge to restake tokens, and about $116,000 was taken from a holding contract. It's the largest DeFi exploit of the year. I showed some background concepts here, and staking and restaking. If you're in Cardano land, you just click delegate, but that's not how it works in Ethereum.

In Ethereum, your funds are locked, and you can't do anything with them. People don't like not having liquidity, so they created a new protocol called Lido. Lido allows you to take your locked Ether and turn it into liquid Ether, which they call STETH. You don't have to do that in Cardano land because we're liquid non-custodial, but in Ethereum land, you have to do that. Ethereum people are degens, and they want to increase the amount of yield they get.

They're not happy with staking rewards, so they say, "What you need to do is restake." Shareem and his friends working with us created a paper called Minotaur, and later on, he turned that into something called Eigenlayer, which created a restaking protocol. This allows you to redeploy and make more yield above and beyond what you make with your staked Ether from Lido. KiltDAO is a restaking protocol. Basically, people took their Ether, staked it, created liquid Ether through Lido, and then used Kilt to create restaked Ether.

A lot of steps here. Every time you do this, you create some form of risk because every time you have a wrapper on that layer underneath, it controls its own contracts and infrastructure. Any flaw in this can break the transitivity, and you no longer have that one-to-one backing. When you move down to cross-chain bridges, if you're going to move a token from Ethereum to Arbitrum or some other place, you generally need to have some form of bridge to facilitate that, and it's usually a three-phase process. You have the original token in an escrow contract on the source chain, and then it sends it to a destination chain.

Once it's locked, you mint on the destination chain. To reverse it, you need to burn the wrapped token, and then it releases it on the origin chain. The hard problem is how does the destination chain know that the source chain event actually happened? How do we know that if you burn it on Arbitrum, it actually happened and that was a real burn transaction? You need some form of verification step.

That's basically what these big bridge providers do. It's a game of numbers, trust, scale, and standards for all this stuff. Almost all the bridge hacks occur when they mess up this verification step, which is the nine to ten figure issue. Layer Zero is a cross-chain messaging protocol, and they have this thing called OFT, the Omnichain Fungible Token. It's a standard for a single token that natively exists across many networks.

If you have Cardano or Solana and you're sending it to multiple networks, you have to maintain a conservation of supply. There should only ever be 45 billion ADA or 21 million Bitcoin; you can't print them out of thin air. When Layer Zero sends a message to a destination chain, a set of verifiers called DVMs confirm that the message is authentic. This is one of the reasons Layer Zero is investing in Jolt; they want to bring it to the network because they don't want to just send a message over. They want to send proofs over too.

This is going to be a capability that Midnight has because of Nightscreen. We can use a folding system to roll up an entire chain. When people send messages, they can verify that what they're seeing is correct. Typically, you have a trust threshold of multiple DVMs, and you take the best out of a collection of two of three or three of five. Independent DVMs sign off, and they have separate configurations and logic.

The problem with Kilt is they only had a one-of-one configuration, so only one DVM was activated. They used the default network. There's one other piece of this puzzle. There are lending protocols like Aave, Compound, and Euler. As a user, you deposit your token as collateral and borrow a different token against it.

This is Bitcoin DeFi at its core. People don't want to sell their Bitcoin, so they deposit their Bitcoin and get a stable coin for it. If you have this Kilt restaked Ether, you could deposit it in something like Aave, Compound, or Euler and get another token from it. That token serves as collateral against the borrowed token. If an attacker deposits freshly released stolen tokens and borrows something liquid against it, like wrapped Ether, the attacker can walk away with the borrowed assets.

You have an unbacked asset sitting in the lending protocol. Those are kind of the four things here. Ether is not like Bitcoin or Cardano; it's not liquid. When you lock it, it gets locked. That's Vitalik's design.

It's not necessary, but he decided to do it. You have Lido, and then people take their Lido and say, "I want more money," so they have a restaking protocol, and that's where Kilt comes into play. You have the concept of cross-chain bridges, and Layer Zero is involved in it. You can move it from one system to another, and they have this OFT idea where a message goes through. But the independent networks have to maintain DVMs to confirm things, and those networks have to decide how many DVMs they have.

Best practice would be something like three or five, but a lot of people are apparently doing one of one. So here's what happened. This was a cross-chain message forgery. The attacker tricked the destination chain logic into accepting a message that was never legitimately produced on the source chain. They had a source chain and a destination chain, created a fake message, and sent it across.

It was never produced there. They didn't find a bug in the contract math or accounting; this was not a smart contract issue with Kilt or Layer Zero. This was a cross-chain message forgery. No joint root cause analysis has been published. Instead, there have been three parallel unilateral postmortems: Layer Zero's statement, KiltDAO's rebuttal, and a LamaRisk AaveLab's bad debt model on the Aave Governance Forum.

The accounts disagree on the responsibility and exposure. CredShields noted that the break could still sit in the messaging layer, the verifier configuration, Kilt's acceptance logic, or the seams between them. In other words, nobody really knows or agrees exactly what happened and how this cross-chain message forgery occurred. I created a diagram down here. It started with a TornadoCache attack path, then went to the attacker wallet.

You had an obfuscated origin from where the initial Ether came from. The attacker wallet was there to send the message, crafted a forged message, and that went into the RPC poisoning and DDoS fallover into that DVM. For some reason, it got accepted, and it said, "Oh, this is a legitimate 116,000 restaked Ether that needs to be released." They took the majority of it, put it in lending, got another coin for it, and left the broken collateral inside the borrowing markets. The public technical analysis report states that the attacker submitted a spoofed inbound Layer Zero message that reached the endpoint V2 contract, Kilt's restaked OFT adapter, which then released 116,500 restaked Ether from the escrow on Ethereum.

The spoof packet claimed Unichain endpoint ID 30320 as the source. Through the underlying DVM compromise, the attacker could have spoofed any source the adapter trusted. Now, regarding responsibilities, the responsibility for the one-of-one DVM configuration is contested. Both parties have published preliminary postmortems, but neither has conceded. Layer Zero's statement on April 20 announced that they will no longer sign or attest messages for any application using a one-of-one DVM configuration.

That's probably a good idea, forcing a protocol-wide migration to multi-verifier architectures. Kilt sources say the same configuration is currently used by roughly 40% of all Layer Zero's OOPS. An independent review by a URIN core developer confirms Layer Zero's public V2 OOPS quick stop shifts with a single source verification default across Ethereum, BSV, Polygon, Arbitrum, and Optimism. Evidence tilts towards the technical dispute towards Kilt's framing, though neither party has released specific route and communications either side references. Here's the timeline: the attack starts, is drained, and the outflows were flagged publicly.

It was about 46 minutes from when it was drained to when they executed an emergency pause. They tried some reverts, but unfortunately, it was already put into the lending markets. This is the contagion problem, showing how interconnected DeFi actually is. The attacker did not dump the restaked ETH directly on decentralized exchanges, which would have crashed the pricing cap. Instead, the stolen tokens were posted as collateral in lending markets before freezes could take effect.

LamaRisk Aave Labs published a joint incident report on April 20, now the authoritative exposure data superseding earlier headline estimates. Aave confirms 83,471 F equivalent were put in, amounting to about $190 million across seven attacker wallets on Ethereum Core and Arbitrum. The attacker's positions resulted in 89,567 restaked ETH as collateral across seven wallets. LamaRisk model two resolution pass: Scenario one socializes a 15.12% haircut across all restaked ETH holders, producing $123 million of bad debt, largely absorbed by Ethereum Core's reserve.

Scenario two isolates losses of the layer two, repricing those tokens to 26.46% backing and generating about $230 million of bad debt concentrated in Mantle, Arbitrum, Base Inc., with Ethereum Core left untouched. The Aave DAO treasury stands at $181 million, and the wrapped ETH umbrella module holds about 23,000 wrapped ETH as slashable coverage. LamaRisk recommended an immediate umbrella pause as a precaution.

ACI Mark Zeller estimates a 5% to 8% haircut. In other words, just catastrophe. The contagion actually spreads beyond that. Sievers classified at least nine DeFi protocols as directly affected. Beyond Aave, Sparklin, Fluid, Compound, Euler, and Upshift, the list includes Morpho, Limited Exposure, Lido, Earneth, Athena, Pendle, Yearn, Beefy, and Lombard Finance.

The broader liquidity shock was larger than the direct theft. DeFi TVL fell over $13 billion over a 48-hour period per DeFi Lama. Aave alone lost between $6.6 billion to $8.45 billion with wrapped ETH pools on Core, Arbitrum, Base, Mantle, Lenia, and Plasma.

Justin Sun, because he never goes away, pulled 65,000 ETH from Aave and publicly asked the attacker to negotiate restaked. Restaked ETH's 24-hour range from April 18 to 19 was roughly between 1,600 to 2,500 against a pre-attack mark of nearly 2,500, with an intraday DPEG of roughly 35%. So who did it? It looks it's Lazarus, a state-sponsored hacking collective connected to North Korea. There's a lot of evidence here suggesting Lazarus connections, although unfortunately, it's uncooperative.

We have not been able to definitively prove that it's Lazarus, and no independent forensics firms have issued their own attribution. TRM Labs spoke about a sustained state-driven campaign, but nobody's talking right now. We haven't seen anything from Chainalysis, Elliptic, Slow Mesh, or the usual suspects, nor have we heard anything from the FBI or other agencies. What do we gain from this? Key lessons: It's not a good idea to trust a bridge unilaterally.

The failure was in the verification logic, not the application logic or Kilt's restaking. Kilt did everything right from their contracts; they're audited and working well. The standard DeFi threat model assumes smart contract bugs are the dominant risk, but that's not true anymore. Bridges can be very problematic. A one-of-one verifier is not good; don't do that.

If they steal the money, DeFi lending is the exit condition. You can deposit, lend, and when you get those tokens, you're getting tokens unconnected to the theft, and the collateral is poisoned effectively. Kilt responded about 46 minutes after the attack, which, to be honest, is not that bad. It's not the attackers just let "Hey, these things are happening." They noticed it and responded, but it tells you that your incident response is incredibly vital in these types of protocols.

It's a lot of fun to read about these things and see where they go and how they work, but it shows you why we built Midnight. When you have these Tornado Cash things, they are cesspits of Lazarus and other actors. You probably need a different kind of private DEX where that doesn't happen. If you have something that makes it easy to use trusted execution environments and multi-party computation, it means it's very easy to turnkey two of three, three of five, or seven of nine DVMs. When Layer Zero eventually comes over to Midnight, that can be done, and it's going to be more secure than ever before.

The zero-knowledge engine, this idea that instead of just a transaction or a message, you accrue a proof with that—a folded proof that's constant time verification and small—is a huge deal because it prevents any of these poison messages from working their way through. Network anonymization also helps because it makes it much harder to DDoS they did with this particular attack. Bridges combined with restaking and lending created this situation, along with poor design choices with Ethereum's staking model with Lido. They may be geniuses, but they know everything, and we know nothing. Liquid non-custodial staking doesn't exist—just talk to Justin; he doesn't believe it.

I get these reports, and they're boring and all written up. It's fun to see them in a website format where you can follow along the story and see visuals. Maybe one of these days I'll start publishing them on my personal site. But I wanted to share this with you guys. Hacks are a part of life, and they're going to get much worse for everyone, including Cardano because of Mythic.

When you see these frontier models, people can use them to scan every intricacy of your cryptocurrency and find any flaw anywhere. Oftentimes, flaws are not because of bad code; they're due to a collection of things that, when individually used, are correct. Emergently, they're not correct. Testing, security audits, and information security have gotten good enough that people are pretty good at detecting flaws or issues. Where the issue occurs is the emergence of things—third-party dependencies, multiple things working together.

You notice that when you chain a collection of things together, it creates an unexpected emergent bug that you'd never seen before. That can be exploited to shut down the system, gain privileges, or steal money. AI is exceedingly good at detecting that because it can put the whole thing in memory and look at the entire code base. Humans can't; we look at one part and another part. There are some mitigations: formal methods, good architecture, and good design.

Clean, clear interfaces following best practices, understanding how emergent behavior works, and modeling things as complex adaptive systems are crucial. It's an emerging field of testing complex adaptive systems and software architecture. You typically use model checking and temporal logics in these types of things, and ultimately, constant vigilance and multi-redundancies inside the system are necessary. The big three are the use of zero-knowledge proofs, multi-party computation, and trusted execution environments. When we look at Midnight, this is the design space that it lives in.

We knew we needed to have safe DeFi, and DeFi always has this: multiple chains, multiple protocols, lots of collateral moving around, many representations of the same asset, lots of bridges, and different trust models. You need some sort of regulating layer to sort all those things out, and it needs to be bespoke built to have these capabilities. When you look at Nightscreen, it rolls up and folds up the whole chain. It's a folding protocol, and you get beautiful proofs in real time about anything you care about—the state of any system. Show me the real-time state of Bitcoin.

Show me the real-time state of Ethereum. When you send the message, you send it with the proof. Knowing where to attack gives you the ability to DDoS or Eclipse. When you have a privacy-preserving system, you don't know where to attack, so you can't do these DDoS attacks or poison RPCs. MPC and TEE mean the hardware does exactly what it's supposed to do.

Even if you compromise one unit, multi-party computation means you compromise all but one slot. It's a good trust model when you think about it. This is why we thought a lot about these different things. Determinism helps a lot. Liquid non-custodial staking helps a lot.

Getting a DeFi kernel is also going to help tremendously, both on the Midnight and Cardano side. When we look at Pogon and all this other stuff, in some cases, it's fortuitous. Cardano doesn't tend to be hit by these things because we have a small DeFi marketplace, but these types of attacks are harder to conduct in these systems.