On April 18, a cross-chain message spoofing attack led to the withdrawal of 116,500 re-staked ETH from KelpDAO, triggering what Cardano founder Charles Hoskinson described as the largest DeFi attack of the year, along with a domino effect that, within 48 hours, caused billions in total value locked to be withdrawn from the broader ecosystem.

Charles Hoskinson, founder of Cardano and co-founder of Ethereum, analyzed the attack in a video published from Wyoming, guiding viewers through a custom AI-generated incident reporting website.

“The standard threat model of DeFi assumes that smart contract bugs are the dominant risk,” said Charles Hoskinson. “That is no longer true.” He added:

“Bridges can be very problematic. A one-to-one verifier is not good. Don’t do it. And then the problem is that, if the money is stolen, DeFi lending becomes the exit route. So basically, you can deposit, you can lend, and when you receive those tokens, you’re getting tokens that are not linked to the theft, and the collateral becomes effectively tainted.”

The attacker sent a forged LayerZero message that reached the v2 endpoint contract connected to Kelp’s restaking adapter, which then released tokens from an escrow on Ethereum. The forged packet indicated the origin as endpoint ID 30320 of Uni-Chain. Kelp’s cross-chain configuration relied on a single decentralized verifier network, a “one-to-one” setup that provided the attacker with a single point of vulnerability.

The stolen tokens were not sold directly on decentralized exchanges (DEXs), which would have caused the price to collapse. Instead, the attacker deposited the re-staked ETH as collateral in lending markets such as Aave before Kelp or its partners could freeze the positions, borrowing liquid wrapped ether in return and walking away with assets unrelated to the original theft. The tainted collateral remained within lending markets.

The joint incident report from Llamarisk, published on April 20, confirmed 83,471 ETH distributed across seven attacker wallets on Ethereum Core and Arbitrum. The report outlined two resolution scenarios. The first distributes a 15.12% haircut across all re-staked ETH holders, generating approximately $123 million in bad debt absorbed by Ethereum Core reserves. The second isolates losses at the layer-two (L2) level, repricing tokens to 26.46% backing and generating around $230 million in bad debt concentrated in Mantle, Arbitrum, and Base, without affecting Ethereum Core.

Aave alone recorded between $6.6 billion and $8.45 billion in outflows. Wrapped ETH pools on Arbitrum, Base, Mantle, Linea, and Plasma reached near 100% utilization, effectively locking withdrawals. At least nine DeFi protocols were classified as directly affected, including Compound, Morpho, Lido, Ethena, Pendle, Euler, Beefy, and Lombard Finance.

KelpDAO, LayerZero, and Llamarisk have published three independent post-mortems. None agree on who is responsible. LayerZero announced on April 20 that it would no longer sign or verify messages for any application running a single-verifier DVN configuration, pushing for a protocol-level migration toward multi-verifier setups. Kelp maintains that LayerZero’s default configuration included single-source verification on Ethereum, BNB Chain, Polygon, Arbitrum, and Optimism, and that an estimated 40% to 50% of all LayerZero OFT applications currently use the same “one-to-one” configuration.

On-chain forensic analyses suggest connections to the Lazarus Group, a state-sponsored hacking collective linked to North Korea. No independent forensic firm has issued a formal attribution, and the Federal Bureau of Investigation has made no public comment.

Hoskinson pointed to the attack as evidence that failures in bridge verification have replaced smart contract bugs as the primary threat vector in DeFi. He cited the 46-minute interval between the initial breach and Kelp’s emergency pause as a sign that incident response matters, but cannot outpace the speed at which stolen assets can be deployed across lending markets.

“What makes this novel is the contagion,” Hoskinson explained in his video. “It wasn’t just a bridge hack. It spread into lending, which in turn triggered bad debt contagion within these lending protocols. It caused a massive withdrawal of deposits, and we saw $13 billion in TVL pulled out in a very short period of time from a $290 million hack. That’s a crisis of confidence.”

He attributed Cardano’s lower exposure to its liquid, non-custodial staking design, which removes the need for the staking-to-wrapped-to-liquid-staking-to-restaking chain that created the attack surface in Kelp. Hoskinson argued that Midnight, Cardano’s privacy-focused sidechain, addresses the underlying vulnerabilities involved.

Its Nightstream protocol embeds full chain states into proofs that travel alongside cross-chain messages, enabling forged messages to be verified before acceptance. “When people send messages, they can verify that what they see is correct,” he said. Compatibility with multi-party computation on Midnight would allow LayerZero to implement “two-of-three” or “five-of-seven” DVN configurations out of the box, with less operational friction.

Zero-knowledge proofs would block malicious messages at the verification layer. Network anonymization would make it harder to execute the DDoS component of this type of attack. He stated that AI tools—including cutting-edge models that the Lazarus Group reportedly has access to through individuals bribed within major AI labs—are enabling attackers to scan entire codebases for emerging vulnerabilities that no human reviewer would detect on their own.

“Cyberattacks are part of life,” he said, “and they are going to get much, much worse for everyone.”