What the KelpDAO bridge hack means for developer liability
The legal lessons from a $292 million exploit.
gm from the Day One Law team!
Today’s legal update includes:
A deep dive into the legal fallout from the KelpDAO bridge exploit
Why the KelpDAO exploit is more than a cybersecurity story

On April 18, a group of hackers linked to the North Korean government hacked the KelpDAO bridge, stealing roughly $292 million in liquid restaked Ethereum and triggering a DeFi-wide liquidity crisis. The incident shows how a single architectural weakness can produce massive financial losses across the entire DeFi ecosystem, as an exploit at one protocol cascades through the protocols that depend on it.
The hackers stole 115,500 rsETH, Kelp DAO’s liquid restaking token, not by breaking a smart contract but by targeting off-chain infrastructure — the bridge, built by LayerZero, that connects rsETH to Ethereum mainnet. The attack wasn’t easy to pull off: the hackers both compromised an internal RPC node and mounted a DDoS attack against the external nodes.
Effectively, they tricked the verification network into approving an artificial token burn, causing the Ethereum contract to release funds that were never actually locked. Because only one verifier had to be fooled, there was no independent check to catch the fraud. Once the hackers were able to trigger the fake token “burn,” they could withdraw the corresponding rsETH tokens and transfer them to their own wallet.
From the transaction layer, nothing looked wrong. Because no third party had to verify the messages, the hackers could walk away with the funds unchecked.
The exploit raises questions about whether DeFi infrastructure providers can face liability when protocols rely on insecure default configurations or fail to adequately disclose architectural risks to counterparties and users. Lawyers must now litigate whether LayerZero, the company which built the bridge, or Kelp DAO, which configured the bridge, were negligent, and decide who had the duty of care to protect users from such an exploit.
LayerZero initially placed blame on Kelp DAO, asserting it had repeatedly urged KelpDAO to adopt a multi-DVN setup (multiple decentralized verification networks). This would have diversified verification and eliminated the single point of failure.
However, Kelp DAO claims that the single-DVN setup was the default configuration, and thus that LayerZero was responsible for the weak verification system. LayerZero has since publicly taken some responsibility for the attack, but ultimate liability isn’t resolved.
Meanwhile, KelpDAO seems to be doing what it can to improve security and restore the stolen funds. It has replaced the bridge between its liquid staking token and Ethereum mainnet with Chainlink’s oracle-based Cross-Chain Interoperability Protocol (CCIP), shifting cross-chain verification to on-chain data rather than off-chain infrastructure. It’s also working with a coalition called DeFi United to gradually replenish collateral through independent financial contributions.
Legally, those measures might protect KelpDAO from negligence claims if a court decides those moves meet the duty of care. But because the implications stretch beyond the immediate protocol, negligence could also be extended to third parties.
The decentralized lending platform Aave, for example, was affected because Lazarus Group used the unbacked rsETH tokens as collateral, triggering a $10 billion liquidity crisis as users rushed to withdraw from Aave. Aave has since updated its minimum standards to evaluate the protocols of collateral tokens for their cybersecurity and technical infrastructure.
Aave also filed an emergency motion in federal court opposing the redirection of $71 million in recovered ETH toward North Korea terrorism judgments. The funds, frozen by the Arbitrum Security Council, were intended for KelpDAO exploit victims. Problems remain for several other adjacent DeFi protocols.
Many suggested this could have been avoided if the KelpDAO bridge had included multiple points of verification: either by LayerZero making a multi-DVN setup the default, or by Kelp DAO manually configuring a more robust verification infrastructure. Because neither party hardened the bridge this way, KelpDAO users and the broader DeFi ecosystem suffered significant losses, both the roughly $300 million in rsETH stolen and the other borrowed assets whose collateral disappeared.
The dispute thus highlights a recurring infrastructure-law question: whether a platform provider can avoid responsibility for insecure default configurations when customers deploy those defaults in production. Developers who want to avoid the same legal risk need to ensure they’ve taken every step available to them to secure the protocol they created.
There is also now a legal battle over the recovered ETH intended for KelpDAO victims, and it is unclear whether KelpDAO and LayerZero will eventually be held liable for damages. DeFi developers should take note of the fallout, reconsider the cybersecurity of their own systems, and make sure that every point of verification requires multiple parties, minimizing their attack surface.
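The single-verifier weakness described above, and the multi-DVN quorum that would have closed it, can be shown in a small model. This is an added example written for this newsletter; it is not code from KelpDAO, LayerZero, or the real bridge. It assumes a simplified "burn on source, release on destination" message, uses HMAC with a per-verifier secret as a stand-in for real signatures, and models a verifier whose view of the source chain has been corrupted (as happens when the RPC node it reads from is compromised). The names, secrets, nonces and recipients are constructed; the 115,500 rsETH figure is the amount reported in the article.

```python
# Added example (not KelpDAO, LayerZero, or newsletter code): a toy model of a
# cross-chain "burn on source, release on destination" message, verified by one
# verifier versus by a quorum of independent verifiers.
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class BurnMessage:
    """A claim that `amount` rsETH was burned on the source chain for `recipient`."""
    nonce: int
    recipient: str
    amount: int  # whole tokens; a real bridge would use 18-decimal units


def canonical(msg: BurnMessage) -> bytes:
    # Deterministic encoding so every verifier attests to identical bytes.
    return json.dumps(asdict(msg), sort_keys=True).encode()


class Verifier:
    """Stand-in for one DVN. It attests a message only if the burn exists in its
    own view of the source chain. HMAC with a per-verifier secret replaces the
    real signature scheme (an assumption of this example)."""

    def __init__(self, name: str, secret: bytes, source_view: Set[int]):
        self.name = name
        self.secret = secret
        self.source_view = source_view  # burn nonces this verifier believes happened

    def attest(self, msg: BurnMessage) -> Optional[str]:
        if msg.nonce not in self.source_view:
            return None  # honest refusal: no such burn in its view of the source chain
        return hmac.new(self.secret, canonical(msg), hashlib.sha256).hexdigest()


class DestinationEndpoint:
    """Releases funds only when at least `threshold` configured verifiers attest."""

    def __init__(self, verifier_secrets: Dict[str, bytes], threshold: int):
        self.verifier_secrets = verifier_secrets
        self.threshold = threshold

    def verify(self, msg: BurnMessage, attestations: Dict[str, str]) -> bool:
        valid = 0
        for name, secret in self.verifier_secrets.items():
            sig = attestations.get(name)
            if sig is None:
                continue
            expected = hmac.new(secret, canonical(msg), hashlib.sha256).hexdigest()
            if hmac.compare_digest(sig, expected):
                valid += 1
        return valid >= self.threshold


def collect(verifiers: List[Verifier], msg: BurnMessage) -> Dict[str, str]:
    """Gather attestations from every verifier willing to sign the message."""
    return {v.name: s for v in verifiers if (s := v.attest(msg)) is not None}


def run_scenario() -> Dict[str, bool]:
    real_burns = {1}  # constructed: nonce 1 was genuinely burned on the source chain
    honest_a = Verifier("dvn-a", b"secret-a", set(real_burns))
    honest_b = Verifier("dvn-b", b"secret-b", set(real_burns))
    # dvn-c reads the source chain through a corrupted node, so it also "sees" nonce 2.
    misled_c = Verifier("dvn-c", b"secret-c", set(real_burns) | {2})

    real_msg = BurnMessage(nonce=1, recipient="0xUSER", amount=10)
    forged_msg = BurnMessage(nonce=2, recipient="0xFORGED", amount=115_500)

    # Single-DVN configuration: one verifier, threshold of one.
    single = DestinationEndpoint({"dvn-c": b"secret-c"}, threshold=1)
    # Multi-DVN configuration: three independent verifiers, two must agree.
    quorum = DestinationEndpoint(
        {"dvn-a": b"secret-a", "dvn-b": b"secret-b", "dvn-c": b"secret-c"}, threshold=2
    )

    everyone = [honest_a, honest_b, misled_c]
    return {
        "single_dvn_releases_real": single.verify(real_msg, collect([misled_c], real_msg)),
        "single_dvn_releases_forged": single.verify(forged_msg, collect([misled_c], forged_msg)),
        "quorum_releases_real": quorum.verify(real_msg, collect(everyone, real_msg)),
        "quorum_releases_forged": quorum.verify(forged_msg, collect(everyone, forged_msg)),
    }


if __name__ == "__main__":
    for check, released in run_scenario().items():
        print(f"{check}: {released}")
```

The single-DVN endpoint releases funds for the forged burn because the one verifier it trusts is the one reading a corrupted view; the quorum endpoint rejects it because the two honest verifiers, reading the real source chain, refuse to attest and the threshold is never met. Genuine burns are released under both configurations, which is why the weaker setup looks fine right up until a verifier's view is wrong.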
You should know: DeFi developers and infrastructure providers cannot assume that default configurations or off-chain verification shortcuts will shield them from liability when exploits occur. Courts and regulators are likely to scrutinize whether protocols implemented reasonable security measures, adequately disclosed architectural risks, and maintained appropriate verification safeguards, particularly where a single point of failure can create cascading ecosystem-wide losses.
That’s it for your legal update.
As always, please reach out if you have questions or just want to riff on what we’re seeing in the market and the implications of any of the above.
Talk soon.
Nick Pullman
Day One Law