DeFi's $290M Kelp DAO Hack Sparks Blame Game Among Projects, Leaving Users in Limbo

The DeFi sector, often touted as decentralized, autonomous, and permissionless, is facing a credibility crisis following the $290 million hack of Kelp DAO on Saturday. Instead of a unified response, the involved projects are engaged in a contentious blame game, leaving users with frozen funds and potential haircuts to cover bad debt.

Amid the chaos, industry voices are calling for collaboration among the key parties to address the fallout. However, the firms involved appear determined to protect their own interests. LayerZero blames Kelp DAO’s validator setup, while Kelp DAO argues it followed LayerZero’s defaults. Meanwhile, Aave distances itself, aiming to resume normal operations without addressing its role in the deep integration of rsETH.

Let’s break down the case against each project involved in this unfolding saga.

Kelp DAO’s Silence and Uncertainty

Kelp DAO, the project behind the hacked rsETH token, remained silent for 48 hours after acknowledging the incident. Users, desperate for clarity on loss distribution, were met with a terse statement that provided no new information. The statement merely reiterated the exploit’s mechanics, praised Kelp DAO’s 1/1 DVN configuration as “the default for any new OFT deployment,” and boasted about blocking a further $95 million hack attempt.

New reports suggest Kelp DAO is preparing to challenge LayerZero’s post-mortem, which blamed Kelp for the exploit. According to leaked internal memos, Kelp DAO’s legal and public relations teams are engaging in open conflict with LayerZero. A tweet by Andy (@andyyy) on April 20, 2026 highlighted this escalating dispute.

Regarding loss distribution, Kelp DAO claims it is “concurrently assessing the potential next steps.” While praising Arbitrum’s decision to seize stolen ETH, the firm offered no concrete details, stating it is “pursuing all available avenues to mitigate the impact of the incident across the DeFi ecosystem.”

LayerZero’s Architectural Criticism

LayerZero has faced significant backlash, not only from Kelp DAO but also from security experts. Critics argue that its architecture shifts the burden of security onto individual project teams, with LayerZero stating it “empowers each application and asset issuer to define their own security posture.”

Data from Dune Analytics reveals that nearly half of over 2,500 OApp bridging contracts use a 1/1 DVN configuration, despite LayerZero’s recommendations for secure setups. Blockchain security expert Taylor Monahan highlighted one example that explicitly states:

“The 1/1 DVN setup is not recommended for production use due to the single point of failure.”

This raises questions about whether LayerZero’s defaults contributed to the exploit.

Aave’s Detachment from the Fallout

Aave has largely stayed out of the public discourse surrounding the Kelp DAO hack. The project appears focused on resuming normal operations and avoiding scrutiny over its deep integration with rsETH. By distancing itself, Aave risks further eroding trust in its commitment to user protection and transparency.

Industry Fallout and User Impact

The hack has left the DeFi sector reeling, with the total fallout estimated at $14 billion. Users, who once saw certain DeFi protocols as safe and reliable, are now facing uncertainty over their funds. The incident underscores the fragility of decentralized finance and the urgent need for improved security measures and accountability.

As the blame game continues, industry leaders are urging the involved parties to collaborate on a solution. However, with each project prioritizing its own interests, the path to resolution remains unclear. For now, users are left waiting—and hoping for a resolution that protects their investments.