The $293 million bug wasn't in the code; so, what's the deal with the "DVN Configuration Bug," which led to the largest hack of 2026?
On April 18, 2026, the liquidity restaking protocol of Kelp DAO was exploited, with the attacker siphoning off 116,500 rsETH from a cross-chain bridge within hours, amounting to approximately $293 million at the time. The entire process was efficiently executed with a hint of anomaly, starting from a forged cross-chain message to laundering the stolen funds across Aave V3, Compound V3, and Euler lending protocols with real assets borrowed. The attacker swiftly exited with $236 million worth of WETH on the same day. Aave, SparkLend, and Fluid promptly froze the rsETH market.
This marks the largest DeFi exploit event of 2026.
However, one aspect distinguishes this attack from most hacking incidents. The smart contract code of Kelp DAO had no vulnerabilities. Security researcher @0xQuit, involved in the investigation, stated on X, "From what I currently understand, this is a combination of two issues: a 1-of-1 DVN configuration and the compromise of the DVN node itself." In their official statement, LayerZero did not blame the contract code, categorizing the issue as an "rsETH vulnerability" rather than a "LayerZero vulnerability."

$293 million was not in any line of code. It was concealed within a misconfigured parameter during deployment.
The common logic behind DeFi security audits is: find the contract, read the code, find vulnerabilities. This logic operates quite smoothly when dealing with code logic vulnerabilities. Tools like Slither and Mythril are mature in detecting known patterns such as reentrancy attacks and integer overflows. The widely promoted LLM for assisting in code audits also has some capability in identifying business logic vulnerabilities (e.g., flash loan arbitrage paths).

However, in this matrix, two rows are marked in red.
Configuration-level vulnerabilities fall into a structural blind spot in tool-based audits. The issue with Kelp DAO was not in a .sol file but in a parameter—DVN threshold—written during protocol deployment. This parameter determines how many validating nodes a cross-chain message must pass through to be considered valid. It's not in the code, not within Slither's scanning scope, nor in Mythril's symbolic execution path. According to Dreamlab Technologies' comparative study, Slither and Mythril detected 5/10 and 6/10 vulnerabilities in the tested contract, respectively. However, these results are based on the premise that the vulnerabilities exist in the code. According to IEEE research, even at the code level, existing tools can only detect 8%-20% of exploitable vulnerabilities.
From the perspective of the current audit paradigm, there is no tool that can "detect whether the DVN threshold is reasonable." To detect this type of configuration risk, what is needed is not a code analyzer, but a specialized configuration checklist: "Is the number of DVNs for the cross-chain protocol ≥ N?" "Is there a minimum threshold requirement?" Such questions are currently not covered by standardized tools and there is no widely recognized industry standard.
Also within the red zone is key and node security. In @0xQuit's description, it is mentioned that a DVN node was "compromised," which falls under Operational Security (OpSec) and is beyond the detection boundary of any static analysis tool. Whether it is a top-tier auditing firm or an AI scanning tool, none have the ability to predict whether a node operator's private key will be leaked.
This attack simultaneously triggered two red zones in the matrix.

DVN is the cross-chain message verification mechanism of LayerZero V2, fully named Decentralized Verifier Network. Its design philosophy is to entrust security decision-making to the application layer: each protocol connecting to LayerZero can choose the number of DVN nodes required to confirm before allowing a cross-chain message to pass.
This "flexibility" has created a spectrum.
Kelp DAO chose the far-left end of the spectrum with a 1-of-1, requiring only one DVN node to confirm. This means a fault tolerance of zero, as an attacker only needs to compromise that single node to forge any cross-chain message. In contrast, Apechain, also connected to LayerZero, configured more than two required DVNs and was not affected by this event. The wording in the LayerZero official statement was, "All other applications remain secure," implying that security depends on the selected configuration.
The standard industry recommendation is at least 2-of-3, where an attacker would need to compromise two independent DVN nodes simultaneously to forge a message, increasing fault tolerance to 33%. A high-security configuration like 5-of-9 can raise fault tolerance to 55%.
The issue is that external observers and users cannot see this configuration. Also known as being "supported by LayerZero," the backend could range from 0% fault tolerance to 55% fault tolerance, both referred to as DVN in the documentation.
Seasoned crypto investor Dovey Wan, who experienced the Anyswap incident, directly stated on platform X: "LayerZero's DVN turned out to be a 1/1 validator... All cross-chain bridges should immediately undergo a comprehensive security review."

In August 2022, a vulnerability was discovered in the Nomad cross-chain bridge. Someone replicated the initial attack transaction, made minor modifications, and found success, leading to hundreds of addresses replicating the exploit and draining $190 million in a matter of hours.
Postmortem analysis by Nomad attributed the vulnerability to "initializing the trusted root as 0x00 during a routine upgrade." This was a configuration error that occurred during the deployment phase. The Merkle proof validation logic and the code itself were sound; the issue stemmed from an incorrect initial value.
Combining this incident with previous ones involving Nomad, configuration/initialization vulnerabilities have now resulted in approximately $482 million in losses. In the history of cross-chain bridge exploits, this category's scale now rivals that of key exposure incidents (e.g., Ronin $624 million, Harmony $100 million, Multichain $126 million, totaling around $850 million).
However, the product design of the code auditing industry has never been focused on this category of vulnerabilities.
Most discussions in the industry still revolve around code logic bugs. Incidents like Wormhole's $326 million exploit due to signature verification bypass and Qubit Finance's $80 million loss due to a fake deposit event are well-analyzed with detailed vulnerability reports, CVE references, and reproducible PoCs, making them suitable for audit tool training and optimization. Configuration layer issues are not explicitly coded, making it challenging to address within the production cycle.
One notable detail is the distinct triggering mechanisms of the two configuration-related events. Nomad's error stemmed from inadvertently setting an incorrect initial value during a routine upgrade, constituting a mistake. On the other hand, Kelp DAO's 1-of-1 incident was an active configuration choice—LayerZero protocol did not prohibit this option, and Kelp DAO did not violate any protocol rules. A "compliant" configuration choice and a "mistaken" initial value both led to the same outcome in the end.

The execution logic of this attack was straightforward. A forged cross-chain message informed the Ethereum mainnet that "someone had already locked up an equivalent asset on another chain," triggering the minting of rsETH on the mainnet. The minted rsETH itself had no real backing, but its on-chain record was "valid" and could be accepted by lending protocols as collateral.
The attacker then dispersed 116,500 rsETH to Aave V3 (Ethereum and Arbitrum), Compound V3, and Euler, borrowing over a total of $236 million in real assets. According to multiple sources, the standalone default estimate for Aave V3 is around $177 million. Aave's security module Umbrella, used to absorb default losses, has a WETH reserve of around $50 million with a coverage ratio of less than 30%, with the remaining amount to be borne by aWETH stakers.
This ultimately falls on those who simply wanted to earn some WETH interest.
As of the time of writing, LayerZero is still conducting a joint investigation with the security emergency response organization SEAL Org and plans to release a post-incident analysis report in collaboration with Kelp DAO once all information is obtained. Kelp DAO has stated that they are working on "active remediation."
The $293 million exploit is not in the code. The phrase "audit passed" did not cover the location of that parameter.
Disclaimer: This content is provided for general branding and informational purposes only and doesn't constitute financial, investment, legal, or tax advice. Any events, rewards, online events, or related information mentioned herein should not be considered a recommendation, solicitation, or invitation to purchase, sell, trade, or otherwise deal in any crypto assets or to use any services. Crypto assets are highly volatile and may result in loss. WEEX services and online events may not be available in all regions and are subject to applicable laws, regulations, and eligibility requirements. You are responsible for ensuring that your use of WEEX services complies with local laws and for carefully assessing the risks before participating in any crypto-related activities.
You may also like

Noxa vanishes after fueling Robinhood Chain’s $4B memecoin boom

Trump Increases Tariffs: Brazil Taxed at 25%, Canada Threatened Over Smoke

Security Token Offering Compliance: A Practical 2026 Guide
Security token offering compliance guide explains audit, disclosure, custody, and smart-contract review questions. Explore the framework with WEEX.

Copy Trading in DeFi: A Practical Risk Framework for 2026
Copy trading in DeFi guide explains strategy transparency, execution gaps, wallet permissions, and risk limits. Learn the framework with WEEX.

AI Crypto Portfolio Tools: A Practical Review Framework
AI crypto portfolio tools guide explains data quality, automation limits, custody risks, and a disciplined review process. Learn with WEEX.
![[JJ Column] The Reason for Revisiting the Unsettling Books Written by Engels... The Political Economy of the AI Transition](/public-static/22_d448f7b258.png?format=avif)
[JJ Column] The Reason for Revisiting the Unsettling Books Written by Engels... The Political Economy of the AI Transition

Valuation Doubles to $1.2 Billion in Six Months as Flex Targets Stablecoin + AI Integration

Russia Cuts Off Oxygen for Cryptocurrencies. Banks to Get Powerful Weapon to Block Accounts

SBI Bets on RWA! Partners with Ondo to Promote Tokenization of Japanese Stocks and Introduce Yen Stablecoin Settlement

What is the funding rate? Trading Minute

Solana Surpasses 3 Trillion Won, Leading the Tokenized Securities Market

Project Eleven Develops Technology to Prove Bitcoin Ownership After Quantum Threat Becomes Reality

Grayscale Introduces Quarterly Cash Distribution for Solana ETF Staking Rewards

This Week's Highlights: South Korea Tightens Regulations on Single Stock Leveraged ETFs; US Inflation Cools; US-Iran Conflict Escalates

New Tool Aims to Improve Energy Efficiency in Bitcoin Mining

Who Will Become Pump.fun on the Robinhood Chain?

Uweb In-Depth Report: Global AIDC Transformation Cycle and Valuation Reconstruction Logic of Listed Companies

Bitcoin Leaves Extreme Fear Behind After Months of Pessimism

Ripple wins EU-wide access as ESMA adds it to MiCA register
![[New York Gold, Bonds, Dollar] Dollar and Gold Rise Amid Middle East Tensions... 10-Year Bonds Decline](/public-static/37_d544230b33.png?format=avif)
[New York Gold, Bonds, Dollar] Dollar and Gold Rise Amid Middle East Tensions... 10-Year Bonds Decline

Augur returns with decentralized layer for disputed prediction markets

Anthropic turns to Meta for $10B in computing power before IPO

CryptoQuant says Strategy still needs disciplined bitcoin buying and selling framework

Giant from Wall Street Bets on Altcoins. The First Actively Managed Crypto ETF Chooses These Tokens

Bitcoin Among the 10% Most Discounted in History: Is It Time to Buy?

UnitedHealth Surprises Wall Street and Signals Turnaround

Cardano Tests Support As ADA Traders Look For A Better Catalyst

Chainlink Holds Support As CCIP Adoption Becomes A Longer-Term Test

Solana Tests $77 Support As Risk-Off Pressure Spreads Across Layer 1s

XRP Stalls Below Resistance As Traders Wait For Regulatory Relief To Turn Into Demand
Noxa vanishes after fueling Robinhood Chain’s $4B memecoin boom
Trump Increases Tariffs: Brazil Taxed at 25%, Canada Threatened Over Smoke
Security Token Offering Compliance: A Practical 2026 Guide
Security token offering compliance guide explains audit, disclosure, custody, and smart-contract review questions. Explore the framework with WEEX.
Copy Trading in DeFi: A Practical Risk Framework for 2026
Copy trading in DeFi guide explains strategy transparency, execution gaps, wallet permissions, and risk limits. Learn the framework with WEEX.
AI Crypto Portfolio Tools: A Practical Review Framework
AI crypto portfolio tools guide explains data quality, automation limits, custody risks, and a disciplined review process. Learn with WEEX.









