Ripple CTO Highlights Security Risks Behind Kelp DAO $292M Loss

Coinpedia

Summary
Ripple CTO Emeritus David Schwartz addressed the Kelp DAO security breach, noting the $292 million exploit was foreseeable. He reviewed DeFi bridging systems for RLUSD and found many providers made advanced security features optional. On April 19, Kelp DAO paused contracts after spotting suspicious cross-chain activity. D2 Finance traced the breach to a leaked private key. Schwartz suggested Kelp may have used a minimal security setup via LayerZero, creating a single point of failure. On-chain news shows such vulnerabilities remain a risk in cross-chain protocols.

David Schwartz, CTO Emeritus at Ripple, had a pointed observation this week after the Kelp DAO rsETH bridge was exploited for approximately $292 million.

He had seen this coming. Not this specific attack, but the conditions that made it possible.

“I evaluated a lot of DeFi bridging systems for use by RLUSD,” Schwartz wrote on X. “I was almost exclusively focused on the security and risk aspect. One thing I noticed is that most schemes were very well designed and had really strong mechanisms available to protect against exactly the type of attack the KelpDAO situation seems to have been caused by.”

The Sales Pitch That Buried the Security Features

What Schwartz described is a pattern he encountered repeatedly during his evaluation process. Bridge providers would pitch their most advanced security features prominently, then almost immediately suggest that those features were optional and that most customers chose not to use them.

“They generally in effect recommended not bothering to use the most important security mechanisms because they have convenience and operational complexity costs,” he wrote. “We were frequently pitched the simplicity and ease of adding more chains with the implicit assumption we wouldn’t bother using the best security features they had.”

“Their sales pitch was that they have the best security features but they’re easy to use and scale, assuming you don’t use the security features,” he said.

What Actually Happened to Kelp DAO

On April 19, Kelp DAO identified suspicious cross-chain activity involving rsETH and paused contracts across mainnet and multiple Layer 2 networks. Approximately 116,500 rsETH was drained through LayerZero-related contract calls, worth around $292 million at current prices.

On-chain analysis from D2 Finance traced the root cause to a private key leak on the source chain, creating a trust issue with OApp nodes that the attacker exploited to manipulate the bridge.

Schwartz offered his own hypothesis about what likely went wrong at the protocol level. “I have a funny feeling part of the problem is going to be something like KelpDAO choosing not to use key LayerZero security features out of convenience,” he wrote.

LayerZero itself offers robust security mechanisms including decentralised verification networks. The question investigators are now examining is whether Kelp DAO configured its implementation using a minimal security setup, specifically a single point of failure with LayerZero Labs as the sole verifier, rather than the more complex but significantly more secure options available.
