KelpDAO Hack Exposes DeFi Security Risks From Complex Infrastructure
Summary
- The KelpDAO hack, this year's largest, stemmed from bridges, operational systems and dependence on external infrastructure.
- The risk of cascading damage is rising because of a vulnerability in LayerZero's ZRO bridge infrastructure and the tight links among DeFi services.
- The industry said stability, predictability and protocols with a long record of reliable operation are becoming more important than high-yield, high-risk structures.
The KelpDAO hack, the largest security breach of the year, is prompting fresh scrutiny of how complex infrastructure can create security risks in decentralized finance.
CoinDesk reported on May 16 that crypto industry participants view the KelpDAO breach not as a simple coding flaw, but as an incident tied to bridges, operational systems and dependence on external infrastructure.
The hack has been linked to a vulnerability in LayerZero's ZRO bridge infrastructure. As DeFi services become more tightly interconnected, the industry increasingly sees failures in a single system as capable of triggering cascading damage across multiple platforms.
"Most smart contracts worked as designed," Eugene Mamin, chief technology officer at the Lido Labs Foundation, said. "The problem was that the party carrying out that design did not have legitimate authority."
DeFi projects have increasingly adopted bridges, validation systems, multisigs, cloud services and outside projects. The concern is that when one piece of infrastructure fails, damage can spread rapidly across connected services.
"In the past, smart-contract bugs were the main cause of hacks, but most recent incidents have come from operational security issues," Sam MacPherson, chief executive officer of Phoenix Labs, said. Overreliance on the same infrastructure can turn an isolated problem into systemic risk.
The incident has also reinforced a shift away from high-yield, high-risk structures and toward stability and predictability, according to industry participants. Mamin said the protocols trusted by large pools of capital are those that have operated reliably over long periods. "Boring" is becoming a strength in itself, he added.

Bloomingbit Newsroom
For news reports: news@bloomingbit.io
