audit

KelpDAO is a liquid restaking protocol built on EigenLayer, founded in 2023, that issues rsETH as a yield-bearing liquid restaking token. On April 18, 2026, attackers attributed to North Korea's Lazarus Group (TraderTraitor / UNC4899) exploited a single-point-of-failure DVN configuration on KelpDAO's LayerZero bridge to drain 116,500 rsETH worth approximately $292 million — the largest single DeFi exploit of 2026. The attack triggered $13.21 billion in DeFi TVL outflows within 48 hours and precipitated an industry-wide bailout coalition called DeFi United, which ultimately restored rsETH to full backing by May 25, 2026.

Across Protocol is a cross-chain bridge protocol built on UMA's optimistic oracle, founded by Hart Lambur and the UMA/Risk Labs team and launched in 2021. In June 2025, pseudonymous investigator Ogle alleged that protocol insiders used undisclosed wallets to push through two governance proposals transferring approximately 150 million ACX tokens ($23 million) from the DAO treasury to Risk Labs, the team's own organization, constituting alleged self-dealing and DAO manipulation. Separate allegations from LayerZero founder Bryan Pellegrino claimed insider trading preceded a surprise Binance listing of ACX in December 2024, with the protocol subsequently proposing in early 2026 to dissolve its DAO entirely and convert to a U.S. C-corporation.

Pendle is a permissionless yield-trading protocol on Ethereum, launched in 2021 by TN Lee and Vu Nguyen, that allows users to separate and trade the principal and yield components of yield-bearing assets. In September 2024, Penpie — an independent yield optimizer built on top of Pendle — suffered a $27 million reentrancy exploit that was made possible in part by Pendle's permissionless market creation design. Although Pendle's own contracts were not directly exploited, the protocol's architecture contributed to the attack surface, and all 11,261 ETH in stolen funds were subsequently laundered through Tornado Cash.