Woke up to rsETH hack, started googling.

Lots of people are accusing Kelp of negligence.
Then I came across @stacy_muur's newly posted research re the exploit, and so far this is the most detailed piece on CT.
TL;DR on what actually happened ↓
~116,500 rsETH (~$292M) was drained from the bridge.
But this was NOT:
– a mint exploit
– not a smart contract bug
– not reentrancy
This is important.
What happened was a fake cross-chain message that Ethereum accepted as real.
Think of it like this:
Ethereum received a message saying
“hey, release funds – they were burned on the other chain”
Except… they were never burned.
The message looked 100% legit structurally, so the system executed it.
Important:
– rsETH collateral on mainnet is intact
– existing rsETH holders face no direct haircut right now
And here's the realistic picture of the responsibility zones:
@KelpDAO:
▪ 1:1 DVN config. This is the min LayerZero setup.
▪ This config was in place for at least 90 days – not a rushed mistake
▪ 11 of 12 Kelp inbound routes were 1-of-1 – this was their standard pattern
▪ Kelp responded and froze contracts, blocking further attacks
@LayerZero_Core:
▪ The sole required DVN is Etherscan-labeled "LayerZero: DVN"
▪ A packet was verified and committed by this DVN without a real source event
▪ The same DVN is operating normally on hundreds of other routes
Basically, LayerZero's DVN is the component that verified a message. Whether that was due to a compromised key, a software bug, or a bad upstream input is the central unanswered question.