Table of Contents
- Key Takeaways
- 1. Introduction
- 2. How stETH Absorbed the Shock
- 3. Lido's Distributed Trust Structure
- 3.1 Validator Decentralization: The Staking Router and Module Structure
- 3.2 Halting Mechanisms for Emergencies: The Deposit Security Module, Bunker Mode, and the Circuit Breaker
- 3.3 Exit Rights at the Governance Level: Dual Governance
- 3.4 Treasury Operations: The Aragon Agent and the Treasury Management Committee
- 3.5 Observability
- 4. Implications: How Accumulated Trust Contributes to an Asset's Resilience
This article reflects the author's own independent research into Lido's article (https://blog.lido.fi/steth-liquidity-held-ground-during-stress-event/).
Key Takeaways
- In April 2026, ~$292 million worth of assets were stolen from KelpDAO. The incident marked the collapse of a structure that had concentrated trust at a single point. Over the same period, Lido's staking token stETH, which sat outside the direct path of the damage, felt the shock of the incident but recovered quickly.
- stETH was not a target of the theft, but as the broader market turned to risk aversion, its exchange ratio against ETH drifted by as much as roughly -59 basis points, and execution costs widened temporarily. Even so, trading remained possible throughout the stress period. The direct foundation for this absorption lay in liquidity spread across many venues and in onchain data that could be verified in real time.
- Behind the depth and trust that stETH came to hold lies Lido's design, which avoids placing trust at a single point through measures such as validator decentralization, halting mechanisms that cannot move funds, exit rights at the governance level, and onchain treasury operations. This incident illustrated how a structure that concentrates trust and one that distributes it diverge when faced with the same shock.
1. Introduction
On April 18, 2026, KelpDAO's restaking token rsETH was stolen from a LayerZero-based bridge in an amount of roughly $292 million, equal to about 18% of its circulating supply. KelpDAO's bridge had adopted a setup with only a single validator to attest to the authenticity of messages. The attacker took control of the offchain node that this single validator relied on, causing a valid signature to be applied to a forged message, and then withdrew the assets locked in the bridge. The stolen rsETH was immediately deposited as collateral on Aave, which led to roughly $177 million in bad debt, and several lending markets that had accepted it as collateral froze the affected markets.
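The single-attester weakness described above can be shown with a quorum check. This is an added example, not code from KelpDAO, LayerZero or Lido; the attester names, keys and messages are constructed, and HMAC-SHA256 stands in for the attesters' real signature scheme.

```python
import hashlib
import hmac

# Constructed keys; HMAC-SHA256 stands in for each attester's real signature scheme.
KEYS = {name: f"{name}-constructed-key".encode()
        for name in ("attester-1", "attester-2", "attester-3")}


def sign(attester, message):
    """The tag an attester's node emits for a message it believes is authentic."""
    return hmac.new(KEYS[attester], message, hashlib.sha256).digest()


def accept(message, attestations, trusted, threshold):
    """Accept only if `threshold` distinct trusted attesters vouch for `message`."""
    if not 1 <= threshold <= len(trusted):
        raise ValueError("threshold must be between 1 and len(trusted)")
    vouched = set()  # a set, so a repeated attestation counts once
    for attester, tag in attestations:
        if attester in trusted and hmac.compare_digest(tag, sign(attester, message)):
            vouched.add(attester)
    return len(vouched) >= threshold


def compare_configs():
    """Same forged message, judged under a 1-of-1 and a 2-of-3 configuration."""
    forged = b"unlock:amount=100;to=account-x;nonce=7"   # constructed message
    genuine = b"unlock:amount=5;to=account-y;nonce=8"    # constructed message
    # attester-1's node is the compromised one: it signs whatever it is fed.
    from_bad_node = [("attester-1", sign("attester-1", forged))] * 2
    honest = [(a, sign(a, genuine)) for a in ("attester-2", "attester-3")]
    everyone = set(KEYS)
    return {
        "forged, 1-of-1": accept(forged, from_bad_node, {"attester-1"}, 1),
        "forged, 2-of-3": accept(forged, from_bad_node, everyone, 2),
        "genuine, 2-of-3": accept(genuine, honest, everyone, 2),
    }


if __name__ == "__main__":
    for case, accepted in compare_configs().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

With one trusted attester, the signature is valid and the forged message is accepted; with a two-of-three requirement the same signature, even when submitted twice, is not enough.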
Meanwhile, among the ETH-related assets that lay outside the direct path of the damage during this period, one took the shock yet returned to normal levels relatively quickly. That asset was Lido's staking token stETH. As the most widely used benchmark collateral among ETH-based liquid staking tokens (LSTs), stETH rested on a structure that does not concentrate trust at a single point. Because of this, the spread of the shock across the broader market was held back, a point that drew relatively little attention in the discussions immediately after the incident. This article examines how stETH absorbed the shock despite not being a direct target, at a time when the market had broadly turned to risk aversion, and what design foundation made that absorption possible.
2. How stETH Absorbed the Shock

Source: Lido
stETH, Lido's liquid staking token, and wstETH, a wrapped version of stETH created for better compatibility with various DeFi projects, were not directly stolen in this incident, yet their price and liquidity were temporarily affected right after it. According to Lido's report, during the stress period from April 18 to 28, the daily average execution price in Curve's main pool drifted to about 0.9941 ETH per stETH, reaching as far as -59 basis points (a basis point, or bp, is 0.01%). The median price impact of selling $1 million worth of wstETH also widened from -0.1 bp over the 30 days before the incident to -5.0 bp.
This happened because, as rsETH turned into bad collateral, lending markets across the board reduced their risk limits, and as participants holding ETH-based collateral trimmed their positions, selling and hedging demand concentrated on stETH, the most liquid ETH collateral.
stETH and wstETH were not direct targets of the incident, but the fact that execution costs widened at one point to dozens of times their usual level is a clear sign of stress, and it would be hard to say the shock passed them by entirely. Even so, execution for stETH remained measurable and routable throughout the stress period, and it returned to its earlier level within a short time, without any cascading side effects.
The factors that made this absorption possible can be organized into the following three points, as Lido noted in a blog article.
- stETH's liquidity is not concentrated in any single pool or path. Curve plays a central role, but many exchanges, aggregators, lending markets, market makers, and institutional routing infrastructure together form the depth of execution, so that even if the depth of one path shrinks, another path can absorb the selling volume.
- The key data on stETH can be observed onchain in real time. Because pool balances, transaction histories, and routing depth are all public, arbitrage participants could quickly confirm that stETH was not on the path of the compromised assets and step in with trades that pushed it back toward normal. This stands in contrast to the situation faced by holders of wrapped rsETH spread across more than 20 chains during the same period, who struggled even to confirm the collateral status of their own tokens.
- ETH-based demand for stETH is broad enough that it would not disappear from a single shock.
These three factors ultimately come down to the fact that stETH is a sufficiently deep and widely integrated asset. This depth of liquidity and broad integration into the ecosystem do not form over a short period. They are the result of trust as a base asset accumulating over a long time.
In this incident, the direct foundation on which stETH withstood the shock was the secondary market depth and observability that had already been built up. That said, behind the long-term accumulation of trust in stETH lies Lido's design, which avoids placing trust at a single point, and the following section gives a broad overview of that design.
3. Lido's Distributed Trust Structure
If KelpDAO's incident stemmed from a structure that concentrated trust at a single point, Lido's design points in the opposite direction, distributing trust across many places and putting multilayered safeguards in place so that a breach at one point does not translate directly into a loss for the whole. Among the four pillars examined below, the one directly involved in the recovery from this incident is the last, observability, while the other three serve as the long-term foundation that keeps stETH trusted as a base asset. With this distinction in mind, each pillar is examined in turn.
3.1 Validator Decentralization: The Staking Router and Module Structure

Source: Lido
ETH deposited into Lido passes through a top-level contract called the Staking Router and is distributed to multiple Staking Modules, with an estimated 721 independent node operators participating across all three modules. This means that validation responsibility is split not across a single validator set but across modules with different risk profiles and operator characteristics.

Source: hex.tech
The Curated Module is made up of professional operators that the Lido DAO selects according to reliability and performance standards, and its operator composition also takes geographic, jurisdictional, infrastructural, and software diversity into account. The Simple DVT Module has been running Distributed Validator Technology (DVT) on the mainnet since 2024. This technology spreads the role of a single validator across multiple operators through tools such as Obol and SSV, so that the failure of one operator does not bring the entire validator to a halt, and it lowers slashing risk. The Community Staking Module (CSM) lets anyone take part as an operator by requiring an ETH-denominated bond (ETH, stETH, wstETH) rather than reputation, bringing even individual stakers into the validator set. Lido has been making continuous efforts to distribute the liquidity concentrated in the Curated Module, which has existed since the early days, across a wider range of modules.
The core of this module structure is that it does not create a single point of failure. In this respect it can be seen as a design that contrasts with KelpDAO's structure.
3.2 Halting Mechanisms for Emergencies: The Deposit Security Module, Bunker Mode, and the Circuit Breaker
Lido has several safeguards that activate when anomalies are detected, and they all share one trait. None of them can move funds; they can only halt operations.
The Deposit Security Module (DSM) verifies deposit data and halts deposits when an anomaly is confirmed, and all related information is published onchain. GateSeal is an emergency tool for quickly halting specific functions, such as withdrawals or operator exits, when a critical vulnerability is found. It activates only with the agreement of at least three members of a six-person committee, and the halt is limited to 14 days. This period is meant to give the community time to review the matter and vote on a response, and once it passes, the contract automatically resumes operation.
Bunker mode applies to situations where losses occur, such as mass slashing, and it spreads those losses across all stETH holders in an orderly way, preventing a rush of withdrawals in which those who exit first gain an advantage.
GateSeal, Lido's emergency halting system, was a tool that paused specific functions for a set period through committee agreement, but it was a one-time design that expired once triggered, so each time it required redeploying a new instance and reassigning permissions. For this reason, Lido has been transitioning from GateSeal to a new mechanism called CircuitBreaker. Unlike GateSeal, the CircuitBreaker uses a permanent address, removing the redeployment procedure that had been repeated each year. Even when one contract is halted, permissions over the others remain independent, and the committee is required to prove its readiness onchain through periodic heartbeat transactions. By structurally lowering the operating cost of maintaining an emergency halt, the CircuitBreaker leaves room to gradually reduce its trust assumptions, which also places it in line with the design philosophy of not binding trust to a single place.
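The GateSeal properties described in this section (three of six approvals, a 14-day limit, automatic resumption, expiry after one use, and no ability to move funds) can be modelled as a small state machine. This is an added example and a simplified model, not Lido's contract code; the class names, the `attempt` helper and the member names used with it are hypothetical.

```python
DAY = 86_400
QUORUM, COMMITTEE_SIZE = 3, 6   # "at least three members of a six-person committee"
MAX_PAUSE = 14 * DAY            # "the halt is limited to 14 days"


class PauseOnlyGuard:
    """One-shot emergency halt. It stores pause deadlines and nothing else."""

    def __init__(self, committee):
        self.committee = frozenset(committee)
        if len(self.committee) != COMMITTEE_SIZE:
            raise ValueError("committee must have six distinct members")
        self.paused_until = {}  # function name -> time at which it resumes
        self.used = False       # once triggered, this instance is spent

    def seal(self, approvals, functions, now):
        if self.used:
            raise PermissionError("guard already triggered; a new instance is needed")
        # Count each member once; approvals from non-members are ignored.
        if len(set(approvals) & self.committee) < QUORUM:
            raise PermissionError("fewer than three committee approvals")
        for name in functions:
            self.paused_until[name] = now + MAX_PAUSE
        self.used = True

    def is_paused(self, name, now):
        return now < self.paused_until.get(name, 0)  # resumes with no further action


class WithdrawalQueue:
    """Owns the balances. The guard has no reference to this object."""

    def __init__(self, guard, balances):
        self.guard, self.balances = guard, dict(balances)

    def withdraw(self, holder, amount, now):
        if self.guard.is_paused("withdraw", now):
            raise RuntimeError("withdrawals are paused")
        if amount <= 0 or amount > self.balances.get(holder, 0):
            raise ValueError("invalid amount")
        self.balances[holder] -= amount
        return amount


def attempt(action, *args):
    """Return the action's result, or the name of the exception it raised."""
    try:
        return action(*args)
    except (PermissionError, RuntimeError, ValueError) as exc:
        return type(exc).__name__
```

The dependency runs one way: the queue asks the guard whether it is paused, while the guard exposes no method that reads or changes a balance, so a compromised committee can delay withdrawals for 14 days but cannot redirect them.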
3.3 Exit Rights at the Governance Level: Dual Governance
One of the hardest risks to handle in a staking protocol lies not in a technical breach but in governance. This is because those who hold the power to change the protocol may make decisions that work against stETH holders. Lido responded to this risk by activating Dual Governance on the mainnet in July 2025.
In this structure, a timelock contract sits between the DAO's decision and its actual execution. If stETH holders oppose a particular decision, they can signal their opposition by depositing stETH into a separate contract. When the deposited amount reaches 1% of all staked ETH, execution of that proposal is delayed for at least five days. When it reaches 10%, the system enters a rage-quit state, freezing execution of the proposal while letting the opposing stakers withdraw their own ETH. In other words, even if governance token holders try to push through a change that works against stETH holders, those holders are structurally guaranteed the right to recover their assets before that change takes effect.
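The two thresholds above can be traced as state transitions. This is an added example and a simplified model, not Lido's Dual Governance contracts; the class and method names are hypothetical, the delay is taken as exactly the five-day minimum, and treating rage quit as permanent once entered is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400
DELAY_BP = 100        # 1% of all staked ETH: execution is delayed
RAGE_QUIT_BP = 1_000  # 10% of all staked ETH: rage quit
MIN_DELAY = 5 * DAY   # "at least five days"; this model uses exactly the minimum


@dataclass
class OppositionEscrow:
    total_staked: int                           # all staked ETH, integer units
    locked: dict = field(default_factory=dict)  # holder -> stETH locked in opposition
    delayed_since: Optional[int] = None         # time the 1% threshold was first met
    rage_quit: bool = False                     # assumption: sticky once entered

    def opposition_bp(self):
        return sum(self.locked.values()) * 10_000 // self.total_staked

    def lock(self, holder, amount, now):
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.locked[holder] = self.locked.get(holder, 0) + amount
        share = self.opposition_bp()
        if share >= DELAY_BP and self.delayed_since is None:
            self.delayed_since = now
        if share >= RAGE_QUIT_BP:
            self.rage_quit = True

    def state(self):
        if self.rage_quit:
            return "rage_quit"
        return "normal" if self.delayed_since is None else "delayed"

    def can_execute(self, now):
        """May the DAO's pending proposal leave the timelock at `now`?"""
        if self.rage_quit:
            return False
        if self.delayed_since is not None:
            return now >= self.delayed_since + MIN_DELAY
        return True

    def exit_with_eth(self, holder):
        """During rage quit an opposing staker redeems the locked stake for ETH."""
        if not self.rage_quit:
            raise RuntimeError("exit is only modelled for the rage-quit state")
        amount = self.locked.pop(holder, 0)
        self.total_staked -= amount
        return amount
```

Shares are computed in integer basis points, so a deposit that leaves opposition at 0.9999% does not trigger the delay, while the next unit that brings it to exactly 1% does.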
In the KelpDAO incident, holders of wrapped tokens spread across more than 20 chains had no such means of exit, and they were in a position where they could not even control the state of the base asset backing their tokens. By contrast, stETH holders not only hold the base asset directly but also have a path to recover their assets in the worst case, which puts them in a stronger position during an emergency.
3.4 Treasury Operations: The Aragon Agent and the Treasury Management Committee
Even if validators, emergency tools, and governance are distributed, the distribution of trust is not complete if the treasury that holds and manages the protocol's assets is opaque or dependent on a single entity. The Lido DAO's treasury is held and executed onchain through an Aragon Agent contract, and it covers the stETH that remains with the DAO after rebases and operator settlements, along with ETH and stablecoin revenue.
This treasury is not run at the discretion of a single decision-maker. It is executed through treasury management principles approved by the DAO and through dedicated committees operating under DAO oversight. Measures such as diversifying stablecoins to secure operating funds, or using part of the treasury for buybacks, also go through governance approval on a case-by-case basis. The fact that the treasury's holdings and execution can be verified onchain is, like the safeguards described earlier, an extension of a design that places trust in open rules and procedures rather than in the discretion of any single entity.
3.5 Observability
For the mechanisms described above to work effectively, and for the market to trust stETH, anyone must be able to verify what is happening inside the protocol. Lido's deposit data can be verified through onchain data, and through the Accounting Oracle the protocol regularly updates figures such as total deposits, rewards, exited validators, and whether any slashing has occurred. The quick return of the stETH price to normal, mentioned earlier, stems directly from this transparency. Because arbitrage participants could verify stETH's collateral status in real time, they were able to confirm that stETH was not among the compromised assets and step in to buy, even at a moment of high market uncertainty. Assets whose status can be verified tend to recover relatively quickly, whereas assets that are hard to verify tend to see price discovery delayed until the uncertainty clears.
4. Implications: How Accumulated Trust Contributes to an Asset's Resilience
The resilience that stETH showed in this incident ultimately comes down to the trust as a base asset that Lido has built up over a long period, and to the distributed structure that supports it.
KelpDAO's structure concentrated trust at a single point. That point was the one validator verifying messages and the few nodes it relied on. This approach was widely adopted because it was efficient and low-cost, but in exchange for that efficiency it carried a single point of failure within it, and when that point was compromised, the assets built on top of it were affected across the board.
Lido's design shows the opposite approach. It distributes validators across multiple modules and operators, limits emergency tools to halting functions that cannot move funds, guarantees stakers' exit rights at the governance level, and makes the protocol's state observable by publishing it. The direct foundation on which stETH absorbed the shock and recovered relatively quickly in this episode was the secondary market depth and observability that had already accumulated. Behind the long-term formation of that depth and trust, one can read the workings of this kind of distributed design. Rather than meaning that the asset is inherently safe, this resilience can be seen as the cumulative result of a series of design choices aimed at not concentrating trust at a single point.
Of course, no design can be entirely free of risk. What matters is not claiming that risk is absent but maintaining a design that continuously spreads risk so that it does not concentrate at a single point. The stress test on stETH brought about by this incident will be recorded as a notable case, in that it revealed within a single event both how a structure that concentrates trust at a single point collapses when targeted, and how a structure that distributes trust withstands the transmission of that shock.
The author of this report may have personal holdings or financial interests in assets or tokens discussed herein. However, the author affirms that no transactions have been conducted using material non-public information obtained in the course of research or drafting. This report is intended solely for general information purposes and does not constitute legal, business, investment, or tax advice. It should not be used as a basis for making any investment decisions or as guidance for accounting, legal, or tax matters. Any references to specific assets or securities are made for informational purposes only and should not be construed as an offer, solicitation, or recommendation to invest. The opinions expressed herein are those of the author and may not reflect the views of any affiliated institutions, organizations, or individuals. The opinions and analyses expressed herein are subject to change without prior notice. In addition, beyond the individual disclosures included in each report, Four Pillars may hold existing or prospective investments in some of the assets or protocols discussed herein. Furthermore, FP Validated, a division of Four Pillars, may already be operating as a node in certain networks or protocols discussed herein or may do so in the future. Please see the links in the footer for FP Validated's participating network disclosures and for broader disclosure details.



