1. The Incident
The KelpDAO incident began at 17:35 UTC on April 18. An attacker forged a LayerZero cross-chain message and bridged 116,500 rsETH to Ethereum mainnet without any backing funds on the source chain. The amount was worth around $292M at the time, or about 18% of circulating rsETH. The funds moved straight into lending markets, where the attacker posted them as collateral on Aave, Compound, and Euler to borrow WETH and wstETH for sale. Most of the stolen value was eventually recovered through Arbitrum's freeze and clawback action and a cross-industry recovery vehicle called DeFi United.
EarnETH, the ETH vault inside Lido Earn (Lido's DeFi yield product line), was running a leveraged rsETH/ETH position on Aave. The exposure sat at around 9% of the vault's TVL, or about $21.6M. The recovery package moved quickly to fill the rsETH collateral gap, and as a result the residual loss inside EarnETH was reduced mainly to interest costs accrued while unwinding the leveraged positions. The remaining loss is estimated at 400 to 600 ETH, and Lido Earn's first-loss protection mechanism will absorb it in full when it activates for the first time.
The original first-loss design has a 1% trigger, so a loss below 1% would not activate it automatically. The Lido DAO passed a one-time threshold adjustment through governance specifically for this incident, and activation is scheduled for May 15, 2026 at 17:30 CET.
2. The First-Loss Mechanism

The Lido DAO deposited $5M from its treasury directly into the EarnETH and EarnUSD vaults. If a loss occurs and first-loss is triggered, the DAO's vault shares are burned first. This is not insurance. The protocol's treasury capital sits inside the vault under the same yield terms as any other depositor, but it absorbs losses first when they occur.
The trigger condition is a suspected mark-to-market loss of 1% or more inside a specific vault. The moment a curator (Veda or Mellow) flags the loss with supporting evidence, the Growth Committee (GC) automatically halts any further DAO allocation into that vault. Once the affected curators confirm the loss through mutual verification, the Lido Earn team decides how many DAO-held shares to burn, and the GC calls the onchain burn function to execute it. Each step has a separate actor, so authority does not concentrate in any single party.
There have been cases before where protocols covered user losses inside a vault. What sets first-loss apart is that the mechanism is built into governance. The triggering conditions and the execution path are defined in the proposal upfront, not improvised after a loss like the discretionary ex-post compensation more typical of past incidents. Even when an exception is needed, as in this case, the exception itself goes through a separate DAO governance vote. And the whole process runs as a state change inside the vault's smart contract, not as an insurance claim filed against an external party.
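The trigger and burn path described in this section, modeled as an added example (not Lido's contract code, and not from the original report). The role names, the requirement that both curators confirm, the sample figures, and the `burn_to_restore_price` sizing rule are assumptions; the article only says the Lido Earn team decides the burn amount.

```python
from dataclasses import dataclass, field
from fractions import Fraction

CURATORS = {"Veda", "Mellow"}  # curators named in the article

def burn_to_restore_price(assets_before, shares, loss, dao_shares):
    # Assumption: burn enough DAO shares to return assets/shares to its pre-loss value.
    return min(dao_shares, -(-shares * loss // assets_before))  # ceiling division

@dataclass
class FirstLossVault:
    assets: int       # constructed sample units
    shares: int       # total share supply
    dao_shares: int   # shares held by the DAO treasury
    trigger: Fraction = Fraction(1, 100)  # 1% trigger; governance may adjust it
    state: str = "normal"
    confirmations: set = field(default_factory=set)
    approved_burn: int = 0

    def price(self):
        return Fraction(self.assets, self.shares)

    def flag_loss(self, actor, loss):
        if actor not in CURATORS or self.state != "normal":
            raise PermissionError("only a curator can flag a loss")
        if Fraction(loss, self.assets) < self.trigger:
            raise ValueError("below trigger: needs a governance threshold change")
        self.assets -= loss                # mark the loss to market
        self.state = "allocation_halted"   # GC halt of new DAO allocation is automatic

    def confirm_loss(self, actor):
        if actor not in CURATORS or self.state != "allocation_halted":
            raise PermissionError("only curators confirm a flagged loss")
        self.confirmations.add(actor)
        if self.confirmations == CURATORS:  # assumption: both curators must agree
            self.state = "confirmed"

    def decide_burn(self, actor, amount):
        if actor != "LidoEarnTeam" or self.state != "confirmed":
            raise PermissionError("burn size is set by the Lido Earn team after confirmation")
        if not 0 < amount <= self.dao_shares:
            raise ValueError("burn must be covered by DAO-held shares")
        self.approved_burn, self.state = amount, "burn_approved"

    def execute_burn(self, actor):
        if actor != "GrowthCommittee" or self.state != "burn_approved":
            raise PermissionError("only the GC executes an approved burn")
        self.shares -= self.approved_burn
        self.dao_shares -= self.approved_burn
        self.state = "normal"
```

With a 0.5% loss the default 1% trigger rejects the flag, which is the case the one-time governance adjustment addresses; each later step fails unless the right actor calls it in the right state.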
3. A New Trust Standard for DeFi Vaults
Both demand for and supply of DeFi vaults are growing fast. Categories keep expanding too, from restaking and cross-chain strategies to meta-vaults and leveraged yield products. But as structures get more complex, the risk surface widens with them. Smart contracts, bridges, oracles, lending markets, curation decisions, governance attacks: each is a potential path to loss. No matter how well a vault's own security is built, something can still break inside an external protocol it depends on. The KelpDAO incident showed clearly what happens when one of those external pieces fails.
The problem is that a large share of current DeFi vaults depend on token inflation, one-off incentives, or outside liquidity subsidies rather than on durable operating revenue. Structures like this can advertise high APYs for a while, but they hold very little capital that can absorb user losses when something goes wrong. In most cases, the loss flows entirely back to the depositor.
This is where a protocol like Lido, with a strong existing revenue source, stands apart. stETH is one of the largest liquid staking products in DeFi, and the protocol fee on staking rewards continuously feeds into the DAO treasury. The treasury is not just capital saved up in the past. It is a pool that keeps refilling from operating revenue. A protocol with this kind of growing treasury can deploy real capital during a crisis and put it in front of user losses.
Not every protocol can run this kind of protection. A vault's loss-absorption capacity comes down to capital, and capital comes from a sustainable revenue model. A vault without operating revenue has to fall back on outside investors, fresh token issuance, or some kind of ex-post governance bailout when something goes wrong. None of those scales as a repeatable response. A protocol with real revenue, on the other hand, can convert its treasury into protection capital and design that conversion as a repeatable risk-management mechanism, not a one-off rescue.
Lido Earn's first-loss is a clean example of this in practice. The more complex DeFi products get, the less users can rely on what a whitepaper or an X (Twitter) post claims. What matters is the protocol's actual capital allocation, verifiable onchain. The standard for a good vault is shifting from headline APY toward whether real capital and a real system stand ready to absorb the first loss when something inevitably goes wrong. In DeFi, losses can come through any path. When picking a vault, the question to ask is not what the APY is. The two questions to ask are these:
"Is this protocol's treasury reinforced by operating revenue?"
"And is that treasury structured to absorb losses before user capital does?"
The author of this report may have personal holdings or financial interests in assets or tokens discussed herein. However, the author affirms that no transactions have been conducted using material non-public information obtained in the course of research or drafting. This report is intended solely for general information purposes and does not constitute legal, business, investment, or tax advice. It should not be used as a basis for making any investment decisions or as guidance for accounting, legal, or tax matters. Any references to specific assets or securities are made for informational purposes only and should not be construed as an offer, solicitation, or recommendation to invest. The opinions expressed herein are those of the author and may not reflect the views of any affiliated institutions, organizations, or individuals. The opinions and analyses expressed herein are subject to change without prior notice. In addition, beyond the individual disclosures included in each report, Four Pillars may hold existing or prospective investments in some of the assets or protocols discussed herein. Furthermore, FP Validated, a division of Four Pillars, may already be operating as a node in certain networks or protocols discussed herein or may do so in the future. Please see the links in the footer below for FP Validated's participating network disclosures and for broader disclosure details.



