
DeFi Protocol Hacks Case Study: When “Sufficiently Decentralized” Argument Is Not Enough

In April 2026, North Korean state-sponsored attackers drained $285 million from Drift Protocol and $292 million from Kelp DAO in two structurally different attacks just 18 days apart. Together, these exploits represent the most damaging month for Decentralized Finance (“DeFi”) since the Ronin bridge hack of 2022. This article examines what happened, what legal theories are available to affected users, and what the two exploits reveal about the state of DeFi accountability.


I. The Exploits

A. Drift Protocol ($285 Million, April 1)

On April 1, 2026, attackers drained approximately $285 million from Drift Protocol, the largest decentralized perpetual futures exchange on Solana. The attack did not exploit a smart contract vulnerability. Instead, the attackers spent six months building trust with Drift’s contributors under the guise of a quantitative trading firm, compromised multisig signers through social engineering and malicious software, manufactured a fictitious collateral token (CarbonVote Token, or “CVT”), and drained the protocol’s vaults in under a minute. Drift’s total value locked (“TVL”) collapsed from approximately $550 million to under $250 million. The DRIFT token fell over 40%.

The attack was attributed with medium-high confidence to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet. The critical vulnerabilities were in the governance architecture: a 2-of-5 multisig with no timelock on Security Council migrations, and reliance on a small number of human signers whose devices could be socially engineered. The compromise came through a malicious VSCode/Cursor exploit and a fraudulent TestFlight application. Most stolen funds were bridged to Ethereum via Circle’s Cross-Chain Transfer Protocol (“CCTP”) within hours. On-chain investigator ZachXBT criticized Circle for failing to freeze approximately $232 million in USDC that moved from Solana to Ethereum over a period of approximately six hours before any action was taken.

Drift’s smart contracts had been audited by Trail of Bits (2022) and ClawSecure (February 2026). Both gave the protocol passing grades. The CVT market introduction and the recent governance changes slipped through the cracks.

B. Kelp DAO ($292 Million, April 18)

On April 18, 2026, attackers drained 116,500 rsETH (approximately $292 million, representing roughly 18% of rsETH’s circulating supply) from Kelp DAO’s LayerZero-powered cross-chain bridge. Kelp DAO is a liquid restaking protocol that takes user-deposited ETH, routes it through EigenLayer to earn additional yield, and issues rsETH as a tradeable receipt. LayerZero is the cross-chain messaging infrastructure that moves rsETH between blockchains using entities called Decentralized Verifier Networks (“DVNs”).

The attacker exploited a fundamental architectural weakness: Kelp’s bridge operated a 1-of-1 DVN configuration, meaning LayerZero Labs was the sole entity verifying cross-chain messages. The attackers compromised two RPC nodes and used a DDoS attack to force failover to compromised infrastructure, tricking the single verifier into approving a fraudulent cross-chain message purporting to originate from Unichain. Kelp’s bridge released 116,500 rsETH to an attacker-controlled address. Kelp’s emergency pauser multisig froze the protocol’s contracts 46 minutes after the drain, blocking two follow-up attempts that would have released an additional approximately $200 million.

The attack was preliminarily attributed to North Korea’s Lazarus Group – the same unit responsible for the Drift exploit. The finger-pointing between Kelp and LayerZero began immediately. LayerZero blamed Kelp’s decision to use a single-verifier configuration despite prior warnings. Kelp disputed this account, claiming the 1-of-1 setup was LayerZero’s own default configuration used by 40% of protocols on the platform, and that LayerZero’s quickstart guide and default GitHub configuration point to a 1/1 DVN setup.

C. The Kelp Cascade: Aave, Bad Debt, and Systemic Contagion

The Kelp exploit did not end with the bridge drain. The attacker deposited the stolen rsETH as collateral in Aave V3, Compound V3, and Euler, and borrowed approximately $236 million in WETH/ETH. When rsETH subsequently lost its peg (because the bridge reserve backing it had been drained), the collateral became effectively worthless. Aave was left with bad debt estimated at between $123 million and $230 million, depending on how Kelp allocates the shortfall. Aave’s E-Mode did not allow normal liquidation because the system still treated the depegged rsETH as valid collateral.

The result was a classic bank run. Users withdrew $5.4 billion from Aave in ETH within hours. The utilization rate of Aave’s ETH lending pool hit 100% – all available liquidity had been withdrawn or borrowed. The AAVE token fell 10-14%. Wrapped rsETH deployed across more than 20 Layer 2 networks (Base, Arbitrum, Linea, Blast, Mantle) was left without backing. Total DeFi TVL dropped by more than $13 billion in two days.

The Kelp exploit illustrates a systemic risk that the Drift exploit did not: shared-pool contagion. In Aave V3’s architecture, if one collateral asset suffers a catastrophic loss, the impact propagates to every user in the shared pool – not just those holding the affected asset. Users who deposited ETH or USDC with no exposure to rsETH were unable to withdraw because the pool’s liquidity had been drained by the bank run.

II. Potential Grounds for Liability

Neither Drift nor Kelp DAO has been sued for the exploits themselves as of the date of this publication (though Circle has been, as discussed below). However, the facts raise several distinct legal theories that affected users could pursue.

A. The Securities Law Angle: “Sufficient Decentralization”

Under the SEC v. W.J. Howey Co., 328 U.S. 293 (1946) (“Howey test”), a token constitutes a security if it represents an investment of money in a common enterprise with an expectation of profits derived from the efforts of others. The concept of “sufficient decentralization” was first articulated by William Hinman, then Director of the SEC’s Division of Corporation Finance, in his June 2018 speech: when a network becomes sufficiently decentralized, purchasers no longer reasonably expect profits from the managerial efforts of an identifiable group, and the associated token may cease to be a security. Then-SEC Chairman Jay Clayton endorsed this framework in a March 2019 letter to Congressman Ted Budd.

The March 2026 SEC & CFTC Joint Interpretation (Release No. 33-11412) (“SEC & CFTC Release”) provides Commission-level guidance on when a token “separates” from an investment contract: the investment contract terminates when the issuer’s promises are fulfilled and the underlying crypto system is functional. Tokens associated with functional systems are classified as “digital commodities” and are not themselves securities.

We have reviewed the SEC & CFTC Release in depth in our Practitioner’s Guide to the New Asset Classification Framework.

The argument against Drift is straightforward: despite marketing itself as a decentralized exchange, Drift’s operations were effectively controlled by a small team of contributors who held multisig authority, controlled protocol upgrades, managed oracle integrations, and made unilateral governance decisions – including a Security Council migration to a 2-of-5 multisig without a timelock, weeks before the attack. The hack succeeded not because of a code vulnerability but because the attackers infiltrated the contributor team, suggesting that Drift’s security and operations depended on the efforts of an identifiable, centralized group. A similar argument applies to Kelp DAO, whose bridge security depended entirely on a single DVN operated by LayerZero – a centralized point of failure inconsistent with meaningful decentralization.

If a court were to find that either protocol’s token value depended on a centralized team’s managerial efforts, the token could potentially be classified as a security – exposing the operators to liability for the unregistered offer and sale of securities. This is an aggressive theory: neither token has been the subject of SEC enforcement action. But for affected users exploring all available avenues, the argument that these protocols were not “sufficiently decentralized” is at least colorable.

B. DAO General Partnership: Who Can Be Sued?

A separate and more established theory of liability arises from DAO governance law. Under U.S. law, a Decentralized Autonomous Organization (“DAO”) that has not been registered as an LLC or other limited-liability entity defaults to being treated as a general partnership or an unincorporated association. In a general partnership, every member is jointly and severally liable for all obligations of the partnership. Two landmark cases have established this principle in the DeFi context.

In CFTC v. Ooki DAO, No. 3:22-cv-05416 (N.D. Cal. June 8, 2023), the CFTC charged the Ooki DAO – successor to bZeroX, LLC – with illegally offering leveraged retail commodity transactions, operating as an unregistered futures commission merchant, and failing to implement KYC/AML procedures. The Ooki DAO had inherited operations from bZeroX, whose founders had explicitly touted that the DAO structure would insulate the protocol from regulatory enforcement. The court held that the DAO qualified as an “unincorporated association” under both California and federal law, and therefore a “person” subject to the Commodity Exchange Act. When the DAO failed to appear, the court entered a default judgment imposing civil monetary penalties and a permanent injunction.

The more consequential ruling for affected users came in Sarcuni v. bZx DAO, No. 22-618 (S.D. Cal. Mar. 27, 2023). There, a California federal court ruled that token holders of the bZx DAO could be deemed members of a general partnership and held jointly and severally liable for losses arising from a $55 million phishing attack. The court’s reasoning was straightforward: under California law (Cal. Corp. Code § 16202(a)), a general partnership is formed when two or more persons associate to carry on a business for profit as co-owners. The court rejected the defendants’ argument that token holders’ governance rights were too limited to constitute partnership.

Applied to Drift and Kelp, this theory means that all identifiable participants in governance – founding teams, active governance token voters, and venture capital investors who held governance tokens – could face personal liability for the losses resulting from the exploits. A venture capital fund that holds governance tokens and voted on even a single proposal could, under this theory, be jointly liable for user losses.

It is also worth noting the SEC’s own history with DAO liability. In its July 2017 DAO Report, the Commission concluded that tokens issued by The DAO were investment contracts under the Howey test. More recently, in In the Matter of BarnBridge DAO, Securities Act Rel. No. 11262 (Dec. 22, 2023), the SEC found that the BarnBridge DAO sold unregistered securities, with liability falling on the DAO’s identifiable leaders.

C. Circle’s Potential Exposure

The question of Circle's liability is no longer theoretical. On April 14, 2026, affected Drift Protocol investors filed a class action lawsuit against Circle Internet Group, Inc. in the U.S. District Court for the Southern District of New York (McCollum v. Circle Internet Group, Inc., Case No. 1:26-cv-03280). The complaint alleges that Circle failed to freeze stolen USDC despite having both the technical and legal capability to do so.

The factual basis for the claim is straightforward. On-chain data shows that the attacker transferred approximately $232 million in USDC from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol (“CCTP”) over a period of approximately six hours. During that window, Circle took no action to blacklist the attacker's addresses or halt the transfers. The plaintiffs point to Circle's conduct just nine days earlier, when the company froze 16 wallets in an unrelated matter, as evidence that Circle selectively exercises its freeze capability and could have intervened in the Drift case but chose not to.

Circle CEO Jeremy Allaire has publicly stated that the company blocks funds only pursuant to court orders or law enforcement requests and cannot act at its own discretion. The plaintiffs counter that Circle's own terms of service and USDC smart contract architecture grant it unilateral authority to blacklist addresses, and that its past conduct demonstrates a willingness to exercise that authority without a court order in certain circumstances.

The case raises a novel and significant question for DeFi infrastructure: whether a stablecoin issuer that functions as a de facto chokepoint in cross-chain fund flows owes a duty of care to users whose assets pass through its protocol during an exploit. If the court allows the case to proceed, it could establish the first judicial framework for stablecoin issuer liability in hack scenarios – with implications extending well beyond Circle and the Drift exploit.

D. Kelp vs. LayerZero: Infrastructure Provider Liability

The Kelp exploit raises a liability question that has no direct precedent: when a cross-chain bridge fails because of an infrastructure provider’s default configuration, who bears the loss? LayerZero has argued that Kelp chose a 1-of-1 DVN setup against its recommendations. Kelp has responded that the 1-of-1 configuration was LayerZero’s own default, promoted in its documentation and used by 40% of its integrators.

This dispute has the hallmarks of future litigation. If affected users or Kelp itself pursue claims against LayerZero, the central question will be whether an infrastructure provider that supplies default configurations known to be insecure bears responsibility when those defaults are exploited. The analogy to product liability law is imperfect but suggestive: a manufacturer that ships a product with a known defective default setting may face liability even if the user manual recommends a safer alternative. Whether courts will extend this reasoning to cross-chain messaging protocols remains an open question.

III. Two Exploits, Three Attack Vectors

The Drift and Kelp exploits, together with the $50 million Radiant Capital hack in October 2024 (attributed to the same North Korean group) and the $326 million Wormhole bridge exploit of February 2022, illustrate three distinct attack vectors that DeFi protocols now face.

Social engineering of governance signers (Drift, Radiant Capital): the attackers compromise the humans holding multisig keys through months-long trust-building operations, malicious software, or phishing. The smart contracts work as designed; the failure is in the humans who control them.

Infrastructure poisoning (Kelp): the attackers target the cross-chain verification layer itself, compromising RPC nodes and exploiting single points of failure in the DVN configuration. No human signer is deceived; the infrastructure that validates cross-chain messages is corrupted.

Smart contract bugs (Wormhole): the attackers find and exploit a vulnerability in the protocol’s code. No social engineering or infrastructure compromise is required.

From a legal perspective, the critical distinction is foreseeability. A novel smart contract bug may be difficult to characterize as foreseeable. Social engineering attacks and infrastructure single points of failure are far harder to defend as unforeseeable – particularly when the same attack vector (Radiant Capital, October 2024) had been publicly documented months before the Drift exploit, and when the 1-of-1 DVN configuration that enabled the Kelp exploit was a known and documented risk.

IV. The Regulatory Backdrop

The regulatory environment for DeFi enforcement has shifted significantly since the cases discussed above were decided. In September 2023, the CFTC simultaneously filed and settled enforcement actions against three DeFi protocol operators – Opyn, Inc., Deridex, Inc., and ZeroEx, Inc. – for offering leveraged or margined retail commodity transactions outside of a registered exchange, imposing civil monetary penalties and cease-and-desist orders.

However, the current administration has taken a markedly different approach. In April 2025, CFTC Acting Chair Caroline Pham directed staff to adhere to the Department of Justice’s “Ending Regulation by Prosecution” memorandum (issued by Deputy Attorney General Todd Blanche on April 7, 2025) and to de-prioritize enforcement actions based on registration violations in digital asset cases. The SEC, under Chair Paul Atkins, has similarly narrowed its enforcement focus to fraud cases and systematically dismissed ongoing non-fraud enforcement matters, including the civil action against Coinbase.

This shift does not mean that DeFi protocols are free from legal risk. Civil litigation by affected users remains fully available regardless of the government’s enforcement posture. If anything, the retreat of federal regulators from DeFi enforcement may increase the incentive for private plaintiffs and class action attorneys to fill the vacuum – using the very precedents (Ooki, Sarcuni, the 2023 CFTC sweep) that were established during the prior enforcement cycle. The McCollum v. Circle class action is the first example of this dynamic.

V. Practical Takeaways for DeFi Founders

The Drift and Kelp exploits and the case law discussed above carry several practical lessons for founders building DeFi protocols and structuring DAO governance.

Adopt a legal wrapper. After Ooki and Sarcuni, operating a DAO without a formal legal entity is a risk. Whether it is a DAO-specific LLC permitted by jurisdictions such as Wyoming, Utah, or the Marshall Islands, or a conventional foundation, LLC, or corporation, it is advisable to create a limited liability structure compatible with decentralized governance. The choice of wrapper does not contradict the idea of a DAO – it protects participants from unlimited personal liability.

Implement timelocks and robust multisig configurations. The Drift exploit succeeded because governance changes were executed without a timelock. Every DeFi protocol holding user funds should implement timelocks on all governance actions that affect user assets – including multisig migrations, collateral parameter changes, oracle updates, and protocol upgrades. Multisig configurations should use signing thresholds of at least 3-of-5, with signers distributed across multiple organizations, jurisdictions, and security environments.

Eliminate single points of failure in cross-chain infrastructure. The Kelp exploit succeeded because a 1-of-1 DVN configuration meant that compromising a single verifier was sufficient to forge a valid cross-chain message. Protocols that rely on cross-chain bridges should require a minimum 2-of-3 DVN configuration (or equivalent multi-verifier redundancy) and audit the infrastructure layer with the same rigor applied to smart contracts. A single-verifier configuration for an asset with hundreds of millions in TVL is an architectural failure.
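As an added illustration of the two recommendations above (not code from the article or from any protocol named in it), the following toy Python model combines an M-of-N approval threshold with an execution delay; the signer names, proposal format and timings are constructed. The same quorum check stands in for a 1-of-1 versus 2-of-3 DVN verifier configuration.

```python
# Added example, not from the article: toy model of M-of-N approval with an
# execution delay (timelock). Signer names and timings are constructed.
from dataclasses import dataclass, field


@dataclass
class Proposal:
    new_signers: frozenset           # signer set this proposal would install
    queued_at: int                   # time (seconds) the proposal was queued
    approvals: set = field(default_factory=set)


class TimelockedMultisig:
    """Signer-set migration guarded by a threshold and a minimum delay."""

    def __init__(self, signers, threshold, delay_seconds):
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.delay = delay_seconds
        self.proposals = {}

    def propose(self, pid, new_signers, now):
        self.proposals[pid] = Proposal(frozenset(new_signers), now)

    def approve(self, pid, signer):
        # Only keys in the *current* signer set count toward quorum.
        if signer in self.signers:
            self.proposals[pid].approvals.add(signer)

    def execute(self, pid, now):
        p = self.proposals[pid]
        if len(p.approvals & self.signers) < self.threshold:
            return "rejected: quorum not reached"
        if now < p.queued_at + self.delay:
            return "rejected: timelock has not elapsed"
        self.signers = p.new_signers     # the migration takes effect
        return "executed"


def simulate_migration(threshold, delay_seconds, compromised, now=0):
    """Compromised keys queue a migration to an attacker-controlled signer
    set at t=0, approve it and try to execute it at `now`. Returns the
    execution result and whether the attacker now holds every signer slot."""
    ms = TimelockedMultisig({"s1", "s2", "s3", "s4", "s5"}, threshold, delay_seconds)
    attacker_set = frozenset({"atk1", "atk2", "atk3", "atk4", "atk5"})
    ms.propose("migrate", attacker_set, now=0)
    for key in compromised:
        ms.approve("migrate", key)
    result = ms.execute("migrate", now)
    return result, ms.signers == attacker_set


if __name__ == "__main__":
    # 2-of-5, no timelock: two phished keys replace the signer set instantly.
    print(simulate_migration(2, 0, {"s1", "s2"}))
    # 3-of-5 with a 48h timelock: the same two keys cannot reach quorum.
    print(simulate_migration(3, 48 * 3600, {"s1", "s2"}))
    # With three keys the timelock still delays execution, giving the
    # remaining signers and monitoring a window to intervene.
    print(simulate_migration(3, 48 * 3600, {"s1", "s2", "s3"}))
    print(simulate_migration(3, 48 * 3600, {"s1", "s2", "s3"}, now=48 * 3600))
```

The last two calls show that a timelock alone does not stop a quorum of compromised keys; it converts an instant takeover into a delay during which the change is visible on-chain and can be contested.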

Establish contributor security standards. The Drift attack vector, compromising contributors’ devices through social engineering, is replicable against any protocol whose security depends on a small number of human signers. Protocols should establish mandatory security standards for anyone with multisig authority: hardware wallets for signing, air-gapped devices for key management, mandatory security training, and policies prohibiting the installation of unvetted software.

Conduct a regulatory analysis before launch. The CFTC’s 2023 enforcement actions against Opyn, Deridex, and ZeroEx demonstrate that offering regulated financial products through smart contracts does not exempt a protocol from registration requirements. Founders should engage counsel to assess whether the protocol’s products constitute swaps, futures, securities, or money transmission under applicable federal and state law.

* * *

If you were affected by the Drift Protocol or Kelp DAO exploits, are building a DeFi protocol, or need help with regulatory analysis, token classification, or governance structuring, our Fintech & Crypto team is available to discuss your specific situation. Reach us at crypto@buzko.legal.
