Ether.fi has disclosed its full response to the April 18 rsETH exploit that affected Kelp DAO. A forged cross-chain message released approximately $292 million in unbacked rsETH during the incident.
No systems on the platform were directly compromised. The EtherFi Liquid vaults also had no direct exposure to rsETH.
The event exposed a critical vulnerability in DeFi cross-chain messaging infrastructure. In response, the protocol carried out security hardening across all 20 chains where weETH is deployed.
The root cause of the exploit was a single-DVN configuration lacking redundancy. Ether.fi’s bridge had previously enforced two or more DVNs on all pathways. Still, the incident triggered a full review and three concrete hardening measures.
The first fix involved message library pinning on every weETH pathway. Ether.fi pinned the SendUln302 and ReceiveUln302 addresses into weETH’s OApp-specific configuration slot.
This blocked LayerZero’s multisig from swapping in a library that bypasses DVN verification. The fallback path has been fully closed across all chains.
The protocol then pinned its four-DVN set and raised the verification threshold to 4/4. Every inbound weETH message now requires attestation from all four DVNs.
A single malicious or unavailable DVN halts the message rather than being bypassed. LayerZero independently reviewed and confirmed the updated configuration.
Furthermore, the platform tightened per-route rate limits across all bridge contracts it controls. Each source and destination pathway now enforces a conservative inbound and outbound weETH cap.
These limits sit on contracts fully controlled by the protocol. They remain effective regardless of upstream bridge provider behavior.
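The three measures above, modeled as a per-pathway audit and an inbound acceptance check. This is an added example, not ether.fi's or LayerZero's code; the Pathway fields, DVN names and cap values are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical model of one bridge pathway; field names are illustrative and
# are not LayerZero's or ether.fi's configuration schema.
@dataclass(frozen=True)
class Pathway:
    name: str
    send_lib_pinned: bool     # False = follows the provider's default library
    receive_lib_pinned: bool
    required_dvns: frozenset  # every DVN listed here must attest
    inbound_cap: int          # weETH per window; 0 = no limit configured
    outbound_cap: int

def audit(p: Pathway, min_dvns: int = 2) -> list:
    """Return the findings for one pathway; an empty list means it passes."""
    findings = []
    if not (p.send_lib_pinned and p.receive_lib_pinned):
        findings.append("library not pinned: provider default can be swapped")
    if len(p.required_dvns) < min_dvns:
        findings.append(f"{len(p.required_dvns)} required DVN(s): no redundancy")
    if p.inbound_cap <= 0 or p.outbound_cap <= 0:
        findings.append("missing inbound/outbound rate limit")
    return findings

def accept(p: Pathway, attested_by: set, amount: int, used_inbound: int) -> bool:
    """Accept an inbound message only if all required DVNs attested and the cap holds."""
    if not p.required_dvns <= attested_by:
        return False  # one missing DVN halts the message instead of being bypassed
    if p.inbound_cap and used_inbound + amount > p.inbound_cap:
        return False  # the route's cap bounds the loss even if verification fails upstream
    return True

# Constructed sample data, not real deployment values.
ALL_FOUR = {"dvn-a", "dvn-b", "dvn-c", "dvn-d"}
WEAK = Pathway("weak", False, False, frozenset({"dvn-a"}), 0, 0)
HARDENED = Pathway("hardened", True, True, frozenset(ALL_FOUR), 1_000, 1_000)

if __name__ == "__main__":
    for p in (WEAK, HARDENED):
        print(p.name, audit(p) or "ok")
    print(accept(HARDENED, ALL_FOUR - {"dvn-d"}, 10, 0))  # 3 of 4 attested
    print(accept(WEAK, {"dvn-a"}, 10**9, 0))              # single DVN, no cap
```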
Beyond the immediate fixes, the protocol is evaluating a second independent bridge provider to reduce systemic risk. Chainlink CCIP and Wormhole are currently under consideration alongside LayerZero.
Cross-chain weETH messages would then require attestation from a quorum of providers. This move would eliminate single-provider dependency entirely.
Following a systematic L2 risk assessment, ether.fi is deprecating weETH bridging on eight networks. Scroll, Swell, Bera, zkSync, Mode, Blast, Morph, and Sonic will be deprecated effective at the end of June.
To close the coordination gap in DeFi, ether.fi is joining the DeFi United collective. The coalition brings together Aave, Kelp DAO, LayerZero, and ether.fi.
Shared security standards and coordinated incident responses are its core focus. This approach ensures no protocol faces a cross-chain failure alone.
The EtherFi Foundation is contributing 5,000 ETH to a dedicated DeFi United relief vehicle. Other partners in the collective are also contributing alongside ether.fi. When future failures occur, the coalition aims for the ecosystem to respond as one.

