KernelDAO (Kelp Gain)

3.8
hgETH (High Growth ETH) / Ethereum / June 29, 2026 (reassessment; vault unpaused since last assessment)

Overview

hgETH (High Growth ETH) is a liquid, reward-bearing ERC-4626 vault token issued by the High Growth Vault, a product of Kelp Gain (part of the KernelDAO ecosystem). The vault is built on Upshift Finance infrastructure and curated by UltraYield (a spin-off of Edge Capital).

Users deposit ETH, LSTs (stETH, ETHx), or rsETH into the vault. All deposits are converted to rsETH (Kelp's liquid restaked ETH token) via an adapter contract, then allocated across 12+ DeFi protocols by professional fund managers. hgETH appreciates in value as yield accrues from these strategies.

Yield strategies include:

  • Leverage farming on Aave
  • Deposits on Usual, Pendle, and Elixir
  • Lending on Morpho, Euler, and Compound
  • Dynamic allocation across best-performing DeFi protocols

Multi-layered risk architecture:

  • Layer 1: ETH → rsETH (Kelp restaking via EigenLayer)
  • Layer 2: rsETH → Gain vault (active strategy deployment across 12+ protocols)
  • Layer 3: Gain vault → hgETH (ERC-4626 receipt token)

Each layer introduces additional smart contract risk, oracle risk, and counterparty risk.

Key metrics (onchain verified, June 29, 2026):

  • hgETH total supply: 11,343.37 hgETH (totalSupply() onchain) — down ~23% from 14,752.14 in April (net redemptions after unpause)
  • hgETH total assets: 11,275.93 rsETH (totalAssets() onchain) — down ~26% from 15,294.54 in April
  • hgETH exchange rate: 1 hgETH = 0.9941 rsETH (convertToAssets(1e18) = 994,054,642,151,219,421) — decreased from 1.0368 in April (~4.1% loss in share value, onchain verified)
  • Vault buffer (rsETH held directly by hgETH): 0.745 rsETH (~0.007% of total assets) — down from 117.13 rsETH (0.77%) in April; effectively zero
  • Active loans/strategy positions: 172 (was 169 in April)
  • Vault deposits and withdrawals UNPAUSED: depositsPaused() = false, withdrawalsPaused() = false (verified onchain)
  • Underlying asset: rsETH (0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7)
  • rsETHPrice (Kelp LRT oracle): 1.0748 ETH per rsETH (slightly up from 1.0696 in April)
  • hgETH market cap: ~$19.0M (using ETH/USD ≈ $1,576 and onchain hgETH/ETH rate from Morpho oracle ≈ 1.0685; April was ~$37M)
  • Kelp protocol TVL: ~$870M (DeFiLlama, June 29, 2026), down from ~$1.54B in April; continues to decline
  • Gain protocol TVL: ~$33.6M (DeFiLlama, June 29, 2026), near all-time low

Yearn use case per issue #65:

  • Accept hgETH as collateral, or use in a strategy
  • Morpho market: hgETH/WETH at 91.5% LLTV

Risk Summary

Key Strengths

  • Experienced team: Founders built Stader Labs ($680M+ TVL, operating since 2021). Strong institutional credibility
  • Significant funding: $19M+ raised from reputable investors (Binance Labs, SCB Limited, Laser Digital, Hypersphere Ventures)
  • Quick incident response (April 2026): Kelp's operations multisig paused rsETH contracts and bridge routes within ~46 minutes of the LayerZero exploit. hgETH vault was paused the same day. Arbitrum Security Council froze ~30,766 ETH of attacker funds within days
  • Multiple audit layers: Extensive auditing across the stack — Sigma Prime, Code4rena, MixBytes across rsETH; ChainSecurity, Hacken, Sigma Prime, Zellic across Upshift and Kernel. Only 1 public audit for hgETH/Gain vault (Sigma Prime, Nov 2024)
  • hgETH/Gain contracts not directly compromised: The April 18, 2026 exploit was on the LayerZero OFT bridge layer (escrow on Ethereum, forged DVN attestation). The hgETH vault contract, the Gain accounting, and the rsETH balances held by the vault on Ethereum were not the source of the bug
  • Non-custodial vault architecture: Upshift's design prevents curators from withdrawing funds to external EOAs; policy-constrained execution via August subaccounts
  • Nexus Mutual embedded cover: Integrated insurance covering $30M+ of vault positions against smart contract exploits, oracle failures, and liquidation mechanism failures. Does not cover strategy losses from looping/leverage liquidations, market movements, or — based on the public cover terms — bridge / cross-chain messaging failures of the kind seen in April 2026 (this would need to be confirmed with Nexus on the actual hgETH cover policy)
  • Chainlink PoR: rsETH integrated Chainlink Proof of Reserve Secure Mint (added after the April 2025 fee-minting bug)
  • rsETH governance: 6-of-8 multisig with 10-day timelock for the underlying rsETH layer

Key Risks

  • Exchange rate decreased (realized loss): The hgETH exchange rate has decreased from 1.0368 rsETH/hgETH (April 27) to 0.9941 rsETH/hgETH (June 29) — a ~4.1% loss in share value. An ERC-4626 vault should not decrease in share value unless a loss event occurred or was socialized. The cause is not publicly documented
  • Near-zero vault buffer: Only 0.745 rsETH (~0.007% of assets) is held as buffer, down from 117.13 rsETH in April. Any withdrawal >0.745 rsETH requires recalling funds from deployed strategies (3-4 day processing). Even a single medium-size redemption cannot be serviced instantly
  • Underlying rsETH peg still uncertain: ~116,500 rsETH (~18% of supply) was released from the LayerZero OFT escrow on April 18, 2026. Wrapped rsETH on bridged chains remains structurally under-collateralized. Kelp TVL has continued to decline (from $1.54B to $870M), suggesting ongoing stress. The rsETH LRT oracle price (1.0748 ETH/rsETH) has not been adjusted to reflect the loss; recovery/DeFi United AIP status is unclear
  • hgETH/USD oracle feed degraded: The latestAnswer() function on the hgETH/USD EOMultiFeedAdapter now reverts. latestRoundData() returns data but with anomalous zero-filled fields (roundId=0, startedAt=0). The feed appears partially deprecated or broken
  • Multi-layered complexity produced a real failure: The April 2026 LayerZero bridge exploit materialized the "tail event in a layered dependency chain" warned about in prior assessments
  • Actively managed vault: Unlike passive vaults, the curator (UltraYield) makes allocation decisions. The exchange-rate decrease and fee-elimination suggest some form of restructuring occurred during the pause period — details are not public
  • hgETH governance weaker than rsETH: 3-of-5 multisig with mostly anonymous signers and no verified onchain timelock, while rsETH has a 6-of-8 multisig with 10-day timelock
  • Withdrawal delay + zero DEX liquidity: 3-4 days to exit hgETH to rsETH, and negligible DEX liquidity for hgETH. The Morpho market is now essentially empty, so it is not a viable exit path either
  • Confirmed no onchain timelock: Despite Upshift documentation claiming "24-hour timelocks," no timelock exists on the hgETH ProxyAdmin upgrade path (onchain verified)
  • Bug bounty scope still excludes hgETH/Gain (unchanged): Immunefi Kelp DAO bounty covers rsETH core contracts only; the hgETH and Gain vault contracts remain out of scope

Critical Risks

  • Realized share-value loss of unknown cause (~$763K): The hgETH exchange rate decreased ~4.1% between April and June 2026 — from 1.0368 to 0.9941 rsETH/hgETH (onchain verified). Applied to the remaining 11,343 hgETH supply at ~$1,576/ETH, this represents a ~$763K loss to remaining holders. An ERC-4626 vault should never decrease in share value — shares should only appreciate as yield accrues. The cause (strategy losses, restructuring write-down, fee charge before fee elimination, or other) is not publicly documented. If the loss was a one-time event, forward risk is contained; if underlying strategies continue to underperform, further losses may follow
  • Underlying asset value uncertainty (~$292M ecosystem loss unresolved): The onchain hgETH accounting (0.9941 rsETH per hgETH) is verifiable, but rsETH's market value in ETH may differ from the LRT oracle price (1.0748 ETH/rsETH). The April 18, 2026 LayerZero bridge exploit released ~116,500 rsETH (~$292M, ~18% of rsETH supply) from the OFT escrow to an attacker. Wrapped rsETH on bridged chains remains structurally under-collateralized. Recovery via the "DeFi United" Constitutional AIP is unresolved. The ultimate economic backing of hgETH depends on remediation outcomes
  • No buffer = no instant exits: With 0.745 rsETH in buffer (~0.007% of assets), even small withdrawals force strategy recall with 3-4 day delays. Any liquidity crunch (many simultaneous withdrawals) would create significant processing delays
  • Concentrated multisig with no timelock: The same 3-of-5 Safe controls pause/unpause, fee parameters, and proxy upgrades on hgETH. Despite the vault now being unpaused, the multisig retains unilateral control with no onchain delay

Full Report

Contract Addresses

Core Contracts (Ethereum)

Contract | Address | Type
hgETH (High Growth Vault) | 0xc824A08dB624942c5E5F330d56530cD1598859fD | TransparentUpgradeableProxy → GainLendingPool
rsETH (underlying asset) | 0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7 | Kelp liquid restaked ETH
KERNEL (governance token) | 0x3f80b1c54ae920be41a77f8b902259d48cf24ccf | KernelDAO governance token

Proxy Infrastructure

Contract | ProxyAdmin | ProxyAdmin Owner
hgETH | 0xd355daae366220a0282cd5d2687fbc395395fc40 | 3-of-5 Multisig (0xFD96F6854bc73aeBc6dc6E61A372926186010a91)

Governance

Contract | Address | Configuration
Vault Owner Multisig | 0x66Bee721697BF17D9Eea28c51C828a43ba597B0b | 3-of-5 Gnosis Safe (onchain verified via getThreshold() and getOwners())
ProxyAdmin Owner Multisig | 0xFD96F6854bc73aeBc6dc6E61A372926186010a91 | 3-of-5 Gnosis Safe — same 5 signers as vault owner (onchain verified)

On-Chain Verification (Etherscan + cast, April 27, 2026)

Contract | Name | Verified | Proxy | Implementation
hgETH | TransparentUpgradeableProxy → GainLendingPool | Yes | Yes | 0x4FFe25598489C7259DC9686a2Cba0507177bcf7F (unchanged from March)
BASE_FEED_1 | TransparentUpgradeableProxy → EOMultiFeedAdapter | Yes | Yes | 0x8a1bae36ee0e7b7d6ced3ffea250914bfca09292 (unchanged from March)
Vault Owner | SafeProxy (Gnosis Safe) | Yes | Yes |
ProxyAdmin | ProxyAdmin | Yes | No |

Onchain ownership verification (via cast, April 27, 2026):

  • hgETH owner() → 0x66Bee721697BF17D9Eea28c51C828a43ba597B0b (3-of-5 multisig, unchanged signers)
  • hgETH ProxyAdmin owner() → 0xFD96F6854bc73aeBc6dc6E61A372926186010a91 (3-of-5 multisig, same 5 signers as vault owner, unchanged)
  • Vault multisig getThreshold() → 3, getOwners() → 5 signers (unchanged)
  • ProxyAdmin multisig getThreshold() → 3, getOwners() → 5 signers (same set, unchanged)
  • No proxy upgrade since deployment (implementation slot still points to 0x4FFe25598489C7259DC9686a2Cba0507177bcf7F)
  • depositsPaused() → false, withdrawalsPaused() → false (vault UNPAUSED as of June 29, 2026; originally paused on April 18, 2026 via tx 0xec9de389a42cc3213fd1d95243a1caa3812574acb0a8012407a57411aa48fcef)

Audits and Due Diligence Disclosures

Audit History

hgETH involves multiple protocol layers, each with its own audit history.

hgETH / Gain Vault Audits

# | Firm | Date | Scope | Report
1 | Sigma Prime | Nov 2024 | GainAdapter contract (rsETH adapter for hgETH) | PDF

Key findings from Sigma Prime hgETH audit:

  • Assets held by the adapter are not included in share calculations, causing users to receive more shares per asset than they should upon deposits
  • A portion of rsETH tokens will not be accounted for by any vault and become stuck in the contract
  • Team acknowledged these as "design choices for protocol stability"

On-Chain Complexity

The architecture is highly complex with multiple layers:

  • ERC-4626 vault: hgETH wraps rsETH via the GainLendingPool implementation
  • Upgradeable proxy: TransparentUpgradeableProxy controlled by 3-of-5 multisig
  • Multi-protocol strategy: Funds deployed across 12+ DeFi protocols simultaneously
  • August subaccounts: Smart contract wallets used for strategy segregation on Upshift
  • Policy-constrained execution: Curators can only execute whitelisted strategies
  • rsETH layer: Additional complexity from the underlying liquid restaking protocol (EigenLayer integration)

Bug Bounty

Active Immunefi bug bounty program for Kelp DAO:

Note: The bug bounty covers rsETH core contracts only. hgETH/Gain vault contracts are NOT in scope — verified on Immunefi Kelp DAO scope. The 10 in-scope contracts are: LRT Config, rsETH, LRT Deposit Pool, LRT Oracle, EthXPriceOracle, FeeReceiver, LRTConverter, LRTWithdrawalManager, LRTUnstakingVault, and NodeDelegator. The hgETH contract (0xc824A08dB624942c5E5F330d56530cD1598859fD) and Upshift infrastructure are not covered. There is also no separate KernelDAO bug bounty program on Immunefi.

Insurance

Nexus Mutual embedded cover — confirmed partnership between Nexus Mutual, Edge Capital (UltraYield), and Kelp for the High Growth Vault (announcement). Described as a "world-first DeFi vault with embedded cover":

  • Cover protects across $30M+ of the vault's core positions
  • Cover is integrated directly into the vault — users receive protection as part of the product, not purchased separately
  • Nexus Mutual track record: $5.5B in crypto safeguarded since 2019, $17M+ in claims paid

What IS covered (Nexus Mutual cover terms):

  • Smart contract exploits/hacks (e.g., a bug in Aave, Euler, or the vault contract itself)
  • Oracle manipulation or oracle failure
  • Liquidation failure (when a protocol's liquidation mechanism malfunctions and bad debt accrues)
  • Governance takeovers (malicious upgrade forced through)

What is NOT covered:

  • Strategy losses from looping/leverage are NOT covered — if hgETH's leveraged looping strategy on Aave gets liquidated because ETH price drops and the health factor falls below 1, that is the protocol working as intended → not a covered event
  • Market price movements of assets (except oracle manipulation)
  • Depegs of assets that the covered protocol generates
  • Rug pulls / owner confiscation within existing permissions
  • Bridge failures
  • User errors (phishing, private key compromise, malware)
  • Pre-existing issues or previously disclosed bugs

Key distinction for Yearn: The Nexus Mutual cover protects against protocol failures (smart contract bugs, oracle malfunctions, broken liquidation mechanisms), but does not protect against strategy underperformance or losses from legitimate DeFi protocol behavior. Since hgETH's primary yield strategy involves leverage farming on Aave and looping, a normal liquidation from adverse market conditions would result in a loss to hgETH holders that insurance would not cover.

Historical Track Record

Incidents

Date | Incident | Impact | Resolution
Apr 18, 2026 | KelpDAO LayerZero V2 OFT bridge exploit — attacker forged a cross-chain message via a misconfigured 1-of-1 DVN setup on the Unichain→Ethereum rsETH route, causing the OFT escrow on Ethereum to release ~116,500 rsETH (~$292M, ~18% of supply) to an attacker address. Attacker used the rsETH as collateral to borrow ~$200–236M across lending venues. Aave's Guardian froze rsETH/wrsETH markets across 10+ deployments on the same day. | rsETH on Ethereum supply unchanged onchain (escrow drain, not new mint). Wrapped rsETH on bridged chains is now ~18% under-collateralized. rsETH market peg broke versus ETH. | Kelp/Upshift paused hgETH and other Gain vaults the same day as a precaution. The vault was unpaused sometime between late April and late June 2026. Arbitrum Security Council froze ~30,766 ETH (~$71M) of attacker funds on April 21. Kelp, Aave Labs, LayerZero, EtherFi, Compound jointly filed a Constitutional AIP seeking to release frozen funds into a "DeFi United" recovery vehicle. Investigation and remediation still ongoing as of June 2026.
Apr 30, 2025 | rsETH fee minting bug — code used 1e36 instead of 1e18 base, minting an astronomical excess of rsETH to the fee address | Deposits/withdrawals paused. rsETH frozen on Aave as precaution. No user funds lost. | Bug resolved May 1, 2025. Kelp integrated Chainlink Proof of Reserve (PoR) Secure Mint
Apr 2024 | rsETH depeg — -1.5% deviation from theoretical exchange rate | Brief depeg, quickly corrected. Protocol monitoring paused operations when exchange rates deviated >1% | ETH withdrawal feature improvements subsequently reduced depeg risk
Jul 22, 2024 | DNS hijacking — attacker convinced GoDaddy to bypass 2FA and redirect domain to malicious UI | A small number of users lost funds via phishing UI. No smart contract exploit. | Domain ownership recovered, registrar transferred, security alerts improved

Direct hgETH/Gain vault contract impact: None of the incidents above are bugs in the hgETH or Gain vault smart contracts themselves. The April 2026 exploit was on the LayerZero OFT bridge layer; hgETH vault holds canonical rsETH on Ethereum and was paused as a precaution. The vault has since been unpaused (June 2026), but the rsETH peg break and the continued ecosystem stress materially increase redemption / liquidity risk for hgETH holders.

Funds Management

Deposit/Withdrawal Flow

Depositing: Users deposit ETH, LSTs (stETH, ETHx), or rsETH into the High Growth Vault via the Kelp Gain dApp. An adapter contract converts all deposits to rsETH before depositing into the vault. hgETH shares are minted proportional to the current exchange rate (ERC-4626 standard).

Strategy deployment: The vault curator (UltraYield by Edge Capital) allocates rsETH across ~12 DeFi protocols:

  • Leverage farming (Aave)
  • Stablecoin strategies (Usual, Elixir)
  • Fixed-yield instruments (Pendle)
  • Lending markets (Morpho, Euler, Compound)
  • Strategies execute within Upshift's August subaccount infrastructure — curators operate within policy-constrained smart contract wallets

Withdrawals (hgETH → ETH full flow, onchain verified):

hgETH → (3-4 days) → rsETH → (instant via DEX, or 2+ days via Kelp unstake) → ETH

Step 1: hgETH → rsETH (3-4 days)

  1. User calls requestRedeem(shares, receiver, holder) on the hgETH vault — emits WithdrawalRequested with a scheduled claim date (year/month/day)
  2. Withdrawal epoch processes daily (getWithdrawalEpoch() = 2026/3/1 on March 1, 2026)
  3. Operator recalls assets from deployed strategy positions (162 active loans, 98.4% of assets deployed)
  4. Operator calls processWithdrawal(account, shares) or processAllClaimsByDate(year, month, day, maxLimit) to settle
  5. User calls claim(year, month, day, receiver) to receive rsETH
  6. maxRedeem() = 0 (direct ERC-4626 redemption disabled — must use requestRedeem() flow)
  7. maxWithdrawalAmount() = 100,000 rsETH per request (onchain verified)

Step 2: rsETH → ETH (two options)

  • Option A — DEX swap (instant): Sell rsETH on Curve/Balancer (~$79M liquidity). Instant with slippage on large amounts
  • Option B — Kelp unstaking (2+ days): Submit withdrawal via LRTWithdrawalManager (0x62De59c08eB5dAE4b7E6F7a8cAd3006d6965ec16) → wait for processing → claim ETH

Total time: 3-4 days (vault + DEX) or 5-6+ days (vault + Kelp unstake). Note: near-zero buffer (0.745 rsETH) means even small withdrawals require strategy recall.

Vault buffer (onchain verified, June 29, 2026):

Metric | Value
Total assets | 11,275.93 rsETH
Deployed in strategies (globalLoansAmount) | 11,273.42 rsETH (~99.99%)
Vault buffer (rsETH balance held by hgETH) | 0.745 rsETH (~0.007%)
Active loan/strategy positions (getTotalLoansDeployed) | 172 (was 169 in April)
Settlement account (settlementAccount) | 0x66Bee721697BF17D9Eea28c51C828a43ba597B0b (vault owner multisig)
Loans operator (loansOperator) | 0x416e26e331Fc0b77386e9dDB5Ed9AdE73F1241F4
Loans deployer (loansDeployerAddress) | 0x9E053AAA3C435e94C1663a428cdC4ea91F23C556
Scheduled caller (scheduledCallerAddress) | 0x06eada250B02A3614AFce04B8cd7025093312159
GainAdapter (gainAdapter) | 0xB185D98056419029daE7120EcBeFa0DbC12c283A
Max supply cap (maxSupply) | 100,000 hgETH (unchanged)
Max deposit cap (maxDepositAmount) | 100,000 rsETH (unchanged)

Only ~0.007% of assets are available as buffer (0.745 rsETH, down from 117.13 rsETH / 0.77% in April). The remaining ~99.99% is deployed across 172 strategy positions. Withdrawals are now unpaused, but the near-zero buffer means even small redemptions require recalling assets from strategies (3-4 day processing).
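The share-price and buffer checks behind these figures, written as an added example (not code from this report or from Kelp/Upshift). The April snapshot and all June values except convertToAssets(1e18) are constructed from the rounded numbers quoted here; the 0.5% buffer floor, the 5 bps accounting tolerance and the alert names are assumptions.

```python
from dataclasses import dataclass

WAD = 10**18  # hgETH and rsETH both use 18 decimals


@dataclass(frozen=True)
class VaultSnapshot:
    label: str
    total_assets: int        # totalAssets(), rsETH wei
    total_supply: int        # totalSupply(), hgETH wei
    share_price: int         # convertToAssets(1e18), rsETH wei per 1 hgETH
    buffer: int              # rsETH held directly by the vault, wei
    deposits_paused: bool
    withdrawals_paused: bool


# Constructed snapshots: rounded figures from this report scaled to wei.
# Only the June share_price is the exact raw value quoted on the page.
APRIL = VaultSnapshot("2026-04", 1529454 * 10**16, 1475214 * 10**16,
                      10368 * 10**14, 11713 * 10**16, True, True)
JUNE = VaultSnapshot("2026-06", 1127593 * 10**16, 1134337 * 10**16,
                     994_054_642_151_219_421, 745 * 10**15, False, False)


def share_price_change_bps(prev, cur):
    """Signed change in convertToAssets(1e18) between snapshots, in basis points."""
    return (cur.share_price - prev.share_price) * 10_000 / prev.share_price


def buffer_pct(snap):
    """Vault buffer as a percentage of totalAssets()."""
    return snap.buffer * 100 / snap.total_assets


def needs_strategy_recall(snap, shares):
    """True when redeeming `shares` (hgETH wei) is owed more rsETH than the buffer holds."""
    owed = shares * snap.share_price // WAD
    return owed > snap.buffer


def holder_loss_usd(prev, cur, eth_usd):
    """Loss on the current supply from a share-price drop.

    Prices 1 rsETH at eth_usd, the same simplification as the report's dollar figure.
    """
    drop = max(prev.share_price - cur.share_price, 0)
    loss_rseth_wei = cur.total_supply * drop // WAD
    return loss_rseth_wei * eth_usd / WAD


def accounting_gap_bps(snap):
    """Gap between convertToAssets(1e18) and totalAssets/totalSupply, in bps."""
    implied = snap.total_assets * WAD // snap.total_supply
    return abs(implied - snap.share_price) * 10_000 / snap.share_price


def evaluate(prev, cur, min_buffer_pct=0.5, max_gap_bps=5):
    """Return alert codes for the transition prev -> cur (thresholds are assumptions)."""
    alerts = []
    if cur.share_price < prev.share_price:
        alerts.append("SHARE_PRICE_DROP")      # ERC-4626 share value went down
    if buffer_pct(cur) < min_buffer_pct:
        alerts.append("LOW_BUFFER")            # redemptions will need strategy recall
    if (cur.deposits_paused, cur.withdrawals_paused) != (
            prev.deposits_paused, prev.withdrawals_paused):
        alerts.append("PAUSE_STATE_CHANGED")
    if accounting_gap_bps(cur) > max_gap_bps:
        alerts.append("ACCOUNTING_MISMATCH")   # quoted rate disagrees with assets/supply
    return alerts


if __name__ == "__main__":
    print(f"share price change: {share_price_change_bps(APRIL, JUNE):.1f} bps")
    print(f"June buffer: {buffer_pct(JUNE):.4f}% of assets")
    print(f"loss on remaining supply: ${holder_loss_usd(APRIL, JUNE, 1576):,.0f}")
    print("alerts:", evaluate(APRIL, JUNE))
```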

Accessibility

  • Deposits: Unpaused — open to anyone; deposit ETH/LSTs/rsETH, receive hgETH. Management fee is 0%
  • Withdrawals: Unpaused — 3-4 day processing period via requestRedeem() → claim() flow (not instant). Assets recalled from 172 deployed strategy positions; only 0.745 rsETH (~0.007%) buffer available — any withdrawal >0.745 rsETH requires strategy recall
  • Composability: hgETH can be used across DeFi (Morpho, Euler, Pendle) for additional yield, but secondary markets are extremely thin and the underlying rsETH peg is currently stressed

Fees (onchain verified, June 29, 2026)

Fee | Value | Mechanism
Management fee | 0% (managementFeePercent() = 0, changed from 150/1.5% in April) | Management fee was cut to zero by vault governance. managementFeeLastKnownTimestamp = 1774371695 (March 24, 2026 17:01:35 UTC) — fee has not been charged since. No ongoing dilution
Withdrawal fee | 0% (withdrawalFee() = 0, unchanged) |
Performance fee | 20% (per Edge Capital proposal: "Fee Structure (management/performance): 1.5/20%") | Applied to profits above baseline; not independently verified onchain
Fee collector (feesCollector) | 0x2151A97C7819782fD99efF020CdfE0aE838Ad378 | Receives minted hgETH shares
Daily fee accrual | 0 rsETH/day | Management fee set to 0% as of June 2026
Annual fee | 0 rsETH | Management fee eliminated
totalCollectableFees | 0 | No fees accruing

Collateralization

  • Underlying asset: rsETH (Kelp liquid restaked ETH)
  • rsETH backing: ETH (~59.5%), ETHx from Stader (~32.5%), wstETH from Lido (~8%) — restaked on EigenLayer
  • hgETH backing: 1 hgETH = 1.035 rsETH (onchain, March 1, 2026). rsETH is deployed across 12+ DeFi protocols
  • Non-custodial vault: Per Upshift documentation, neither Upshift nor the Curator can withdraw user funds to an external EOA. Funds only move between whitelisted strategy contracts and the vault
  • Withdrawal Liquidity Buffer: Configurable percentage of assets held in buffer for immediate redemptions (per Upshift docs)
  • No over-collateralization: hgETH is a 1:1 receipt token for vault shares, not an over-collateralized position

Provability

  • hgETH exchange rate: Fully onchain via ERC-4626 convertToAssets() — programmatic, trustless
  • rsETH exchange rate: Onchain via Kelp's LRT oracle
  • Strategy positions: Deployed across DeFi protocols — visible onchain via August subaccounts
  • rsETH reserves: Chainlink Proof of Reserve (PoR) integration (added May 2025 after fee minting incident)
  • Risk management: Upshift enforces NAV Volatility Protection (max percentage change constraint on share-to-asset ratio per update cycle)

Liquidity Risk

Primary Exit Mechanisms

  1. Withdrawal from vault: Unpaused as of June 2026 (withdrawalsPaused() = false). Request hgETH → rsETH redemption via Kelp Gain dApp; 3-4 day processing period as assets are recalled from strategies. However, vault buffer is nearly zero (0.745 rsETH), so even small withdrawals require strategy recall
  2. DEX swap: hgETH composability on Balancer, Pendle; rsETH has diminished DEX liquidity post-exploit (was ~$79M pre-exploit across Curve/Balancer; current depth unverified but likely still thin)
  3. Morpho/Euler: hgETH can be used as collateral on Morpho and Euler Frontier vaults, but the hgETH/WETH Morpho market is now essentially empty (see below)

Liquidity Assessment

  • Primary liquidity (restored): Vault withdrawals are unpaused as of June 2026. maxRedeem() = 0 (direct ERC-4626 redemption disabled — must use requestRedeem() flow). maxWithdrawalAmount() = 100,000 rsETH per request. However, vault buffer is 0.745 rsETH (~0.007% of assets), so any withdrawal >0.745 rsETH requires recalling funds from deployed strategy positions (3-4 day processing)
  • rsETH secondary market (post-exploit): Pre-exploit rsETH had ~$79M across major DEX pools and traded above ETH. Post-exploit liquidity is materially diminished. Kelp TVL has continued to decline from ~$1.54B (April) to ~$870M (June 29, 2026), reflecting ongoing ecosystem stress
  • hgETH secondary market (verified): Effectively zero. Only one DEX pool existed previously (Uniswap V4 hgETH/ETH, ~$311K). Current DEX liquidity for hgETH has not been reverified in this reassessment but is presumed negligible given the ~40% decline in Gain protocol TVL
  • rsETH depeg risk (now realized): The April 18, 2026 LayerZero bridge exploit created a structural rsETH depeg. While rsETH's LRT oracle price has increased slightly (1.0748 ETH/rsETH vs 1.0696 in April), the bridge-induced under-collateralization (~18% on wrapped rsETH) remains unresolved and the market price of rsETH likely still trades at a discount to the oracle
  • Morpho hgETH/WETH market (resolved): The Morpho market previously at 99.5% utilization has been almost entirely unwound. Current state (June 29, 2026): ~0.10 WETH supply, ~0.05 WETH borrow, 50.7% utilization. The earlier concern about a liquidation cascade against frozen exit paths no longer applies — there is essentially no position left to unwind

Morpho Market (hgETH/WETH)

Parameter | Value (June 29, 2026)
Market ID | 0xec97655fab06b53bfad9d8c2358768aed5a1c97b204d3e51e2a7cb0cb786a264
Collateral | hgETH (0xc824A08dB624942c5E5F330d56530cD1598859fD)
Loan Token | WETH (0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2)
Oracle | MorphoChainlinkOracleV2 (0x56dbc0f2784cd959e57fcc9cd83c3b7a24ee678c)
IRM | AdaptiveCurveIrm (0x870aC11D48B15DB9a138Cf899d20F13F79Ba00BC)
LLTV | 91.5% (immutable per Morpho design)
Total Supply | ~0.10 WETH (was ~495.82 WETH in April)
Total Borrow | ~0.05 WETH (was ~493.58 WETH in April)
Utilization | ~50.7% (was ~99.5% in April — market almost entirely unwound)
Last update block timestamp | 1782527399 (June 29, 2026)
Fee | 0%

Note: The hgETH/WETH Morpho market has been almost completely exited since April. The market previously held ~495 WETH in supply and ~493 WETH in borrow at 99.5% utilization. Current positions are <0.1 WETH on both sides — effectively dormant. The earlier critical risk of a liquidation cascade against frozen exit paths no longer applies.

Morpho Oracle Analysis (onchain verified, June 29, 2026)

The oracle is a MorphoChainlinkOracleV2 that uses two price feeds (no vault conversion):

Parameter | Address | Description | Current Value
BASE_VAULT | 0x0 | Not used |
BASE_VAULT_CONVERSION_SAMPLE | | | 1
BASE_FEED_1 | 0x70cf192d6b76d57a46aafc9285ced110034eb013 | EOMultiFeedAdapter (hgETH/USD, 18 decimals) — TransparentUpgradeableProxy | ~$1,683.68
BASE_FEED_2 | 0x0 | Not set |
QUOTE_FEED_1 | 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419 | Chainlink ETH/USD (8 decimals) | ~$1,575.80
QUOTE_FEED_2 | 0x0 | Not set |
SCALE_FACTOR | | Decimal adjustment | 1e26
price() | | Final oracle price | ~1.0685 (hgETH/ETH ratio, was ~1.1089 in April)

Values above are onchain verified at block 25422618 (timestamp 1782727619). The hgETH/USD feed latestAnswer() reverts (possibly decommissioned or deprecated); latestRoundData() continues to return data with roundId=0 and startedAt=0 — the feed appears partially degraded. The ETH/USD Chainlink feed is operating normally.

Oracle concerns:

  • Upgradeable oracle feed (unchanged): The hgETH/USD feed is a TransparentUpgradeableProxy (EOMultiFeedAdapter). The proxy admin multisig (3-of-5) could upgrade the oracle implementation. Implementation at 0x8a1bae36ee0e7b7d6ced3ffea250914bfca09292 is unchanged from April. However, latestAnswer() now reverts (onchain verified, June 29, 2026) — the feed may be partially deprecated. latestRoundData() returns data but with roundId=0 and startedAt=0, suggesting degraded functionality
  • No vault conversion (unchanged): The oracle does NOT use the onchain ERC-4626 exchange rate. The onchain vault exchange rate (0.9941 rsETH/hgETH) is now below 1 — the oracle's hgETH/USD feed still reports ~$1,683.68/hgETH, implying a valuation that may not fully reflect the vault's internal accounting
  • Morpho liquidation cascade risk (no longer applicable): As of June 2026, the Morpho hgETH/WETH market has been almost completely unwound (<0.1 WETH supply, <0.05 WETH borrow). The earlier concern about mass liquidations against frozen exit paths is resolved — there is essentially no position left to liquidate
  • Oracle proxy admin (different multisig, unchanged): ProxyAdmin owner is 0x266f15c63d5D3dE038F2E05D1fA397d92BCB013E (3-of-5 Gnosis Safe with 5 different signers from the vault multisig — onchain verified). Signers unchanged
  • Positive (unchanged): The ETH/USD quote feed is standard Chainlink with normal roundId, timestamps, and heartbeat
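How the two feeds combine into price(), together with the feed-health and vault cross-checks discussed above, as an added example (not Morpho's code and not part of this report's tooling). It assumes the standard MorphoChainlinkOracleV2 formula in which unset feeds and vaults contribute a factor of 1; the feed answers are constructed from the rounded table values, and the updatedAt values, the ETH/USD round id and the one-hour staleness window are made up for illustration.

```python
from dataclasses import dataclass

WAD = 10**18
NOW = 1782727619  # block timestamp quoted in the report


@dataclass(frozen=True)
class RoundData:
    """Fields of an AggregatorV3-style latestRoundData() return value."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


# Constructed samples: answers come from the rounded table values; everything
# else (updatedAt, the ETH/USD round id) is illustrative.
HGETH_USD = RoundData(0, 168368 * 10**16, 0, NOW - 600, 0)          # 18 decimals
ETH_USD = RoundData(1000, 157_580_000_000, NOW - 300, NOW - 300, 1000)  # 8 decimals
CONVERT_TO_ASSETS = 994_054_642_151_219_421   # convertToAssets(1e18), from the page
RSETH_PRICE = 10748 * 10**14                  # rsETHPrice 1.0748, rounded


def scale_factor(base_token_dec, quote_token_dec, base_feed_dec, quote_feed_dec):
    """SCALE_FACTOR for one base feed and one quote feed, no vault conversion."""
    exponent = 36 + quote_token_dec + quote_feed_dec - base_token_dec - base_feed_dec
    if exponent < 0:
        raise ValueError("decimals combination not representable")
    return 10**exponent


def oracle_price(base_answer, quote_answer, scale):
    """Collateral price in loan-token units, scaled by 1e36 (integer floor division)."""
    if base_answer <= 0 or quote_answer <= 0:
        raise ValueError("feed answer must be positive")
    return scale * base_answer // quote_answer


def feed_issues(rd, now, max_age_s):
    """List the reasons a consumer should distrust this round; empty means healthy."""
    issues = []
    if rd.answer <= 0:
        issues.append("non-positive answer")
    if rd.round_id == 0:
        issues.append("roundId=0")
    if rd.started_at == 0:
        issues.append("startedAt=0")
    if rd.updated_at == 0 or now - rd.updated_at > max_age_s:
        issues.append("stale updatedAt")
    if rd.answered_in_round < rd.round_id:
        issues.append("answeredInRound behind roundId")
    return issues


def vault_implied_price(convert_to_assets_1e18, rseth_price_1e18):
    """hgETH/ETH implied by vault accounting and the LRT oracle, scaled by 1e36."""
    return convert_to_assets_1e18 * rseth_price_1e18


def divergence_bps(oracle_px, implied_px):
    """Absolute gap between the feed-derived and vault-implied price, in bps."""
    return abs(oracle_px - implied_px) * 10_000 / implied_px


if __name__ == "__main__":
    scale = scale_factor(18, 18, 18, 8)  # hgETH, WETH, hgETH/USD feed, ETH/USD feed
    px = oracle_price(HGETH_USD.answer, ETH_USD.answer, scale)
    implied = vault_implied_price(CONVERT_TO_ASSETS, RSETH_PRICE)
    print("price():", px / 10**36)
    print("vault-implied:", implied / 10**36)
    print("divergence (bps):", round(divergence_bps(px, implied), 3))
    print("hgETH/USD issues:", feed_issues(HGETH_USD, NOW, 3600))
    print("ETH/USD issues:", feed_issues(ETH_USD, NOW, 3600))
```

Because the market's oracle reads the hgETH/USD feed rather than the vault, the divergence check is the only place where a gap between the two valuations would surface.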

Centralization & Control Risks

Governance

The hgETH vault is controlled by a 3-of-5 Gnosis Safe multisig. Both the vault owner() and the ProxyAdmin are controlled by the same 5 signers:

Role | Controlled By | Description
hgETH owner() | 3-of-5 Multisig | Vault administrative operations
hgETH ProxyAdmin Owner | 3-of-5 Multisig (same signers) | Can upgrade hgETH implementation

Governance concerns:

  • No timelock on proxy upgrades (onchain verified): The ProxyAdmin (0xd355daae366220a0282cd5d2687fbc395395fc40) is owned directly by the 3-of-5 Safe — no TimelockController or delay contract in between. The ProxyAdmin has no getMinDelay() or delay() functions. Neither Safe has modules (getModulesPaginated() returns empty). The vault's lagDuration() = 0. Upshift documentation claims "24-hour timelocks on critical modifications" — this is not enforced onchain for proxy upgrades. The updateTimelockDuration function exists in the vault ABI but controls vault operational parameters, not proxy upgrades
  • One known signer: Only 1 of 5 signers is identifiable (Kelp DAO Deployer address). The other 4 are anonymous EOAs
  • Same signers for both owner and ProxyAdmin: No separation of concerns between operational control and upgrade authority

rsETH governance (underlying layer):

  • External Admin: 6-of-8 multisig with 10-day timelock for contract upgrades (via Timelock contract at 0x49bD9989E31aD35B0A62c20BE86335196A3135B1)
  • Manager: 2-of-5 multisig for operational tasks (deposits, limits, pausing)
  • 8 known signers on External Admin including venture partners and protocol founders (per LlamaRisk)

The rsETH layer has notably better governance than the hgETH vault layer (higher threshold, timelock, more known signers).

KERNEL token governance:

  • $KERNEL is the unified governance token (1B total supply)
  • Token distribution: 55% community rewards/airdrops, 20% private sale (18-month vesting after 12-month lock), 20% team/advisors (36-month vesting after 12-month lock), 5% ecosystem partners
  • Governance token launched April 2025; DAO structure is relatively new

Programmability

  • hgETH exchange rate: Onchain via ERC-4626 convertToAssets(). Programmatic
  • Strategy execution: Curators execute strategies within Upshift's August subaccount infrastructure. Strategies are policy-constrained (whitelisted protocols and contract calls only). Curator-managed, not fully programmatic
  • Withdrawal: 3-4 days, requires assets to be recalled from deployed strategies. Not instant, involves operational steps
  • NAV updates: Upshift enforces Max Percentage Change constraint per update cycle. Bounds checking exists
  • Emergency functions: Multi-sig controlled pause for deposits/withdrawals; can instantly return all strategy funds to vault

External Dependencies

Dependency | Type | Criticality | Impact of Failure
rsETH (Kelp) | Underlying asset | Critical | hgETH value directly tied to rsETH; rsETH depeg or exploit would impact hgETH
EigenLayer | Restaking infrastructure | Critical | rsETH depends on EigenLayer; slashing or EigenLayer failure would impact rsETH
Upshift Finance | Vault infrastructure | Critical | hgETH vault built on Upshift; Upshift vulnerability would impact all vault operations
UltraYield / Edge Capital | Vault curator | High | Strategy execution and allocation decisions; poor decisions could lead to losses
August | Subaccount infrastructure | High | Smart contract wallets for strategy segregation
EOMultiFeedAdapter | Oracle (Morpho market) | High | Oracle failure could cause incorrect liquidations on Morpho
Chainlink | Oracle (ETH/USD) | Medium | Standard Chainlink feed; well-established
Nexus Mutual | Insurance | Medium | Loss of embedded vault cover
12+ DeFi protocols | Strategy destinations | Medium | Exploit in any destination protocol could cause partial loss

Key dependency risk: hgETH has a deeply layered dependency chain. ETH → rsETH (Kelp + EigenLayer) → Gain vault (Upshift + August + UltraYield) → 12+ DeFi protocols. Each layer multiplies smart contract risk. The Upshift non-custodial architecture and policy constraints mitigate some curator risk, but the overall complexity is high.

Operational Risk

  • Team: Well-known founders — Dheeraj Borra and Amitej Gajjala, both previously co-founded Stader Labs ($680M+ TVL). Dheeraj: LinkedIn, Blend Labs, PayPal, IIT Kharagpur, UT Austin. Amitej: A.T. Kearney, Swiggy, IIT Madras, IIM Calcutta
  • Funding: $19M+ raised — $9M Kelp private sale (May 2024, SCB Limited, Laser Digital), $10M KernelDAO round (Nov 2024, Binance Labs, Laser Digital, Hypersphere Ventures). $40M strategic ecosystem fund
  • Legal structure: Evercrest Technologies Inc. (Andorra/India per various sources). Limited regulatory oversight
  • Documentation: Good quality — comprehensive docs across Kelp GitBook, Upshift docs, KernelDAO blog
  • Source code: rsETH contracts verified on Etherscan. hgETH implementation (GainLendingPool) verified on Etherscan. Not open source on GitHub
  • Incident response: DNS hijack resolved within hours (Jul 2024). Fee minting bug resolved within 24 hours (Apr 2025). Both incidents handled competently with no user fund loss
  • Track record: Stader Labs (predecessor project) has been running since April 2021 with $680M+ TVL. KelpDAO operational since December 2023

Monitoring

hgETH Vault Monitoring

  • hgETH contract: 0xc824A08dB624942c5E5F330d56530cD1598859fD
    • Monitor convertToAssets(1e18) for exchange rate changes (should only increase)
    • Alert: If exchange rate decreases — indicates potential loss event in underlying strategies
    • Monitor totalAssets() for large changes relative to totalSupply()
    • Monitor Deposit, Withdraw events for large movements
    • Alert: Single deposits/withdrawals >$2M (given ~$48M market cap)

rsETH Monitoring

  • rsETH contract: 0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7
    • Monitor rsETH/ETH exchange rate for depeg events
    • Alert: If rsETH depegs >1% from theoretical exchange rate
    • Monitor Chainlink PoR feed for reserve discrepancies

Governance Monitoring

Oracle Monitoring

Monitoring Frequency

| Category | Frequency | Priority |
|---|---|---|
| hgETH proxy upgrade events | Real-time | Critical |
| Multisig signer/threshold changes | Real-time | Critical |
| hgETH exchange rate decrease | Every 6 hours | Critical |
| rsETH depeg (>1%) | Every 6 hours | Critical |
| Oracle feed proxy upgrades | Real-time | Critical |
| Oracle price staleness | Every 6 hours | High |
| hgETH total assets changes | Daily | High |
| rsETH timelock transactions | Real-time | High |
| Large deposit/withdrawal events | Real-time | Medium |
| Protocol TVL changes | Daily | Medium |

Reassessment Triggers

  • Time-based: Reassess every 90 days while rsETH bridge remediation is unresolved; thereafter every 6 months
  • Pause-state: Reassess immediately if depositsPaused() or withdrawalsPaused() flips to true again
  • Exchange-rate: Reassess immediately if hgETH convertToAssets(1e18) decreases further (currently 0.9941), or if it recovers above 1.0
  • rsETH bridge remediation: Reassess on (a) Kelp publishing a final post-mortem with concrete numbers, (b) any movement on the Constitutional AIP / "DeFi United" recovery vehicle, (c) socialization or recovery transactions executed onchain
  • rsETH peg: Reassess if rsETH/ETH market price returns within 1% of Kelp's rsETHPrice() for 30 consecutive days, OR if Kelp's LRT oracle updates to reflect a new lower peg
  • Vault buffer: Reassess if vault buffer (rsETH balance of hgETH) exceeds 5% of total assets
  • Governance-based: Reassess if an onchain timelock is verified/added for hgETH vault upgrades (would improve Centralization score)
  • Oracle-based: Reassess immediately if the hgETH/USD oracle feed proxy is upgraded or if the feed is restored to full functionality
  • Management fee: Reassess if management fee is reinstated (currently 0%)
  • Audit-based: Reassess if additional hgETH/Gain or rsETH bridge-layer audits by tier-1 firms are completed
  • Bug bounty scope: Reassess if hgETH/Gain vault contracts are explicitly added to the Immunefi program scope, and if cross-chain messaging configuration is brought into auditable scope
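The state-read checks from the Monitoring and Reassessment Triggers lists above (exchange-rate decrease or recovery, pause flips, vault buffer above 5%, rsETH deviation above 1%), as an added Python example that is not KernelDAO's or Upshift's code. It compares two polled snapshots using integer math; the `Snapshot` fields, the alert codes and the rsETH market-price source are assumptions, and event-based and governance checks are not covered.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point used by convertToAssets(1e18)

@dataclass(frozen=True)
class Snapshot:
    # One poll of onchain state; how it is fetched (eth_call, indexer) is out of scope.
    rate: int             # hgETH convertToAssets(1e18)
    total_assets: int     # hgETH totalAssets(), in rsETH wei
    buffer: int           # rsETH balance held directly by the hgETH vault
    deposits_paused: bool
    withdrawals_paused: bool
    rseth_market: int     # rsETH/ETH market price, WAD (source is an assumption)
    rseth_oracle: int     # Kelp rsETHPrice(), WAD

def evaluate(prev: Snapshot, cur: Snapshot) -> list[tuple[str, str]]:
    """Return (code, detail) alerts for the transition prev -> cur."""
    alerts = []
    if cur.rate < prev.rate:  # share value should only increase
        bps = (prev.rate - cur.rate) * 10_000 // prev.rate
        alerts.append(("RATE_DECREASE", f"share value down {bps} bps"))
    if prev.rate <= WAD < cur.rate:
        alerts.append(("RATE_RECOVERED", "convertToAssets(1e18) back above 1.0"))
    for name in ("deposits_paused", "withdrawals_paused"):
        if getattr(cur, name) and not getattr(prev, name):
            alerts.append(("PAUSE_FLIP", f"{name} flipped to true"))
    if cur.buffer * 100 > cur.total_assets * 5:
        alerts.append(("BUFFER_GT_5PCT", "vault buffer exceeds 5% of total assets"))
    gap = abs(cur.rseth_market - cur.rseth_oracle)
    if gap * 100 > cur.rseth_oracle:  # strictly more than 1%
        dev = gap * 10_000 // cur.rseth_oracle
        alerts.append(("RSETH_DEPEG", f"market deviates {dev} bps from rsETHPrice()"))
    return alerts

# Constructed samples. Rate, total assets and buffer follow the figures quoted in this
# report (April rate is the rounded 1.0368); the rsETH prices are made up for illustration.
APRIL = Snapshot(1_036_800_000_000_000_000, 15_294_540 * 10**15, 117_130 * 10**15,
                 False, False, 1_050 * 10**15, 1_050 * 10**15)
JUNE = Snapshot(994_054_642_151_219_421, 11_275_930 * 10**15, 745 * 10**15,
                False, False, 1_030 * 10**15, 1_050 * 10**15)

if __name__ == "__main__":
    for code, detail in evaluate(APRIL, JUNE):
        print(code, detail)
```
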

Appendix A — Related Protocol Audits

Upshift Finance (vault infrastructure) Audits

| # | Firm | Date | Scope | Report |
|---|---|---|---|---|
| 1 | ChainSecurity | Jan 2025 | Core Vault | Available |
| 2 | Hacken | Sep 2025 | Unknown scope | Available |
| 3 | Hacken | Dec 2025 | Unknown scope | Available |
| 4 | Hacken | Jan 2026 | AllocationWhitelist | Available |
| 5 | Sigma Prime | Aug 2024 | Unknown scope | Available |
| 6 | Zellic | Apr 2023 | Fractal Protocol (predecessor) | Available |

rsETH (Kelp) Audits

| # | Firm | Date | Scope | Findings | Report |
|---|---|---|---|---|---|
| 1 | Sigma Prime | Dec 2023 | rsETH smart contracts | 2M, 3L, 5I | PDF |
| 2 | Code4rena | Nov 2023 | rsETH system (competitive, $28K pool) | 3H, 2M | Report |
| 3 | MixBytes | Mar 2024 | rsETH + withdrawal mechanism | 4H | PDF |
| 4 | Sigma Prime | 2024 | rsETH with withdrawals | Unknown | PDF |
| 5 | Sigma Prime | 2024 | rsETH with withdrawals | Unknown | PDF |

Notable Code4rena findings (Nov 2023):

  • H-01: Possible arbitrage from Chainlink price discrepancy (disputed by Kelp)
  • H-02: Protocol mints less rsETH on deposit than intended (fixed)
  • H-03: rsETH price manipulable by first staker via donation attack (disputed but upheld as HIGH)

Notable MixBytes findings (Mar 2024):

  • 4 HIGH severity including EigenPod initialization problem and race condition in node delegator management

Kernel (BNB Chain) Audits

| # | Firm | Date | Scope | Report |
|---|---|---|---|---|
| 1 | ChainSecurity | Dec 2024 | Kernel smart contracts | PDF |
| 2 | Bailsec | Unknown | Kernel platform | Not publicly available |
| 3 | Sherlock | Jul 2025 | Slashing/restaking logic | Private engagement |