KernelDAO (Kelp Gain)
Score Breakdown
Overview
hgETH (High Growth ETH) is a liquid, reward-bearing ERC-4626 vault token issued by the High Growth Vault, a product of Kelp Gain (part of the KernelDAO ecosystem). The vault is built on Upshift Finance infrastructure and curated by UltraYield (a spin-off of Edge Capital).
Users deposit ETH, LSTs (stETH, ETHx), or rsETH into the vault. All deposits are converted to rsETH (Kelp's liquid restaked ETH token) via an adapter contract, then allocated across 12+ DeFi protocols by professional fund managers. hgETH appreciates in value as yield accrues from these strategies.
Yield strategies include:
- Leverage farming on Aave
- Deposits on Usual, Pendle, and Elixir
- Lending on Morpho, Euler, and Compound
- Dynamic allocation across best-performing DeFi protocols
Multi-layered risk architecture:
- Layer 1: ETH → rsETH (Kelp restaking via EigenLayer)
- Layer 2: rsETH → Gain vault (active strategy deployment across 12+ protocols)
- Layer 3: Gain vault → hgETH (ERC-4626 receipt token)
Each layer introduces additional smart contract risk, oracle risk, and counterparty risk.
Key metrics (onchain verified, June 29, 2026):
- hgETH total supply: 11,343.37 hgETH (
totalSupply()onchain) — down ~23% from 14,752.14 in April (net redemptions after unpause) - hgETH total assets: 11,275.93 rsETH (
totalAssets()onchain) — down ~26% from 15,294.54 in April - hgETH exchange rate: 1 hgETH = 0.9941 rsETH (
convertToAssets(1e18)= 994,054,642,151,219,421) — decreased from 1.0368 in April (~4.1% loss in share value, onchain verified) - Vault buffer (rsETH held directly by hgETH): 0.745 rsETH (~0.007% of total assets) — down from 117.13 rsETH (0.77%) in April; effectively zero
- Active loans/strategy positions: 172 (was 169 in April)
- Vault deposits and withdrawals UNPAUSED —
depositsPaused()= false,withdrawalsPaused()= false (verified onchain) - Underlying asset: rsETH (
0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7) - rsETHPrice (Kelp LRT oracle): 1.0748 ETH per rsETH (slightly up from 1.0696 in April)
- hgETH market cap: ~$19.0M (using ETH/USD ≈ $1,576 and onchain hgETH/ETH rate from Morpho oracle ≈ 1.0685; April was ~$37M)
- Kelp protocol TVL: ~$870M (DeFiLlama, June 29, 2026), down from ~$1.54B in April; continues to decline
- Gain protocol TVL: ~$33.6M (DeFiLlama, June 29, 2026), near all-time low
Yearn use case per issue #65:
- Accept hgETH as collateral, or use in a strategy
- Morpho market: hgETH/WETH at 91.5% LLTV
Links:
Risk Summary
Key Strengths
- Experienced team: Founders built Stader Labs ($680M+ TVL, operating since 2021). Strong institutional credibility
- Significant funding: $19M+ raised from reputable investors (Binance Labs, SCB Limited, Laser Digital, Hypersphere Ventures)
- Quick incident response (April 2026): Kelp's operations multisig paused rsETH contracts and bridge routes within ~46 minutes of the LayerZero exploit. hgETH vault was paused the same day. Arbitrum Security Council froze ~30,766 ETH of attacker funds within days
- Multiple audit layers: Extensive auditing across the stack — Sigma Prime, Code4rena, MixBytes across rsETH; ChainSecurity, Hacken, Sigma Prime, Zellic across Upshift and Kernel. Only 1 public audit for hgETH/Gain vault (Sigma Prime, Nov 2024)
- hgETH/Gain contracts not directly compromised: The April 18, 2026 exploit was on the LayerZero OFT bridge layer (escrow on Ethereum, forged DVN attestation). The hgETH vault contract, the Gain accounting, and the rsETH balances held by the vault on Ethereum were not the source of the bug
- Non-custodial vault architecture: Upshift's design prevents curators from withdrawing funds to external EOAs; policy-constrained execution via August subaccounts
- Nexus Mutual embedded cover: Integrated insurance covering $30M+ of vault positions against smart contract exploits, oracle failures, and liquidation mechanism failures. Does not cover strategy losses from looping/leverage liquidations, market movements, or — based on the public cover terms — bridge / cross-chain messaging failures of the kind seen in April 2026 (this would need to be confirmed with Nexus on the actual hgETH cover policy)
- Chainlink PoR: rsETH integrated Chainlink Proof of Reserve Secure Mint (added after the April 2025 fee-minting bug)
- rsETH governance: 6-of-8 multisig with 10-day timelock for the underlying rsETH layer
Key Risks
- Exchange rate decreased (realized loss): The hgETH exchange rate has decreased from 1.0368 rsETH/hgETH (April 27) to 0.9941 rsETH/hgETH (June 29) — a ~4.1% loss in share value. An ERC-4626 vault should not decrease in share value unless a loss event occurred or was socialized. The cause is not publicly documented
- Near-zero vault buffer: Only 0.745 rsETH (~0.007% of assets) is held as buffer, down from 117.13 rsETH in April. Any withdrawal >0.745 rsETH requires recalling funds from deployed strategies (3-4 day processing). Even a single medium-size redemption cannot be serviced instantly
- Underlying rsETH peg still uncertain: ~116,500 rsETH (~18% of supply) was released from the LayerZero OFT escrow on April 18, 2026. Wrapped rsETH on bridged chains remains structurally under-collateralized. Kelp TVL has continued to decline (from $1.54B to $870M), suggesting ongoing stress. The rsETH LRT oracle price (1.0748 ETH/rsETH) has not been adjusted to reflect the loss; recovery/DeFi United AIP status is unclear
- hgETH/USD oracle feed degraded: The
latestAnswer()function on the hgETH/USD EOMultiFeedAdapter now reverts.latestRoundData()returns data but with anomalous zero-filled fields (roundId=0, startedAt=0). The feed appears partially deprecated or broken - Multi-layered complexity produced a real failure: The April 2026 LayerZero bridge exploit materialized the "tail event in a layered dependency chain" warned about in prior assessments
- Actively managed vault: Unlike passive vaults, the curator (UltraYield) makes allocation decisions. The exchange-rate decrease and fee-elimination suggest some form of restructuring occurred during the pause period — details are not public
- hgETH governance weaker than rsETH: 3-of-5 multisig with mostly anonymous signers and no verified onchain timelock, while rsETH has a 6-of-8 multisig with 10-day timelock
- Withdrawal delay + zero DEX liquidity: 3-4 days to exit hgETH to rsETH, and negligible DEX liquidity for hgETH. The Morpho market is now essentially empty, so it is not a viable exit path either
- Confirmed no onchain timelock: Despite Upshift documentation claiming "24-hour timelocks," no timelock exists on the hgETH ProxyAdmin upgrade path (onchain verified)
- Bug bounty scope still excludes hgETH/Gain (unchanged): Immunefi Kelp DAO bounty covers rsETH core contracts only; the hgETH and Gain vault contracts remain out of scope
Critical Risks
- Realized share-value loss of unknown cause (~$763K): The hgETH exchange rate decreased ~4.1% between April and June 2026 — from 1.0368 to 0.9941 rsETH/hgETH (onchain verified). Applied to the remaining 11,343 hgETH supply at ~$1,576/ETH, this represents a ~$763K loss to remaining holders. An ERC-4626 vault should never decrease in share value — shares should only appreciate as yield accrues. The cause (strategy losses, restructuring write-down, fee charge before fee elimination, or other) is not publicly documented. If the loss was a one-time event, forward risk is contained; if underlying strategies continue to underperform, further losses may follow
- Underlying asset value uncertainty (~$292M ecosystem loss unresolved): The onchain hgETH accounting (0.9941 rsETH per hgETH) is verifiable, but rsETH's market value in ETH may differ from the LRT oracle price (1.0748 ETH/rsETH). The April 18, 2026 LayerZero bridge exploit released ~116,500 rsETH (~$292M, ~18% of rsETH supply) from the OFT escrow to an attacker. Wrapped rsETH on bridged chains remains structurally under-collateralized. Recovery via the "DeFi United" Constitutional AIP is unresolved. The ultimate economic backing of hgETH depends on remediation outcomes
- No buffer = no instant exits: With 0.745 rsETH in buffer (~0.007% of assets), even small withdrawals force strategy recall with 3-4 day delays. Any liquidity crunch (many simultaneous withdrawals) would create significant processing delays
- Concentrated multisig with no timelock: The same 3-of-5 Safe controls pause/unpause, fee parameters, and proxy upgrades on hgETH. Despite the vault now being unpaused, the multisig retains unilateral control with no onchain delay
Full Report
Contract Addresses
Core Contracts (Ethereum)
| Contract | Address | Type |
|---|---|---|
| hgETH (High Growth Vault) | 0xc824A08dB624942c5E5F330d56530cD1598859fD |
TransparentUpgradeableProxy → GainLendingPool |
| rsETH (underlying asset) | 0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7 |
Kelp liquid restaked ETH |
| KERNEL (governance token) | 0x3f80b1c54ae920be41a77f8b902259d48cf24ccf |
KernelDAO governance token |
Proxy Infrastructure
| Contract | ProxyAdmin | ProxyAdmin Owner |
|---|---|---|
| hgETH | 0xd355daae366220a0282cd5d2687fbc395395fc40 |
3-of-5 Multisig (0xFD96F6854bc73aeBc6dc6E61A372926186010a91) |
Governance
| Contract | Address | Configuration |
|---|---|---|
| Vault Owner Multisig | 0x66Bee721697BF17D9Eea28c51C828a43ba597B0b |
3-of-5 Gnosis Safe (onchain verified via getThreshold() and getOwners()) |
| ProxyAdmin Owner Multisig | 0xFD96F6854bc73aeBc6dc6E61A372926186010a91 |
3-of-5 Gnosis Safe — same 5 signers as vault owner (onchain verified) |
On-Chain Verification (Etherscan + cast, April 27, 2026)
| Contract | Name | Verified | Proxy | Implementation |
|---|---|---|---|---|
| hgETH | TransparentUpgradeableProxy → GainLendingPool | Yes | Yes | 0x4FFe25598489C7259DC9686a2Cba0507177bcf7F (unchanged from March) |
| BASE_FEED_1 | TransparentUpgradeableProxy → EOMultiFeedAdapter | Yes | Yes | 0x8a1bae36ee0e7b7d6ced3ffea250914bfca09292 (unchanged from March) |
| Vault Owner | SafeProxy (Gnosis Safe) | Yes | Yes | — |
| ProxyAdmin | ProxyAdmin | Yes | No | — |
Onchain ownership verification (via cast, April 27, 2026):
- hgETH
owner()→0x66Bee721697BF17D9Eea28c51C828a43ba597B0b(3-of-5 multisig, unchanged signers) - hgETH ProxyAdmin
owner()→0xFD96F6854bc73aeBc6dc6E61A372926186010a91(3-of-5 multisig, same 5 signers as vault owner, unchanged) - Vault multisig
getThreshold()→ 3,getOwners()→ 5 signers (unchanged) - ProxyAdmin multisig
getThreshold()→ 3,getOwners()→ 5 signers (same set, unchanged) - No proxy upgrade since deployment (implementation slot still points to
0x4FFe25598489C7259DC9686a2Cba0507177bcf7F) depositsPaused()→ false,withdrawalsPaused()→ false (vault UNPAUSED as of June 29, 2026; originally paused on April 18, 2026 via tx0xec9de389a42cc3213fd1d95243a1caa3812574acb0a8012407a57411aa48fcef)
Audits and Due Diligence Disclosures
Audit History
hgETH involves multiple protocol layers, each with its own audit history.
hgETH / Gain Vault Audits
| # | Firm | Date | Scope | Report |
|---|---|---|---|---|
| 1 | Sigma Prime | Nov 2024 | GainAdapter contract (rsETH adapter for hgETH) |
Key findings from Sigma Prime hgETH audit:
- Assets held by the adapter are not included in share calculations, causing users to receive more shares per asset than they should upon deposits
- A portion of rsETH tokens will not be accounted for by any vault and become stuck in the contract
- Team acknowledged these as "design choices for protocol stability"
On-Chain Complexity
The architecture is highly complex with multiple layers:
- ERC-4626 vault: hgETH wraps rsETH via the GainLendingPool implementation
- Upgradeable proxy: TransparentUpgradeableProxy controlled by 3-of-5 multisig
- Multi-protocol strategy: Funds deployed across 12+ DeFi protocols simultaneously
- August subaccounts: Smart contract wallets used for strategy segregation on Upshift
- Policy-constrained execution: Curators can only execute whitelisted strategies
- rsETH layer: Additional complexity from the underlying liquid restaking protocol (EigenLayer integration)
Bug Bounty
Active Immunefi bug bounty program for Kelp DAO:
- Critical smart contract bugs: $100,000 - $250,000 (10% of funds at risk)
- Immunefi - Kelp DAO
Note: The bug bounty covers rsETH core contracts only. hgETH/Gain vault contracts are NOT in scope — verified on Immunefi Kelp DAO scope. The 10 in-scope contracts are: LRT Config, rsETH, LRT Deposit Pool, LRT Oracle, EthXPriceOracle, FeeReceiver, LRTConverter, LRTWithdrawalManager, LRTUnstakingVault, and NodeDelegator. The hgETH contract (0xc824A08dB624942c5E5F330d56530cD1598859fD) and Upshift infrastructure are not covered. There is also no separate KernelDAO bug bounty program on Immunefi.
Insurance
Nexus Mutual embedded cover — confirmed partnership between Nexus Mutual, Edge Capital (UltraYield), and Kelp for the High Growth Vault (announcement). Described as a "world-first DeFi vault with embedded cover":
- Cover protects across $30M+ of the vault's core positions
- Cover is integrated directly into the vault — users receive protection as part of the product, not purchased separately
- Nexus Mutual track record: $5.5B in crypto safeguarded since 2019, $17M+ in claims paid
What IS covered (Nexus Mutual cover terms):
- Smart contract exploits/hacks (e.g., a bug in Aave, Euler, or the vault contract itself)
- Oracle manipulation or oracle failure
- Liquidation failure (when a protocol's liquidation mechanism malfunctions and bad debt accrues)
- Governance takeovers (malicious upgrade forced through)
What is NOT covered:
- Strategy losses from looping/leverage are NOT covered — if hgETH's leveraged looping strategy on Aave gets liquidated because ETH price drops and the health factor falls below 1, that is the protocol working as intended → not a covered event
- Market price movements of assets (except oracle manipulation)
- Depegs of assets that the covered protocol generates
- Rug pulls / owner confiscation within existing permissions
- Bridge failures
- User errors (phishing, private key compromise, malware)
- Pre-existing issues or previously disclosed bugs
Key distinction for Yearn: The Nexus Mutual cover protects against protocol failures (smart contract bugs, oracle malfunctions, broken liquidation mechanisms), but does not protect against strategy underperformance or losses from legitimate DeFi protocol behavior. Since hgETH's primary yield strategy involves leverage farming on Aave and looping, a normal liquidation from adverse market conditions would result in a loss to hgETH holders that insurance would not cover.
Historical Track Record
- KelpDAO launch: December 2023 — ~28 months in operation
- rsETH deployment: December 2023 — ~28 months onchain
- hgETH deployment: November 19, 2024 — block 21223734, tx
0xfe6428fc9e5f89fd48ddb02953f1e2f3edf3a2e276524232e61788b5e2b853df— ~17 months onchain - GitHub: Source code not publicly available for hgETH/Gain vaults; rsETH contracts verified on Etherscan
- Kelp TVL: ~$870M on Ethereum (DeFiLlama, June 29, 2026) — down from ~$1.54B in April and ~$2B pre-exploit. Gain protocol TVL ~$33.6M (DeFiLlama, June 29, 2026), near all-time low
Incidents
| Date | Incident | Impact | Resolution |
|---|---|---|---|
| Apr 18, 2026 | KelpDAO LayerZero V2 OFT bridge exploit — attacker forged a cross-chain message via a misconfigured 1-of-1 DVN setup on the Unichain→Ethereum rsETH route, causing the OFT escrow on Ethereum to release ~116,500 rsETH (~$292M, ~18% of supply) to an attacker address. Attacker used the rsETH as collateral to borrow ~$200–236M across lending venues. Aave's Guardian froze rsETH/wrsETH markets across 10+ deployments on the same day. | rsETH on Ethereum supply unchanged onchain (escrow drain, not new mint). Wrapped rsETH on bridged chains is now ~18% under-collateralized. rsETH market peg broke versus ETH. Kelp/Upshift paused hgETH and other Gain vaults the same day as a precaution. The vault was unpaused sometime between late April and late June 2026. Arbitrum Security Council froze ~30,766 ETH (~$71M) of attacker funds on April 21. Kelp, Aave Labs, LayerZero, EtherFi, Compound jointly filed a Constitutional AIP seeking to release frozen funds into a "DeFi United" recovery vehicle. Investigation and remediation still ongoing as of June 2026. | |
| Apr 30, 2025 | rsETH fee minting bug — code used 1e36 instead of 1e18 base, minting an astronomical excess of rsETH to the fee address |
Deposits/withdrawals paused. rsETH frozen on Aave as precaution. No user funds lost. | Bug resolved May 1, 2025. Kelp integrated Chainlink Proof of Reserve (PoR) Secure Mint |
| Apr 2024 | rsETH depeg — -1.5% deviation from theoretical exchange rate | Brief depeg, quickly corrected. Protocol monitoring paused operations when exchange rates deviated >1% | ETH withdrawal feature improvements subsequently reduced depeg risk |
| Jul 22, 2024 | DNS hijacking — attacker convinced GoDaddy to bypass 2FA and redirect domain to malicious UI | A small number of users lost funds via phishing UI. No smart contract exploit. | Domain ownership recovered, registrar transferred, security alerts improved |
Direct hgETH/Gain vault contract impact: None of the incidents above are bugs in the hgETH or Gain vault smart contracts themselves. The April 2026 exploit was on the LayerZero OFT bridge layer; hgETH vault holds canonical rsETH on Ethereum and was paused as a precaution. The vault has since been unpaused (June 2026), but the rsETH peg break and the continued ecosystem stress materially increase redemption / liquidity risk for hgETH holders.
Funds Management
Deposit/Withdrawal Flow
Depositing: Users deposit ETH, LSTs (stETH, ETHx), or rsETH into the High Growth Vault via the Kelp Gain dApp. An adapter contract converts all deposits to rsETH before depositing into the vault. hgETH shares are minted proportional to the current exchange rate (ERC-4626 standard).
Strategy deployment: The vault curator (UltraYield by Edge Capital) allocates rsETH across ~12 DeFi protocols:
- Leverage farming (Aave)
- Stablecoin strategies (Usual, Elixir)
- Fixed-yield instruments (Pendle)
- Lending markets (Morpho, Euler, Compound)
- Strategies execute within Upshift's August subaccount infrastructure — curators operate within policy-constrained smart contract wallets
Withdrawals (hgETH → ETH full flow, onchain verified):
hgETH → rsETH → ETH
3-4 days instant (DEX) or 2+ days (Kelp unstake)
Step 1: hgETH → rsETH (3-4 days)
- User calls
requestRedeem(shares, receiver, holder)on the hgETH vault — emitsWithdrawalRequestedwith a scheduled claim date (year/month/day) - Withdrawal epoch processes daily (
getWithdrawalEpoch()= 2026/3/1 on March 1, 2026) - Operator recalls assets from deployed strategy positions (162 active loans, 98.4% of assets deployed)
- Operator calls
processWithdrawal(account, shares)orprocessAllClaimsByDate(year, month, day, maxLimit)to settle - User calls
claim(year, month, day, receiver)to receive rsETH maxRedeem()= 0 (direct ERC-4626 redemption disabled — must userequestRedeem()flow)maxWithdrawalAmount()= 100,000 rsETH per request (onchain verified)
Step 2: rsETH → ETH (two options)
- Option A — DEX swap (instant): Sell rsETH on Curve/Balancer (~$79M liquidity). Instant with slippage on large amounts
- Option B — Kelp unstaking (2+ days): Submit withdrawal via LRTWithdrawalManager (
0x62De59c08eB5dAE4b7E6F7a8cAd3006d6965ec16) → wait for processing → claim ETH
Total time: 3-4 days (vault + DEX) or 5-6+ days (vault + Kelp unstake). Note: near-zero buffer (0.745 rsETH) means even small withdrawals require strategy recall.
Vault buffer (onchain verified, June 29, 2026):
| Metric | Value |
|---|---|
| Total assets | 11,275.93 rsETH |
Deployed in strategies (globalLoansAmount) |
11,273.42 rsETH (~99.99%) |
| Vault buffer (rsETH balance held by hgETH) | 0.745 rsETH (~0.007%) |
Active loan/strategy positions (getTotalLoansDeployed) |
172 (was 169 in April) |
Settlement account (settlementAccount) |
0x66Bee721697BF17D9Eea28c51C828a43ba597B0b (vault owner multisig) |
Loans operator (loansOperator) |
0x416e26e331Fc0b77386e9dDB5Ed9AdE73F1241F4 |
Loans deployer (loansDeployerAddress) |
0x9E053AAA3C435e94C1663a428cdC4ea91F23C556 |
Scheduled caller (scheduledCallerAddress) |
0x06eada250B02A3614AFce04B8cd7025093312159 |
GainAdapter (gainAdapter) |
0xB185D98056419029daE7120EcBeFa0DbC12c283A |
Max supply cap (maxSupply) |
100,000 hgETH (unchanged) |
Max deposit cap (maxDepositAmount) |
100,000 rsETH (unchanged) |
Only ~0.007% of assets are available as buffer (0.745 rsETH, down from 117.13 rsETH / 0.77% in April). The remaining ~99.99% is deployed across 172 strategy positions. Withdrawals are now unpaused, but the near-zero buffer means even small redemptions require recalling assets from strategies (3-4 day processing).
Accessibility
- Deposits: Unpaused — open to anyone; deposit ETH/LSTs/rsETH, receive hgETH. Management fee is 0%
- Withdrawals: Unpaused — 3-4 day processing period via
requestRedeem()→claim()flow (not instant). Assets recalled from 172 deployed strategy positions; only 0.745 rsETH (~0.007%) buffer available — any withdrawal >0.745 rsETH requires strategy recall - Composability: hgETH can be used across DeFi (Morpho, Euler, Pendle) for additional yield, but secondary markets are extremely thin and the underlying rsETH peg is currently stressed
Fees (onchain verified, June 29, 2026)
| Fee | Value | Mechanism |
|---|---|---|
| Management fee | 0% (managementFeePercent() = 0, changed from 150/1.5% in April) |
Management fee was cut to zero by vault governance. managementFeeLastKnownTimestamp = 1774371695 (March 24, 2026 17:01:35 UTC) — fee has not been charged since. No ongoing dilution |
| Withdrawal fee | 0% (withdrawalFee() = 0, unchanged) |
— |
| Performance fee | 20% (per Edge Capital proposal: "Fee Structure (management/performance): 1.5/20%") | Applied to profits above baseline; not independently verified onchain |
Fee collector (feesCollector) |
0x2151A97C7819782fD99efF020CdfE0aE838Ad378 |
Receives minted hgETH shares |
| Daily fee accrual | 0 rsETH/day | Management fee set to 0% as of June 2026 |
| Annual fee | 0 rsETH | Management fee eliminated |
totalCollectableFees |
0 | No fees accruing |
Collateralization
- Underlying asset: rsETH (Kelp liquid restaked ETH)
- rsETH backing: ETH (~59.5%), ETHx from Stader (~32.5%), wstETH from Lido (~8%) — restaked on EigenLayer
- hgETH backing: 1 hgETH = 1.035 rsETH (onchain, March 1, 2026). rsETH is deployed across 12+ DeFi protocols
- Non-custodial vault: Per Upshift documentation, neither Upshift nor the Curator can withdraw user funds to an external EOA. Funds only move between whitelisted strategy contracts and the vault
- Withdrawal Liquidity Buffer: Configurable percentage of assets held in buffer for immediate redemptions (per Upshift docs)
- No over-collateralization: hgETH is a 1:1 receipt token for vault shares, not an over-collateralized position
Provability
- hgETH exchange rate: Fully onchain via ERC-4626
convertToAssets()— programmatic, trustless - rsETH exchange rate: Onchain via Kelp's LRT oracle
- Strategy positions: Deployed across DeFi protocols — visible onchain via August subaccounts
- rsETH reserves: Chainlink Proof of Reserve (PoR) integration (added May 2025 after fee minting incident)
- Risk management: Upshift enforces NAV Volatility Protection (max percentage change constraint on share-to-asset ratio per update cycle)
Liquidity Risk
Primary Exit Mechanisms
- Withdrawal from vault: Unpaused as of June 2026 (
withdrawalsPaused()= false). Request hgETH → rsETH redemption via Kelp Gain dApp; 3-4 day processing period as assets are recalled from strategies. However, vault buffer is nearly zero (0.745 rsETH), so even small withdrawals require strategy recall - DEX swap: hgETH composability on Balancer, Pendle; rsETH has diminished DEX liquidity post-exploit (was ~$79M pre-exploit across Curve/Balancer; current depth unverified but likely still thin)
- Morpho/Euler: hgETH can be used as collateral on Morpho and Euler Frontier vaults, but the hgETH/WETH Morpho market is now essentially empty (see below)
Liquidity Assessment
- Primary liquidity (restored): Vault withdrawals are unpaused as of June 2026.
maxRedeem()= 0 (direct ERC-4626 redemption disabled — must userequestRedeem()flow).maxWithdrawalAmount()= 100,000 rsETH per request. However, vault buffer is 0.745 rsETH (~0.007% of assets), so any withdrawal >0.745 rsETH requires recalling funds from deployed strategy positions (3-4 day processing) - rsETH secondary market (post-exploit): Pre-exploit rsETH had ~$79M across major DEX pools and traded above ETH. Post-exploit liquidity is materially diminished. Kelp TVL has continued to decline from ~$1.54B (April) to ~$870M (June 29, 2026), reflecting ongoing ecosystem stress
- hgETH secondary market (verified): Effectively zero. Only one DEX pool existed previously (Uniswap V4 hgETH/ETH, ~$311K). Current DEX liquidity for hgETH has not been reverified in this reassessment but is presumed negligible given the ~40% decline in Gain protocol TVL
- rsETH depeg risk (now realized): The April 18, 2026 LayerZero bridge exploit created a structural rsETH depeg. While rsETH's LRT oracle price has increased slightly (1.0748 ETH/rsETH vs 1.0696 in April), the bridge-induced under-collateralization (~18% on wrapped rsETH) remains unresolved and the market price of rsETH likely still trades at a discount to the oracle
- Morpho hgETH/WETH market (resolved): The Morpho market previously at 99.5% utilization has been almost entirely unwound. Current state (June 29, 2026): ~0.10 WETH supply, ~0.05 WETH borrow, 50.7% utilization. The earlier concern about a liquidation cascade against frozen exit paths no longer applies — there is essentially no position left to unwind
Morpho Market (hgETH/WETH)
| Parameter | Value (June 29, 2026) |
|---|---|
| Market ID | 0xec97655fab06b53bfad9d8c2358768aed5a1c97b204d3e51e2a7cb0cb786a264 |
| Collateral | hgETH (0xc824A08dB624942c5E5F330d56530cD1598859fD) |
| Loan Token | WETH (0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2) |
| Oracle | MorphoChainlinkOracleV2 (0x56dbc0f2784cd959e57fcc9cd83c3b7a24ee678c) |
| IRM | AdaptiveCurveIrm (0x870aC11D48B15DB9a138Cf899d20F13F79Ba00BC) |
| LLTV | 91.5% (immutable per Morpho design) |
| Total Supply | ~0.10 WETH (was ~495.82 WETH in April) |
| Total Borrow | ~0.05 WETH (was ~493.58 WETH in April) |
| Utilization | ~50.7% (was ~99.5% in April — market almost entirely unwound) |
| Last update | block timestamp 1782527399 (June 29, 2026) |
| Fee | 0% |
Note: The hgETH/WETH Morpho market has been almost completely exited since April. The market previously held ~495 WETH in supply and ~493 WETH in borrow at 99.5% utilization. Current positions are <0.1 WETH on both sides — effectively dormant. The earlier critical risk of a liquidation cascade against frozen exit paths no longer applies.
Morpho Oracle Analysis (onchain verified, June 29, 2026)
The oracle is a MorphoChainlinkOracleV2 that uses two price feeds (no vault conversion):
| Parameter | Address | Description | Current Value |
|---|---|---|---|
| BASE_VAULT | 0x0 |
Not used | — |
| BASE_VAULT_CONVERSION_SAMPLE | — | — | 1 |
| BASE_FEED_1 | 0x70cf192d6b76d57a46aafc9285ced110034eb013 |
EOMultiFeedAdapter (hgETH/USD, 18 decimals) — TransparentUpgradeableProxy | ~$1,683.68 |
| BASE_FEED_2 | 0x0 |
Not set | — |
| QUOTE_FEED_1 | 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419 |
Chainlink ETH/USD (8 decimals) | ~$1,575.80 |
| QUOTE_FEED_2 | 0x0 |
Not set | — |
| SCALE_FACTOR | — | Decimal adjustment | 1e26 |
| price() | — | Final oracle price | ~1.0685 (hgETH/ETH ratio, was ~1.1089 in April) |
Values above are onchain verified at block 25422618 (timestamp 1782727619). The hgETH/USD feed latestAnswer() reverts (possibly decommissioned or deprecated); latestRoundData() continues to return data with roundId=0 and startedAt=0 — the feed appears partially degraded. The ETH/USD Chainlink feed is operating normally.
Oracle architecture:
price = baseFeed1 * SCALE_FACTOR / quoteFeed1→ hgETH/USD ÷ ETH/USD = hgETH/ETH- The hgETH/USD feed is an EOMultiFeedAdapter behind a TransparentUpgradeableProxy (implementation unchanged at
0x8a1bae36ee0e7b7d6ced3ffea250914bfca09292) - Proxy admin:
0x9b61cf07caa513430a21d4f1cb6b93d90a6bbfb8(ProxyAdmin) - ProxyAdmin owner:
0x266f15c63d5D3dE038F2E05D1fA397d92BCB013E(3-of-5 Gnosis Safe — different signers from vault multisig, onchain verified)
Oracle concerns:
- Upgradeable oracle feed (unchanged): The hgETH/USD feed is a TransparentUpgradeableProxy (EOMultiFeedAdapter). The proxy admin multisig (3-of-5) could upgrade the oracle implementation. Implementation at
0x8a1bae36ee0e7b7d6ced3ffea250914bfca09292is unchanged from April. However,latestAnswer()now reverts (onchain verified, June 29, 2026) — the feed may be partially deprecated.latestRoundData()returns data but with roundId=0 and startedAt=0, suggesting degraded functionality - No vault conversion (unchanged): The oracle does NOT use the onchain ERC-4626 exchange rate. The onchain vault exchange rate (0.9941 rsETH/hgETH) is now below 1 — the oracle's hgETH/USD feed still reports ~$1,683.68/hgETH, implying a valuation that may not fully reflect the vault's internal accounting
- Morpho liquidation cascade risk (no longer applicable): As of June 2026, the Morpho hgETH/WETH market has been almost completely unwound (<0.1 WETH supply, <0.05 WETH borrow). The earlier concern about mass liquidations against frozen exit paths is resolved — there is essentially no position left to liquidate
- Oracle proxy admin (different multisig, unchanged): ProxyAdmin owner is
0x266f15c63d5D3dE038F2E05D1fA397d92BCB013E(3-of-5 Gnosis Safe with 5 different signers from the vault multisig — onchain verified). Signers unchanged - Positive (unchanged): The ETH/USD quote feed is standard Chainlink with normal roundId, timestamps, and heartbeat
Centralization & Control Risks
Governance
The hgETH vault is controlled by a 3-of-5 Gnosis Safe multisig. Both the vault owner() and the ProxyAdmin are controlled by the same 5 signers:
| Role | Controlled By | Description |
|---|---|---|
hgETH owner() |
3-of-5 Multisig | Vault administrative operations |
| hgETH ProxyAdmin Owner | 3-of-5 Multisig (same signers) | Can upgrade hgETH implementation |
Governance concerns:
- No timelock on proxy upgrades (onchain verified): The ProxyAdmin (
0xd355daae366220a0282cd5d2687fbc395395fc40) is owned directly by the 3-of-5 Safe — no TimelockController or delay contract in between. The ProxyAdmin has nogetMinDelay()ordelay()functions. Neither Safe has modules (getModulesPaginated()returns empty). The vault'slagDuration()= 0. Upshift documentation claims "24-hour timelocks on critical modifications" — this is not enforced onchain for proxy upgrades. TheupdateTimelockDurationfunction exists in the vault ABI but controls vault operational parameters, not proxy upgrades - One known signer: Only 1 of 5 signers is identifiable (Kelp DAO Deployer address). The other 4 are anonymous EOAs
- Same signers for both owner and ProxyAdmin: No separation of concerns between operational control and upgrade authority
rsETH governance (underlying layer):
- External Admin: 6-of-8 multisig with 10-day timelock for contract upgrades (via Timelock contract at
0x49bD9989E31aD35B0A62c20BE86335196A3135B1) - Manager: 2-of-5 multisig for operational tasks (deposits, limits, pausing)
- 8 known signers on External Admin including venture partners and protocol founders (per LlamaRisk)
The rsETH layer has notably better governance than the hgETH vault layer (higher threshold, timelock, more known signers).
KERNEL token governance:
- $KERNEL is the unified governance token (1B total supply)
- Token distribution: 55% community rewards/airdrops, 20% private sale (18-month vesting after 12-month lock), 20% team/advisors (36-month vesting after 12-month lock), 5% ecosystem partners
- Governance token launched April 2025; DAO structure is relatively new
Programmability
- hgETH exchange rate: Onchain via ERC-4626
convertToAssets(). Programmatic - Strategy execution: Curators execute strategies within Upshift's August subaccount infrastructure. Strategies are policy-constrained (whitelisted protocols and contract calls only). Curator-managed, not fully programmatic
- Withdrawal: 3-4 days, requires assets to be recalled from deployed strategies. Not instant, involves operational steps
- NAV updates: Upshift enforces Max Percentage Change constraint per update cycle. Bounds checking exists
- Emergency functions: Multi-sig controlled pause for deposits/withdrawals; can instantly return all strategy funds to vault
External Dependencies
| Dependency | Type | Criticality | Impact of Failure |
|---|---|---|---|
| rsETH (Kelp) | Underlying asset | Critical | hgETH value directly tied to rsETH; rsETH depeg or exploit would impact hgETH |
| EigenLayer | Restaking infrastructure | Critical | rsETH depends on EigenLayer; slashing or EigenLayer failure would impact rsETH |
| Upshift Finance | Vault infrastructure | Critical | hgETH vault built on Upshift; Upshift vulnerability would impact all vault operations |
| UltraYield / Edge Capital | Vault curator | High | Strategy execution and allocation decisions; poor decisions could lead to losses |
| August | Subaccount infrastructure | High | Smart contract wallets for strategy segregation |
| EOMultiFeedAdapter | Oracle (Morpho market) | High | Oracle failure could cause incorrect liquidations on Morpho |
| Chainlink | Oracle (ETH/USD) | Medium | Standard Chainlink feed; well-established |
| Nexus Mutual | Insurance | Medium | Loss of embedded vault cover |
| 12+ DeFi protocols | Strategy destinations | Medium | Exploit in any destination protocol could cause partial loss |
Key dependency risk: hgETH has a deeply layered dependency chain. ETH → rsETH (Kelp + EigenLayer) → Gain vault (Upshift + August + UltraYield) → 12+ DeFi protocols. Each layer multiplies smart contract risk. The Upshift non-custodial architecture and policy constraints mitigate some curator risk, but the overall complexity is high.
Operational Risk
- Team: Well-known founders — Dheeraj Borra and Amitej Gajjala, both previously co-founded Stader Labs ($680M+ TVL). Dheeraj: LinkedIn, Blend Labs, PayPal, IIT Kharagpur, UT Austin. Amitej: A.T. Kearney, Swiggy, IIT Madras, IIM Calcutta
- Funding: $19M+ raised — $9M Kelp private sale (May 2024, SCB Limited, Laser Digital), $10M KernelDAO round (Nov 2024, Binance Labs, Laser Digital, Hypersphere Ventures). $40M strategic ecosystem fund
- Legal structure: Evercrest Technologies Inc. (Andorra/India per various sources). Limited regulatory oversight
- Documentation: Good quality — comprehensive docs across Kelp GitBook, Upshift docs, KernelDAO blog
- Source code: rsETH contracts verified on Etherscan. hgETH implementation (GainLendingPool) verified on Etherscan. Not open source on GitHub
- Incident response: DNS hijack resolved within hours (Jul 2024). Fee minting bug resolved within 24 hours (Apr 2025). Both incidents handled competently with no user fund loss
- Track record: Stader Labs (predecessor project) has been running since April 2021 with $680M+ TVL. KelpDAO operational since December 2023
Monitoring
hgETH Vault Monitoring
- hgETH contract:
0xc824A08dB624942c5E5F330d56530cD1598859fD- Monitor
convertToAssets(1e18)for exchange rate changes (should only increase) - Alert: If exchange rate decreases — indicates potential loss event in underlying strategies
- Monitor
totalAssets()for large changes relative tototalSupply() - Monitor
Deposit,Withdrawevents for large movements - Alert: Single deposits/withdrawals >$2M (given ~$48M market cap)
- Monitor
rsETH Monitoring
- rsETH contract:
0xA1290d69c65A6Fe4DF752f95823fae25cB99e5A7- Monitor rsETH/ETH exchange rate for depeg events
- Alert: If rsETH depegs >1% from theoretical exchange rate
- Monitor Chainlink PoR feed for reserve discrepancies
Governance Monitoring
- Vault multisig:
0x66Bee721697BF17D9Eea28c51C828a43ba597B0b- Monitor for owner/signer changes and threshold modifications
- Alert: Immediately on any signer replacement or threshold change
- ProxyAdmin:
0xd355daae366220a0282cd5d2687fbc395395fc40- Monitor for proxy upgrade transactions
- Alert: Immediately on any implementation upgrade
- rsETH Timelock:
0x49bD9989E31aD35B0A62c20BE86335196A3135B1- Monitor for queued and executed transactions
Oracle Monitoring
- Morpho Oracle:
0x56dbc0f2784cd959e57fcc9cd83c3b7a24ee678c- Monitor
price()for staleness or deviation from expected hgETH/ETH ratio
- Monitor
- hgETH/USD feed:
0x70cf192d6b76d57a46aafc9285ced110034eb013- Monitor for price staleness (check
updatedAtfromlatestRoundData()) - Alert: If
updatedAtis more than 24 hours stale - Alert: Immediately on any proxy upgrade of the oracle feed
- Monitor for price staleness (check
- Oracle proxy admin:
0x9b61cf07caa513430a21d4f1cb6b93d90a6bbfb8- Monitor for implementation changes
- Alert: Immediately on any upgrade
Monitoring Frequency
| Category | Frequency | Priority |
|---|---|---|
| hgETH proxy upgrade events | Real-time | Critical |
| Multisig signer/threshold changes | Real-time | Critical |
| hgETH exchange rate decrease | Every 6 hours | Critical |
| rsETH depeg (>1%) | Every 6 hours | Critical |
| Oracle feed proxy upgrades | Real-time | Critical |
| Oracle price staleness | Every 6 hours | High |
| hgETH total assets changes | Daily | High |
| rsETH timelock transactions | Real-time | High |
| Large deposit/withdrawal events | Real-time | Medium |
| Protocol TVL changes | Daily | Medium |
Reassessment Triggers
- Time-based: Reassess every 90 days while rsETH bridge remediation is unresolved; thereafter every 6 months
- Pause-state: Reassess immediately if
depositsPaused()orwithdrawalsPaused()flips to true again - Exchange-rate: Reassess immediately if hgETH
convertToAssets(1e18)decreases further (currently 0.9941), or if it recovers above 1.0 - rsETH bridge remediation: Reassess on (a) Kelp publishing a final post-mortem with concrete numbers, (b) any movement on the Constitutional AIP / "DeFi United" recovery vehicle, (c) socialization or recovery transactions executed onchain
- rsETH peg: Reassess if rsETH/ETH market price returns within 1% of Kelp's
rsETHPrice()for 30 consecutive days, OR if Kelp's LRT oracle updates to reflect a new lower peg - Vault buffer: Reassess if vault buffer (rsETH balance of hgETH) exceeds 5% of total assets
- Governance-based: Reassess if an onchain timelock is verified/added for hgETH vault upgrades (would improve Centralization score)
- Oracle-based: Reassess immediately if the hgETH/USD oracle feed proxy is upgraded or if the feed is restored to full functionality
- Management fee: Reassess if management fee is reinstated (currently 0%)
- Audit-based: Reassess if additional hgETH/Gain or rsETH bridge-layer audits by tier-1 firms are completed
- Bug bounty scope: Reassess if hgETH/Gain vault contracts are explicitly added to the Immunefi program scope, and if cross-chain messaging configuration is brought into auditable scope
Appendix A — Related Protocol Audits
Upshift Finance (vault infrastructure) Audits
| # | Firm | Date | Scope | Report |
|---|---|---|---|---|
| 1 | ChainSecurity | Jan 2025 | Core Vault | Available |
| 2 | Hacken | Sep 2025 | Unknown scope | Available |
| 3 | Hacken | Dec 2025 | Unknown scope | Available |
| 4 | Hacken | Jan 2026 | AllocationWhitelist | Available |
| 5 | Sigma Prime | Aug 2024 | Unknown scope | Available |
| 6 | Zellic | Apr 2023 | Fractal Protocol (predecessor) | Available |
rsETH (Kelp) Audits
| # | Firm | Date | Scope | Findings | Report |
|---|---|---|---|---|---|
| 1 | Sigma Prime | Dec 2023 | rsETH smart contracts | 2M, 3L, 5I | |
| 2 | Code4rena | Nov 2023 | rsETH system (competitive, $28K pool) | 3H, 2M | Report |
| 3 | MixBytes | Mar 2024 | rsETH + withdrawal mechanism | 4H | |
| 4 | Sigma Prime | 2024 | rsETH with withdrawals | Unknown | |
| 5 | Sigma Prime | 2024 | rsETH with withdrawals | Unknown |
Notable Code4rena findings (Nov 2023):
- H-01: Possible arbitrage from Chainlink price discrepancy (disputed by Kelp)
- H-02: Protocol mints less rsETH on deposit than intended (fixed)
- H-03: rsETH price manipulable by first staker via donation attack (disputed but upheld as HIGH)
Notable MixBytes findings (Mar 2024):
- 4 HIGH severity including EigenPod initialization problem and race condition in node delegator management
Kernel (BNB Chain) Audits
| # | Firm | Date | Scope | Report |
|---|---|---|---|---|
| 1 | ChainSecurity | Dec 2024 | Kernel smart contracts | |
| 2 | Bailsec | Unknown | Kernel platform | Not publicly available |
| 3 | Sherlock | Jul 2025 | Slashing/restaking logic | Private engagement |