tradingkey.logo
tradingkey.logo
Search

Ripple CTO Emeritus Warns RLUSD Review Exposed A DeFi Security Red Flag

BitcoinistApr 20, 2026 7:30 AM
facebooktwitterlinkedin
View all comments0

Ripple CTO Emeritus David Schwartz, said his review of DeFi bridge designs for Ripple’s RLUSD surfaced a recurring problem that may now be at the center of the KelpDAO/rsETH incident: critical security controls exist, but teams are often nudged toward lighter configurations because they are easier to operate and faster to scale.

In a series of posts on X, Schwartz said he evaluated “a lot of DeFi bridging systems” for potential RLUSD use and focused “almost exclusively” on security and risk. What stood out, he wrote, was not a lack of tooling. In his telling, many systems already offered strong protections against the kind of failure now being discussed around KelpDAO. The problem was that those protections often came with friction.

Ex-Ripple CTO Warns Bridge Failures Could Repeat

“One thing I noticed is that most schemes were very well designed and had really strong mechanisms available to protect against exactly the type of attack the the KelpDAO/rsETH situation seems to have been caused by,” Schwartz wrote. “However, one thing I noticed was that they generally in effect recommended not bothering to use the most important security mechanisms because they have convenience and operational complexity costs.”

The former Ripple-CTO is not saying bridge teams lack security features on paper. He is saying some business models are built around making those features optional, even when the assets secured can eventually grow large enough to make the tradeoff untenable.

“Their sales pitch was that they have the best security features but they’re easy to use and scale assuming you don’t use the security features,” he wrote. “I have a funny feeling part of the problem is going to be something like KelpDAO choosing not to use key LayerZero security features out of convenience. I hope I’m wrong.”

The broader concern, in Schwartz’s framing, is incentive design. If applications are allowed to choose their own trust assumptions, competition can drift toward lower-friction setups rather than higher-assurance ones. That point was raised explicitly by XRP community figure Vet, who argued that letting applications define their own security inevitably “races to the bottom.”

Schwartz partly pushed back, saying simpler setups can make sense when value is still small, or where assets are already backed by a trusted issuer and can be frozen. But he also suggested that in open crypto markets, temporary shortcuts have a way of becoming permanent.

“That gets insanely complicated. I’d say probably not,” the former Ripple CTO wrote when asked whether projects could face liability for losses. “But the whole DeFi bridging industry is infected with people using moderate security because ‘we just need to get it working, we’ll improve it later’ that grows to protecting huge amounts of money and the later improvements never come.”

He was similarly blunt on the industry’s habit of relearning the same lesson after each blowup. “We could wait until we have a perfect solution, but that’s not the choice everyone has made,” Schwartz said. “So every once in a while, we’re going to have a big failure and then everyone will be careful for a month or two and the cycle will repeat.”

Overall, Schwartz frames the issue as structural: DeFi keeps trying to scale cross-chain liquidity before it has solved how to govern bridge risk at the level other people’s money demands. Even Schwartz, while defending some narrower uses of simpler bridge setups, conceded that decentralized governance remains ill-suited to hard security decisions around custodial risk.

The backdrop is the April 18 rsETH incident involving KelpDAO. An attacker exploited KelpDAO’s LayerZero-powered rsETH bridge and drained 116,500 rsETH, valued at roughly $290 million. Aave’s Guardian then froze rsETH and wrsETH markets across the deployments where the asset was listed, stressing that Aave itself had not been hacked and that the issue was scoped to the asset rather than the lending protocol.

Aave later said all pools remained operational, but the freeze halted new deposits and new borrows against rsETH collateral while the situation was assessed. The episode quickly turned into a broader DeFi risk event because rsETH had been integrated into lending markets, raising fresh questions about collateral standards, bridge configuration choices and whether convenience-first interoperability is still being underpriced across the stack.

At press time, XRP traded at $1.40.

XRP price chart
Disclaimer: The information provided on this website is for educational and informational purposes only and should not be considered financial or investment advice.

Comments (0)

Click the $ button, enter the symbol, and select to link a stock, ETF, or other ticker.

0/500
Commenting Guidelines
Loading...

Recommended Articles

tradingkey.logo
* References, analysis, and trading strategies are provided by the third-party provider, Trading Central, and the point of view is based on the independent assessment and judgement of the analyst, without considering the investment objectives and financial situation of the investors.
Risk Warning: Our Website and Mobile App provides only general information on certain investment products. Finsights does not provide, and the provision of such information must not be construed as Finsights providing, financial advice or recommendation for any investment product.
Investment products are subject to significant investment risks, including the possible loss of the principal amount invested and may not be suitable for everyone. Past performance of investment products is not indicative of their future performance.
Finsights may allow third party advertisers or affiliates to place or deliver advertisements on our Website or Mobile App or any part thereof and may be compensated by them based on your interaction with the advertisements.
© Copyright: FINSIGHTS MEDIA PTE. LTD. All Rights Reserved.