KelpDAO hack fallout is forcing DeFi to confront a risk it kept packaging as infrastructure: cross-chain verification. Attackers stole roughly $292 million in rsETH on April 18 by tricking KelpDAO’s LayerZero bridge into releasing tokens against a burn that never happened, turning a bridge configuration issue into a lending-market crisis.
KelpDAO hack timeline shows how fast bridge risk becomes systemic
The KelpDAO hack began on April 18, 2026, when attackers released 116,500 rsETH from KelpDAO’s Ethereum-side LayerZero bridge adapter. Chainalysis said the stolen amount was worth roughly $292 million and linked the attackers to North Korea’s Lazarus Group. The firm stressed that this was not a normal smart contract exploit. The on-chain transaction looked valid because the message format, verifier signature and release call all appeared correct.
The failure sat below the visible contract call. KelpDAO’s rsETH bridge used LayerZero infrastructure and relied on a 1-of-1 Decentralized Verifier Network setup. That meant one verifier could approve the cross-chain message. Chainalysis said attackers compromised internal RPC nodes, hit external nodes with a denial-of-service attack and fed false source-chain data to the verifier. The Ethereum contract then released rsETH as if a matching burn had happened on Unichain. It had not. KelpDAO paused relevant contracts after detecting the anomaly, blacklisted attacker addresses and blocked a second forged packet that could have drained another 40,000 rsETH, worth about $95 million.
How the attack worked without breaking KelpDAO’s contracts
The exploit’s most damaging feature is that it did not need to break KelpDAO’s contracts directly. It attacked the data path that told the verifier what had happened on another chain. Galaxy Research wrote that KelpDAO’s LayerZero Omnichain Fungible Token adapter operated on a lock-and-mint model, where rsETH bridged away from Ethereum is locked in escrow and messages later authorize releases. That model requires the destination contract to trust verified messages. In KelpDAO’s case, the bridge depended on a single LayerZero Labs DVN. Galaxy said the attacker delivered a forged LayerZero packet at 17:35 UTC, claiming to originate from Unichain. The adapter released 116,500 rsETH to the attacker’s address on Ethereum in one transaction. KelpDAO paused the contracts 46 minutes later, blocking two follow-on attempts. This is the technical lesson. Smart contract audits can confirm that a release function behaves correctly, but they cannot prove that off-chain RPC nodes and verification paths are honest. The contract did what it was instructed to do. The system-state input was false.
On-chain evidence shows the money trail hit lending markets
The attacker did not need to dump all rsETH into thin secondary markets. Galaxy said the stolen rsETH was deposited as collateral into Aave, Compound and Euler, mainly on Ethereum and Arbitrum, and used to borrow an estimated $236 million in WETH and wstETH. That converted a bridge exploit into a lending-liquidity problem. The contagion hit Aave fastest. Galaxy said Aave froze rsETH, wrsETH and WETH markets across deployments after the attack, while some stablecoin markets reached 100% utilization, leaving no liquidity for withdrawals. The research firm modeled Aave bad debt at $123.7 million if losses were socialized across rsETH holders, or $230.1 million if losses were isolated to L2 rsETH. That is why this belongs in Web3 Fraud Files. The attack was not only theft. It exposed how a bridge token can enter lending markets, become collateral, support leverage and then transmit failure when backing assumptions break. DeFi did not lose money because one lending contract mispriced a token. It lost money because collateral carried hidden verification assumptions.
Arbitrum’s freeze exposed DeFi’s recovery trade-off
Recovery moved faster than in many earlier bridge exploits, but it also exposed DeFi’s governance tension. Chainalysis said the Arbitrum Security Council froze 30,766 ETH tied to the attacker’s downstream funds after coordination with law enforcement. The funds were moved to an intermediary frozen wallet and can only move again through Arbitrum governance. That intervention reduced the attacker’s realized proceeds. It also proved that some supposedly neutral systems retain emergency powers that can move fast when losses are large enough. Galaxy framed the issue sharply: when nine-figure losses occur, market participants often prefer the centralizing authority that can act fastest, whether that means a security council, blacklist function, exchange freeze or law-enforcement request.
The trade-off is not simple. A freeze can preserve victim recovery and slow laundering. It can also remind institutions that governance keys, emergency councils and upgrade powers are part of the risk stack. Cryptic Daily’s coverage of the Drift Protocol exploit showed the same pattern: the technical cause may differ, but recovery often depends on human coordination, privileged authority and fast decision-making outside the idealized DeFi model.
Project response now centers on LayerZero and Chainlink
The post-exploit dispute quickly shifted toward responsibility for the bridge setup. Gadgets360 reported that KelpDAO planned to migrate rsETH to Chainlink after the hack and continued to blame LayerZero infrastructure. The report said LayerZero argued the incident stemmed from an inadequate Kelp configuration tied to a single DVN path, rather than multiple independent checks. KelpDAO has said it operated on LayerZero infrastructure since January 2024 and maintained communication with LayerZero about DVN configuration. LayerZero has argued that single-DVN setups increase security risk. That disagreement matters because it is not just public relations. It shapes how other protocols will assess vendor defaults, signed deployment settings, bridge documentation and responsibility when a configuration becomes a loss event. KelpDAO’s own site describes Kelp as a liquid restaking protocol with rsETH deployed across more than 10 chains and supported by audits and a bug bounty. Those claims now face a harder test. Audits and bug bounties are valuable, but the exploit showed that a protocol’s effective security perimeter includes infrastructure partners, verifier quorums, RPC dependencies and downstream lending integrations.
The KelpDAO exploit reveals DeFi’s new security baseline
The KelpDAO exploit sets a new baseline for risk reviews. Protocols can no longer treat “bridged collateral” as a single asset line. Risk teams need to map the custody path, message-verification quorum, DVN configuration, RPC provider dependencies, pause authority, oracle design, market depth and lending exposure. A token can be liquid, audited and widely integrated while still carrying a hidden one-verifier failure mode.
Chainalysis said spotting this type of exploit requires cross-chain invariant monitoring: continuously checking that tokens released on one chain mathematically match burns or locks on another. That is a different monitoring model from watching single transactions for suspicious calldata. In KelpDAO’s case, every visible transaction could look legitimate while the state relationship across chains was broken. The broader impact is already visible. Galaxy said major DeFi projects paused LayerZero OFT bridges after the exploit and that DeFi total value locked fell by about $15 billion after the incident. The exact recovery path remains unsettled, but the direction is clear. Bridge design, verifier independence and emergency authority are now front-office risk topics, not backend engineering details. The next milestone is KelpDAO’s formal recovery plan and rsETH migration path. If Kelp, LayerZero, Aave and Arbitrum can settle the loss allocation without widening user haircuts, DeFi may keep this as a contained bridge failure. If not, the KelpDAO hack becomes the case study every lender uses before accepting cross-chain restaking collateral again.
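The cross-chain invariant monitoring that Chainalysis describes can be sketched as a replay over bridge events from both chains. This is an added example, not code from Chainalysis, KelpDAO or LayerZero; the event fields, the `guid` identifier and every sample figure except the 116,500 release are constructed, and it assumes the monitor reads each chain through nodes independent of the verifier's RPC path.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeEvent:
    chain: str     # chain the event was observed on
    kind: str      # "lock"/"release" on the home chain, "mint"/"burn" on a remote
    guid: str      # message id tying a release to its burn (hypothetical field)
    amount: int    # whole tokens, to keep the sample readable
    src: str = ""  # for a release: the chain the message claims to come from

def check_invariants(events):
    """Replay time-ordered events; return alerts for broken cross-chain state."""
    escrow = 0                          # tokens held by the home-chain adapter
    remote_supply = defaultdict(int)    # bridged supply per remote chain
    burns, alerts = {}, []
    for ev in events:
        if ev.kind == "lock":
            escrow += ev.amount
        elif ev.kind == "mint":
            remote_supply[ev.chain] += ev.amount
        elif ev.kind == "burn":
            remote_supply[ev.chain] -= ev.amount
            burns[ev.guid] = ev
        elif ev.kind == "release":
            escrow -= ev.amount
            burn = burns.pop(ev.guid, None)  # pop so a burn backs one release only
            # Per-message check: same id, same claimed source, same amount.
            if burn is None or burn.chain != ev.src or burn.amount != ev.amount:
                alerts.append(("UNMATCHED_RELEASE", ev.guid, ev.amount))
    # Aggregate check: escrow must cover everything still circulating remotely.
    outstanding = sum(remote_supply.values())
    if escrow < outstanding:
        alerts.append(("UNDERCOLLATERALIZED", escrow, outstanding))
    return alerts

# Constructed sample: lock/mint/burn figures are invented; 116,500 is the
# release amount reported in the article.
HONEST = [
    BridgeEvent("ethereum", "lock", "0x01", 200_000),
    BridgeEvent("unichain", "mint", "0x01", 200_000),
    BridgeEvent("unichain", "burn", "0xa1", 1_000),
    BridgeEvent("ethereum", "release", "0xa1", 1_000, src="unichain"),
]
FORGED = HONEST + [BridgeEvent("ethereum", "release", "0xf0", 116_500, src="unichain")]

if __name__ == "__main__":
    for alert in check_invariants(FORGED):
        print(alert)
```

The release passes any single-transaction check, yet both the per-message match and the aggregate escrow-versus-supply comparison fail once the two chains are read together.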
Zashleen Singh doesn't just report on Web3; she digs into it. With a background in software development across top tech companies and the Web3 space, she brings a developer's precision to investigative journalism. Specialising in crypto fraud, decentralised applications, and Web3 infrastructure, she has covered over 200 blockchain projects and broken major rug pull investigations that sparked real community action.