Kelp DAO $290M Exploit

- Attackers stole funds from Kelp DAO after compromising oracle verifier nodes and disrupting remaining infrastructure.
- Roughly $290–$292 million was taken after two RPC nodes were compromised and others were DDoS'd.
- LayerZero blamed Kelp's single-verifier deployment and attributed the attack to North Korea's Lazarus Group. (coindesk.com)

Kelp DAO lost about $290 million on April 18 after attackers forged cross-chain messages and drained rsETH from its bridge. (layerzero.network)

LayerZero said the attackers poisoned remote procedure call, or RPC, nodes used by its verifier network and then disrupted other nodes, letting a fake message pass in Kelp’s rsETH setup. Kelp’s bridge released about 116,500 rsETH, which CoinDesk valued at roughly $292 million. (layerzero.network) (coindesk.com)

An oracle verifier in this system acts like a notary for messages moving between blockchains. LayerZero said Kelp had configured rsETH with a 1-of-1 Decentralized Verifier Network, meaning one verifier could approve a transfer by itself. (layerzero.network)

LayerZero said it had urged integrators to use multiple independent verifiers, so one compromised signer could not approve a forged message alone. In its April 19 statement, the company said the exploit was isolated to Kelp DAO’s rsETH configuration and did not spread to other LayerZero-connected assets. (layerzero.network)

Kelp DAO disputed that framing on April 20. The protocol told CoinDesk the compromised verifier was LayerZero’s own infrastructure and said the single-verifier setup was LayerZero’s default onboarding configuration for rsETH. (coindesk.com)

The exploit hit a token that had become widely used as collateral across decentralized finance lending markets. CoinDesk reported that at least 20 chains were affected by stranded wrapped ether positions after the drain. (coindesk.com)

The fallout quickly moved from Kelp to other protocols holding or accepting rsETH. CoinDesk reported that Arbitrum’s Security Council froze 30,765.6675 ETH, about $71 million, tied to the exploiter on Arbitrum One on April 21. (coindesk.com) (forum.arbitrum.foundation)

LayerZero said preliminary indicators point to North Korea’s Lazarus Group, specifically the TraderTraitor cluster, but described that as an attribution assessment rather than a final public finding. Kelp has not accepted LayerZero’s account of responsibility, and the dispute now centers on whether the weak point was Kelp’s configuration or LayerZero’s default verifier design. (layerzero.network) (coindesk.com)

The immediate question is how much of the stolen ether can still be frozen or recovered through governance actions and chain-level controls. The larger record already shows one fact: a bridge that depended on one verifier failed when that verifier’s infrastructure was compromised. (forum.arbitrum.foundation) (layerzero.network)
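
The 1-of-1 versus multi-verifier point above, as an added illustration that is not LayerZero's or Kelp's code: a simplified model in which each verifier attests only to messages present in its own view of the source chain, and the destination accepts a message only when a threshold of distinct required verifiers agree. Verifier names, keys and messages are constructed, and HMAC stands in for whatever signature scheme a real verifier network uses.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC is a stand-in for real per-operator signatures.
VERIFIER_KEYS = {"dvn-a": b"key-a", "dvn-b": b"key-b", "dvn-c": b"key-c"}


def digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def attest(verifier: str, source_view: set, message: bytes):
    """A verifier signs a message only if its own view of the source chain contains it."""
    if digest(message) not in source_view:
        return None
    tag = hmac.new(VERIFIER_KEYS[verifier], digest(message), hashlib.sha256).digest()
    return (verifier, tag)


def accept(message: bytes, attestations, required: set, threshold: int) -> bool:
    """Destination check: accept only with `threshold` distinct, valid, required verifiers."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and the number of required verifiers")
    valid = set()
    for att in attestations:
        if att is None:
            continue  # this verifier did not see the message
        verifier, tag = att
        if verifier not in required:
            continue  # signer outside the configured set is ignored
        expected = hmac.new(VERIFIER_KEYS[verifier], digest(message), hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            valid.add(verifier)  # a set, so a repeated attestation counts once
    return len(valid) >= threshold


def run_scenario(required: set, threshold: int, poisoned: set) -> dict:
    """Return which messages are accepted when the verifiers in `poisoned` read a bad view."""
    genuine, forged = b"transfer 10 to account-1", b"transfer 999 to account-2"
    honest_view = {digest(genuine)}
    poisoned_view = honest_view | {digest(forged)}  # view served by compromised RPC nodes
    views = {v: (poisoned_view if v in poisoned else honest_view) for v in required}
    result = {}
    for name, msg in (("genuine", genuine), ("forged", forged)):
        atts = [attest(v, views[v], msg) for v in sorted(required)]
        result[name] = accept(msg, atts, required, threshold)
    return result
```

Calling `run_scenario({"dvn-a"}, 1, {"dvn-a"})` accepts the forged message, while a 2-of-3 configuration with only `dvn-a` poisoned rejects it and still accepts the genuine one.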
