KelpDAO drained ~$300M
- KelpDAO was exploited in a cross‑chain attack that drained roughly $300 million from the protocol. - Social posts put the loss at about $300M and flagged bridging and oracle weaknesses as attack vectors. - The incident highlights continuing systemic risk in multi‑chain liquidity designs and cross‑chain tooling. ( )
KelpDAO lost about $290 million on April 18 after an attacker forged cross-chain messages and drained its rsETH token system. (layerzero.network) LayerZero said the exploit was isolated to KelpDAO’s rsETH setup and traced the loss to a “single-DVN” configuration, with one verifier checking messages instead of several. KelpDAO had paused rsETH contracts across Ethereum mainnet and multiple layer-2 networks as investigators worked through the breach. (layerzero.network) (cryptopotato.com) The amount stolen was widely pegged near 116,500 rsETH, worth roughly $292 million at the time, and on-chain trackers said the attacker used the unbacked tokens as collateral to borrow large amounts of Ether. Coindesk reported the damage spread across roughly 20 chains where wrapped versions of the asset were in use. (coindesk.com) (ambcrypto.com) Cross-chain systems are the plumbing that let one blockchain send assets or messages to another. LayerZero’s own documentation says applications choose their security settings, including how many Decentralized Verifier Networks, or DVNs, must approve a message before it goes through. (docs.layerzero.network) (layerzero.network) In this case, LayerZero said KelpDAO used a 1-of-1 verifier setup, creating a single point of failure. The company said its recommended practice was a multi-DVN design with redundancy, so one compromised verifier could not approve a forged transfer by itself. (layerzero.network) The fallout quickly reached Aave, where rsETH had already been a monitored asset after an April 30, 2025 over-minting bug triggered a precautionary freeze across several Aave markets. Aave’s governance forum now shows active incident threads dated April 20 and April 21, 2026, as users and delegates debate losses and recovery steps. (governance.aave.com 1) (governance.aave.com 2) LayerZero said preliminary indicators pointed to a “highly-sophisticated state actor,” likely North Korea’s Lazarus Group, though that attribution remains the company’s assessment, not a public law-enforcement finding. Other crypto outlets have reported the same suspected link while the forensic review continues. (layerzero.network) (beincrypto.com) The immediate question is not whether bridges can move assets across chains; they already do. The question after April 18 is how many projects are still relying on one verifier, one oracle path, or one off-chain service to protect hundreds of millions of dollars. (layerzero.network) (docs.layerzero.network)
