#KelpDAOBridgeHacked


The decentralized finance ecosystem has been hit by one of its most severe security breaches to date, as Kelp DAO suffered a massive exploit resulting in approximately $292 million in losses. The attack, which unfolded on April 18, targeted Kelp DAO’s LayerZero-powered cross-chain bridge and led to the theft of 116,500 rsETH tokens, sending shockwaves across multiple DeFi protocols.

What makes this incident particularly alarming is not just the scale of the loss, but the cascading impact it has triggered across the broader ecosystem, including lending giant Aave, and the growing dispute between infrastructure providers over who is responsible.

How the Attack Happened
Investigators report that the attacker funded their wallet using Tornado Cash roughly 10 hours before launching the exploit, a common method used to obscure transaction origins. Early analysis, including insights shared by blockchain investigator ZachXBT, suggests possible involvement of the Lazarus Group, a North Korea-linked hacking collective known for sophisticated DeFi exploits.

The technical root of the attack appears to be a compromise of RPC nodes used within LayerZero’s Decentralized Verifier Network (DVN). The attacker allegedly poisoned two validator nodes while simultaneously launching a DDoS attack against the rest. This disruption allowed a fraudulent cross-chain message to be validated.

As a result, Kelp DAO’s bridge contract was tricked into releasing 116,500 rsETH on Ethereum mainnet, even though the assets were never legitimately unlocked.

Growing Conflict: Who Is Responsible?
Following the exploit, a heated blame game erupted between Kelp DAO and LayerZero.

LayerZero argues that Kelp DAO used a “1-of-1 DVN configuration”, which created a single point of failure. According to LayerZero, industry best practices recommend multiple independent validators to prevent exactly this type of attack. They claim Kelp DAO ignored diversification guidance.

Kelp DAO, however, strongly rejects this claim. The team insists that the 1-of-1 setup was the default configuration provided in LayerZero documentation for early OFT deployments. They also argue that LayerZero representatives had previously approved the architecture, meaning responsibility cannot be shifted retroactively.
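
The dispute turns on how many independent verifiers must attest before a cross-chain message is accepted. The sketch below is an added example, not code from Kelp DAO or LayerZero: a simplified Python model of a required-plus-threshold verifier policy, with hypothetical verifier names (`dvn-a` and so on) and constructed payloads. It compares a 1-of-1 setup with a multi-verifier one when one verifier is compromised and the rest are knocked offline.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierPolicy:
    """Simplified model (assumption): every `required` verifier plus at least
    `optional_threshold` of the `optional` ones must attest to a message."""
    required: frozenset
    optional: frozenset = frozenset()
    optional_threshold: int = 0

    def min_compromise(self) -> int:
        """Fewest verifiers an attacker must control to get a forgery accepted."""
        return len(self.required) + self.optional_threshold

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def accept(policy, payload, attestations) -> bool:
    """attestations maps verifier name -> hash it attested to; absent = silent."""
    want = payload_hash(payload)
    agree = {v for v, h in attestations.items() if h == want}
    if not policy.required <= agree:   # a silent required verifier blocks delivery
        return False
    return len(agree & policy.optional) >= policy.optional_threshold

def simulate(policy, compromised, offline):
    """Return (forged_accepted, genuine_accepted) for one failure scenario."""
    forged, genuine = b"constructed forged message", b"constructed genuine message"
    everyone = policy.required | policy.optional
    # Compromised verifiers attest to the forgery; honest ones never do.
    forged_att = {v: payload_hash(forged) for v in compromised}
    # Only honest verifiers that are still reachable attest to real traffic.
    honest_up = everyone - set(compromised) - set(offline)
    genuine_att = {v: payload_hash(genuine) for v in honest_up}
    return accept(policy, forged, forged_att), accept(policy, genuine, genuine_att)

# Hypothetical verifier names, constructed for this example.
SINGLE = VerifierPolicy(required=frozenset({"dvn-a"}))
HARDENED = VerifierPolicy(required=frozenset({"dvn-a", "dvn-b"}),
                          optional=frozenset({"dvn-c", "dvn-d", "dvn-e"}),
                          optional_threshold=2)

if __name__ == "__main__":
    for name, policy in (("1-of-1", SINGLE), ("hardened", HARDENED)):
        rest = (policy.required | policy.optional) - {"dvn-a"}
        print(name, "verifiers to compromise:", policy.min_compromise())
        print("  dvn-a compromised, rest offline:", simulate(policy, {"dvn-a"}, rest))
```

In this model the hardened policy fails closed: with one verifier compromised and the others unreachable, neither the forged nor the genuine message is delivered, so the cost is downtime rather than a forged release.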

Contagion Spreads to Aave
The consequences quickly spread beyond Kelp DAO. The attacker deposited 89,567 rsETH into Aave as collateral and borrowed approximately $190 million in WETH and wstETH, exposing Aave to significant bad debt risk.

Aave Labs estimates potential losses between $124 million and $230 million, depending on whether losses are socialized across holders or isolated to specific networks.

In response, Aave immediately froze rsETH markets across multiple versions, reduced collateral parameters to zero, and triggered emergency risk controls. The protocol’s governance token AAVE dropped 10%, while more than $10 billion in TVL reportedly exited the platform amid panic withdrawals.

Emergency Governance Actions
On Arbitrum, validators took rapid action by freezing approximately $71.1 million worth of ETH linked to the exploit. The funds were moved to a secure wallet pending governance decisions, with possible user reimbursement on the table.

Authorities and security researchers are also reportedly involved in tracing the attacker’s identity and movement of funds.

What Happens Next?
Kelp DAO has paused all rsETH contracts across multiple chains, but the core problem remains unresolved: the protocol likely lacks sufficient treasury reserves to cover the $292 million loss.

Possible rescue scenarios include LayerZero stepping in to protect its ecosystem reputation, Aave DAO using treasury funds to cover bad debt, or a broader socialized loss across rsETH holders. However, none of these solutions has been confirmed.

For now, the incident stands as one of the most damaging DeFi exploits of 2026, exposing critical weaknesses in cross-chain infrastructure and reigniting debates around decentralization vs. security in modern crypto systems.

📌 Detail:
https://www.gate.com/announcements/article/50593
#GateSquare #CreatorCarnival #ContentMining #Gate13周年
CryptoEye
· 2h ago
2026 GOGOGO 👊
CryptoEye
· 2h ago
LFG 🔥