TL;DR
- On April 18, 2026, attackers linked to North Korea’s Lazarus Group stole ~$292 million (116,500 rsETH) from KelpDAO’s LayerZero bridge. Crucially, this was not a smart contract hack, but a sophisticated attack on off-chain infrastructure.
- The attackers compromised internal RPC nodes and DDoS’d external nodes to feed false data to a single-point-of-failure verification network (a 1-of-1 DVN setup). This tricked the Ethereum contract into releasing funds based on a phantom token “burn” on the source chain.
- Traditional security tools missed the attack because every on-chain transaction looked completely valid. Spotting this type of exploit requires cross-chain invariant monitoring — continuously verifying that tokens released on a destination chain mathematically match tokens burned on the source chain.
- Rapid intervention prevented further damage. KelpDAO successfully paused contracts to block a second $95 million theft, and the Arbitrum Security Council, coordinating with law enforcement, froze over 30,000 ETH of the attacker’s downstream funds.
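As an added illustration of the cross-chain invariant monitoring the summary calls for (example code written for this page, not code from Chainalysis, KelpDAO or LayerZero), the check below compares destination-chain releases against source-chain burns as reported by several independent observers, and shows why a 1-of-1 view of the source chain cannot catch a phantom burn. The observer names, nonces, amounts and transaction ids are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Release:
    nonce: int   # cross-chain message nonce this release claims to settle
    amount: int  # rsETH released on the destination chain (whole tokens, constructed)
    tx: str      # destination-chain tx id (placeholder)

# Source-chain burn ledgers per observer: name -> {nonce: burned amount}.
# Constructed: "internal_rpc" plays the compromised node reporting a phantom burn.
SOURCE_VIEWS: Dict[str, Dict[int, int]] = {
    "internal_rpc": {1: 500, 2: 1_200, 3: 116_500},
    "public_rpc_a": {1: 500, 2: 1_200},
    "public_rpc_b": {1: 500, 2: 1_200},
}
RELEASES: List[Release] = [
    Release(1, 500, "0xTX1"),
    Release(2, 1_200, "0xTX2"),
    Release(3, 116_500, "0xTX3"),  # settles a burn only the compromised node saw
]

def confirmed_burns(views: Dict[str, Dict[int, int]], quorum: int) -> Dict[int, int]:
    """A burn counts only if at least `quorum` observers report the same amount."""
    confirmed: Dict[int, int] = {}
    nonces = {n for view in views.values() for n in view}
    for nonce in sorted(nonces):
        amounts = [view[nonce] for view in views.values() if nonce in view]
        for amt in set(amounts):
            if amounts.count(amt) >= quorum:
                confirmed[nonce] = amt
                break
    return confirmed

def check_invariant(views, releases, quorum) -> List[str]:
    """Alert on a release with no quorum-confirmed burn, a mismatched amount,
    or one that pushes cumulative released above cumulative confirmed burned."""
    burns = confirmed_burns(views, quorum)
    total_burned, total_released = sum(burns.values()), 0
    alerts: List[str] = []
    for r in releases:
        total_released += r.amount
        if r.nonce not in burns:
            alerts.append(f"{r.tx}: nonce {r.nonce} released {r.amount} with no quorum-confirmed burn")
        elif burns[r.nonce] != r.amount:
            alerts.append(f"{r.tx}: nonce {r.nonce} released {r.amount} but burn was {burns[r.nonce]}")
        if total_released > total_burned:
            alerts.append(f"{r.tx}: cumulative released {total_released} > burned {total_burned}")
    return alerts

if __name__ == "__main__":
    print("1-of-1 view:", check_invariant(SOURCE_VIEWS, RELEASES, quorum=1))
    print("2-of-3 view:", check_invariant(SOURCE_VIEWS, RELEASES, quorum=2))
```

With a single trusted source-chain view (quorum=1) the phantom burn is accepted and no alert fires; requiring two of three independent observers to agree exposes both the unbacked release and the broken burned-vs-released invariant.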
On-chain, the transactions looked clean. Messages were relayed, signatures verified, and 116,500 rsETH — worth roughly $292 million — moved out of a LayerZero-based bridge contract on Ethereum. Nothing about the calldata itself signaled an exploit. Yet, locked rsETH was illegitimately released from KelpDAO’s bridge escrow, and a community of restakers was left holding tokens whose peg assumptions had quietly been broken. Tuesday, three days after the hack, the Arbitrum Security Council moved to freeze a significant portion of the attacker’s downstream funds, an intervention that closed some of the windows these types of exploits usually target.
This was not a smart contract vulnerability. There was no reentrancy bug, no missing access check, no price oracle sleight-of-hand. The KelpDAO incident is something arguably more dangerous: an attack on the off-chain verification layer on which many cross-chain protocols depend.
Chainalysis investigates many of the world’s largest crypto hacks and is proud to have worked closely with partners in law enforcement and industry on Arbitrum’s landmark disruption of criminal activity. Here’s what we know so far, what the on-chain evidence shows, and why this class of exploit requires a different kind of monitoring.
...read more at chainalysis.com