Inside the KelpDAO Bridge Attack: How a Single Verification Node Unlocked $290m

On April 21, 2026, KelpDAO suffered one of the most devastating DeFi exploits in history when attackers drained approximately $290 million from the protocol’s liquid restaking token, rsETH. With Bitcoin trading at $79,827.91 and Ethereum at $2,346.40, this attack highlights critical vulnerabilities in omnichain bridge security that extend far beyond one protocol.

The Exploit Mechanics

The attack began with a fundamental design flaw in KelpDAO’s LayerZero omnichain fungible token (OFT) bridge configuration. Unlike multi-signature or timelock-protected systems, KelpDAO chose a single-verifier approach, creating a single point of failure that attackers ruthlessly exploited.

LayerZero bridges work by locking tokens on the source chain and minting equivalent tokens on destination chains. The verification process ensures only legitimate transfers occur. By compromising this single verification mechanism, attackers essentially tricked the entire system into believing fraudulent transfers were legitimate.
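The single-verifier failure described above can be shown with a simplified model. This is an added example, not KelpDAO's or LayerZero's code: the verifier names, keys, configuration fields and forged message are constructed, and HMAC stands in for a real verifier signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    required: tuple              # every verifier named here must attest
    optional: tuple = ()         # pool from which `optional_threshold` must attest
    optional_threshold: int = 0

def attest(key: bytes, packet: bytes) -> bytes:
    # Stand-in for a verifier signature: HMAC over the packet hash.
    return hmac.new(key, hashlib.sha256(packet).digest(), hashlib.sha256).digest()

def is_verified(cfg, keys, packet, attestations) -> bool:
    """Destination-side check: release only if the configured quorum attested."""
    def ok(name):
        sig = attestations.get(name)
        return sig is not None and hmac.compare_digest(sig, attest(keys[name], packet))
    if not cfg.required and cfg.optional_threshold == 0:
        return False             # an empty quorum must never pass
    if not all(ok(v) for v in cfg.required):
        return False
    return sum(ok(v) for v in set(cfg.optional)) >= cfg.optional_threshold

def audit(cfg) -> list:
    """Flag configurations in which one compromised verifier is sufficient."""
    findings = []
    if len(set(cfg.required)) + cfg.optional_threshold < 2:
        findings.append("single point of failure: one verifier can approve a release")
    if cfg.optional_threshold > len(set(cfg.optional)):
        findings.append("optional threshold can never be met")
    return findings

# Constructed sample data: keys, configurations and a forged release message.
KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}
SINGLE = VerifierConfig(required=("verifier-a",))
QUORUM = VerifierConfig(required=("verifier-a", "verifier-b"),
                        optional=("verifier-c",), optional_threshold=0)
FORGED = b"release 116500 rsETH from escrow"
# Only verifier-a is compromised, so only its attestation exists for the forgery.
FORGED_ATTESTATIONS = {"verifier-a": attest(KEYS["verifier-a"], FORGED)}

def demo() -> dict:
    return {
        "single_accepts_forgery": is_verified(SINGLE, KEYS, FORGED, FORGED_ATTESTATIONS),
        "quorum_accepts_forgery": is_verified(QUORUM, KEYS, FORGED, FORGED_ATTESTATIONS),
        "single_findings": audit(SINGLE),
        "quorum_findings": audit(QUORUM),
    }
```

Running audit() over every deployed pathway's configuration before launch, and again after any configuration change, catches the one-verifier case without waiting for an incident.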

The preliminary investigation conducted by Galaxy Research identified the attackers as North Korea’s Lazarus Group, suggesting this was a state-sponsored operation rather than individual hackers. The sophistication of the attack patterns aligns with previous Lazarus operations targeting DeFi protocols.

Affected Systems

The immediate damage was staggering: attackers withdrew 116,500 rsETH from the Ethereum mainnet escrow — tokens that should never have been released. These stolen tokens were immediately deposited as collateral on major lending platforms, primarily on the Ethereum and Arbitrum blockchains.

Using the stolen rsETH as collateral, the attackers borrowed an estimated $236 million in wrapped Ethereum tokens (WETH and wstETH). This created massive exposure across the DeFi ecosystem, particularly on Aave, where the protocol froze all rsETH, wrsETH, and WETH markets.

The fallout extended far beyond KelpDAO. With 112,204 rsETH (roughly 15% of post-exploit supply) becoming unbacked on the bridge adapter, and only 40,373 rsETH remaining as confirmed backing for the 152,577 rsETH outstanding on Layer 2 networks, systemic risk became apparent. Aave froze all rsETH-related markets across all deployments, and primary stablecoin markets reached 100% utilization, leaving zero liquidity for withdrawals.

The Mitigation Strategy

On Monday evening, the Arbitrum Security Council took emergency action to freeze 30,766 ETH held on Arbitrum and transfer it to an intermediary frozen wallet. This marked one of the few cases where a blockchain security council actively intervened to recover stolen funds, setting a significant precedent for future incidents.

Arbitrum’s intervention involved upgrading a bridge contract to enable fund recovery — a controversial move that demonstrated both the potential and risks of centralized security councils in decentralized systems. The decision prioritized victim recovery over strict adherence to immutable transaction principles.

Aave faced a difficult choice regarding its estimated $123.7 million in bad debt. The protocol could either implement uniform socialization of losses or isolate losses to L2 rsETH holders, each approach with different implications for protocol users and stakeholders. This represented one of the most significant governance challenges in DeFi history.

Lessons Learned

This exploit reveals several hard lessons about DeFi security architecture. The single-verifier configuration that enabled this attack demonstrates the dangers of over-optimizing for efficiency at the expense of security. LayerZero bridges, while innovative, require robust multi-signature implementations with timelocks.

The incident highlights the growing sophistication of state-sponsored attackers in the DeFi space. As protocols handle billions in assets, they must assume sophisticated adversaries rather than opportunistic hackers. Security needs to evolve from perimeter-based thinking to defense-in-depth strategies.

Perhaps most importantly, the $15 billion drop in total value locked across DeFi following the attack shows that systemic risk in one protocol can cascade through the entire ecosystem. This demands better coordination between protocols, clearer communication during crises, and potentially industry-wide insurance mechanisms.

User Action Required

If you held rsETH or interacted with KelpDAO before April 21, 2026, immediate action is essential. First, check your wallet for any unexplained rsETH transfers or unexpected collateral liquidations. Second, review your positions on Aave and other platforms affected by the protocol freezes. Third, monitor governance proposals regarding bad debt resolution and socialization mechanisms.

For protocols considering bridge implementations, this incident should serve as a red flag. Multi-signature verification, timelock mechanisms, and emergency shutdown capabilities are no longer optional features — they are necessities for any protocol handling significant user funds.

The KelpDAO exploit represents not just a technical failure, but a systemic warning about the evolving threat landscape in decentralized finance. As DeFi protocols mature, security must mature with them, moving beyond code audits to include real-world threat modeling and penetration testing by specialized ethical hacking groups.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always do your own research before making investment decisions.


13 thoughts on “Inside the KelpDAO Bridge Attack: How a Single Verification Node Unlocked $290m”

  1. single verifier on a 550M protocol. KelpDAO chose convenience over security and Lazarus exploited it perfectly

  2. single verifier node for $290M in assets. LayerZero needs mandatory multi-DVN configs for anything over $10M TVL. this was preventable

    1. agree on mandatory multi-DVN. Aave freezing rsETH saved another 100M+ cascade. emergency response mattered more than the initial flaw here

  3. Ingrid Svanberg

    Aave freezing rsETH markets within hours was the only thing that prevented a bigger cascade. DeFi emergency response is getting faster

  4. attackers depositing stolen rsETH as collateral on Aave and borrowing 236M in WETH. using DeFi against itself

    1. using Aave as the exit liquidity was the clever part. deposit stolen rsETH, borrow WETH, dump. DeFi composability cuts both ways

  5. Galaxy Research identifying Lazarus Group confirms state-sponsored. the 116.5K rsETH withdrawal from escrow should never have been possible with proper verification

  6. 290M gone because one node signed off on everything. any protocol using a single verifier in 2026 deserves what they get honestly

    1. bridge_auditor_

      single verifier in 2026 is beyond negligent. LayerZero should enforce multi-DVN above certain TVL thresholds, not make it optional
