
Kelp DAO Suffers $292 Million Bridge Exploit Through Off-Chain Infrastructure Attack

The decentralized finance ecosystem faced another devastating blow on February 28, 2025, as Kelp DAO confirmed a massive $292 million exploit targeting its cross-chain bridge. Unlike typical smart contract vulnerabilities that have plagued DeFi protocols in recent years, this attack exposed a critical weakness in off-chain infrastructure — a growing blind spot that the industry can no longer afford to ignore. With Bitcoin trading at approximately $84,373 and Ethereum at $2,238 on the day of the attack, the broader crypto market was already reeling from the aftermath of the $1.5 billion Bybit hack just one week earlier.

The Exploit Mechanics

Blockchain analytics firm Chainalysis conducted a thorough investigation and confirmed that the Kelp DAO exploit was not caused by a smart contract bug. Instead, the attacker manipulated the protocol’s off-chain relay and validation systems to mint rsETH tokens without providing any real collateral. The bridge’s backend infrastructure, which validates cross-chain transactions, was compromised through a sophisticated multi-step process.

According to the Chainalysis report, the attack unfolded in five distinct stages. First, the attacker conducted reconnaissance on the bridge’s off-chain relay system, identifying weaknesses in the validation process. Second, they gained unauthorized access to the off-chain infrastructure, likely by exploiting a vulnerability in a server or API endpoint. Third, they submitted a fabricated proof of asset burn that the off-chain relay accepted without proper verification. Fourth, the bridge minted approximately 10,000 rsETH tokens on the destination chain with zero backing. Finally, the attacker swapped the unbacked rsETH for other assets and routed the funds through mixers and exchanges to obscure the trail.

The total value drained reached approximately $292 million, making it one of the largest DeFi exploits in history. The attacker created rsETH tokens essentially out of thin air by compromising the backend validation layer rather than exploiting any on-chain logic.

Affected Systems

The primary system affected was the Kelp DAO bridge, which facilitates cross-chain transfers of rsETH — a liquid restaking token that represents staked Ethereum positions. The bridge relies on off-chain relays to verify that assets have been locked or burned on the source chain before minting equivalent tokens on the destination chain. This trust assumption proved to be the fatal vulnerability.

The exploit also had cascading effects on the broader liquid restaking ecosystem. Holders of rsETH faced uncertainty about the token’s backing, and several decentralized exchanges temporarily paused rsETH trading pairs as a precautionary measure. The incident raised concerns about the security of other liquid restaking protocols that employ similar off-chain validation mechanisms, including protocols managing billions in total value locked across Ethereum’s restaking landscape.

The Mitigation Strategy

In the immediate aftermath, Kelp DAO’s team took several steps to contain the damage. The bridge was paused to prevent further unauthorized minting, and on-chain monitoring systems were deployed to track the movement of stolen funds. The protocol team began coordinating with major exchanges and blockchain analytics firms to flag and freeze any stolen assets that reached centralized platforms.

Chainalysis recommended that bridge protocols implement mandatory on-chain verification of burn and lock events, eliminating the single point of failure that off-chain relays represent. Additional mitigation measures include multi-signature requirements for relay operations, real-time anomaly detection systems that flag unusual minting patterns, and regular penetration testing of both on-chain and off-chain components. The firm also emphasized the need for decentralized oracle networks to provide independent verification of cross-chain state changes.
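The controls listed above can be combined in a single mint gate. The sketch below is an added example, not code from Kelp DAO or Chainalysis: `MintGate`, the verifier names, keys, threshold and window cap are all hypothetical, and HMAC tags stand in for the per-verifier asymmetric signatures a real deployment would use. It requires a quorum of independent attestations over the exact burn claim, refuses to reuse a burn, and pauses the bridge when minting in a rolling window exceeds a cap.

```python
import hashlib
import hmac
from collections import deque

# Constructed demo keys; HMAC stands in for per-verifier asymmetric signatures.
VERIFIER_KEYS = {"v1": b"k1-demo", "v2": b"k2-demo", "v3": b"k3-demo"}


def attest(verifier, burn_id, amount, recipient):
    """Tag one verifier issues after seeing the burn on the source chain."""
    msg = f"{burn_id}|{amount}|{recipient}".encode()
    return hmac.new(VERIFIER_KEYS[verifier], msg, hashlib.sha256).hexdigest()


class MintGate:
    """Hypothetical destination-side gate: quorum, replay check, circuit breaker."""

    def __init__(self, threshold=2, window_s=3600, window_cap=500):
        self.threshold, self.window_s, self.window_cap = threshold, window_s, window_cap
        self.seen = set()       # burn ids already minted against
        self.recent = deque()   # (timestamp, amount) of mints inside the window
        self.paused = False

    def authorize(self, burn_id, amount, recipient, attestations, now):
        if self.paused:
            return "rejected: bridge paused"
        if burn_id in self.seen:
            return "rejected: burn already used"
        # Count distinct known verifiers whose tag matches this exact claim.
        valid = {v for v, tag in attestations.items() if v in VERIFIER_KEYS
                 and hmac.compare_digest(tag, attest(v, burn_id, amount, recipient))}
        if len(valid) < self.threshold:
            return "rejected: quorum not met"
        # Drop mints that fell out of the rolling window, then test the cap.
        while self.recent and self.recent[0][0] <= now - self.window_s:
            self.recent.popleft()
        if sum(a for _, a in self.recent) + amount > self.window_cap:
            self.paused = True  # fail closed until an operator reviews
            return "rejected: window cap exceeded, bridge paused"
        self.seen.add(burn_id)
        self.recent.append((now, amount))
        return "minted"
```

Because each tag covers the burn id, amount and recipient together, attestations gathered for a small burn cannot be reused to authorize a larger mint.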

Lessons Learned

The Kelp DAO exploit underscores a fundamental shift in attack vectors within the crypto space. As smart contract auditing has matured and on-chain code has become more battle-tested, attackers are pivoting toward the softer targets of off-chain infrastructure. The smart contract code in Kelp DAO’s bridge had been reviewed by auditors and was functioning as designed — the weakness lay entirely in the systems connecting those smart contracts to the real world.

This incident also highlights the danger of trust assumptions in cross-chain architectures. When a bridge relies on a centralized off-chain component to validate state changes, it introduces a single point of failure that undermines the security guarantees of the underlying blockchain. The crypto community must recognize that a protocol’s security is only as strong as its weakest link, and that link is increasingly found in off-chain infrastructure.

User Action Required

If you hold rsETH or any assets tied to the Kelp DAO ecosystem, monitor official channels for updates on recovery efforts and token revaluation. Consider reducing exposure to cross-chain bridge protocols that have not publicly disclosed their off-chain security measures. When evaluating any DeFi protocol, look beyond smart contract audits and assess the security of off-chain components, oracle dependencies, and administrative key management. Use hardware wallets for large holdings and maintain separate wallets for interacting with experimental or recently launched protocols. The February 2025 security landscape — with both the Bybit and Kelp DAO incidents — serves as a stark reminder that vigilance must extend to every layer of the crypto stack.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


15 thoughts on “Kelp DAO Suffers $292 Million Bridge Exploit Through Off-Chain Infrastructure Attack”

  1. 292 million gone because of off-chain infrastructure, not even a smart contract bug. protocols keep ignoring anything outside the EVM and this is what happens

    1. exactly. everyone audits the smart contracts but the relayer infrastructure is just… trusted? after 2022 you'd think we'd learned

    2. minting rsETH without collateral means the relay validation was essentially a database write with no verification. this is not a bridge problem, it's a trust architecture problem

      1. database write with no verification is generous. it was probably a single API endpoint with auth that could be spoofed. off-chain infra is where all the shortcuts live

  2. ETH at $2238 and BTC at $84373 when this hit. market was already fragile from bybit and then $292M more vanishes. bridges are the soft underbelly of defi

    1. Marcus B. market was already fragile from Bybit and Kelp DAO still had no circuit breakers. one week was apparently enough time to do nothing

  3. one week after bybit gets drained for 1.5b and kelp dao still hadn't hardened their off-chain systems. insane

    1. one week after the biggest exchange hack in history and their off chain systems were still soft. no emergency hardening, no circuit breakers. negligence at this point

      1. no circuit breakers, no rate limits on minting. after bybit the entire industry should have been on high alert. kelp dao treating their bridge like a side project

        1. circuit breakers should be mandatory for any bridge over $100M TVL. the fact that it's still optional in 2025 is an industry failure not just a kelp problem

          1. off_chain_ice

            full_send_ after Bybit lost $1.5B every protocol should have implemented rate limits within 48 hours. the fact that bridges are still optional is indefensible at this point

  4. exploit_hunter

    5 stages and 3 pools means this was planned, not opportunistic. the attacker probably spent weeks mapping the relay architecture before pulling the trigger

    1. mapping relay architecture for weeks before executing is state sponsored level prep. these are not random hackers anymore, it's organized infrastructure attacks

  5. 5 stage attack with counterfeit tokens across 3 pools. the sophistication keeps increasing but the root cause is always the same: insufficient input validation on critical paths

  6. off-chain relay compromise is the new attack vector and nobody is ready. every bridge audit focuses on the smart contracts but the actual signing infrastructure is running on some AWS instance with a single API key
