#KelpDAOBridgeHacked


The decentralized finance ecosystem witnessed one of its most severe security failures to date. Kelp DAO, a prominent liquidity restaking protocol, suffered a devastating exploit targeting its rsETH cross-chain bridge. Within minutes, approximately 116,500 rsETH—valued between $292 million and $293 million—was drained, accounting for nearly 18% of the token’s total circulating supply. This incident now stands as the largest DeFi hack recorded in 2026.

The breach originated within Kelp DAO’s bridge infrastructure, which relied on LayerZero’s cross-chain messaging system. Specifically, the attacker exploited the lzReceive function in the EndpointV2 contract. By crafting and injecting a fraudulent cross-chain message, the attacker bypassed verification checks. The system was deceived into recognizing the message as legitimate, triggering the unauthorized release of funds to an attacker-controlled wallet.

What makes the attack particularly concerning is how it leveraged standard protocol behavior rather than a complex vulnerability. Analysts believe that over-reliance on default configurations and insufficient validation layers within the messaging system played a critical role. The attacker’s preparation was also deliberate—the wallet used in the exploit had been funded through Tornado Cash roughly 10 hours prior, a tactic commonly used to obscure transactional origins and hinder traceability.

The cross-chain nature of the bridge amplified the damage. With rsETH deployed across Ethereum mainnet and multiple Layer-2 networks such as Arbitrum, the exploit quickly propagated across ecosystems. This multi-chain exposure significantly increased both the speed and scale of the loss.

Kelp DAO responded swiftly after detecting abnormal activity. The team immediately paused rsETH contracts across mainnet and several Layer-2 environments, effectively preventing further losses that were estimated to exceed $100 million. In their initial statement, they confirmed active collaboration with infrastructure partners, auditors, and security experts to conduct a comprehensive investigation.

Despite the rapid response, the consequences were severe. The exploit triggered widespread panic across DeFi markets, leading to a liquidity crisis. Users rushed to withdraw funds, creating a cascading “bank run” effect. Major lending platforms, including Aave, implemented emergency measures such as market freezes. Approximately $9 billion—around one-third of Aave’s total value locked—was withdrawn in a short span, resulting in an estimated $196 million to $236 million in bad debt.

Other protocols, including SparkLend, Fluid, Upshift, and Morpho, also experienced significant stress. Across the broader ecosystem, total value locked dropped by an estimated $8 billion to $13 billion within 48 hours. The shockwaves extended beyond Ethereum, affecting liquidity pools on other chains, including Solana.

Speculation has emerged regarding potential involvement of the Lazarus Group, a North Korea-linked cybercrime organization known for targeting crypto platforms. While some on-chain indicators suggest possible connections, no official confirmation has been made.

Meanwhile, the attacker has already begun moving funds, swapping portions into ETH across different networks to complicate tracking efforts.

This incident reinforces a long-standing concern within DeFi: cross-chain bridges remain one of the most vulnerable components of blockchain infrastructure. While they enable seamless interoperability, they also introduce critical attack surfaces—particularly when message validation mechanisms are not sufficiently robust.

The Kelp DAO exploit serves as a stark warning. It highlights the urgent need for improved security frameworks, including multi-layer verification systems, stricter validation logic, and better risk management practices. As the investigation continues, the industry now awaits Kelp DAO’s full post-mortem report, which is expected to provide deeper insights into the failure and outline steps to prevent similar incidents in the future.
📌 Detail:
https://www.gate.com/announcements/article/50593
#GateSquare #CreatorCarnival #ContentMining #Gate13周年
Comment
ChuDevil
· 10m ago
Chong Chong GT 🚀
ChuDevil
· 10m ago
Steadfast HODL💎
ChuDevil
· 10m ago
Buy the dip and enter the market 😎
ChuDevil
· 10m ago
Hop in the car!🚗
ChuDevil
· 10m ago
Just charge and you're done 👊