The KelpDAO Exploit: An Institutional Walkthrough of the $294M DeFi Breach
On April 18, 2026, KelpDAO lost approximately $294 million through a bridge hack.
A bridge is essentially a secure tunnel between two different blockchains. When you move tokens from one chain (for example, Unichain) to another (Ethereum), the bridge should lock or burn the tokens on the source chain and release an equivalent amount on the destination chain. In this attack, the tunnel was tricked into releasing real tokens on Ethereum without anything ever being locked or burned on the source chain.
This was not a smart-contract bug. No private keys were stolen in the usual sense. The attacker never touched the code itself.
What the Attack Was and Was Not
The attack was carried out via RPC poisoning, a novel vector that targeted the off-chain servers feeding data into LayerZero’s cross-chain messaging system.
LayerZero is a major cross-chain messaging protocol used by dozens of DeFi projects. It relies on independent verifiers called Decentralized Verifier Networks (DVNs). Think of these DVNs as multiple independent security guards that must all agree before a message is trusted. KelpDAO had configured its rsETH bridge with only a single verifier, exactly the risky setup that LayerZero’s own documentation had long warned against.
The Attack: A Visual Walkthrough
[Phase 1 and Phase 2 diagrams not reproduced here.]
The numbered bubbles (① through ⑩) below correspond to the labels in the Phase 1 and Phase 2 diagrams.
① DDoS + Binary Replace
RPC nodes are the “data pipes” that every blockchain participant (including LayerZero’s verification network) relies on to know what actually happened on another chain. They are not part of the blockchain itself; they are ordinary off-chain servers that simply answer the question: “Did this transaction really occur?”
The attacker compromised two of the RPC nodes that LayerZero’s verifier software depended on and replaced the legitimate software with malicious versions. These poisoned nodes fed false transaction data specifically to the verifier while still serving accurate data to everyone else.
To make sure the verifier had no choice but to trust the bad data, the attacker also launched a DDoS attack that knocked the healthy RPC nodes offline.
② Forged Msg from Unichain
With the verifier reading only poisoned data, the attacker submitted a forged message to LayerZero’s DVN, claiming that 116,500 rsETH had been burned on Unichain and instructing the OFT bridge on Ethereum to release the equivalent tokens from its escrow.
③–⑤ Request → Fake Tx Data → LZ Signed Forged Packet
The verifier asked for proof. The poisoned RPC nodes supplied completely fabricated transaction data. The verifier processed it, and on that basis, generated a cryptographically valid signed confirmation, and passed it to the KelpDAO bridge.
The bridge did exactly what it was programmed to do in response to this signed message.
⑥–⑦ Release & Drain
At 17:35 UTC, the bridge released 116,500 rsETH (≈ $290M at the time) to attacker-controlled wallets. There was never any corresponding deposit or burn on Unichain: the message that tricked the verifier was legitimately signed, but the data behind it was fake.
⑧ Depositing Unbacked Collateral on Aave
The attacker deposited 89,567 of the newly minted (and completely unbacked) rsETH tokens into Aave V3 as collateral.
Aave had introduced an rsETH “E-Mode” that allowed borrowers to draw up to 93% loan-to-value. The attacker borrowed roughly $190M in WETH and wstETH.
What is E-Mode? Introduced in Aave V3, Efficiency Mode (E-Mode) groups price-correlated assets, such as ETH, stETH, wstETH, and rsETH, into shared categories. When a borrower enables E-Mode, the protocol recognizes that their collateral and borrowed asset carry essentially the same price risk, and raises the maximum LTV accordingly. For the ETH-correlated category, Aave set the E-Mode LTV at 93%, unusually aggressive for DeFi lending, where standard LTVs typically cap out at 50–75%.
A quick note on oracles: Price oracles told Aave what rsETH was worth at that moment. What was missing was a Proof of Reserve oracle, an independent check that continuously verifies whether the total supply of a bridged token actually matches the real assets backing it on the source chain. Had this been in place, the sudden 15%+ inflation in rsETH supply would have been caught automatically, or circuit breakers could have been triggered to freeze or delay protocol deposits/withdrawals.
⑨ The Race Against the Pause
Once the initial 116,500 rsETH was in hand, the attacker launched two more drain attempts, each targeting ~40,000 additional rsETH, at approximately 18:26 and 18:28 UTC. KelpDAO’s emergency multisig had already paused the bridge at ~18:21 UTC, forty-six minutes after the first exploit. Both follow-up attempts were blocked by the pause. The window was long enough to allow the initial $190M extraction and just short enough to stop the secondary attempts to generate additional unbacked rsETH.
⑩ Fund Movement and Attribution
LayerZero attributed the attack to Lazarus Group, North Korea’s state-sponsored advanced persistent threat (APT). Within days, the attacker had moved approximately 75,701 ETH (~$175M) into freshly created wallets, routing portions through THORChain, Umbra, Chainflip, and BitTorrent, all protocols with no KYC, no central intermediary, and no protocol-level freeze mechanism on Bitcoin rails. The laundering pattern matched the group’s known playbook: during the $1.4B Bybit hack in 2025, Lazarus converted roughly 83% of stolen ETH into bitcoin through THORChain, and the KelpDAO operation followed the same path. To finish the job, the compromised RPC nodes were engineered to self-destruct post-attack, with the malicious binaries deleting themselves along with logs and configurations, stripping forensic evidence from the infrastructure layer before anyone could inspect them.
Three days after the exploit, Arbitrum’s Security Council executed an unprecedented recovery. It temporarily upgraded the protocol and moved ~$71M of stolen ETH to a DAO wallet, the first time an Ethereum Layer 2 had unilaterally reversed a fraudulent transaction.
The Laundering Path: Why Aave Was Part of the Plan
Depositing fraudulent rsETH into Aave and borrowing at 93% LTV was not incidental; it was structural to the laundering plan. Raw stolen tokens are traceable. Borrowed WETH from a major lending protocol is not. The attacker turned an obviously tainted asset into clean, spendable capital that looked like any other legitimate loan. Aave is the largest lending protocol, but the attacker also tried to borrow against other protocols. Others, such as Compound and Euler, quickly stopped accepting rsETH as loan collateral once they became aware of the attack.
The Cascading Effect on KelpDAO and LayerZero
The direct loss was $294M. The systemic damage was broader.
- KelpDAO: 112,204 rsETH (≈15% of total supply) became unbacked. Every rsETH holder was diluted.
- LayerZero: The protocol worked as designed, but its single-verifier configuration proved to be a fatal single point of failure. LayerZero has since announced it will no longer support single-DVN setups.
- Aave: ≈$195M in bad debt remains on the books. DeFi United, a coordinated cross-protocol relief fund launched by Aave service providers on April 23, has raised approximately 100,000 ETH, meeting its target, with contributions from a wide variety of DeFi participants and others. Aave’s Umbrella backstop (a self-insurance fund), DAO treasury, and the DeFi United fund will likely cover most of the losses. However, Aave needs to determine exactly how this will be accommodated over the next several weeks.
A Layer 2 First: Arbitrum Security Council Freezes Attacker Funds
Three days after the exploit, Arbitrum’s Security Council did something that had never been done before on a major Layer 2: it unilaterally froze and recovered stolen funds.
On April 21 at 03:26 AM UTC, the 9-of-12 Arbitrum Security Council multisig executed an emergency upgrade to the Delayed Inbox contract on Ethereum mainnet. The technical sequence was precise: upgrade the inbox, add a function capable of impersonating any L1 address, use it to transfer the attacker’s 30,765.67 ETH (~$71M) to a governance-controlled address (0xdead), then revert the inbox back to its original implementation. The funds now sit in a wallet that can only be accessed through a future Arbitrum governance vote.
The mechanism was atomic and surgical. No other Arbitrum users or applications were affected. The council said it acted on input from law enforcement regarding the attacker’s identity.
The precedent is significant. Before April 21, the orthodox view in DeFi was that Layer 2 networks, designed to be more censorship-resistant and decentralized than their L1 parent, could not reverse transactions. Arbitrum just demonstrated that the Security Council can, in fact, upgrade core L1/L2 infrastructure contracts to allow impersonation of any address interacting with that infrastructure, and redirect funds. Whether that is a feature or a bug depends entirely on who controls the council and for whose benefit it is exercised. After the confiscation, the Security Council downgraded the code to restore normal operations.
The Arbitrum forum post raised the right questions: what prevents that “impersonate any address” function from being re-added later for different purposes? Is there a formal scope framework defining when this power is appropriate? There is currently no public framework; only the council’s word that it acted proportionally and with law enforcement input.
Regardless of the governance concerns, the outcome of this action for KelpDAO and Aave is tangible: approximately 25% of the stolen funds have been recovered. Combined with the DeFi United fund offsetting the remaining losses, this coordinated response across on-chain governance, decentralized recovery funds, and law enforcement represents a potential new playbook for how DeFi handles large-scale exploits in the future.
How This Hack Could Have Been Prevented
DeFi protocols assume the full stack of risk for any collateral they onboard. This is not always made explicit, but it is the operational reality: a lending protocol accepting a token as collateral assumes not just the smart contract risk of that token, but the operational risk of every infrastructure dependency that token relies on. A protocol will only be as strong as the weakest link in its dependency chain.
Prior to onboarding any collateral, a comprehensive risk assessment is not optional; it is a structural necessity. Based on firsthand experience building these frameworks at MakerDAO’s Collateral Onboarding Core Unit, a thorough assessment must cover:
- Smart contract review: Does the token follow applicable standards? Are the contract logic and permissioning sound?
- Governance risk: What powers does the token’s governance have? Can it upgrade contracts, mint new tokens, change supply mechanics, or alter oracle dependencies without notice? Governance risk is often underestimated and has been the root cause of multiple major DeFi losses.
- Bridge and cross-chain dependency analysis: What infrastructure does the token depend on to maintain its peg and supply integrity? A single-verifier bridge configuration should disqualify a restaked or bridged token from high-LTV collateral onboarding until redundancy is added.
- Oracle risk: The distinction between a price oracle and a supply oracle is critical. A price oracle tells you what a token is worth. A Proof of Reserve oracle tells you whether the token’s reported supply is actually backed. Without the latter, an attacker can inflate supply and borrow against phantom collateral indefinitely.
Ideally this assessment should be shared widely and produced collaboratively with security and other technical specialists. At MakerDAO every assessment was published and DAO members were encouraged to provide input. Whilst this may lead to slower onboarding, a transparent and open process for risk assessment resulted, I believe, in better-quality assets being onboarded and in catastrophic losses being avoided or minimized.
Beyond collateral onboarding standards, the KelpDAO exploit also reveals a more fundamental vulnerability: the infrastructure layer that DeFi protocols depend on for data integrity is far less hardened than the on-chain logic itself.
Securing the Data Layer
The attack vector was an RPC node compromise. The lesson is that RPC infrastructure is not a commodity pipe; it is a security-critical component that must be treated as such.
Several safeguards reduce the probability and impact of RPC-based attacks:
- Run your own full nodes: A self-operated full node, synced against the honest chain, serves as a reference point for verifying state. Even as a secondary check rather than the primary RPC provider, it can detect divergences that poisoned third-party nodes would not expose.
- Multi-provider state root verification: Compare state root responses across at least three independent RPC providers using different client implementations (e.g., Geth, Nethermind, Reth). Divergence in account balances or state commitments at the same block height is an immediate alert. Research has demonstrated that even minor inconsistencies between client implementations can be exploited.
- Binary integrity verification: Where possible, require that node infrastructure operators publish cryptographically verifiable provenance for their builds using frameworks like SLSA (Supply-chain Levels for Software Artifacts). At minimum, verify checksums against official releases before deploying any node software.
- Multi-DVN configuration: LayerZero’s own documentation warned against single-verifier setups. Protocols relying on cross-chain messaging must enforce multi-DVN configurations as a minimum standard, not an optional feature.
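As an added illustration of the own-node and multi-provider checks above (example code, not from the article, LayerZero or KelpDAO), the following Python cross-checks one block's stateRoot across several RPC providers and refuses to proceed on divergence, poor client diversity, or too few reachable providers. The provider names, client labels and eth_getBlockByNumber-style responses are constructed; a real deployment would fill the dict from live JSON-RPC calls to each endpoint.

```python
# Added example (not code from the article or from LayerZero/KelpDAO).
from collections import Counter
from typing import Dict, Optional

# Constructed eth_getBlockByNumber-style results for one block height, keyed by
# provider. Hashes are made up; "provider-c" plays the poisoned RPC node and
# a value of None for a provider means it was unreachable (e.g. under DDoS).
SAMPLE_RESPONSES: Dict[str, Optional[dict]] = {
    "self-hosted": {"client": "geth", "number": "0x1a2b3c", "stateRoot": "0xaaa1"},
    "provider-a": {"client": "nethermind", "number": "0x1a2b3c", "stateRoot": "0xaaa1"},
    "provider-b": {"client": "reth", "number": "0x1a2b3c", "stateRoot": "0xaaa1"},
    "provider-c": {"client": "geth", "number": "0x1a2b3c", "stateRoot": "0xbbb2"},
}


def verify_state_root(responses: Dict[str, Optional[dict]],
                      reference: Optional[str] = "self-hosted",
                      min_providers: int = 3, min_clients: int = 2) -> dict:
    """Cross-check stateRoot for one height across providers.

    Returns {"ok", "root", "divergent", "reason"}. The verdict is "ok" only when
    every reachable provider agrees; any divergence, too few reachable providers
    or too little client diversity is surfaced as an alert instead of silently
    taking a majority vote (a majority of poisoned nodes is exactly the attack).
    """
    def verdict(ok, root=None, divergent=(), reason=""):
        return {"ok": ok, "root": root, "divergent": sorted(divergent), "reason": reason}

    live = {p: r for p, r in responses.items() if r is not None}
    if len(live) < min_providers:
        return verdict(False, reason=f"only {len(live)} providers reachable")
    if len({r["number"] for r in live.values()}) != 1:
        return verdict(False, reason="providers answered for different heights")
    if len({r["client"] for r in live.values()}) < min_clients:
        return verdict(False, reason="insufficient client diversity")

    counts = Counter(r["stateRoot"] for r in live.values())
    root, _ = counts.most_common(1)[0]
    divergent = [p for p, r in live.items() if r["stateRoot"] != root]
    if reference in live and live[reference]["stateRoot"] != root:
        # The operator's own full node disagrees with the third parties:
        # trust neither side until a human has looked at it.
        others = [p for p in live if p != reference]
        return verdict(False, root, others, "majority disagrees with own node")
    if divergent:
        return verdict(False, root, divergent, "state root divergence")
    return verdict(True, root, [], "all providers agree")
```

With the two healthy third-party providers marked unreachable, the check fails on provider count rather than accepting the poisoned node, which is the situation step ① was engineered to create.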
Lending Protocol Resilience
No risk assessment is complete. Even with rigorous collateral onboarding, sophisticated attacks will occasionally succeed. The question then becomes: can the protocol limit damage?
- Deposit caps and time locks: Restrict the amount of any single collateral that can be deposited within a given time window. This caps the maximum extractable value even if unbacked collateral enters the system.
- Oracle-triggered circuit breakers: Automated pauses triggered by anomalous conditions: a sudden supply inflation above a defined threshold, a divergence between price oracle and Proof of Reserve oracle readings, or a cross-chain messaging failure. These buy time for human review before losses accumulate.
- Proof of Reserve feeds: For any bridged or restaked asset, require continuous on-chain verification that reported supply matches actual backing. Chainlink PoR or equivalent should be treated as mandatory for any LTV above 50% on non-native collateral.
- Sub-15-minute pause capability: KelpDAO’s pause came 46 minutes after the exploit began. Protocols holding material TVL should have emergency multisig controls that can pause within minutes, not hours.
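To show how the deposit cap and the Proof of Reserve circuit breaker above interact, here is an added Python simulation (not Aave's or KelpDAO's code) that replays the article's figures: 116,500 rsETH released with no burn on the source chain, then 89,567 rsETH deposited as collateral. The 750,000 rsETH backing, the 5% inflation threshold and the 20,000-per-hour deposit cap are constructed assumptions.

```python
# Added example (not Aave's or KelpDAO's code); thresholds are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CollateralGuard:
    """Two independent guards for one bridged or restaked collateral asset."""
    max_inflation: float = 0.05        # assumed: pause if supply exceeds PoR backing by >5%
    cap_per_window: float = 20_000.0   # assumed: max deposits per rolling window (tokens)
    window_seconds: int = 3600
    paused: bool = False
    deposits: List[Tuple[int, float]] = field(default_factory=list)

    def check_reserves(self, reported_supply: float, por_backing: float) -> float:
        """Compare bridged supply with the Proof of Reserve reading; trip the breaker on excess."""
        inflation = reported_supply / por_backing - 1.0
        if inflation > self.max_inflation:
            self.paused = True
        return inflation

    def try_deposit(self, ts: int, amount: float) -> Tuple[bool, str]:
        """Accept a deposit only while unpaused and within the rolling-window cap."""
        if self.paused:
            return False, "paused: supply exceeds proof-of-reserve backing"
        recent = sum(a for t, a in self.deposits if ts - t < self.window_seconds)
        if recent + amount > self.cap_per_window:
            return False, f"deposit cap: {recent + amount:,.0f} > {self.cap_per_window:,.0f} per window"
        self.deposits.append((ts, amount))
        return True, "accepted"


def run_scenario() -> dict:
    """Replay the article's numbers against a guard with PoR and one with only a cap."""
    backing = 750_000.0        # constructed: rsETH actually backed on the source chain
    released = 116_500.0       # from the article: released on Ethereum with no burn on Unichain
    t0 = 1_776_533_700         # epoch seconds for 2026-04-18 17:35 UTC
    with_por = CollateralGuard()
    inflation = with_por.check_reserves(backing + released, backing)   # ~15.5% over backing
    por_result = with_por.try_deposit(t0, 89_567.0)                     # blocked: breaker tripped
    # Without a PoR feed the breaker never trips, so only the window cap limits the damage.
    cap_only = CollateralGuard()
    cap_result = cap_only.try_deposit(t0, 89_567.0)                     # blocked by the cap
    small_ok = cap_only.try_deposit(t0 + 60, 15_000.0)                  # accepted
    small_again = cap_only.try_deposit(t0 + 120, 15_000.0)              # 30,000 in window: blocked
    return {"inflation": round(inflation, 4), "por_blocked": not por_result[0],
            "cap_blocked": not cap_result[0],
            "first_small": small_ok[0], "second_small": small_again[0]}
```

The PoR guard stops the whole deposit because supply inflation of about 15% is visible on the feed; the cap-only guard cannot see the inflation but still bounds what any single hour can admit.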
The goal is not to eliminate all risk; it is to ensure that a single point of failure in any critical dependency cannot create catastrophic and cascading losses.
Risk Management in DeFi: The Institutional Imperative
Previously as a core contributor to MakerDAO’s Collateral Onboarding Core Unit, I was responsible for assessing the technical, economic, and protocol-level risks of new collateral. During a time where cross-chain bridges were less prevalent, when restaking did not exist, and when the DeFi attack surface was considerably narrower, this attack hits differently. The DeFi threat landscape has expanded faster than most risk frameworks have kept pace with. Bridges, restaked assets, and multi-chain composability have introduced infrastructure dependencies that the early DeFi collateral onboarding models simply didn’t account for. Staying ahead of these evolving risks requires not just technical expertise in smart contracts and cryptography, but a continuous operational security posture that anticipates what might come down the pipeline next.
DeFi composability is a two-way risk channel. When you deposit into a lending protocol, you inherit the security posture of every bridge, oracle, and data pipe it depends on. Aave’s contracts were flawless. KelpDAO’s bridge failure is what created Aave’s bad debt.
If a single compromised data pipe can create $230M of unbacked collateral in a major lending protocol and a severe loss in customer credibility, what other invisible dependencies are sitting in your portfolio right now?
The KelpDAO exploit does not mean DeFi is unsafe for institutions. It means the bar for safe institutional participation just got raised, permanently. The standards that were acceptable in 2024 are no longer acceptable in 2026. This attack drew the line in the sand.
Current Status (as of April 26, 2026)
Recovery efforts are underway via the Aave DAO treasury ($181M), the Umbrella backstop ($54M), and the remaining rsETH at the adapter. Legal proceedings and fund tracking continue. With the DeFi United funding, all losses should be covered. However, notwithstanding that immediate losses have been covered, Aave and other similar protocols saw a large exit of TVL due to cascading risk concerns, and many now recognize the importance of a comprehensive risk management approach to the DeFi “stack” if they are to attract institutional and new investors to DeFi.