Key Insights
- Loss in USD: 116,500 rsETH (worth $292 million) was stolen on April 18, 2026.
- Method Used: Hackers attacked the infrastructure – Remote Procedure Call (RPC) nodes.
- Who is Responsible? The forensic findings indicate that the Lazarus Group from North Korea committed the hack.
- How did it Happen? The hackers breached RPC nodes inside the network and carried out a DDoS attack to force the system to fail over to the compromised environment.
- Spread: The stolen tokens were used as collateral in Aave, leaving close to $200 million in debt without real collateral.
- Response: The Arbitrum Security Council and SEAL 911 were able to freeze more than 30,000 ETH.
The Phantom Burn: $292M Gone in Minutes
On April 18, 2026, the world of decentralized finance experienced its biggest hack of the year. The attack on Kelp DAO, a top liquid restaking platform, was a poisoning attack that circumvented smart contract security. Rather than exploiting a software vulnerability of the kind attackers usually target, it went after the “data plumbing” that cross-chain bridges use to synchronize blockchain states.
The attack exploited the Kelp DAO bridge adapter, which uses LayerZero messages. At 17:35 UTC, 116,500 rsETH was paid to an attacker’s address on Ethereum. The release was in response to a message stating that tokens had been burned on the source chain, Unichain. No such burn occurred. The bridge contract did what it was meant to do: it received a verified message and paid out money. The problem was that the verification was not done properly.
The 1-of-1 Verifier is not infallible
The issue is with Kelp DAO’s “1-of-1” Decentralized Verifier Network (DVN) setup, which means that only LayerZero Labs was signing instructions. LayerZero allows for a multi-verifier model, but Kelp DAO chose a single verifier. According to security experts, this presented a single point of failure. By targeting the data sources used by that verifier, the hackers produced an echo chamber of misinformation that a multi-DVN system would likely have filtered out.
Breaking it down: RPC Spinning and DDoS Timing
The attack suggests a well-organised threat actor. The hackers didn’t steal keys or look for vulnerabilities in smart contracts. Rather, they conducted a multi-step attack on the data feed of LayerZero’s DVN.
Phase 1: Node Compromise
The attackers accessed the RPC nodes used by the DVN to validate state on the source chain. They took control of two separate internal nodes and replaced the software with spoofing variants. These nodes provided legitimate data for all queries but spoofed burn events for the attacker’s transactions.
Phase 2: DDoS and Failover
Anticipating the DVN would cross-check data with healthy nodes, the hackers initiated a large-scale Distributed Denial of Service (DDoS) attack on external nodes. The DVN’s failover mechanisms kicked in to read from the only two remaining sources: the two corrupted nodes. With the DVN reading only from a poisoned environment, it accepted the false burn and signed the message. This enabled the Ethereum bridge to unlock the $292 million in rsETH.
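The failover weakness described above, and the single point of failure in the 1-of-1 setup, can be modelled in a few lines. This is an added example, not LayerZero or Kelp DAO code: the endpoint names, operator labels, thresholds and readings are constructed, and only the 116,500 rsETH figure comes from the article. It contrasts a verifier that trusts whatever sources remain reachable with one that fails closed when too few independent sources answer.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Reading:
    source: str                 # RPC endpoint label (hypothetical)
    operator: str               # party that runs the endpoint
    burn_amount: Optional[int]  # None = unreachable; 0 = no burn event seen

def failover_attest(readings, claimed):
    """Weak model: trust whatever is still reachable, however few sources remain."""
    live = [r for r in readings if r.burn_amount is not None]
    return "SIGN" if live and all(r.burn_amount == claimed for r in live) else "REFUSE"

def quorum_attest(readings, claimed, min_sources=3, min_operators=2):
    """Fail closed: require enough reachable sources run by distinct operators."""
    live = [r for r in readings if r.burn_amount is not None]
    if len(live) < min_sources or len({r.operator for r in live}) < min_operators:
        return "REFUSE_NO_QUORUM"     # an outage shrinks the view: stop, do not sign
    if any(r.burn_amount != claimed for r in live):
        return "REFUSE_DISAGREEMENT"  # one dissenting source is enough to halt
    return "SIGN"

CLAIMED = 116_500  # rsETH amount in the forged message, from the article

def scenario(internal, external):
    """Constructed readings: two internal nodes plus three external providers."""
    rows = [Reading(f"internal-{i}", "internal", internal) for i in (1, 2)]
    rows += [Reading(f"external-{p}", f"provider-{p}", external) for p in "abc"]
    return rows

ATTACK = scenario(internal=CLAIMED, external=None)      # spoofed nodes + DDoS
NO_DDOS = scenario(internal=CLAIMED, external=0)        # spoofed nodes, externals up
GENUINE = scenario(internal=CLAIMED, external=CLAIMED)  # a real burn

if __name__ == "__main__":
    for name, rows in [("attack", ATTACK), ("no_ddos", NO_DDOS), ("genuine", GENUINE)]:
        print(name, failover_attest(rows, CLAIMED), quorum_attest(rows, CLAIMED))
```

In the attack scenario the failover model signs because the only reachable sources agree with each other, while the quorum model refuses because both of them belong to one operator.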
The Ripple Effect: Aave’s Debt Problem
The effects were not limited to rsETH. As a liquid restaking token, rsETH is widely used as collateral, and the hackers immediately began to extract additional value. Shortly after the tokens were released, the attackers deposited the unbacked rsETH into Aave V3 as collateral. The market still treated rsETH as a 1:1 staked Ethereum (ETH) token at the time, and the attacker borrowed about $195 million of Wrapped Ether (WETH) and stablecoins.
This turned tokens that didn’t exist into assets with high liquidity. Aave’s liquidity pools were left with an enormous hole when the contracts were paused. Analysts in the industry estimate that Aave will be left with more than $170 million in bad debt, depending on the price of the remaining rsETH.
Context: Evolution of Infrastructure Exploits
The Kelp DAO attack comes hot on the heels of a $285 million Drift Protocol exploit earlier this month. Cybersecurity companies report changes in Lazarus Group operations. As smart contract audits get better, hackers are turning to the infrastructure and RPC providers that protocols trust.
A “he said, she said” dispute has played out between Kelp DAO and LayerZero. LayerZero claims they recommended a multi-DVN setup. Kelp DAO has claimed they implemented the default quickstart guides in LayerZero’s documentation.
Recovery and Future Outlook
By late April, the Arbitrum Security Council had locked up $75 million in related accounts. SEAL 911 has helped facilitate pauses on ten L2 chains to prevent a further $95 million loss. But blockchain monitoring indicates that 75,000 ETH has been withdrawn via THORChain, making it unrecoverable.
The attack highlights that DeFi can only be as secure as its most centralised data source. The lesson for the industry is to move away from 1-of-1 verifier systems and towards multi-provider consensus.
Frequently Asked Questions
What happened in the $292 million Kelp DAO bridge exploit?
Attackers reportedly exploited vulnerabilities in the Kelp DAO bridge system, leading to losses worth around $292 million.
How was the Kelp DAO bridge exploit possible?
The breach was allegedly caused by smart contract or bridge security weaknesses that hackers were able to manipulate.
Disclaimer: BFM Times acts as a source of information for knowledge purposes and does not claim to be a financial advisor. Kindly consult your financial advisor before investing.