Crypto World
Kelp DAO exploited for $292 million
Network News
KELP DAO EXPLOIT: A cross-chain bridge holding nearly a fifth of a restaked ether token’s circulating supply just got drained, and the fallout is moving through DeFi faster than Kelp DAO can pause contracts. An attacker drained 116,500 rsETH (restaked ether) from Kelp DAO’s LayerZero-powered bridge at 17:35 UTC over the weekend, worth roughly $292 million at current prices and representing about 18% of rsETH’s 630,000 token circulating supply tracked by CoinGecko. LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send verified instructions to each other. Kelp DAO is a liquid restaking protocol, which takes user-deposited ETH, routes it through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and issues rsETH as a tradeable receipt. The bridge that was drained held the rsETH reserve backing wrapped versions of the token deployed on more than 20 other blockchains. The attacker tricked LayerZero’s cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address. Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC both reverted, each carrying the same LayerZero packet attempting another 40,000 rsETH drain worth roughly $100 million. — Shaurya Malwa
NORTH KOREA CRYPTO HEIST PLAYBOOK: Less than three weeks after North Korea-linked hackers used social engineering to hit crypto trading firm Drift, hackers tied to the nation appear to have pulled off another major exploit with Kelp. The attack on Kelp, a restaking protocol tied into LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate, not just looking for bugs or stolen credentials, but exploiting the basic assumptions built into decentralized systems. Taken together, the two incidents point to something more organized than a string of one-off hacks, as North Korea continues to escalate its efforts to hijack funds from the crypto sector. “This is not a series of incidents; it is a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You cannot patch your way out of a procurement schedule.” More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks. At its core, the Kelp exploit did not involve breaking encryption or cracking keys. The system actually worked the way it was designed to. Rather, attackers manipulated the data feeding into the system and forced it to rely on those compromised inputs, causing it to approve transactions that never actually occurred. — Margaux Nijkerk
AAVE AFFECTED BY KELP DAO HACK: An attacker exploited that setup by forging a transfer message that appeared valid. The system approved the transfer even though the tokens were never taken out of the sending chain, meaning new tokens were effectively created without backing, releasing 116,500 rsETH from the Ethereum-side bridge. Rather than selling the assets on the open market, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in ETH and related assets across Ethereum and Arbitrum, according to the report. This left Aave exposed to collateral whose backing may be significantly impaired. Aave Labs said it moved quickly to contain the risk. Within hours, the protocol froze rsETH markets across its deployments, set loan-to-value ratios to zero, and halted new borrowing against the asset. The outcome now depends largely on how Kelp handles the shortfall. If losses are spread across all rsETH holders, the token would face an estimated 15% depegging (meaning the value of the staked tokens would not match the value of actual ETH), resulting in about $124 million in bad debt for Aave. If losses are instead isolated to Layer 2 networks, the impact would be far more severe, with bad debt rising to roughly $230 million and concentrated on networks such as Arbitrum and Mantle. — Margaux Nijkerk
COINBASE COMMISSIONS PAPER ON QUANTUM COMPUTING RISKS: A new report commissioned by Coinbase sounds a cautious, but urgent, alarm: Quantum computing won’t break crypto tomorrow, but the industry can’t afford to wait. The 50-page paper, authored by an independent advisory board that includes prominent cryptographers and academics like Dan Boneh of Stanford University, Justin Drake of the Ethereum Foundation and Sreeram Kannan of Eigen Labs, concludes that while today’s blockchains remain secure, a future “fault-tolerant quantum computer” capable of breaking widely used encryption is increasingly plausible, and preparation must begin now. In recent months, concerns around quantum risk have moved further into the mainstream. Google researchers have published estimates suggesting that a sufficiently advanced quantum computer could one day break Bitcoin’s cryptography. Major crypto ecosystems have already started mapping out their responses. The Ethereum Foundation has proposed new types of digital signatures that are designed to be safe against quantum computers, while Solana and others are experimenting with quantum-resistant wallet designs. The report stresses that current quantum machines are far from powerful enough to crack the cryptography underpinning Bitcoin, Ethereum and other networks. Breaking standard encryption would require vast computational overhead, a milestone still considered a major engineering challenge. — Margaux Nijkerk
In Other News
- A chunk of the Kelp DAO haul is no longer going anywhere. Arbitrum’s Security Council froze 30,766 ETH worth roughly $71 million on Monday night, moving funds linked to Saturday’s $292 million rsETH exploit into an intermediary wallet that can only be accessed through further Arbitrum governance action. The council said it acted on law enforcement’s input regarding the exploiter’s identity and executed the freeze “without impacting any Arbitrum users or applications.” The transfer completed at 11:26 p.m. ET on April 20, according to Arbitrum’s statement on X. The stolen funds are no longer under the control of the address that originally held them. — Shaurya Malwa
- A Polymarket contract on whether Kelp DAO will spread the losses from the weekend’s $292 million exploit beyond those directly affected is pointing to a clear answer: probably not. Bettors are giving a 14% chance that Kelp will “socialize the losses,” or implement a mechanism forcing rsETH holders on Ethereum, which wasn’t hit, to share the pain of users on other chains. The attackers drained roughly 116,500 rsETH from a LayerZero-powered bridge that held the reserves backing the token across more than 20 blockchains. That left parts of the system undercollateralized, with some holders effectively owning tokens no longer fully backed by ether (ETH). “Socializing the losses” would mean Kelp redistributes the shortfall across all rsETH holders, including those on the Ethereum mainnet, rather than leaving losses concentrated among users and protocols tied to the compromised bridge. The most widely cited precedent of this approach came in 2016, when Bitfinex imposed losses on all users after a $60 million hack, effectively mutualizing the hit to avoid shutting down. — Sam Reynolds
Regulatory and Policy
- April appears to be a lost cause for the crypto Clarity Act, but a U.S. Senate committee hearing sometime in May could keep the critical market structure legislation alive, as long as it can reach a final vote of the overall Senate by July, according to lobbyists and a lawmaker aide focusing on the market structure bill’s sluggish progress. The legislative calendar is running out of room for this year, but a Senate aide told CoinDesk that a potential new delay of a couple of weeks — allowing Republican Senator Thom Tillis to finish discussions with bankers over stablecoin-yield concerns — is not yet pushing this work past the point of no return. The aide also said that earlier negotiations over decentralized finance (DeFi) protections are effectively settled, leaving few other impediments in the way of a committee approval. One of the chief problems the crypto industry faces (if it can leap the stubborn hurdle of the banking sector’s objections about stablecoin rewards) is that the Senate Banking Committee hearing that the bill needs to clear would be only a first step of many. — Jesse Hamilton
- Tron creator Justin Sun sued World Liberty Financial, the stablecoin and crypto firm backed by members of U.S. President Donald Trump’s family, on Tuesday, alleging that the project had unfairly locked up his $WLFI holdings, made fraudulent misrepresentations, and threatened and defamed Sun. The lawsuit, which includes a line about Sun’s support for Trump himself, alleged that World Liberty’s leadership had engaged “in an illegal scheme to seize property” in the form of Sun’s tokens, which Sun alleged he had purchased after being solicited by the World Liberty team in 2024. “At that pivotal time for World Liberty, Mr. Sun invested $45 million to purchase $WLFI tokens from World Liberty not only because of the project’s claims that it would promote adoption of decentralized finance — an issue Mr. Sun cares deeply about and to which he has devoted much of his life’s work — but also because of the Trump family’s association with the project,” the suit said. — Nikhilesh De & Sam Reynolds
Calendar
- May 5-7, 2026: Consensus, Miami
- June 2-3, 2026: Proof of Talk, Paris
- June 8-10, 2026: ETHConf, New York
- Sept. 29-Oct. 1, 2026: Korea Blockchain Week, Seoul
- Oct. 7-8, 2026: Token2049, Singapore
- Nov. 3-6, 2026: Devcon, Mumbai
- Nov. 15-17, 2026: Solana Breakpoint, London