Kelp DAO Hack 2026 — $292M Exploit Analysis

Attackers forged LayerZero cross-chain messages by compromising RPC infrastructure, releasing 116,500 rsETH ($292M) from Kelp DAO's Ethereum contract.

Details

Full Description

On April 18 2026, Kelp DAO suffered a $292M exploit targeting its LayerZero-based cross-chain bridge between Ethereum and Unichain. Attackers compromised Kelp's internal RPC nodes and simultaneously DDoS'd external nodes to control the data fed to LayerZero's 1-of-1 DVN (Decentralized Verification Network) verification setup. By controlling the verification node, they forged a cross-chain message claiming that 116,500 rsETH had been burned on Unichain — no actual burn occurred. The Ethereum-side bridge contract, trusting the forged verification, released 116,500 rsETH valued at approximately $292M to the attacker. A follow-up attempt to drain an additional 40,000 rsETH ($95M) was blocked after Kelp's team paused contracts. Attribution to Lazarus Group / DPRK was confirmed by Chainalysis on April 23 2026.

Laundering Analysis

Attackers used the stolen rsETH as collateral on Aave (both Ethereum and Arbitrum instances) to borrow over $236M in ETH/WETH. On April 20 2026, the Arbitrum Security Council froze 30,766 ETH following coordination with law enforcement. The remaining funds were moved through various DeFi protocols. The Chainalysis April 23 report confirmed DPRK attribution based on on-chain behavioral fingerprints and wallet clustering.

Sources

Related Hacks

Back to Browse