Kelp DAO Hack 2026 — $292M Exploit Analysis

Kelp DAO's LayerZero bridge was exploited via compromised RPC nodes, allowing forged cross-chain messages that drained $292M.

Details

Full Description

On April 19, 2026, Kelp DAO experienced a catastrophic exploit of its LayerZero cross-chain bridge. Attackers compromised multiple RPC nodes used by the bridge's validation layer, enabling them to forge cross-chain messages that appeared legitimate. These forged messages authorized the minting and withdrawal of unbacked assets on Ethereum, resulting in approximately $292 million in losses. The exploit highlighted critical vulnerabilities in bridge reliance on third-party RPC infrastructure. Kelp DAO halted all bridge operations and is undergoing a full security overhaul.

Laundering Analysis

The $292M in stolen assets was primarily swapped for ETH and stablecoins on Ethereum DEXs. The attackers used multiple layers of obfuscation, including Tornado Cash mixing and bridging to Bitcoin via THORChain and renBTC wrappers. A portion was deposited into decentralized exchanges and lending protocols to generate yield while laundering. Major CEXes including Binance, OKX, and Bybit have been alerted, but given the scale and speed, minimal freezing has occurred. Kelp DAO is offering a bounty for information leading to recovery.

Sources

Related Hacks

Back to Browse