KelpDAO Bridge Exploit (April 2026)

[AI-DRAFTED · AWAITING VERIFICATION]

Summary

On April 18, 2026, attackers drained 116,500 rsETH (approximately $292–294 million) from KelpDAO's LayerZero-powered cross-chain bridge, making it the largest DeFi exploit of 2026. The attack exploited a single-DVN (Decentralized Verifier Network) configuration by compromising RPC nodes and using a DDoS to force failover to poisoned infrastructure, tricking the bridge verifier into approving a phantom token release. The operation has been attributed with preliminary confidence to North Korea's Lazarus Group, specifically the TraderTraitor subunit, and triggered systemic contagion across at least 9 DeFi protocols and 20+ chains, including a major liquidity crisis on Aave.
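The single-DVN weakness described above can be checked for in configuration review. The following is an added example, not code from KelpDAO or LayerZero: it computes how many distinct verifiers must attest a message on each pathway and flags any pathway where that number is below two. Field names are modelled on LayerZero V2's `UlnConfig` struct; the pathway names and DVN addresses are constructed placeholders, and the input is assumed to be the already-resolved (effective) configuration.

```python
from dataclasses import dataclass, field

@dataclass
class UlnConfig:
    # Resolved per-pathway verifier settings (assumed input shape).
    confirmations: int
    required_dvns: list = field(default_factory=list)
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def effective_quorum(cfg):
    """Minimum number of DISTINCT verifiers that must sign off on a message."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns}
    threshold = min(cfg.optional_threshold, len(optional))
    # An optional DVN that is also a required DVN adds no independent check,
    # so the threshold is first "used up" by the overlapping entries.
    overlap = len(required & optional)
    return len(required) + max(0, threshold - overlap)

def audit(pathways, min_quorum=2):
    """Return (pathway, quorum, reason) for every pathway below min_quorum."""
    findings = []
    for name, cfg in sorted(pathways.items()):
        quorum = effective_quorum(cfg)
        if quorum == 0:
            findings.append((name, quorum, "no verifier required"))
        elif quorum < min_quorum:
            findings.append((name, quorum, "single point of verification"))
    return findings

# Constructed sample configurations (placeholder addresses, not real DVNs).
SAMPLE = {
    "pathway-A": UlnConfig(15, ["0xDVN_A"]),                        # 1-of-1
    "pathway-B": UlnConfig(15, ["0xDVN_A"], ["0xdvn_a", "0xDVN_B"], 1),
    "pathway-C": UlnConfig(15, ["0xDVN_A", "0xDVN_B"],
                           ["0xDVN_C", "0xDVN_D"], 1),
}

if __name__ == "__main__":
    for name, quorum, reason in audit(SAMPLE):
        print(f"{name}: quorum={quorum} ({reason})")
```

Pathway B shows why counting list entries is not enough: it lists three DVN entries, but the optional threshold can be met by the same verifier that is already required, so one compromised verifier still suffices.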

Timeline (14 events)

2026-04-18

The attack is executed at approximately 17:35 UTC. Attackers compromise KelpDAO's LayerZero bridge via poisoned RPC nodes, draining 116,500 rsETH (approximately $292 million). The DDoS against external nodes ran from approximately 10:20 to 11:40 a.m. Pacific Time to force failover to the attacker-controlled infrastructure.

CoinDesk, LayerZero Incident Statement

2026-04-18

Attacker deposits 89,567 stolen rsETH into Aave as collateral and borrows approximately $190.86 million in wrapped ETH before the asset is frozen.

CoinDesk, Aave Governance Forum

2026-04-18

KelpDAO's emergency pauser multisig freezes core contracts at 18:21 UTC, approximately 46 minutes after the exploit. Two follow-up drain attempts by the attacker at 18:26 and 18:28 UTC are blocked. Aave Guardian freezes rsETH markets at approximately 18:52 UTC.

CoinDesk

2026-04-18

KelpDAO publicly acknowledges the incident at approximately 20:10 UTC, roughly 3 hours after the initial drain.

CoinDesk

2026-04-20

Arbitrum Security Council freezes 30,766 ETH (approximately $71 million) attributable to the attacker on the Arbitrum network.

Unchained Crypto

2026-04-20

LayerZero releases a statement attributing the exploit to KelpDAO's 1-of-1 DVN configuration and linking the attack with preliminary confidence to North Korea's Lazarus Group / TraderTraitor subunit. KelpDAO disputes LayerZero's characterization and alleges LayerZero's default settings were responsible.

CoinDesk

2026-04-21

Chainalysis publishes on-chain analysis of the KelpDAO bridge exploit, consistent with TraderTraitor/Lazarus Group attribution.

Chainalysis

2026-04-23

Aave begins rallying DeFi ecosystem partners to contain fallout; DeFi United coalition begins forming.

CoinDesk

2026-04-30

U.S. District Court for the Southern District of New York issues a restraining order barring Arbitrum DAO from moving the 30,766 ETH frozen by the Arbitrum Security Council, following a claim filed by terrorism-judgment creditors of North Korea.

Unchained Crypto

2026-05-05

KelpDAO claims LayerZero had approved the single-DVN configuration it subsequently blamed for the exploit, escalating the public responsibility dispute.

CoinDesk

2026-05-10

LayerZero publishes a detailed incident report and announces security changes, including a policy to refuse signing messages on any 1-of-1 DVN configuration and a full rebuild of the compromised cloud infrastructure.

The Market Periodical

2026-05-20

LayerZero publishes additional technical detail on the single-verifier architectural flaw at the root of the exploit.

CryptoTimes

2026-05-26

Aave and KelpDAO announce restoration of rsETH operations following the DeFi United recovery effort. KelpDAO confirms the final tranche of 20,373.72 rsETH has been delivered to the rsETH OFT adapter, completing the operational recovery phase.

CryptoTimes, AMBCrypto

2026-06-02

On-chain data cited by Arkham Intelligence indicates the attacker has laundered approximately $220 million of unfrozen stolen funds through THORChain, Wasabi, Tornado Cash, and Umbra, with only approximately $1.7 million remaining in the main attacker wallet.

CryptoTimes

Provenance & Audit Trail

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/21/2026, 5:06:27 PM

last updated: 6/21/2026, 5:06:38 PM