Audit log

Every state-changing event for KelpDAO Bridge Exploit (April 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-21 17:06:38Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 427,983,070

   sig

   H72JGFu2MvK5…kfymUPJecopyexplorer ↗

   hash

   J8wnmttB8ey1…zn3zbzCqcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (39837 B) ▸

   {"actor":"system:backfill","investigation_id":"4f465022-8404-4177-bf02-a31c259a5e60","kind":"publish","page_slug":"kelpdao-bridge-exploit-april-2026","published_at":"2026-06-21T17:06:38.728Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"KelpDAO Bridge Exploit (April 2026)","sections":[{"content":"At approximately 17:35 UTC on April 18, 2026, an attacker drained 116,500 rsETH tokens — roughly 18% of rsETH's 630,000-token circulating supply — from KelpDAO's LayerZero-powered bridge adapter on Ethereum. The stolen tokens were valued at approximately $292–294 million at prevailing market rates, making this the largest single DeFi exploit of 2026, surpassing the Drift protocol hack by a few million dollars. The attack did not involve any bug in KelpDAO's smart contract code. Instead, it was an off-chain infrastructure compromise that caused the bridge's single cross-chain verifier to attest to a fabricated message, releasing real funds against a non-existent token burn on the source chain.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":2,"name":"The Biggest Hack of 2026: What We Know About the $294M KelpDAO Exploit — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/the-biggest-hack-of-2026-what-we-know-about-the-294m-kelpdao-exploit/"},{"credibility":2,"name":"Explained: The Kelp DAO Hack (April 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-kelp-dao-hack-april-2026"}]},{"content":"The attack exploited KelpDAO's decision to use a 1-of-1 DVN (Decentralized Verifier Network) configuration on its LayerZero bridge — meaning a single verifier was responsible for attesting the validity of all cross-chain messages. Attackers compromised two internal RPC nodes that this sole verifier depended upon. They then executed a distributed denial-of-service (DDoS) attack against uncompromised external RPC nodes between approximately 10:20 and 11:40 a.m. Pacific Time on April 18, forcing the verifier's traffic to fail over to the attacker-controlled poisoned nodes. The malicious node software was engineered to selectively report fraudulent data while remaining invisible to LayerZero's monitoring infrastructure, and to self-destruct after the attack, wiping binaries and logs to obstruct forensic investigation. With the verifier now relying exclusively on poisoned data, attackers caused it to attest that a valid cross-chain message had been received — one falsely claiming that 116,500 rsETH had been locked on the source chain. The Ethereum bridge adapter, trusting the verifier's attestation, released 116,500 rsETH to an attacker-controlled address. No vulnerability existed in the rsETH token contract or bridge smart contract logic; the failure was entirely operational and infrastructural. LayerZero's own integration checklists and prior communications had recommended multi-DVN configurations precisely to prevent this class of single-point-of-failure attack.","heading":"Attack Mechanism: RPC Node Compromise and DVN Poisoning","severity":"critical","sources":[{"credibility":1,"name":"LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":2,"name":"$292 Million Lost, Zero Bugs Found: Lessons From the rsETH Bridge Exploit — OpenZeppelin","type":"research","url":"https://www.openzeppelin.com/news/lessons-from-kelpdao-hack"},{"credibility":1,"name":"LayerZero KelpDAO Incident Statement — LayerZero","type":"official","url":"https://layerzero.network/blog/kelpdao-incident-statement"},{"credibility":1,"name":"LayerZero Labs KelpDAO Incident Report — LayerZero","type":"official","url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"}]},{"content":"LayerZero released a preliminary attribution statement on April 20, 2026, identifying the attacker as a 'highly sophisticated state actor, likely DPRK's Lazarus Group,' specifically naming the TraderTraitor subunit. This marked the second major DeFi exploit allegedly linked to the same subunit within 18 days in 2026, with combined losses exceeding $575 million across structurally different attack vectors. TraderTraitor has been previously attributed to several major crypto thefts including the Axie Infinity Ronin Bridge hack and the WazirX exchange breach. The group is alleged to operate under North Korea's Reconnaissance General Bureau alongside units including AppleJeus, APT38, and DangerousPassword. LayerZero's attribution was characterized as 'preliminary confidence' and Chainalysis subsequently published on-chain analysis consistent with the attribution. Security firm Cyvers noted patterns matching DPRK sophistication but stopped short of confirming wallet clustering definitively tied to the group as of the time of their report. The FBI has publicly stated that DPRK-linked actors were responsible for 'high-profile international cryptocurrency heists.' Lazarus Group is a documented, prolific, state-backed cyber operation responsible for dozens of confirmed major crypto thefts and a verified trail of more than $7.3 billion in stolen assets across prior incidents.","heading":"Attribution: Lazarus Group / TraderTraitor","severity":"critical","sources":[{"credibility":1,"name":"LayerZero Ties KelpDAO Exploit to Lazarus Subgroup TraderTraitor — Yahoo Finance / Decrypt","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/layerzero-ties-kelpdao-exploit-lazarus-071321486.html"},{"credibility":2,"name":"LayerZero Pins 292M KelpDAO Bridge Hack on North Korea's Lazarus Group — Decrypt","type":"news_article","url":"https://decrypt.co/364872/layerzero-pins-292m-kelpdao-bridge-hack-on-north-koreas-lazarus-group"},{"credibility":2,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"KelpDAO, Bybit, Ronin: Lazarus Group's Crypto Hacks Behind a $7.3B Heist Empire — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"},{"credibility":2,"name":"LayerZero Post Mortem Shows Lazarus Group Stole $290M From KelpDAO via RPC Node Compromise — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/lazarus-kelpdao-290m-layerzero-rpc-hack-da50p3"}]},{"content":"Following the drain at 17:35 UTC, the attacker deposited 89,567 of the stolen rsETH into Aave as collateral and borrowed approximately $190.86 million in wrapped Ether (wETH) across Aave V3 positions on Ethereum and Arbitrum. Aave's pricing oracle continued to value rsETH at its pre-exploit exchange rate because the oracle tracks market price, not token backing integrity. By the time Aave's Guardian froze rsETH markets at approximately 18:52 UTC — approximately 77 minutes after the exploit began — $190 million in real ETH had left the protocol against collateral that was now unbacked. Risk analysts from LlamaRisk estimated Aave's bad debt exposure at between $123.7 million and $230.1 million depending on whether KelpDAO allocated losses across all rsETH holders (approximately 15% depegging scenario) or isolated them to L2 deployments (Arbitrum and Mantle), which would concentrate losses more severely. Aave V3 Ethereum Core total value locked contracted from $9.77 billion to $5.75 billion within 29 hours, a decline of 41.1%, as users withdrew funds in response to uncertainty. The AAVE governance token fell approximately 10% in the immediate aftermath. Contagion spread across the DeFi ecosystem: SparkLend and Fluid froze rsETH markets; Lido Finance paused deposits into earnETH due to rsETH exposure; and Ethena temporarily paused LayerZero OFT bridges as a precautionary measure. At least 9 protocols were materially affected and market freezes were implemented across more than 20 chains.","heading":"Contagion: Aave Bad Debt and DeFi-Wide Liquidity Crisis","severity":"critical","sources":[{"credibility":1,"name":"Aave could face up to $230 million in losses after Kelp DAO bridge exploit triggers DeFi chaos — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/aave-could-face-up-to-usd230-million-in-losses-after-kelp-dao-bridge-exploit-triggers-defi-chaos"},{"credibility":1,"name":"rsETH incident — 2026-04-18 — Aave Governance Forum","type":"official","url":"https://governance.aave.com/t/rseth-incident-2026-04-18/24481"},{"credibility":1,"name":"rsETH Incident Report (April 20, 2026) — Aave Governance Forum","type":"official","url":"https://governance.aave.com/t/rseth-incident-report-april-20-2026/24580"},{"credibility":2,"name":"Anatomy of a Liquidity Freeze — Glassnode Insights","type":"research","url":"https://insights.glassnode.com/anatomy-of-a-liquidity-freeze/"},{"credibility":2,"name":"The Day a $292M KelpDAO Bridge Exploit Turned Into a $14B DeFi Stress Test — Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/trending/the-day-a-292m-kelpdao-bridge-exploit-turned-into-a-14b-defi-stress-test/"}]},{"content":"LayerZero's April 20 incident statement placed primary responsibility on KelpDAO's configuration choices, stating that 'KelpDAO chose to utilize a 1/1 DVN configuration' and that a multi-DVN setup would have rendered the attack ineffective. KelpDAO disputed this characterization, alleging that LayerZero's default settings and integration documentation were responsible for the insecure configuration, and that LayerZero had approved the setup at the time of deployment. CoinDesk reported on May 5, 2026, that Kelp claimed LayerZero had approved the configuration it later blamed for the exploit. OpenZeppelin's independent analysis found that 'the contracts were correct, the code was clean, the system failed operationally,' and identified a gap in the standard audit process: smart contract audits typically do not assess third-party integration configurations, infrastructure single points of failure, or system behavior when off-chain dependencies are compromised. This responsibility dispute was ongoing as of the time of reporting.","heading":"Disputed Responsibility: KelpDAO vs. LayerZero","severity":"high","sources":[{"credibility":1,"name":"Kelp DAO hits back at LayerZero for trying to shift the blame — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/kelp-dao-claims-layerzero-s-default-settings-are-what-actually-caused-the-usd290-million-disaster"},{"credibility":1,"name":"Kelp says LayerZero approved setup it blamed for $292 million bridge hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"credibility":2,"name":"Kelp DAO Disputes LayerZero's Account of the $290 Million Exploit — Unchained","type":"news_article","url":"https://unchainedcrypto.com/kelp-dao-disputes-layerzeros-account-of-the-290-million-exploit-escalating-blame-game/"},{"credibility":2,"name":"$292 Million Lost, Zero Bugs Found: Lessons From the rsETH Bridge Exploit — OpenZeppelin","type":"research","url":"https://www.openzeppelin.com/news/lessons-from-kelpdao-hack"}]},{"content":"Of the 116,500 rsETH drained, 89,567 were deposited into Aave and converted to approximately $190 million in real ETH. The remaining portion was moved through a layered laundering operation. On-chain data cited by Arkham Intelligence tracked the funds moving through THORChain, the Wasabi Bitcoin mixer, and subsequently back to Ethereum before being withdrawn through Tornado Cash and the privacy protocol Umbra. By June 2, 2026, the attacker had laundered approximately $220 million of the unfrozen portion of the stolen funds, with only approximately $1.7 million remaining in the main attacker wallet. The Arbitrum Security Council separately froze 30,766 ETH (approximately $71 million) on Arbitrum on April 20, 2026, which remained accessible to potential recovery efforts. The successful laundering of approximately $220 million substantially closed the window for practical recovery of the unfrozen portion of the haul.","heading":"Stolen Fund Movements and Laundering","severity":"critical","sources":[{"credibility":2,"name":"Kelp DAO hacker launders $220M as recovery window closes — Crypto.news","type":"news_article","url":"https://crypto.news/kelp-dao-hacker-launders-220m-as-recovery-window-closes/"},{"credibility":2,"name":"Kelp DAO Hacker Finishes Laundering $220M, Only $1.7M Left in Main Wallet — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/kelp-dao-hacker-finishes-laundering-220m-only-1-7m-left-in-main-wallet/"},{"credibility":2,"name":"Kelp DAO Exploiter Allegedly Laundered $80 Million in ETH Through THORChain — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/kelp-dao-exploiter-allegedly-laundered-083159066.html"},{"credibility":2,"name":"Kelp DAO Hacker Moves Funds to Bitcoin — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/23/kelp-dao-hacker-moves-funds-to-bitcoin-and-it-cannot-be-frozen-heres-why/"},{"credibility":2,"name":"Kelp DAO Recovery Hopes Fade as Hacker Launders About $220 Million — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/kelp-dao-recovery-hacker-launders-most-funds-293m-exploit"}]},{"content":"On April 23, 2026, Aave began rallying DeFi ecosystem partners to contain fallout from the exploit. A coalition called 'DeFi United' subsequently unveiled a technical plan to restore full backing for rsETH. The plan operated on two tracks: committed ETH from ecosystem contributors would be converted into rsETH in staged tranches and deposited into Kelp's bridge lockbox contract to restore the token's backing at the current Kelp exchange ratio of 1.07 ETH per rsETH; and a governance-approved liquidation sequence would recover an estimated 13,000 ETH from Aave V3 positions and approximately 16,776 ETH from Compound. DeFi United raised approximately $160 million, with major contributions including up to 25,000 ETH from Aave's DAO treasury, 30,000 ETH from Mantle, 30,000 ETH from Consensys, and 5,000 ETH personal pledge from Aave founder Stani Kulechov. By late May 2026, KelpDAO announced the completion of the five-week recovery: the final tranche of 20,373.72 rsETH was sent to the rsETH OFT adapter, restoring rsETH backing above 100%. Aave and Kelp DAO subsequently announced the restoration of rsETH operations.","heading":"DeFi United Recovery Effort","severity":"high","sources":[{"credibility":1,"name":"Aave rallies DeFi partners to contain fallout from $292 million KelpDAO hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/23/aave-rallies-defi-partners-to-contain-fallout-from-usd292-million-kelpdao-hack"},{"credibility":2,"name":"DeFi United unveils plan to restore rsETH after $292 million Kelp DAO exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/399118/defi-united-detailed-plan"},{"credibility":2,"name":"DeFi United Raises $160M to Cover Aave Bad Debt from KelpDAO Exploit — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/defi-united-raises-160m-to-cover-aave-bad-debt-from-kelpdao-exploit"},{"credibility":2,"name":"KelpDAO Restored rsETH After the Biggest DeFi Hack of 2026 — Incrypted","type":"news_article","url":"https://incrypted.com/en/kelpdao-restored-rseth-after-the-biggest-defi-hack-of-2026/"},{"credibility":2,"name":"KelpDAO says rsETH recovery completed as backing returns above 100% — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/kelpdao-says-rseth-recovery-completed-as-backing-returns-above-100/"},{"credibility":2,"name":"Aave and Kelp DAO Restore rsETH Operations After April Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/aave-and-kelp-dao-restore-rseth-operations-after-april-exploit/"},{"credibility":2,"name":"Aave Proposes Binding New Risk Framework Following the $292 Million KelpDAO Exploit — Unchained","type":"news_article","url":"https://unchainedcrypto.com/aave-proposes-binding-new-risk-framework-following-the-292-million-kelpdao-exploit/"}]},{"content":"On April 30, 2026, the U.S. District Court for the Southern District of New York issued a restraining order barring Arbitrum DAO from moving 30,766 ETH (approximately $71 million) that the Arbitrum Security Council had frozen in connection with the exploit. The restraining order was obtained by plaintiffs represented by Gerstein Harrow LLP on behalf of families holding unpaid U.S. terrorism judgments against North Korea totaling more than $877 million (excluding interest). The primary plaintiffs include Han Kim and Yong Seok Kim, whose family member Reverend Kim Dong-shik was abducted in China and killed by North Korean agents; a 2015 ruling by the U.S. District Court for the District of Columbia produced a roughly $330 million default judgment against the DPRK in that matter. The legal theory rests on the Foreign Sovereign Immunities Act and the Terrorism Risk Insurance Act, which permit creditors to attach assets linked to state sponsors of terrorism. Because LayerZero's incident report attributed the April 18 attack to North Korea's Lazarus Group, the plaintiffs argued the frozen ETH constitutes DPRK property subject to attachment. No SEC, CFTC, or DOJ enforcement actions specifically targeting KelpDAO or LayerZero had been publicly announced as of the time of reporting.","heading":"Legal and Regulatory Proceedings","severity":"high","sources":[{"credibility":1,"name":"U.S. Court Freezes $71 Million in Kelp DAO ETH After North Korea Terrorism Creditors File Claim — Unchained","type":"court_filing","url":"https://unchainedcrypto.com/u-s-court-freezes-71-million-in-kelp-dao-eth-after-north-korea-terrorism-creditors-file-claim/"},{"credibility":2,"name":"North Korea terrorism creditors move to seize Arbitrum-frozen Kelp DAO ETH — The Block","type":"news_article","url":"https://www.theblock.co/post/399819/north-korea-terrorism-creditors-move-to-seize-arbitrum-frozen-kelp-dao-eth-ahead-of-defi-united-vote"},{"credibility":2,"name":"Arbitrum's KelpDAO Freeze Backfires as US Court Blocks $71 Million Recovery — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/arbitrum-kelpdao-freeze-backfires-us-160122096.html"},{"credibility":2,"name":"North Korea-linked creditors target frozen Kelp DAO funds — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/north-korea-creditors-target-kelp-dao-funds/"},{"credibility":1,"name":"Lawyer pops up on Arbitrum DAO forums seeking funds for victims of decades-old North Korean terrorist acts — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/04/laywer-pops-up-on-arbitrum-dao-forums-seeking-funds-for-victims-of-decades-old-north-korean-terrorist-acts"}]},{"content":"Following the exploit, both LayerZero and KelpDAO announced significant security changes. LayerZero announced that its DVN would no longer sign messages for any application running a 1-of-1 configuration, enforcing a protocol-wide baseline security policy. LayerZero also announced it would rebuild the affected cloud infrastructure from the ground up rather than patching it, redeploying on hardened baselines with no legacy credentials or configurations carried over. Additional LayerZero security initiatives included development of a second DVN client written in Rust to add software diversity, and a new platform called Console to provide asset issuers with configuration monitoring and anomaly detection capabilities. KelpDAO migrated rsETH from LayerZero's OFT (Omnichain Fungible Token) standard to Chainlink's Cross-Chain Interoperability Protocol (CCIP), which uses multiple independent nodes to validate messages rather than a single verifier. OpenZeppelin's independent analysis characterized the incident as exposing a fundamental gap in standard security review practices: smart contract audits do not assess third-party integration configurations, infrastructure single points of failure, or system behavior under off-chain dependency compromise. Aave subsequently proposed a binding new risk framework to formalize integration security requirements for collateral assets.","heading":"Protocol Security Changes Post-Exploit","severity":"medium","sources":[{"credibility":2,"name":"LayerZero details $292M KelpDAO exploit and tightens bridge security — Crypto.news","type":"news_article","url":"https://crypto.news/layerzero-details-292m-kelpdao-exploit-and-tightens-bridge-security/"},{"credibility":2,"name":"KelpDAO Hack Update: LayerZero Details Security Changes After $292M Hack — The Market Periodical","type":"news_article","url":"https://themarketperiodical.com/2026/05/10/kelpdao-hack-update-layerzero-details-security-changes-after-292m-hack/"},{"credibility":3,"name":"Kelp DAO Moves to Chainlink After $292M LayerZero Hack — Spaziocrypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/kelp-dao-moves-chainlink-after-292m-layerzero-hack/"},{"credibility":2,"name":"LayerZero Details Single-Verifier Flaw Behind $292M KelpDAO Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/20/layerzero-details-single-verifier-flaw-behind-292m-kelpdao-exploit/"},{"credibility":2,"name":"Aave Proposes Binding New Risk Framework Following the $292 Million KelpDAO Exploit — Unchained","type":"news_article","url":"https://unchainedcrypto.com/aave-proposes-binding-new-risk-framework-following-the-292-million-kelpdao-exploit/"}]},{"content":"Security analysts and industry commentators characterized the KelpDAO exploit as a systemic demonstration of the risks inherent in cross-chain bridge infrastructure. The $292 million Kelp DAO exploit illustrates why crypto bridges remain one of the industry's weakest links: bridges require both flawless smart contract code and robust off-chain operational security, and a single compromised verification layer can be sufficient to drain funds. The incident highlighted that the standard practice of point-in-time smart contract audits does not provide meaningful coverage against operational infrastructure attacks. The DeFi ecosystem's rapid contagion response — in which the attacker was able to deposit stolen tokens as Aave collateral before the exploit was even publicly acknowledged — also demonstrated structural vulnerabilities in oracle pricing systems that do not assess asset-backing integrity. Total value locked across affected protocols at the time of the stress test exceeded $14 billion. Industry analysts from Bank Policy Institute and others noted the incident as illustrating the intersection of crypto hacks and bank-run-like liquidity dynamics in DeFi.","heading":"Broader Significance: Bridge Security and DeFi Infrastructure Risk","severity":"high","sources":[{"credibility":1,"name":"The $292 million Kelp DAO exploit shows why crypto bridges are still one of the industry's weakest links — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/21/the-usd292-million-kelp-dao-exploit-shows-why-crypto-bridges-are-still-one-of-the-industry-s-weakest-links"},{"credibility":2,"name":"Crypto Hacks and DeFi Runs — Bank Policy Institute","type":"research","url":"https://bpi.com/crypto-hacks-and-defi-runs/"},{"credibility":3,"name":"Crypto Bridge Hacks: $340M Stolen in 2026 and Why — Spaziocrypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/crypto-bridge-hacks-340-million-stolen-2026-design-flaw/"},{"credibility":2,"name":"The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge, and Who Actually Pays — DeFi Prime","type":"research","url":"https://defiprime.com/kelpdao-rseth-exploit"},{"credibility":2,"name":"The Day a $292M KelpDAO Bridge Exploit Turned Into a $14B DeFi Stress Test — Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/trending/the-day-a-292m-kelpdao-bridge-exploit-turned-into-a-14b-defi-stress-test/"}]}],"sources_used":[{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":1,"name":"LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"Aave could face up to $230 million in losses after Kelp DAO bridge exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/aave-could-face-up-to-usd230-million-in-losses-after-kelp-dao-bridge-exploit-triggers-defi-chaos"},{"credibility":1,"name":"The $292 million Kelp DAO exploit shows why crypto bridges are still one of the industry's weakest links — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/21/the-usd292-million-kelp-dao-exploit-shows-why-crypto-bridges-are-still-one-of-the-industry-s-weakest-links"},{"credibility":1,"name":"Aave rallies DeFi partners to contain fallout from $292 million KelpDAO hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/23/aave-rallies-defi-partners-to-contain-fallout-from-usd292-million-kelpdao-hack"},{"credibility":1,"name":"Kelp DAO hits back at LayerZero for trying to shift the blame — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/kelp-dao-claims-layerzero-s-default-settings-are-what-actually-caused-the-usd290-million-disaster"},{"credibility":1,"name":"Kelp says LayerZero approved setup it blamed for $292 million bridge hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"credibility":1,"name":"Lawyer pops up on Arbitrum DAO forums seeking funds for North Korean terrorist act victims — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/04/laywer-pops-up-on-arbitrum-dao-forums-seeking-funds-for-victims-of-decades-old-north-korean-terrorist-acts"},{"credibility":1,"name":"rsETH Incident Report (April 20, 2026) — Aave Governance Forum","type":"official","url":"https://governance.aave.com/t/rseth-incident-report-april-20-2026/24580"},{"credibility":1,"name":"rsETH incident — 2026-04-18 — Aave Governance Forum","type":"official","url":"https://governance.aave.com/t/rseth-incident-2026-04-18/24481"},{"credibility":1,"name":"LayerZero KelpDAO Incident Statement — LayerZero","type":"official","url":"https://layerzero.network/blog/kelpdao-incident-statement"},{"credibility":1,"name":"LayerZero Labs KelpDAO Incident Report — LayerZero","type":"official","url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"},{"credibility":2,"name":"$292 Million Lost, Zero Bugs Found: Lessons From the rsETH Bridge Exploit — OpenZeppelin","type":"research","url":"https://www.openzeppelin.com/news/lessons-from-kelpdao-hack"},{"credibility":2,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"Explained: The Kelp DAO Hack (April 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-kelp-dao-hack-april-2026"},{"credibility":2,"name":"The Biggest Hack of 2026: What We Know About the $294M KelpDAO Exploit — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/the-biggest-hack-of-2026-what-we-know-about-the-294m-kelpdao-exploit/"},{"credibility":1,"name":"LayerZero Ties KelpDAO Exploit to Lazarus Subgroup TraderTraitor — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/layerzero-ties-kelpdao-exploit-lazarus-071321486.html"},{"credibility":2,"name":"LayerZero Pins 292M KelpDAO Bridge Hack on North Korea's Lazarus Group — Decrypt","type":"news_article","url":"https://decrypt.co/364872/layerzero-pins-292m-kelpdao-bridge-hack-on-north-koreas-lazarus-group"},{"credibility":2,"name":"LayerZero Post Mortem Shows Lazarus Group Stole $290M From KelpDAO — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/lazarus-kelpdao-290m-layerzero-rpc-hack-da50p3"},{"credibility":1,"name":"U.S. Court Freezes $71 Million in Kelp DAO ETH After North Korea Terrorism Creditors File Claim — Unchained","type":"court_filing","url":"https://unchainedcrypto.com/u-s-court-freezes-71-million-in-kelp-dao-eth-after-north-korea-terrorism-creditors-file-claim/"},{"credibility":2,"name":"North Korea terrorism creditors move to seize Arbitrum-frozen Kelp DAO ETH — The Block","type":"news_article","url":"https://www.theblock.co/post/399819/north-korea-terrorism-creditors-move-to-seize-arbitrum-frozen-kelp-dao-eth-ahead-of-defi-united-vote"},{"credibility":2,"name":"DeFi United unveils plan to restore rsETH after $292 million Kelp DAO exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/399118/defi-united-detailed-plan"},{"credibility":2,"name":"Kelp DAO hacker launders $220M as recovery window closes — Crypto.news","type":"news_article","url":"https://crypto.news/kelp-dao-hacker-launders-220m-as-recovery-window-closes/"},{"credibility":2,"name":"Kelp DAO Hacker Finishes Laundering $220M, Only $1.7M Left in Main Wallet — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/kelp-dao-hacker-finishes-laundering-220m-only-1-7m-left-in-main-wallet/"},{"credibility":2,"name":"Kelp DAO Recovery Hopes Fade as Hacker Launders About $220 Million — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/kelp-dao-recovery-hacker-launders-most-funds-293m-exploit"},{"credibility":2,"name":"Anatomy of a Liquidity Freeze — Glassnode Insights","type":"research","url":"https://insights.glassnode.com/anatomy-of-a-liquidity-freeze/"},{"credibility":2,"name":"Aave Proposes Binding New Risk Framework Following the $292 Million KelpDAO Exploit — Unchained","type":"news_article","url":"https://unchainedcrypto.com/aave-proposes-binding-new-risk-framework-following-the-292-million-kelpdao-exploit/"},{"credibility":2,"name":"DeFi United Raises $160M to Cover Aave Bad Debt from KelpDAO Exploit — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/defi-united-raises-160m-to-cover-aave-bad-debt-from-kelpdao-exploit"},{"credibility":2,"name":"KelpDAO says rsETH recovery completed as backing returns above 100% — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/kelpdao-says-rseth-recovery-completed-as-backing-returns-above-100/"},{"credibility":2,"name":"Aave and Kelp DAO Restore rsETH Operations After April Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/aave-and-kelp-dao-restore-rseth-operations-after-april-exploit/"},{"credibility":2,"name":"KelpDAO Bridge Exploit Analysis: North Korean Hackers Steal $292 Million Via Off-Chain Attack — Crowdfund Insider","type":"news_article","url":"https://www.crowdfundinsider.com/2026/04/275261-kelpdao-bridge-exploit-analysis-north-korean-hackers-steal-292-million-via-off-chain-attack/"},{"credibility":2,"name":"The KelpDAO $292M crypto hack: What IT execs must know — TechTarget","type":"news_article","url":"https://www.techtarget.com/searchcio/feature/The-KelpDAO-crypto-hack-What-IT-execs-must-know"},{"credibility":2,"name":"How KelpDAO Lost $292M: Inside 2026's Biggest DeFi Hack — Bitcoin Foundation","type":"news_article","url":"https://bitcoinfoundation.org/news/crimes-and-fraud-news/how-kelpdao-lost-292m-inside-2026s-biggest-defi-hack-and-what-went-wrong/"},{"credibility":2,"name":"KelpDAO, Bybit, Ronin: Lazarus Group's Crypto Hacks Behind a $7.3B Heist Empire — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"},{"credibility":2,"name":"The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge, and Who Actually Pays — DeFi Prime","type":"research","url":"https://defiprime.com/kelpdao-rseth-exploit"},{"credibility":2,"name":"Incident Report: Kelp DAO rsETH Bridge Exploit — Credshields","type":"research","url":"https://discover.credshields.com/incident-report-kelp-dao-rseth-bridge-exploit/"},{"credibility":2,"name":"Crypto Hacks and DeFi Runs — Bank Policy Institute","type":"research","url":"https://bpi.com/crypto-hacks-and-defi-runs/"},{"credibility":2,"name":"LayerZero Details Single-Verifier Flaw Behind $292M KelpDAO Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/20/layerzero-details-single-verifier-flaw-behind-292m-kelpdao-exploit/"}],"summary":"On April 18, 2026, attackers drained 116,500 rsETH (approximately $292–294 million) from KelpDAO's LayerZero-powered cross-chain bridge, making it the largest DeFi exploit of 2026. The attack exploited a single-DVN (Decentralized Verifier Network) configuration by compromising RPC nodes and using a DDoS to force failover to poisoned infrastructure, tricking the bridge verifier into approving a phantom token release. The operation has been attributed with preliminary confidence to North Korea's Lazarus Group, specifically the TraderTraitor subunit, and triggered systemic contagion across at least 9 DeFi protocols and 20+ chains, including a major liquidity crisis on Aave.","timeline":[{"date":"2026-04-18","event":"Attack executed at approximately 17:35 UTC. Attackers compromise KelpDAO's LayerZero bridge via poisoned RPC nodes, draining 116,500 rsETH (approximately $292 million). The DDoS against external nodes ran between approximately 10:20–11:40 a.m. Pacific Time to force failover to the attacker-controlled infrastructure.","source":"CoinDesk, LayerZero Incident Statement","source_url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"date":"2026-04-18","event":"Attacker deposits 89,567 stolen rsETH into Aave as collateral and borrows approximately $190.86 million in wrapped ETH before the asset is frozen.","source":"CoinDesk, Aave Governance Forum","source_url":"https://www.coindesk.com/tech/2026/04/20/aave-could-face-up-to-usd230-million-in-losses-after-kelp-dao-bridge-exploit-triggers-defi-chaos"},{"date":"2026-04-18","event":"KelpDAO's emergency pauser multisig freezes core contracts at 18:21 UTC, approximately 46 minutes after the exploit. Two follow-up drain attempts by the attacker at 18:26 and 18:28 UTC are blocked. Aave Guardian freezes rsETH markets at approximately 18:52 UTC.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"date":"2026-04-18","event":"KelpDAO publicly acknowledges the incident at approximately 20:10 UTC, roughly 3 hours after the initial drain.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"date":"2026-04-20","event":"Arbitrum Security Council freezes 30,766 ETH (approximately $71 million) attributable to the attacker on the Arbitrum network.","source":"Unchained Crypto","source_url":"https://unchainedcrypto.com/u-s-court-freezes-71-million-in-kelp-dao-eth-after-north-korea-terrorism-creditors-file-claim/"},{"date":"2026-04-20","event":"LayerZero releases a statement attributing the exploit to KelpDAO's 1-of-1 DVN configuration and linking the attack with preliminary confidence to North Korea's Lazarus Group / TraderTraitor subunit. KelpDAO disputes LayerZero's characterization and alleges LayerZero's default settings were responsible.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"date":"2026-04-21","event":"Chainalysis publishes on-chain analysis of the KelpDAO bridge exploit, consistent with TraderTraitor/Lazarus Group attribution.","source":"Chainalysis","source_url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"date":"2026-04-23","event":"Aave begins rallying DeFi ecosystem partners to contain fallout; DeFi United coalition begins forming.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/04/23/aave-rallies-defi-partners-to-contain-fallout-from-usd292-million-kelpdao-hack"},{"date":"2026-04-30","event":"U.S. District Court for the Southern District of New York issues a restraining order barring Arbitrum DAO from moving the 30,766 ETH frozen by the Arbitrum Security Council, following a claim filed by terrorism-judgment creditors of North Korea.","source":"Unchained Crypto","source_url":"https://unchainedcrypto.com/u-s-court-freezes-71-million-in-kelp-dao-eth-after-north-korea-terrorism-creditors-file-claim/"},{"date":"2026-05-05","event":"KelpDAO claims LayerZero had approved the single-DVN configuration it subsequently blamed for the exploit, escalating the public responsibility dispute.","source":"CoinDesk","source_url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"date":"2026-05-10","event":"LayerZero publishes detailed incident report and announces security changes, including a policy to refuse signing messages on any 1-of-1 DVN configuration and a full rebuild of the compromised cloud infrastructure.","source":"The Market Periodical","source_url":"https://themarketperiodical.com/2026/05/10/kelpdao-hack-update-layerzero-details-security-changes-after-292m-hack/"},{"date":"2026-05-20","event":"LayerZero publishes additional technical detail on the single-verifier architectural flaw at the root of the exploit.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/05/20/layerzero-details-single-verifier-flaw-behind-292m-kelpdao-exploit/"},{"date":"2026-05-26","event":"Aave and KelpDAO announce restoration of rsETH operations following the DeFi United recovery effort. KelpDAO confirms the final tranche of 20,373.72 rsETH has been delivered to the rsETH OFT adapter, completing the operational recovery phase.","source":"CryptoTimes, AMBCrypto","source_url":"https://www.cryptotimes.io/2026/05/26/aave-and-kelp-dao-restore-rseth-operations-after-april-exploit/"},{"date":"2026-06-02","event":"On-chain data cited by Arkham Intelligence indicates the attacker has laundered approximately $220 million of unfrozen stolen funds through THORChain, Wasabi, Tornado Cash, and Umbra, with only approximately $1.7 million remaining in the main attacker wallet.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/02/kelp-dao-hacker-finishes-laundering-220m-only-1-7m-left-in-main-wallet/"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 19a72789-b8fd-4d62-81d6-d55c8141d4b1copy