KelpDAO 292M Cross-Chain Bridge Exploit: A Full Postmortem
At 04:18 UTC on April 18, 2026, KelpDAO’s rsETH OFT contract on Arbitrum produced an anomalous mint. Without a single legitimate LayerZero message from Ethereum mainnet, the attacker caused the Arbitrum contract to mint 116,500 rsETH out of thin air — roughly $292M at the day’s ETH price of 2,505. The largest cross-chain incident of 2026 so far, and the first time the liquid restaking sector took a hit of this magnitude head-on.
Timeline: What Happened in 90 Minutes
Reconstructed from Tenderly traces and Arbiscan logs. UTC throughout.
| Time (UTC) | Event | Impact |
|---|---|---|
| 04:12 | Attack contract deployed on Arbitrum, gas funded via Tornado Cash | Setup |
| 04:18 | First lzReceive call succeeds, minting 12,500 rsETH |
Vulnerability confirmed |
| 04:21 | Eight batched mints follow, totaling 104,000 rsETH | Main exploit window |
| 04:29 | About 40,000 rsETH swapped to wstETH via Camelot V3 | First cashout |
| 04:47 | KelpDAO multisig pauses the OFT contract’s mint function | Bleeding stopped |
| 05:34 | rsETH depegs to 0.71 on the Curve rsETH-WETH pool | Secondary shock |
Active attack window: 29 minutes, market shock lasted three days. The Curve rsETH-WETH depeg cascaded into liquidations downstream (section three).
Root Cause: An Endpoint Trust Assumption Broken
A lot of people concluded “LayerZero was hacked again.” Inaccurate. The LayerZero v2 protocol itself was fine. The bug lived in KelpDAO’s own OFT contract — how it validated _lzReceive inputs.
Stripped down, the Arbitrum-side receiver looked roughly like:
function _lzReceive(
Origin calldata _origin,
bytes32 _guid,
bytes calldata _message,
address _executor,
bytes calldata _extraData
) internal override {
if (_origin.srcEid == ETHEREUM_EID) {
(address to, uint256 amount) = abi.decode(_message, (address, uint256));
_mint(to, amount);
}
}
The contract only validated the source chain endpoint id, never _origin.sender. LayerZero v2’s security model requires application-level peer enforcement — the receiver must assert “this message came from exactly this address on Ethereum.” KelpDAO installed a lock but never read the key.
The attacker’s work was trivially direct: deploy a throwaway contract on mainnet, push an ABI-encoded message through the LayerZero endpoint to Arbitrum: “mint 12,500 rsETH to address X.” The endpoint just delivers. The Arbitrum contract saw srcEid == 30101 and obliged.
This endpoint trust mismatch has bitten LayerZero integrators before — see a brief history of bridge hacks.
The Money Trail: Why Recovery May Stay Below 15%
Within 48 hours, on-chain analysts mapped the funds:
- Phase one (Arbitrum-internal): 116,500 rsETH swapped to wstETH, WETH, USDC via Camelot V3 and Uniswap V3, netting ~$178M
- Phase two (cross-chain): ~$82M bridged to mainnet via Across and Stargate; ~$96M stayed on Arbitrum
- Phase three (obfuscation): of the mainnet portion, $34M through Tornado Cash, $48M through Railgun, rest scattered across 10+ fresh wallets
- Cold-holding: Arbitrum residual split across 27 addresses, idle for over two weeks
KelpDAO with Chainalysis and TRM Labs filed for OFAC-coordinated freezes on CEX deposit addresses by day three. As of late May, publicly traceable frozen funds ~$41M, about 14%. The remaining 86% is either in attacker wallets or fully laundered.
Protocol Response: Compensation, Restart, and Governance
Response was quick. Within 36 hours, KelpDAO published a first-cut postmortem and put a three-way compensation vote on chain as KIP-12:
- Plan A: 60% of treasury plus the next 12 months of protocol revenue to buy back 1:1 burned rsETH
- Plan B: Mint
rsETH-R(Recovery) at 1:1 against burned amounts; future recovered funds flow exclusively to rsETH-R holders - Plan C: Hybrid — 50% immediate 1:1 compensation, 50% in rsETH-R
Plan C won with 67.4%. Pragmatic — exit liquidity for retail, residual claim for long-term holders. Contested decision: Curve rsETH-WETH LPs were excluded because they held LP tokens, not rsETH directly. The boundary was drawn too mechanically.
Context: restaking real risks and case studies, EigenLayer AVS status 2026.
Spillover Into LRT: Three Second-Order Effects
The real concern wasn’t the $292M headline — it was the structural fragility exposed. LRT depends on three reinforcing assumptions; this incident dented at least two.
First, the cognitive bias of treating LRT tokens like ordinary ERC20 bridge assets. Vanilla USDC OFT breaks → USDC depeg on one chain. LRT OFT breaks → billions of ETH-denominated collateral whose price feeds Aave, Morpho, Pendle, and leveraged vaults. The rsETH depeg triggered ~$68M of liquidations on Aave — see Aave rsETH bad debt incident.
Second, blind spots in audit coverage. KelpDAO’s OFT contracts passed three audits in 2025; none flagged the missing peer check. The canonical OFT template includes peer enforcement, but KelpDAO “trimmed” it during customization, and auditors did not treat that omission as a primary finding. Audits cover code as written — design-intent assumptions live with the team.
Third, DVN economic model in LayerZero v2 did not function as intended. Multiple DVN nodes can flag abnormal messages, but KelpDAO had only the LayerZero Labs default configured — single point of pressure. Major LRT protocols have since revisited DVN configuration.
Three Concrete Actions for an LRT Holder
If you hold LRT:
- Audit OFT configuration. LayerZero Scan exposes DVN setup and peer status per contract. Below two configured DVNs is high risk.
- Avoid long-term holdings of bridged LRT. rsETH, ezETH, weETH — mainnet-native and L2-bridged versions are not the same risk asset. For yield, stay on mainnet.
- Watch LRT-collateralized lending closely. Aave liquidations here were driven by price drift, not users. Keep LTV under 50%.
Cross-chain security is a weakest-link assumption — one missing require can vaporize TVL across a chain. KelpDAO is an expensive but instructive case study.