Kelp DAO Cross-Chain Bridge Suffers $294M Hack, Shaking DeFi Ecosystem
The decentralized finance (DeFi) landscape was rocked yesterday by a significant security breach. Kelp DAO, a prominent liquidity restaking protocol, saw its cross-chain bridge compromised by hackers, leading to the unauthorized minting and transfer of its native rsETH token. Preliminary estimates peg the total loss at a staggering $292 to $294 million, making it the largest DeFi security event of 2024 to date. The fallout has affected numerous DeFi platforms, including the sector’s largest lending protocol, Aave, which now faces substantial bad debt risks.
Anatomy of the Attack: Forged Messages Exploit Cross-Chain Vulnerability
According to on-chain data and subsequent analyses, the sophisticated attack unfolded on April 19 at 1:35 AM (UTC+8). The perpetrators specifically targeted Kelp DAO’s OFT (Omnichain Fungible Token) cross-chain bridge, which is built on LayerZero. By meticulously forging cross-chain messages, the hackers successfully deceived the system into minting and transferring 116,500 rsETH—representing approximately 18% of the token’s total circulating supply—directly to addresses under their control.
Investigations reveal that the attackers meticulously prepared their funds via Tornado Cash beforehand, launching their offensive after approximately 10 hours of strategic waiting. The exploit was triggered by leveraging a vulnerability within LayerZero’s lzReceive function. Notably, the hackers attempted a second, even larger theft of approximately 80,000 rsETH (valued at around $200 million), but this attempt was thwarted by Kelp DAO’s swift emergency contract suspension.
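A defender-side illustration of the failure described above, as an added example that is not code from Kelp DAO, LayerZero or the original article: a monitor that reconciles every destination-chain credit against a source-chain debit with the same message identifier and applies an independent share-of-supply limit. The record types, field names, the 1% threshold and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Sent:        # hypothetical record: tokens debited on the source chain
    guid: str      # cross-chain message identifier
    amount: Decimal

@dataclass(frozen=True)
class Received:    # hypothetical record: tokens credited on the destination
    guid: str
    amount: Decimal
    to: str

def reconcile(sent, received, circulating, max_share=Decimal("0.01")):
    """Return (guid, reason) alerts for destination credits that break an invariant."""
    by_guid = {s.guid: s for s in sent}
    seen, alerts = set(), []
    for r in received:
        src = by_guid.get(r.guid)
        if src is None:
            alerts.append((r.guid, "no matching source send"))
        elif r.guid in seen:
            alerts.append((r.guid, "message credited twice"))
        elif r.amount != src.amount:
            alerts.append((r.guid, "amount differs from source send"))
        seen.add(r.guid)
        # Independent circuit breaker: one credit should never be a large
        # share of circulating supply, whatever the message layer claims.
        if r.amount / circulating > max_share:
            alerts.append((r.guid, "credit exceeds share-of-supply limit"))
    return alerts

# Constructed sample data. SUPPLY is rounded from the article's figures
# (116,500 rsETH is about 18% of supply); guids and addresses are made up.
SUPPLY = Decimal("647000")
SENT = [Sent("0xaa01", Decimal("120")), Sent("0xaa02", Decimal("35.5"))]
RECEIVED = [
    Received("0xaa01", Decimal("120"), "0xUserA"),
    Received("0xaa02", Decimal("35.5"), "0xUserB"),
    Received("0xff99", Decimal("116500"), "0xUnknown"),  # no source-side debit
]

if __name__ == "__main__":
    for guid, reason in reconcile(SENT, RECEIVED, SUPPLY):
        print(f"ALERT {guid}: {reason}")
```

Either alert on its own is a reasonable trigger for the kind of emergency pause the article describes; the supply-share check still fires if the source-side data is itself unavailable or untrusted.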
Ripple Effect: DeFi Lending Markets Face Collateral Damage
Following their initial success, the hackers quickly moved to capitalize on their ill-gotten gains. They deposited the stolen rsETH as collateral into several major lending protocols, including Aave V3/V4, SparkLend, and Fluid, subsequently borrowing substantial amounts of WETH/ETH. Once rsETH was identified as a compromised asset, these lending platforms immediately confronted severe bad debt exposure.
Aave, despite its core protocol remaining uncompromised, reacted decisively by freezing the rsETH markets on both V3 and V4, thereby halting all related deposit and borrowing functionalities. This incident starkly illustrates the “DeFi Lego” effect—the interconnectedness that, while fostering innovation, also amplifies risk. A vulnerability in a single protocol’s cross-chain bridge rapidly cascaded into a systemic challenge across multiple platforms, underscoring the inherent composability risks within the DeFi ecosystem.
Kelp DAO’s Rapid Response and Ongoing Situation
Upon detecting the anomalous activity, Kelp DAO initiated its emergency protocols within a remarkable 46 minutes. This swift action led to the suspension of rsETH contracts on the Ethereum mainnet and several Layer 2 networks, effectively freezing core protocol functionalities. Kelp DAO is now actively collaborating with key partners including LayerZero, Unichain, leading security audit firms, and external security experts to conduct a comprehensive investigation. An official statement has been released, urging users to rely solely on official channels for the latest updates.
As of the afternoon of April 19, the situation stands as follows:
- Contract Status: All relevant contracts remain paused as a precautionary measure.
- Asset Flow: On-chain tracking indicates that the hacker has successfully converted approximately $250 million of the stolen tokens into ETH.
- Technical Analysis: The incident is primarily attributed to a cross-chain bridge and messaging layer vulnerability (LayerZero OFT), rather than a direct breach of Kelp DAO’s core staking contracts. While the ETH collateral corresponding to the mainnet appears secure, cross-chain liquidity has been severely impacted, leading to a deadlock in wrapped Ethereum liquidity across various chains.
- Recommended Action: Given that the incident occurred over a holiday period, the response time from several DeFi platforms has been slower than ideal. The large-scale withdrawal of collateral and asset conversions could potentially lead to further suspensions of withdrawals and exchanges on other DeFi platforms. Users who have funds staked on DeFi platforms are strongly advised to withdraw their assets to self-custody wallets as soon as possible.
Prominent security researchers, including ZachXBT and PeckShield, are actively monitoring the hacker’s addresses. The investigation is ongoing, and details regarding compensation plans for affected lending protocols and users have yet to be announced. Investors are encouraged to closely monitor subsequent official announcements from Kelp DAO for the latest developments.
Disclaimer: This article is provided for market information purposes only. All content and opinions are for reference only and do not constitute investment advice. They do not represent the views or positions of the author or BlockBeats. Investors should make their own decisions and trades. The author and BlockBeats will not be held responsible for any direct or indirect losses resulting from investor transactions.