A significant cross-chain bridge tied to Kelp DAO was recently drained of nearly 18% of its circulating supply of rsETH (restaked ether), resulting in a loss estimated at $292 million. The breach occurred at 17:35 UTC over the weekend when an attacker managed to siphon off 116,500 rsETH using LayerZero’s cross-chain messaging layer. This attack compromised the infrastructure facilitating communication between different blockchains. Kelp DAO operates as a liquid restaking protocol, utilizing user-deposited ETH through EigenLayer for additional yield, and issues rsETH tokens in exchange. The drained bridge supported wrapped versions of rsETH on over 20 other blockchains. By deceiving LayerZero into verifying a falsified instruction from another network, the attacker triggered the release of rsETH to their control. Kelp DAO implemented an emergency pause on its core contracts 46 minutes post-drain at 18:21 UTC, thwarting two subsequent attempts each worth around $100 million that occurred shortly after.
The recent exploit highlights a shift in tactics by North Korea-linked hackers, who have transitioned from targeting vulnerabilities and credentials to exploiting foundational assumptions of decentralized systems. This organized pattern suggests an escalation in efforts to divert crypto funds, as evidenced by over $500 million siphoned in two weeks between the Drift incident and this Kelp DAO breach. Alexander Urbelis, CISO at ENS Labs, emphasizes that this is part of a strategic cadence rather than isolated incidents.
The exploit’s mechanism involved forging a transfer message that appeared valid within the system, leading to approval without actual token movement from the sending chain, effectively creating unsupported new tokens. The attacker used 89,567 rsETH as collateral on Aave and borrowed approximately $190 million in ETH and related assets across Ethereum and Arbitrum. This action left Aave vulnerable due to potentially impaired collateral backing. To mitigate risk, Aave Labs quickly froze rsETH markets, adjusted loan-to-value ratios, and halted new borrowing against the asset. The impact largely depends on Kelp DAO’s response to the shortfall; a 15% depegging across all rsETH holders could result in $124 million of bad debt for Aave, while concentrating losses on Layer 2 networks might cause bad debt to rise to about $230 million.
Meanwhile, Coinbase has released a report addressing quantum computing risks. Authored by experts including Dan Boneh and Justin Drake, the paper warns that while current blockchains remain secure, the crypto industry must prepare for potential future threats posed by fault-tolerant quantum computers capable of breaking encryption. Although Google researchers suggest such machines could eventually crack Bitcoin’s cryptography, practical realization remains an engineering challenge. Ethereum Foundation and other ecosystems are exploring quantum-resistant solutions, including new digital signatures and wallet designs.