KelpDAO Hit by $292M Hack on Ethereum and Arbitrum

KelpDAO, a prominent liquid restaking protocol, has fallen victim to a major attack on its LayerZero-powered rsETH bridge. Today, attackers drained around 116,500 rsETH tokens, valued at approximately $292 million, using sophisticated cross-chain manipulation techniques.
The attackers used unbacked tokens as fake collateral to borrow real assets from decentralized finance (DeFi) lending platforms. The incident marks another example of how cross-chain messaging can create single points of failure when not fully isolated.
$292 Million Vanishes to Grim Hack
The attacker prepared a wallet funded through Tornado Cash just hours before the main incident. They executed a targeted call to the lzReceive function on the LayerZero EndpointV2 contract. This tricked the Kelp bridge adapter into releasing the rsETH without a corresponding valid burn on another chain.
The exploit was rooted in configuration issues specific to the omnichain fungible token setup, rather than a failure within the core LayerZero protocol. Notably, two subsequent drain attempts, each targeting around 40,000 rsETH, failed after the team activated emergency measures.
KelpDAO promptly paused rsETH contracts across the Ethereum mainnet and multiple layer-two networks to limit further damage. The organization is now collaborating closely with LayerZero experts, Unichain auditors, and independent security firms.
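The failure described above, a release on one chain "without a corresponding valid burn on another chain", is what a cross-chain reconciliation monitor is meant to catch. The sketch below is an added example, not code from KelpDAO or LayerZero; the event records, field names (`msg_id`, `kind`) and the pause threshold are hypothetical, and the sample data is constructed.

```python
from decimal import Decimal

# Constructed sample events, not real chain data. Field names are hypothetical.
# "burn"    = tokens destroyed on the source chain for a cross-chain transfer
# "release" = tokens released by the bridge adapter on the destination chain
EVENTS = [
    {"chain": "l2-a",    "kind": "burn",    "msg_id": "m1", "amount": "120.5"},
    {"chain": "mainnet", "kind": "release", "msg_id": "m1", "amount": "120.5"},
    {"chain": "l2-a",    "kind": "burn",    "msg_id": "m2", "amount": "10"},
    {"chain": "mainnet", "kind": "release", "msg_id": "m2", "amount": "15"},
    {"chain": "mainnet", "kind": "release", "msg_id": "m3", "amount": "116500"},
    {"chain": "mainnet", "kind": "release", "msg_id": "m1", "amount": "120.5"},
]

def reconcile(events):
    """Match every release to a burn; return (findings, total unbacked amount)."""
    # Index burns first: block times on different chains are not comparable,
    # so this offline check ignores ordering and matches by message id only.
    burns = {e["msg_id"]: Decimal(e["amount"])
             for e in events if e["kind"] == "burn"}
    seen, findings, unbacked = set(), [], Decimal(0)
    for e in events:
        if e["kind"] != "release":
            continue
        mid, amt = e["msg_id"], Decimal(e["amount"])
        if mid in seen:                      # same message honoured twice
            findings.append((mid, "duplicate_release"))
            unbacked += amt
        elif mid not in burns:               # nothing was burned for this release
            findings.append((mid, "no_matching_burn"))
            unbacked += amt
        elif amt > burns[mid]:               # released more than was burned
            findings.append((mid, "amount_exceeds_burn"))
            unbacked += amt - burns[mid]
        seen.add(mid)
    return findings, unbacked

def should_pause(unbacked, threshold=Decimal("1")):
    """Hypothetical policy: pause the bridge once unbacked supply passes a threshold."""
    return unbacked > threshold

if __name__ == "__main__":
    findings, unbacked = reconcile(EVENTS)
    for mid, reason in findings:
        print(f"ALERT msg_id={mid} reason={reason}")
    print(f"unbacked={unbacked} pause={should_pause(unbacked)}")
```

Lending markets that accept a bridged asset as collateral can run the same invariant themselves instead of relying on the issuer's own monitoring.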
Broader Impact on DeFi Protocols
In response to the breach, Aave quickly froze the rsETH markets on both version three and version four deployments to block new activity. The platform is reviewing all post-exploit borrowers and may use its safety module to cover potential bad debt estimated at above $280 million.
Other protocols, including Compound, also took swift protective steps. Euler, Fluid, Spark, and Morpho implemented pauses or isolated risk measures for affected positions. Lido Finance halted new deposits into its earnETH product due to indirect rsETH holdings.
The AAVE token price dropped about 11% as the market reacted to the news. Lending pools now hold illiquid collateral, which threatens suppliers of real ETH and stable assets. While isolated market designs helped contain some spillover, users with leveraged positions face heightened liquidation risks. rsETH shows zero liquidity on mainnet and potential depegging on layer-two chains.
Meanwhile, KelpDAO users await updates on potential compensation or recovery plans from the multisig team. The broader lesson reinforces the need for users to understand indirect exposures through wrapped assets and bridges.
The post KelpDAO Hit by $292M Hack on Ethereum and Arbitrum appeared first on CoinTab News.






