KelpDAO Bridge Exploit: $292M rsETH Released on Phantom Burn
Attackers linked to North Korea’s Lazarus Group exploited the KelpDAO Bridge on April 18, 2026, releasing about $292M worth of rsETH (116,500 rsETH) on Ethereum against a burn that never happened. The KelpDAO Bridge exploit was not a smart-contract bug. It targeted LayerZero’s off-chain verification setup (a 1-of-1 DVN relying on LayerZero-hosted RPC nodes).
By compromising LayerZero internal RPC endpoints and using DDoS to disrupt external nodes, the attackers forced the verifier into accepting forged cross-chain state. The DVN “confirmed” rsETH burn on the Unichain source chain, while no corresponding burn occurred. Ethereum therefore released rsETH with valid signatures and normal-looking calldata, making the activity hard to detect via transaction-level monitoring.
KelpDAO quickly paused affected contracts and L2 deployments, blacklisted attacker addresses, and stopped a second attempt to steal about 40,000 rsETH (~$95M). Separately, the Arbitrum Security Council coordinated with law enforcement and froze 30,766 ETH tied to downstream attacker funds. The earlier Chainalysis framing remains central: DeFi security must focus on cross-chain invariant monitoring, not only “malicious code detection.” The KelpDAO Bridge exploit is a textbook example of an invariant failure where released assets ≠ burned/locked assets.
For traders, this raises bridge-risk pricing. If rsETH is used as collateral or for liquidity, expect higher risk premiums, more conservative liquidity routing, and potential peg/market dislocation until teams prove invariant consistency with real-time monitoring and fast pause governance.
Bearish
This event is a direct breach of the bridge invariant (released rsETH on Ethereum without a matching burn on the source chain), which increases perceived fragility for rsETH’s bridging model. In the short term, traders may price in higher uncertainty and widen risk spreads, especially if rsETH is accepted as collateral or routed into DeFi liquidity pools. In the long term, even with the quick pause and blacklisting, the reliance on a specific off-chain verification path (1-of-1 DVN via RPC) can raise ongoing concerns until teams demonstrate robust real-time cross-chain consistency monitoring and fast governance controls. Overall, the immediate market reaction for rsETH is more likely negative due to heightened counterparty/bridge-risk premium from the KelpDAO Bridge exploit.