LayerZero Publishes Full Post-Mortem On $292M KelpDAO Exploit
LayerZero Labs traces the $292M April 18 attack on KelpDAO's rsETH bridge to TraderTraitor, a developer machine compromise, and poisoned internal RPC nodes.
LayerZero Labs published a full post mortem on the April 18 attack on KelpDAO's rsETH bridge. LayerZero attributed the attack to TraderTraitor, the same group behind the $1.5B Bybit hack in February 2025. The attack began six weeks earlier, on March 6, when an attacker tricked a LayerZero developer into cloning a malicious GitHub repo that dropped malware on their macOS machine, harvesting session keys and opening a path into LayerZero's internal RPC infrastructure.
The attacker quietly poisoned two internal RPC nodes to return forged chain state while appearing clean to LayerZero's own monitoring tools. On the day of the exploit, the attacker launched a denial-of-service attack against an external RPC provider to force the DVN signing service onto the compromised nodes exclusively.
The result was a valid attestation for a fabricated cross-chain message. LayerZero again pointed blame to KelpDAO's single-DVN setup that allowed one valid attestation to unlock 116,500 rsETH on Ethereum. LayerZero says it will now refuse to sign as the sole required attestor on any channel. KelpDAO's rsETH recovery entered its final stage earlier this month, and Kelp resumed withdrawals on May 15.
ETHConf lands in NYC June 8-10, bringing together 5,000+ attendees, 150+ speakers, and 100+ companies across Ethereum, stablecoins, and institutional adoption.
Get your tickets at ethconf.com and use code ETHDAILY for 30% off General and 20% off VIP.
Disclaimer: Content is for informational and educational purposes only and does not constitute financial, investment, legal, or other professional advice. No representations or warranties are made as to accuracy, completeness, or timeliness. Use of this content is at your own risk, and you should consult a qualified professional before making decisions. No fiduciary or advisory relationship is created
Mantle DAO Approves Aave Loan
Mantle DAO authorized its treasury to lend up to 30,000 ETH to Aave DAO to help cover bad debt from the April 18 KelpDAO LayerZero exploit.
Mantle DAO passed a governance proposal authorizing its treasury to lend up to 30,000 ETH to Aave DAO to address bad debt stemming from the April 18 KelpDAO LayerZero exploit. The vote closed with 100% approval. The loan carries a variable interest rate of the Lido staking yield plus 1% APR and a maturity of up to 36 months.
As collateral, Aave will allocate 5% of protocol revenue and AAVE tokens with a fair market value of no less than $11 million to a designated multisig over which Mantle holds a first-priority lien. Mantle will also be delegated 130,000 AAVE tokens for governance during the loan.
Interest generated on the loan may be directed toward MNT burns or ecosystem development, and the deal accelerates Aave's native deployment on Mantle Network, with Aave V3 Mantle carrying the largest estimated WETH market exposure among all markets impacted by the exploit. The Mantle Foundation will now finalize definitive agreements with Aave DAO.
The Mantle loan adds to a growing recovery effort that includes Aave's liquidations of attacker rsETH positions and ArbitrumDAO's approval of its own rsETH recovery contribution.
Disclaimer: Content is for informational and educational purposes only and does not constitute financial, investment, legal, or other professional advice. No representations or warranties are made as to accuracy, completeness, or timeliness. Use of this content is at your own risk, and you should consult a qualified professional before making decisions. No fiduciary or advisory relationship is created
Aave Liquidates Attackers' rsETH Positions
Approximately 89,567 rsETH was seized from the April 18th KelpDAO attacker across Ethereum mainnet and Arbitrum V3 markets via a controlled oracle adjustment
Aave has successfully executed a controlled liquidation sequence on rsETH collateral from the April 18th KelpDAO attacker's positions on the lending protocol. Approximately 89,567 rsETH was seized from the attacker across the Ethereum mainnet and Arbitrum V3 markets.
A temporary oracle adjustment put the attacker's rsETH positions into a liquidatable state, after which the collateral was seized and swept to a recovery guardian multisig. The guardian flag was enabled, payloads executed, and then the flag was disabled, with all configuration changes fully reverted upon completion.
No other users were affected by the liquidation process. The recovered rsETH is now being redeemed for ETH through Kelp's standard redemption procedure, with the resulting ETH used to clear the deficit across affected Aave markets on Ethereum and Arbitrum. The full restoration of rsETH backing remains in its final stages.
Disclaimer: Content is for informational and educational purposes only and does not constitute financial, investment, legal, or other professional advice. No representations or warranties are made as to accuracy, completeness, or timeliness. Use of this content is at your own risk, and you should consult a qualified professional before making decisions. No fiduciary or advisory relationship is created