
Arbitrum Freezes 30,766 ETH From KelpDAO Exploiter
The Arbitrum Security Council executed an emergency upgrade to freeze $71M in ETH tied to the KelpDAO exploit, briefly modifying an inbox contract to impersonate the exploiter.
The Arbitrum Security Council executed an emergency upgrade to freeze 30,766 ETH from an address involved in the KelpDAO exploit. As part of the recovery effort, $71 million in ETH was moved from the exploiter's wallet into a frozen intermediary address. The funds will remain frozen until an Arbitrum DAO vote approves further action.
Council member Patrick McCorry explained that the council briefly modified the chain's inbox contract on L1 to include a function enabling cross-chain messages that could impersonate any sender. Using this capability, a single transaction impersonated the exploiter's address to transfer the funds. Immediately afterward, the inbox contract was restored to its original state.
The Arbitrum DAO will need to decide how to allocate the recovered funds: whether to use them to compensate Aave users for losses or return them to KelpDAO to help restore rsETH backing.
Update (May 4, 2026): A U.S. law firm has filed a restraining notice in SDNY seeking to claim the frozen 30,766 ETH for its own clients, citing the exploit's attribution to North Korea's Lazarus Group. Aave LLC has filed an emergency motion to vacate the notice and is requesting a $300M bond if it stands. The DAO transfer vote remains legally blocked pending the court's decision.

EarnUSD is a stablecoin vault by Lido for earning transparent, onchain USD-denominated rewards. Get started today at stake.lido.fi/earn
Disclaimer: Content is for informational purposes only, not endorsement or investment advice. The accuracy of information is not guaranteed.

LayerZero RPC-Poisoning Attack
LayerZero attributed the KelpDAO exploit to an RPC-poisoning attack by the TraderTraitor subgroup of North Korea's Lazarus Group.
LayerZero published a statement claiming the $290 million KelpDAO exploit stemmed from a sophisticated RPC-poisoning attack that manipulated its DVN's verification process. It attributed the attack to the TraderTraitor subgroup of North Korea's Lazarus Group. According to LayerZero, the attackers compromised RPC nodes and fed forged data directly to the DVN while masking activity from monitoring systems.
LayerZero Labs placed responsibility on KelpDAO, arguing that its 1-of-1 DVN configuration enabled the exploit, even though LayerZero's own DVN was the sole verifier KelpDAO relied on. LayerZero stated that it will no longer support single-DVN setups. The company did not outline any plans to compensate affected users. Aave subsequently froze WETH and LST markets as the exploit rippled through DeFi.


KelpDAO Loses $290M In LayerZero Bridge Exploit
An attacker released 116,500 rsETH from KelpDAO's bridge contract on Ethereum mainnet without a corresponding burn on L2.
KelpDAO, a liquid restaking protocol, suffered a $290 million exploit involving its LayerZero-powered cross-chain bridge. On April 18, 2026, at approximately 17:35 UTC, an attacker was able to release 116,500 rsETH from the bridge contract on Ethereum mainnet without a corresponding burn event on a Layer 2. The amount represents roughly 18% of the rsETH circulating supply.
The attacker exploited a single point of failure in KelpDAO's 1-of-1 Decentralized Verifier Network (DVN) configuration, in which LayerZero Labs' DVN acted as the sole verifier. The funds were quickly distributed across multiple wallets and used as collateral across Aave V3, Compound V3, and Euler, allowing the attacker to borrow an estimated $236 million in WETH. Aave is facing significant bad debt exposure, potentially exceeding $170 million across deployments.
Tensions between LayerZero Labs, KelpDAO, Aave, and users are escalating as attribution of the attack remains unconfirmed, with responsibility still disputed. LayerZero has since attributed the attack to North Korea's Lazarus Group. Aave froze ETH and LST markets in response, and Fluid launched an aWETH redemption protocol to help stranded lenders.
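
A simplified model of the failure described above and in LayerZero's statement, added here as an illustration: it is not LayerZero or KelpDAO code, and the `Verifier` class, message fields and sample data are constructed assumptions. It shows why a 1-of-1 verifier set releases funds for a burn that never happened once that verifier's RPC view is poisoned, while a 2-of-3 set with independent RPC views does not.

```python
import hashlib

def payload_hash(msg):
    """Hash the fields a verifier attests to (constructed message format)."""
    canon = f"{msg['guid']}|{msg['recipient']}|{msg['amount']}"
    return hashlib.sha256(canon.encode()).hexdigest()

class Verifier:
    """Hypothetical verifier that trusts whatever its own RPC endpoint reports."""
    def __init__(self, name, rpc_view):
        self.name = name
        self.rpc_view = rpc_view  # guid -> burn message as seen through this RPC

    def attest(self, guid):
        msg = self.rpc_view.get(guid)
        return payload_hash(msg) if msg is not None else None

def bridge_accepts(claimed, verifiers, threshold):
    """Release on the destination only if >= threshold verifiers attest to
    exactly the claimed payload."""
    want = payload_hash(claimed)
    votes = sum(1 for v in verifiers if v.attest(claimed["guid"]) == want)
    return votes >= threshold

# Constructed sample data. The honest source-chain view holds one real burn;
# the poisoned view additionally reports a burn that never happened.
REAL_BURN = {"guid": "g-1", "recipient": "0xUSER", "amount": 10}
FORGED = {"guid": "g-2", "recipient": "0xPLACEHOLDER", "amount": 116500}
HONEST_VIEW = {"g-1": REAL_BURN}
POISONED_VIEW = {"g-1": REAL_BURN, "g-2": FORGED}

def scenario(claimed, n_verifiers, threshold, n_poisoned):
    """Build n_verifiers with independent RPC views, n_poisoned of them fed
    forged data, and report whether the bridge would release."""
    verifiers = [
        Verifier(f"dvn{i}", POISONED_VIEW if i < n_poisoned else HONEST_VIEW)
        for i in range(n_verifiers)
    ]
    return bridge_accepts(claimed, verifiers, threshold)

if __name__ == "__main__":
    print("1-of-1, 1 poisoned:", scenario(FORGED, 1, 1, 1))
    print("2-of-3, 1 poisoned:", scenario(FORGED, 3, 2, 1))
    print("2-of-3, real burn :", scenario(REAL_BURN, 3, 2, 1))
```

The threshold only helps when the verifiers' RPC sources are independent: in this model, two verifiers reading the same poisoned view are enough to pass a 2-of-3 check.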

