
LayerZero Publishes Full Post-Mortem On $292M KelpDAO Exploit
LayerZero Labs traces the $292M April 18 attack on KelpDAO's rsETH bridge to TraderTraitor, a developer machine compromise, and poisoned internal RPC nodes.
LayerZero Labs published a full post-mortem on the April 18 attack on KelpDAO's rsETH bridge. LayerZero attributed the attack to TraderTraitor, the same group behind the $1.5B Bybit hack in February 2025. The attack began six weeks earlier, on March 6, when an attacker tricked a LayerZero developer into cloning a malicious GitHub repo that dropped malware on their macOS machine, harvesting session keys and opening a path into LayerZero's internal RPC infrastructure.
The attacker quietly poisoned two internal RPC nodes to return forged chain state while appearing clean to LayerZero's own monitoring tools. On the day of the exploit, the attacker launched a denial-of-service attack against an external RPC provider to force the DVN signing service onto the compromised nodes exclusively.
The result was a valid attestation for a fabricated cross-chain message. LayerZero again blamed KelpDAO's single-DVN setup, which allowed one valid attestation to unlock 116,500 rsETH on Ethereum. LayerZero says it will now refuse to sign as the sole required attestor on any channel. KelpDAO's rsETH recovery entered its final stage earlier this month, and Kelp resumed withdrawals on May 15.
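An added example, not code from LayerZero or the original article: a fail-closed read of chain state before signing, which refuses to proceed when endpoints disagree or when a whole trust domain (here the external provider) is unreachable. The endpoint labels, the two-domain split and the function name are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RpcAnswer:
    source: str                 # hypothetical endpoint label
    domain: str                 # who operates the node: "internal" or "external"
    block_hash: Optional[str]   # None = endpoint timed out or errored

def check_chain_state(answers, required_domains=("internal", "external")):
    """Return (True, block_hash) only when every live endpoint agrees and each
    required trust domain contributed an answer; otherwise (False, reason)."""
    live = [a for a in answers if a.block_hash is not None]
    if not live:
        return False, "no endpoint answered"
    counts = Counter(a.block_hash for a in live)
    if len(counts) > 1:
        # Any disagreement is an alert condition, never a majority vote.
        return False, "endpoints disagree"
    missing = sorted(set(required_domains) - {a.domain for a in live})
    if missing:
        # Fail closed: an unreachable domain must not shrink the quorum.
        return False, "no answer from: " + ", ".join(missing)
    return True, live[0].block_hash

# Constructed sample data (not real hashes or endpoints).
HONEST, FORGED = "0x" + "aa" * 32, "0x" + "bb" * 32

NORMAL_DAY = [
    RpcAnswer("internal-1", "internal", HONEST),
    RpcAnswer("internal-2", "internal", HONEST),
    RpcAnswer("external-1", "external", HONEST),
]
# External provider unreachable while both internal nodes serve forged state.
EXTERNAL_DOWN = [
    RpcAnswer("internal-1", "internal", FORGED),
    RpcAnswer("internal-2", "internal", FORGED),
    RpcAnswer("external-1", "external", None),
]
# External provider reachable: the forged state is exposed by the mismatch.
EXTERNAL_UP = EXTERNAL_DOWN[:2] + [RpcAnswer("external-1", "external", HONEST)]

if __name__ == "__main__":
    for name, case in [("normal", NORMAL_DAY), ("external down", EXTERNAL_DOWN),
                       ("external up", EXTERNAL_UP)]:
        print(name, check_chain_state(case))
```

The second scenario is the one that matters: two agreeing internal nodes are not treated as sufficient once the independent source goes silent.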

ETHConf lands in NYC June 8-10, bringing together 5,000+ attendees, 150+ speakers, and 100+ companies across Ethereum, stablecoins, and institutional adoption.
Get your tickets at ethconf.com and use code ETHDAILY for 30% off General and 20% off VIP.
Disclaimer: Content is for informational and educational purposes only and does not constitute financial, investment, legal, or other professional advice. No representations or warranties are made as to accuracy, completeness, or timeliness. Use of this content is at your own risk, and you should consult a qualified professional before making decisions. No fiduciary or advisory relationship is created.

Ethereum Foundation Launches Clear Signing Standard
The standard ships ERC-7730 descriptors, a neutral mirrorable registry, ERC-8176 auditor attestations on EAS, and ERC-8213 cryptographic fingerprints, with Ledger, Trezor, MetaMask, and WalletConnect onboard.
The Ethereum Foundation launched Clear Signing, an open standard designed to end blind signing, where raw hex transaction data is approved without signers being able to read what they're signing. The standard ships four coordinated infrastructure pieces: an updated ERC-7730 for human-readable transaction descriptors, a neutral mirrorable registry, ERC-8176 for auditor attestations built on the Ethereum Attestation Service, and ERC-8213 for cryptographic fingerprints.
The Clear Signing working group members include Ledger, Trezor, MetaMask, WalletConnect, Cyfrin, Fireblocks, Zama, and Sourcify. Its guiding principle is "What You See Is What You Sign." ERC-7730 descriptors map contract function calls to readable intents and field-rendering instructions, converting raw calldata into a readable display. The descriptors are curated by protocol teams, reviewed, and collected in the EF-hosted registry. Protocols can add support without redeploying contracts.
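An added illustration, not taken from the standard or the article: a minimal descriptor-driven renderer that turns calldata into labelled fields and returns nothing when it cannot fully describe the call. The descriptor layout is a simplified stand-in and is not the ERC-7730 schema; the two selectors are the standard ERC-20 `transfer` and `approve` selectors, and the sample calldata is constructed.

```python
# Simplified stand-in descriptors keyed by 4-byte selector (NOT the ERC-7730 schema).
DESCRIPTORS = {
    "a9059cbb": {"intent": "Send tokens",          # ERC-20 transfer(address,uint256)
                 "fields": [("To", "address"), ("Amount", "uint256")]},
    "095ea7b3": {"intent": "Approve spender",      # ERC-20 approve(address,uint256)
                 "fields": [("Spender", "address"), ("Allowance", "uint256")]},
}
MAX_UINT256 = 2**256 - 1

def render(calldata_hex):
    """Return display lines for the call, or None if it cannot be described.
    None means the wallet would be blind signing and should say so."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return None
    desc = DESCRIPTORS.get(data[:4].hex())
    if desc is None:
        return None                       # unknown function: no descriptor
    args = data[4:]
    if len(args) != 32 * len(desc["fields"]):
        return None                       # missing or trailing bytes
    lines = [desc["intent"]]
    for i, (label, kind) in enumerate(desc["fields"]):
        word = args[32 * i:32 * (i + 1)]
        if kind == "address":
            if any(word[:12]):
                return None               # dirty upper bytes in an address word
            shown = "0x" + word[12:].hex()
        else:
            n = int.from_bytes(word, "big")
            # Raw integer units; token decimals are out of scope here.
            shown = "UNLIMITED" if n == MAX_UINT256 else str(n)
        lines.append(f"{label}: {shown}")
    return lines

# Constructed sample calldata (addresses are filler bytes, not real accounts).
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "11" * 20 + (1000).to_bytes(32, "big").hex()
SAMPLE_APPROVE_MAX = "0x095ea7b3" + "00" * 12 + "22" * 20 + "ff" * 32
SAMPLE_UNKNOWN = "0xdeadbeef" + "00" * 32

if __name__ == "__main__":
    for sample in (SAMPLE_TRANSFER, SAMPLE_APPROVE_MAX, SAMPLE_UNKNOWN):
        print(render(sample) or "UNDESCRIBED CALL: blind signing")
```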


ArbitrumDAO Approves rsETH Recovery Effort
ArbitrumDAO voted 90.96% in favor of routing 30,765.67 ETH frozen from the KelpDAO exploiter to the DeFi United recovery multisig.
ArbitrumDAO approved a temperature check vote to release 30,765.67 ETH frozen by the Arbitrum Security Council following the April 18 KelpDAO exploit. The vote passed on May 7 with 90.96% in favor and effectively no opposition.
The frozen ETH was seized from the exploiter on Arbitrum One on April 21 and moved to a protocol-controlled address pending a governance decision on its destination. This proposal routes those funds into the coordinated DeFi United recovery effort, a 3-of-4 multisig controlled by signers from Aave Labs, KelpDAO, EtherFi, and Certora.
The funds will be applied toward restoring rsETH's backing. The next steps involve a 3-day voting delay once the vote is submitted for onchain execution, a 14-day vote, an 8-day L2 waiting period, a 1-week L1 message finalization, and a final 3-day L1 waiting period before execution. In total, approximately 42 days remain before the transfer is fully executed.

