Kelp | Crypto

Solv Protocol and other DeFi projects are migrating to Chainlink infrastructure after the $293 million exploit exposed risks in third-party bridge and oracle setups. Decentralized finance protocols are reevaluating their blockchain oracle providers’ security after the fallout from the $293 million Kelp DAO exploit last month. Several protocols have announced migrations to Chainlink infrastructure in recent days, citing security concerns around third-party oracle and bridge providers. On Thursday, Bitcoin DeFi platform Solv Protocol announced it would migrate to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) and replace LayerZero bridges, citing an “extensive security review” concluding that CCIP provided the “strongest security assurances.”  A day earlier, liquidity protocol Tydro also said it was moving to Chainlink after its previous oracle provider, Chaos Labs, suffered an incident that prompted Tydro to pause markets over concerns about inaccurate price feeds. Read more

The Snapshot vote would move the recovery effort toward a binding onchain Arbitrum governance proposal. A joint proposal to release the roughly $71 million in Ether frozen after the Kelp DAO exploit is set to pass later on Thursday, moving a cross-protocol recovery effort closer to restoring part of rsETH’s backing. Over 90.5% of the tokens were cast in favor of the motion, representing 173.9 million Arbitrum (ARB) tokens, while 9.4%, or 18.1 million tokens, abstained. Less than 1%, or 1,700 tokens, voted against the proposal before the voting period’s scheduled end at 6:54 pm UTC, according to a Snapshot at the time of writing. Co-authored by Aave Labs, Kelp DAO, LayerZero, EtherFi and Compound, the proposal seeks to unfreeze the 30,765 Ether (ETH) that was frozen by Arbitrum’s Security Council on April 21, days after an attacker drained about 116,500 restaked Ether (rsETH) from Kelp Dao, worth between $290 million and $293 million at the time. Read more

The $292M exploit, linked to North Korean hackers, led Kelp to migrate its rsETH off LayerZero's "OFT" standard to Chainlink's "CCIP."

Gerstein Harrow has filed similar cases in the past, arguing its clients have a claim to funds stolen by the DPRK and frozen by crypto firms. A US law firm has filed a restraining notice to block the transfer of frozen Ether from the Kelp exploit, arguing that its clients are owed over $877 million in compensation and damages by North Korea.  Charlie Gerstein, a lawyer for US law firm Gerstein Harrow LLP, said in a post on the Arbitrum DAO forum on Friday that a New York district court signed off on a restraining notice and three writs of execution preventing the DAO from moving the Ether under threat of contempt of court. The law firm argued that its clients, who were not affected by the Kelp exploit, won default judgments against North Korea in three separate US court cases in 2010, 2015 and 2016 and are owed a collective $877 million in compensatory and punitive damages, plus interest. Read more

DeFi United published a technical plan to restore rsETH backing and unwind attacker-linked DeFi positions after the $293 million Kelp exploit. The Aave-linked recovery group DeFi United has published a technical implementation plan to restore rsETH backing after the April 18 Kelp bridge exploit released 116,500 rsETH, worth about $293 million at the time, without a corresponding burn on Unichain. The plan would convert committed Ether (ETH) into rsETH in tranches and deposit the tokens into the affected bridge lockbox, allowing the bridge to resume normal operations once the backing is restored. LayerZero and Kelp have also implemented additional security measures before the bridge returns to full operation, according to Aave.  In parallel, DeFi United plans to clear attacker-linked positions across Aave and Compound to recover collateral and resolve market impairments caused by the exploit. The group said seven addresses associated with the exploiter still hold active rsETH-backed positions on Aave and Compo...

More than $21 million in contributions has been made to the "DeFi United" relief effort so far, with another $215 million to be potentially allocated if certain governance proposals succeed. Aave Labs has proposed that the decentralized autonomous organization behind Arbitrum unfreeze $73.5 million in Ether tied to the Kelp DAO attack and to direct those funds to “DeFi United,” a fund aimed at restoring rsETH and compensating its holders. Last week, the Arbitrum Security Council moved to freeze 30,765 Ether (ETH) held in a wallet connected to the $293 million Kelp exploit.  In a proposal posted Saturday on the Arbitrum governance forum, Aave Labs said directing those funds to a planned remediation effort would “restore normal conditions for Arbitrum users” and the wider ecosystem and that the Ether on Arbitrum “represents a material contribution” toward restoring the Kelp DAO restaked ETH (rsETH) token. Read more

The wallet linked to the Kelp DAO exploit appears to have laundered most of the $175 million worth of stolen Ether, while another $71 million remains frozen by Arbitrum’s security council. The exploiter behind the roughly $293 million Kelp DAO hack appears to have laundered nearly all of the unfrozen Ether stolen in the attack, narrowing recovery efforts to the tranche Arbitrum’s security council managed to freeze. The Kelp Dao hacker appears to have laundered nearly all of the 75,700 Ether (ETH) stolen from the protocol on Saturday. The hacker primarily used the THORChain to swap the Ether for Bitcoin (BTC), generating about $910,000 in fee revenue for the protocol, according to blockchain analyst EmberCN in a Thursday X post. The attacker began moving the funds on Tuesday, sending roughly 75,700 ETH, worth about $175 million at the time, into newly created wallets before routing the assets through THORChain and privacy protocol Umbra. Arkham data showed the attacker’s tagged main wallet had been largely emp...

Aave’s supplied balance has tanked since the Kelp DAO bridge exploit, as users pull funds amid uncertainty over how much of the rsETH-linked shortfall the protocol will ultimately absorb. Aave, the largest decentralized lending protocol, has seen around $15 billion in deposits withdrawn since the Kelp Dao exploit on Saturday.  Total value supplied to Aave fell from $45.8 billion on Saturday to $30.8 billion on Wednesday, according to Aavescan data. The decline followed an attack that drained about 116,500 restaked Ether (rsETH), worth roughly $293 million, from Kelp DAO’s LayerZero-powered rsETH bridge. The exploiter then used part of the stolen funds to borrow on Aave. Read more

DPRK-linked crypto theft topped $578M in April after the Kelp DAO exploit, as attacks continue to expand across protocols, companies and end users. Kelp DAO suffered a $292 million hack on Saturday, overtaking Drift as the largest crypto exploit of the year so far. North Korea-linked hackers are suspected to be behind the attack. Kelp DAO said Monday that the exploit stemmed from a failure of cross-chain messaging protocol LayerZero’s infrastructure. LayerZero said the breach was enabled by Kelp DAO’s use of a single verifier configuration to approve cross-chain messages. LayerZero said that “preliminary indicators” attributed the exploit to TraderTraitor, a subgroup of North Korea’s state-backed hacking unit known as Lazarus Group.  Read more

Umbra has shut down its front end to stop hackers, but says it can’t stop the use of its smart contracts or another version of its open-source front end. Privacy-focused crypto protocol Umbra said it has taken down its front-end website to make it more difficult for hackers who have been using it to move funds from recent “high-profile hacks.” Umbra posted to X on Tuesday that it is aware that around $800,000 worth of stolen funds were moved via its protocol. It added that it made the decision to move the hosted version of its front end into maintenance mode and would restore it “as soon as we are assured that doing so won't create obstacles to the current recovery efforts.” Read more

The Kelp DAO attacker has moved $175 million of stolen Ether in an apparent bid to start laundering it after the $290 million exploit. The attacker behind the roughly $290 million Kelp DAO exploit began moving tens of thousands of Ether to newly created blockchain addresses on Tuesday, in what appears to be an effort to start laundering the stolen funds. The wallet tagged by Arkham as linked to the Kelp DAO exploit moved about 75,700 Ether (ETH) worth roughly $175 million across three transactions on Tuesday, including a 25,000 ETH transfer to one newly created address and transfers of 50,700 ETH and 0.7 ETH to another. Blockchain investigator ZachXBT wrote in a Tuesday Telegram post that addresses tied to the exploit had begun moving funds through THORChain and Umbra. He flagged three THORChain transactions totaling about $1.5 million and a separate $78,000 transfer through Umbra. Read more

Aave published a report outlining two possible outcomes: around $123 million in losses if damage is shared across all rsETH, or up to $230 million if confined to Layer 2s, with the final impact depending on how Kelp DAO allocates the shortfall.

LayerZero said that Kelp’s DVN setup allowed the $290 million exploit, as investors questioned which protocol would step up to cover the shortfall. Interoperability protocol LayerZero claims that an inadequate setup tied to Kelp’s decentralized verifier network (DVN) enabled malicious actors to steal $290 million from Kelp DAO, adding that preliminary signs point to North Korea-linked threat actors. An attacker drained about 116,500 Restaked ETH (rsETH), worth as much as $293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge on Saturday. LayerZero said Monday that the exploit stemmed from a single point of failure in Kelp’s setup, which relied on a single LayerZero DVN as the only verified path, despite LayerZero previously advising them against this. Read more

The Aave token fell nearly 20% to $89.5 in just over 24 hours as users withdrew billions of dollars from the lending protocol. Total value locked on decentralized lending protocol Aave dropped by nearly $8 billion over the weekend after hackers behind the $293 million Kelp DAO exploit borrowed funds on Aave, leaving roughly $195 million in “bad debt” on the protocol and triggering withdrawals. Data from DeFiLlama shows that Aave’s TVL fell from about $26.4 billion to $18.6 billion by Sunday, losing the top spot as the largest DeFi protocol.  Aave v3’s lending pools for USDt (USDT) and USDC (USDC) are now at 100% utilization, meaning that more than $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity arrives or borrows are repaid.  Read more

2026 is shaping up to be DeFi's "worst year in terms of hacks," Ledger's CTO said, as the Kelp exploit shows how a single point of failure can cascade across systems.

The contagion from the Kelp exploit could have been contained, but at the cost of capital efficiency, according to the founder of Curve Finance. The exploit of the Kelp liquid restaking protocol shows how non-isolated lending and integrations in decentralized finance (DeFi) can cause broader ecosystem contagion, according to crypto industry executives and blockchain security firms. Non-isolated lending on DeFi platforms, including earlier versions of the Aave lending protocol, exposes users to risks from all the various tokens used as collateral on the platforms, according to Michael Egorov, founder of the Curve Finance DeFi protocol. Kelp was the target of a cyber attack on Saturday, causing the platform to pause smart contracts for its restaking token (rsETH) while it moved to investigate the attack that left the platform drained of about $293 million. DeFi teams should also vet prospective digital assets to ensure that tokens do not feature single points of failure or attack surfaces before approving token...

The attack caused a "cross-protocol contagion" that has impacted at least nine crypto protocols, blockchain security firm Cyvers said. Kelp, a liquid restaking protocol, was the victim of a cyber attack on Saturday, causing the platform to pause smart contracts for its restaking token (rsETH), as it “investigates” the attack amid reports of hundreds of millions of dollars in losses. “Earlier today, we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several Layer-2s,” the Kelp platform said in an X post. The attacker exploited the rsETH adapter bridge contract, the software code that manages Kelp’s rsETH token, and drained the platform of about $293 million in funds, according to blockchain security firm Cyvers. Read more