KelpDAO rsETH $292M Bridge Exploit (Explained)
2026-04-23 • Quill Audits
https://www.quillaudits.com/blog/hack-analysis/kelp-dao-hack
Lazarus Group’s TraderTraitor cluster is preliminarily linked to a $292M KelpDAO rsETH bridge exploit that abused a 1-of-1 LayerZero DVN setup rather than a smart contract flaw. The attacker allegedly poisoned RPC infrastructure used by LayerZero’s DVN, forced failover from clean nodes, and made the verifier accept a forged Unichain message for a nonexistent 116,500 rsETH burn. The forged attestation released rsETH on Ethereum, after which attacker-controlled EOAs used the unbacked collateral in DeFi lending markets to borrow and consolidate ETH. KelpDAO paused the protocol 46 minutes after the drain, blocking two further forged-message attempts, while Arbitrum later froze 30,766 ETH linked to the exploit.
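An added example, not code from Quill Audits, LayerZero or KelpDAO: a toy Python model of the verification weakness summarized above. It compares a verifier that fails over to whichever RPC node answers with one that requires agreeing answers and fails closed, under 1-of-1 and 2-of-2 verifier thresholds. The function names, RPC stubs and message id are constructed for illustration and do not reflect LayerZero's actual DVN interfaces.

```python
from collections import Counter

CLAIMED_BURN = 116_500  # rsETH amount in the forged message, per the summary above

# Constructed RPC endpoints: each returns the burn it sees for a message, or None if unreachable.
def clean(_msg_id): return 0                # honest node: no such burn on the source chain
def poisoned(_msg_id): return CLAIMED_BURN  # attacker-influenced node confirms the forgery
def down(_msg_id): return None              # clean node made unavailable, forcing failover

def failover_check(pool, msg_id, claimed):
    """Weak verifier: trusts the first endpoint that answers."""
    for rpc in pool:
        seen = rpc(msg_id)
        if seen is not None:
            return seen == claimed
    return False

def quorum_check(pool, msg_id, claimed, quorum=2):
    """Hardened verifier: needs `quorum` matching answers, otherwise fails closed."""
    answers = [a for a in (rpc(msg_id) for rpc in pool) if a is not None]
    if len(answers) < quorum:
        return False  # too few live endpoints: reject instead of failing over
    value, votes = Counter(answers).most_common(1)[0]
    return votes >= quorum and value == claimed

def bridge_accepts(verifiers, required, msg_id, claimed):
    """Release funds only if at least `required` verifiers attest to the burn."""
    votes = sum(1 for check, pool in verifiers if check(pool, msg_id, claimed))
    return votes >= required

MSG = "constructed-message-id"            # hypothetical identifier
attacked_pool = [down, down, poisoned]    # clean nodes offline, poisoned node answers
independent_pool = [clean, clean, clean]  # a second operator's own infrastructure

def scenarios():
    """Return whether the forged message is accepted under each configuration."""
    one = [(failover_check, attacked_pool)]
    one_q = [(quorum_check, attacked_pool)]
    two = [(failover_check, attacked_pool), (failover_check, independent_pool)]
    return {
        "1-of-1, failover": bridge_accepts(one, 1, MSG, CLAIMED_BURN),
        "1-of-1, quorum": bridge_accepts(one_q, 1, MSG, CLAIMED_BURN),
        "2-of-2, failover": bridge_accepts(two, 2, MSG, CLAIMED_BURN),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: forged message {'ACCEPTED' if accepted else 'rejected'}")
```

In this model a quorum only helps while fewer than `quorum` endpoints in a pool are attacker-influenced, and a second verifier only helps if its infrastructure is genuinely independent of the first.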
Indicators of Compromise