KelpDAO rsETH / LayerZero Bridge Security Incident Report

2026-04-28 Sooho

https://www.sooho.io/articles/kelpdao-rseth-layerzero-%EB%B8%8C%EB%A6%BF%EC%A7%80-%EB%B3%B4%EC%95%88-%EC%82%AC%EA%B3%A0-%EB%A6%AC%ED%8F%AC%ED%8A%B8

Attachments

1777012774817.pdf (3 MB)

SOOHO.IO's bulletin describes the April 18, 2026 KelpDAO rsETH bridge incident, in which 116,500 rsETH, about $290 million to $294 million, was released from the Ethereum escrow contract without a valid source-chain burn. The source frames the failure as an off-chain trust and configuration problem rather than a smart contract bug: KelpDAO relied on a single LayerZero DVN, and the verifier's RPC infrastructure accepted a forged cross-chain message. The attacker moved stolen rsETH into lending protocols before emergency freezes and blacklists, creating about $236 million in possible secondary exposure while Arbitrum governance later secured roughly $71 million. The excerpt does not attribute the attack to DPRK, so the summary preserves the incident mechanics without adding unsupported actor claims.
