According to on-chain data, the Kelp DAO appears to have just had 116,500 rsETH withdrawn from the LayerZero cross-chain bridge on Saturday, with an estimated value of approximately $292 million.
The withdrawal transaction occurred at approximately 00:35 AM (Vietnam time). Specifically, the attacker's wallet called the lzReceive function on the LayerZero EndpointV2 contract, thereby triggering the Kelp bridge to transfer 116,500 rsETH to another address controlled by the attacker (based on the transaction log).
The hacked address was " Capital" approximately 10 hours prior via Tornado Cash (pool 1 ETH) – a common method to conceal the source of funds in DeFi exploits. ZachXBT also stated that the hacked addresses were Capital via Tornado Cash and that the incident affected Ethereum and Arbitrum.
Kelp reacted quite quickly. Around 01:21 AM (Vietnam time), the project's emergency multisig wallet triggered pauseAll, causing a number of key components of the protocol to temporarily stop, including the deposit pool, withdrawal contracts, oracle, and even the rsETH Token .
Around 3:10 AM, Kelp posted a public announcement confirming that they had detected unusual cross-chain activity related to rsETH, had temporarily suspended rsETH contracts on the mainnet and some L2 servers for investigation, and were coordinating with LayerZero, Unichain, the audit team, and security experts to trace the cause.
The attacker also attempted two more withdrawals at approximately 1:26 AM and 1:28 AM, but both failed (the attempts were reversed), indicating that the "pause" command blocked the subsequent withdrawals. These two attempts were believed to be aimed at withdrawing an additional 40,000 rsETH (approximately $100 million); if successful, the total loss could have reached approximately $391 million.
The incident is believed to have targeted LayerZero's OFT (Omnichain Fungible Token) bridge, which Kelp uses to transfer rsETH between networks. The 116,500 rsETH stolen is equivalent to approximately 18% of the circulating rsETH supply.
Following the incident, AAVE price dropped by approximately 10% due to concerns that AAVE might incur "bad debt" related to rsETH. AAVE stated that it has frozen the rsETH market on AAVE V3/V4, and affirmed that the problem stemmed from rsETH itself, not AAVE's smart contracts; they are reviewing rsETH loans incurred after the exploit and will update their handling plan if any shortfalls are found.
Follow CoinMoi to stay updated on the hottest issues in the crypto market. Okay!!
The article "Kelp DAO hacked, rsETH bridge loses up to $292 million" first appeared on CoinMoi .
