Kelp DAO Bridge Exploit Drains $292 Million in Cross-Chain Attack

A cross-chain bridge tied to liquid restaking protocol Kelp DAO has been exploited, with roughly $292 million in tokens siphoned out, CoinDesk reported. The attack occurred at 17:35 UTC last weekend and targeted Kelp DAO's bridge integration supported by LayerZero. The hacker ultimately extracted 116,500 rsETH, an amount valued at about $292 million at current prices. CoinGecko data cited by CoinDesk shows this equals roughly 18% of rsETH's circulating supply, estimated at 630,000 tokens. LayerZero provides cross-chain messaging infrastructure designed to transmit verified instructions between blockchains. Kelp DAO, a liquid restaking protocol, accepts user-deposited ETH, routes it through EigenLayer to earn additional yield beyond standard Ethereum staking rewards, and issues rsETH as a tradable token. According to the report, the compromised bridge held rsETH reserves used to back wrapped rsETH deployed across more than 20 other blockchains. The attacker is said to have tricked LayerZero's messaging layer into treating a forged message as a valid instruction from another network, prompting the bridge to release funds to attacker-controlled addresses. Kelp DAO activated its emergency pause multisig and froze core contracts 46 minutes after the theft, at 18:21 UTC. Two follow-up attempts at 18:26 and 18:28 UTC failed, each reusing the same LayerZero data packet and seeking to take an additional 40,000 rsETH, worth about $100 million. Shorya Malwa