Kelp Completes Bridge Hardening After April 18 Exploit, Moves To 4-Dvn Verification

What Happened: The April 18 Exploit

@KelpDAO has completed a full security hardening of its bridging infrastructure, eleven days after suffering what became the largest DeFi exploit of 2026. On April 18, an attacker drained 116,500 $rsETH from Kelp DAO's LayerZero-powered bridge at 17:35 UTC, worth roughly $292 million at current prices and representing about 18% of rsETH's 630,000-token circulating supply.

The target of the attack was not KelpDAO's own contracts nor the LayerZero contracts themselves — it was the off-chain infrastructure that LayerZero Labs operated to watch the source chain on KelpDAO's behalf. The attacker first compromised two of the RPC nodes used by LayerZero's DVN, then launched a distributed denial-of-service attack against the remaining clean servers, forcing LayerZero's verification system to fail over to the compromised nodes. With control of the verification layer, the attacker forged a cross-chain message that tricked Kelp's bridge into releasing 116,500 rsETH to an attacker-controlled address.

The rsETH bridge had been configured with a single verifier — LayerZero Labs' DVN — with no second DVN required to agree. Kelp's emergency pauser multisig froze the protocol's core contracts 46 minutes after the drain. Two follow-up attempts at 18:26 UTC and 18:28 UTC both reverted, each carrying the same LayerZero packet attempting another 40,000 rsETH drain worth roughly $100 million.

The Hardening: Four Independent Attestors, Hub-and-Spoke Routing

In response, @KelpDAO has now overhauled its verification architecture. Verification requires four independent attestors — Canary, Horizen, LayerZero Labs, and Nethermind — all four of which must confirm messages in both directions on every pathway. Each runs on independent infrastructure and RPC endpoints across separate jurisdictions, eliminating the single point of failure that made the original attack possible.

Block confirmations have been raised from 42 to 64 across all chains, increasing the cost of reorg-based attacks. The bridge topology has also shifted from a full mesh to a hub-and-spoke model, with all L2-to-L2 routes deprecated and every pathway now routing exclusively through Ethereum.

The hardening is described as an interim measure. LayerZero has said it will no longer sign messages for any project running a single-verifier configuration. Kelp's next steps include sunsetting low-TVL spoke chains, reactivating bridging in tranches, evaluating in-built rate limits for $rsETH, and investigating a more secure cross-chain infrastructure provider altogether. A firm timeline is expected to follow.

The exploit has reignited a broader debate about bridge security defaults. Bridge hacks like the $292 million Kelp DAO exploit keep happening because bridges rely on trusted intermediaries and external data sources rather than fully verifying blockchain activity — a problem that is structural, not just a matter of bugs or mistakes.

Sources
CoinDesk — Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains
Chainalysis — Inside the KelpDAO Bridge Exploit
Hypernative — The KelpDAO Observation-Layer Exploit