kelpdao

According to monitoring by Shield, the KelpDAO attackers have begun to transfer the stolen assets: they transferred some of the stolen ETH from the Ethereum mainnet across to Arbitrum via the Across Protocol, then exchanged it for USDT, and routed it to the TRON DAO ecosystem through LayerZero.This path shows that the attackers are diversifying and laundering funds through multi-chain bridges and stablecoin conversion methods, and the subsequent flow of funds still needs to be continuously tracked.

According to a Bloomberg report citing Jefferies, a hacker attack on small crypto projects over the weekend, involving nearly $300 million, and the subsequent $10 billion fund run at the largest decentralized lending platform (the KelpDAO and Aave incident), may weaken Wall Street's interest in blockchain technology.Andrew Moss, an analyst at Jefferies' digital asset research team, pointed out that over the past year, banks, asset management companies, and payment institutions have been developing blockchain products similar to the technology system exploited by North Korean hackers. The report suggests that while such incidents are unlikely to directly impact traditional financial markets, it warns that traditional financial institutions may pause related processes and reassess risks before further advancing blockchain business.

According to on-chain analyst Specter (@SpecterAnalyst), the North Korean hacker group TraderTraitor began laundering stolen funds from KelpDAO early this morning Beijing time, just three hours after the Arbitrum Council froze 30.7 ETH (approximately $71 million).The attackers split the remaining funds into three wallets, holding approximately 25,000 ETH (about $57.6 million), 25,700 ETH (about $59.2 million), and 25,000 ETH (about $57.9 million), with the third wallet immediately starting the laundering process, currently holding about 3,800 ETH (approximately $8 million). The funds are primarily being bridged to the Bitcoin network via THORChain, with about 99% of the funds flowing through this protocol, causing THORChain's trading volume to surge to $211 million that day, more than ten times its 30-day average, generating approximately $189,000 in fees.During this laundering process, the funds were also mixed with illicit proceeds from the BTC Turk (2025) and Bybit (2025) hacking incidents, with related funds currently tracked on the Bitcoin network totaling approximately 442 BTC (about $33 million), and the entire laundering process has utilized over 400 addresses.

On-chain investigator ZachXBT updated that the funds related to the KelpDAO attack have begun to be transferred, with approximately $1.5 million being cross-chain transferred from the Ethereum mainnet to the Bitcoin network via Thorchain, and another approximately $78,000 being transferred through Umbra.The initial source of funds for the related attack addresses came from Tornado Cash, and the money laundering and cross-chain transfers are still ongoing.

According to monitoring by PeckShield, the KelpDAO attackers have transferred 75,700 ETH to 2 new addresses.

The Arbitrum Security Committee announcement has taken emergency action to rescue 30,766 ETH stored at the Arbitrum One address, which is related to the KelpDAO vulnerability. With the assistance of law enforcement, the Security Committee identified the attacker and has always ensured that the safety and integrity of the Arbitrum community are maintained without affecting any Arbitrum users or applications.After extensive technical investigation and review, the Security Committee identified and executed a technical solution to transfer the funds to a secure location without impacting the state of any other chains or Arbitrum users. As of 11:26 PM Eastern Time on April 20, the funds have been successfully transferred to an intermediate frozen wallet. The address that originally held the funds can no longer access them, and only the Arbitrum governance body can take further action to transfer these funds, which will be coordinated with the relevant parties.

The USDT0 cross-chain bridging infrastructure has resumed normal operations today, with system integrity and risk exposure unaffected. All in-transit transactions submitted before the suspension have been safely settled.Previously, USDT0 suspended OFT bridging services as a precautionary measure pending the investigation of the KelpDAO rsETH incident, emphasizing that USDT0 has no risk exposure related to this incident, and all USDT0 tokens remain fully backed 1:1 by USDT.

According to SlowMist founder Yu Xian (@evilcos), the core of the KelpDAO theft incident, which involved approximately $290 million, was a targeted poisoning attack on the downstream RPC infrastructure of LayerZero DVN (Decentralized Validator Network).The specific attack steps were: first, obtaining the list of RPC nodes used by LayerZero DVN, then breaching two independent clusters and replacing the op-geth binary file; using selective deception techniques to return forged malicious payloads only to DVN while returning real data to other IPs; simultaneously launching DDoS attacks on the unbreached RPC nodes, forcing DVN to failover to the poisoned nodes, completing the forged message verification, and then the malicious binary self-destructing and clearing logs. This ultimately led to LayerZero DVN issuing validations for "transactions that never occurred."

LayerZero Labs released an incident report stating that KelpDAO suffered an attack resulting in a loss of approximately $290 million. Preliminary assessments indicate that the attacker is the Lazarus Group, which has ties to North Korea (more specifically, TraderTraitor). The attack was executed by poisoning the downstream RPC infrastructure relied upon by its decentralized verification network (DVN). The attacker controlled some RPC nodes and, in conjunction with a DDoS attack, induced the system to switch to malicious nodes, thereby forging cross-chain transactions.All affected RPC nodes have been taken offline and replaced, and the DVN has now resumed operation. LayerZero emphasized that this incident was limited to the rsETH application configuration of KelpDAO and did not affect other assets or applications. The reason is that KelpDAO was using a single DVN (1/1) architecture at the time and did not utilize the multi-DVN redundancy mechanism that is officially recommended for long-term use, resulting in a lack of independent verification nodes to identify forged messages.LayerZero pointed out that there were no vulnerabilities in its protocol itself, and applications with multi-DVN configurations were not affected, meaning there is no contagious risk in the system. LayerZero stated that it will urge all projects using single DVN configurations to migrate to multi-DVN architectures as soon as possible and has suspended providing signature and verification services for 1/1 configuration applications. Meanwhile, the company is cooperating with global law enforcement agencies to investigate and assist industry partners in tracking the stolen funds. LayerZero noted that this incident highlights the value of modular security architecture and also reminds the industry to pay attention to the potential security risks of RPC verification links.

DefiLlama founder 0xngmi has outlined three possible courses of action that KelpDAO may take following the rsETH hacking incident. Each of the three paths has significant flaws, and the final decision will test KelpDAO's credibility and Aave's risk tolerance.Path One: All users share the losses. KelpDAO will uniformly deduct 18.5% of the losses from all rsETH holders proportionally. Currently, there are about 666,000 rsETH collateralized across the Aave network, primarily highly leveraged on the mainnet and L2 (assuming all are at a 95% liquidation LTV). Once socialized losses occur, the equity of all positions on the mainnet will be completely wiped out, resulting in approximately $216 million in bad debt. The Umbrella protocol can cover $55 million in bad debt, and the Aave treasury will additionally bear $85 million, leaving a gap of about $76 million. KelpDAO may fill this gap by borrowing or selling Aave tokens (currently valued at about $51 million), but this would still put significant pressure on Aave, and all users would need to share the losses.Path Two: Directly rug the rsETH holders on L2. KelpDAO will only guarantee the mainnet rsETH and consider the rsETH on L2 as worthless. Currently, Aave L2 has about $359 million in rsETH collateral (calculated at current oracle prices), and if all are calculated at maximum leverage, it would result in approximately $341 million in bad debt, which cannot be covered by the Umbrella protocol at all. Aave can only use the treasury or borrowing to save part of the market, most likely abandoning chains like Arbitrum, Mantle, and Base, which have the largest losses, leading to a collapse of these L2 markets. This option has a minor impact on the Aave mainnet but would severely damage the credibility of the L2 ecosystem and could trigger a chain reaction.Path Three: Attempt to refund only the holders based on a snapshot taken before the hack, which is extremely difficult to execute. KelpDAO tries to fully refund only the rsETH holders based on the snapshot taken before the hack, while subsequent buyers or transfer holders would bear the losses themselves. However, since funds have significantly flowed after the attack, and the nature of DeFi protocols is liquidity pools, it is impossible to truly distinguish between different batches of depositors, making technical execution very challenging. The hacker borrowed $124 million on the Aave mainnet and $18 million on Arbitrum, and after deducting the coverage from the Umbrella protocol, there remains about $91 million in losses. Although this plan theoretically minimizes the spread of impact, its practical implementation is nearly impossible and could easily lead to legal and community disputes.

Defillama founder 0xngmi posted on the X platform that the KelpDAO hacking incident triggered a chain reaction of panic withdrawals from DeFi lending protocols, even those on Solana that were not directly affected were not spared. The specific data is as follows: Aave net outflow of $6.2 billion (-23%), Morpho net outflow of $716 million (-9%), Sky net outflow of $272 million (-4%), JupLend net outflow of $76 million (-8%).0xngmi added that the entire DeFi TVL directly evaporated by nearly $10 billion as a result. In such events, no one is a winner; it only shrinks the "cake" of the entire industry, and everyone suffers.

LayerZero posted on platform X that it is aware of the rsETH vulnerability incident and has been actively working with the KelpDAO team on handling and remediation since the incident occurred, while continuing to monitor the situation.LayerZero stated that, aside from the rsETH-related incident, other applications remain secure. Regarding the root cause of the incident, LayerZero is collaborating with SEAL_Org and others to investigate and has indicated that it will release a complete post-incident analysis report in conjunction with KelpDAO once all information is gathered.

Michael Egorov, the founder of Curve Finance, posted on the X platform expressing hope that Aave can address the relevant issues. He pointed out that non-isolated lending has good scalability but carries higher risks, with the key being risk management, an area where Aave has historically performed well.He stated that the market can adopt a fully isolated model like that of Curve Finance or a hybrid model, although the latter is very complex, it is feasible. However, the market has yet to understand its advantages. Michael Egorov also mentioned that Aave v4's hub and spoke model might be a step towards a semi-isolated and safer direction.

ChainCatcher news, the blockchain liquidity infrastructure project Sumer.money has launched today a points referral program and has partnered with KelpDAO, Ether.fi, and Pendle. Assets from KelpDAO, Ether.fi, and Pendle are now available on Sumer.Holders of rsETH, weETH, PT-rsETH, and PT-weETH can participate in lending and minting synthetic assets on Sumer:Deposit assets on SumerSumer will automatically allow users to lend or mint highly correlated assets at a high collateralization rate, or lend or mint less correlated assets at a relatively low collateralization rate.Holders of rsETH and weETH can earn 2x Sumer points (early bird incentive) and lending returns while also receiving Ethereum staking rewards, EigenLayer points, and re-staking points from KelpDAO or EtherFi.Holders of PT-rsETH and PT-weETH can earn 2x Sumer points (early bird incentive), lending returns, and PT users on Arbitrum can also share a weekly reward of 200 ARB from Pendle for each type of PT asset.Users who deposit ETH, USDC, and USDT can earn 4x Sumer points.Joining the Sumer points program through this referral link also grants a 5% lifetime bonus points reward.