
Kelp DAO is a liquid restaking protocol that issues rsETH, a receipt token for users who deposit ETH through EigenLayer to earn staking and restaking rewards. Its bridge, built on LayerZero infrastructure, allows rsETH to move across chains.
On April 19, attackers drained approximately 116,500 rsETH, worth roughly $292 million, from Kelp DAO’s LayerZero-powered bridge.
Attacker address: 0x8b1b6c9a6db1304000412dd21ae6a70a82d60d3b
What Went Wrong?
Two RPC nodes used by LayerZero’s Decentralized Verifier Network (DVN) were compromised.
A third node was simultaneously hit with a DDoS attack, forcing failover to the tainted verifiers.
This allowed a phantom cross-chain message to pass verification, minting rsETH on Ethereum without burning the corresponding tokens on Unichain.
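The failover step described above can be contrasted with a fail-closed policy that refuses to attest when a configured node is silent. The Python below is an added example, not LayerZero's or Kelp DAO's code; the node names, message id, report format and both policy functions are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class BurnReport:
    message_id: str
    amount: int       # amount burned on the source chain; 0 = no burn event found
    block_hash: str

# None models an endpoint that timed out, e.g. while under DDoS.
Responses = Dict[str, Optional[BurnReport]]

def failover_verify(responses: Responses, message_id: str, amount: int) -> bool:
    """Weak policy: drop unreachable nodes and trust whoever still answers."""
    live = [r for r in responses.values() if r is not None]
    return bool(live) and all(
        r.message_id == message_id and r.amount == amount for r in live)

def fail_closed_verify(responses: Responses, message_id: str, amount: int,
                       required: FrozenSet[str]) -> Tuple[bool, str]:
    """Strict policy: every required node must answer and all answers must match."""
    missing = sorted(n for n in required if responses.get(n) is None)
    if missing:
        return False, "halt: no answer from " + ", ".join(missing)
    reports = {responses[n] for n in required}
    if len(reports) != 1:
        return False, "halt: nodes disagree on the burn"
    report = next(iter(reports))
    if report.message_id != message_id or report.amount != amount:
        return False, "reject: burn does not match the mint request"
    return True, "ok"

# Constructed sample data (hypothetical node names, message id and hashes).
REQUIRED = frozenset({"rpc-a", "rpc-b", "rpc-c"})
AMOUNT = 116_500 * 10**18
FORGED = BurnReport("msg-1", AMOUNT, "0xconstructed")
NO_BURN = BurnReport("msg-1", 0, "0xconstructed")
# The scenario in the write-up: two nodes report a burn, the third is unreachable.
INCIDENT = {"rpc-a": FORGED, "rpc-b": FORGED, "rpc-c": None}
# Same forged answers, but the third node is reachable and sees no burn.
THIRD_UP = {"rpc-a": FORGED, "rpc-b": FORGED, "rpc-c": NO_BURN}

if __name__ == "__main__":
    print("failover   :", failover_verify(INCIDENT, "msg-1", AMOUNT))
    print("fail-closed:", fail_closed_verify(INCIDENT, "msg-1", AMOUNT, REQUIRED))
    print("third up   :", fail_closed_verify(THIRD_UP, "msg-1", AMOUNT, REQUIRED))
```

Failing closed trades liveness for safety: knocking one node offline halts the bridge instead of producing a mint. It does not help if every required node returns the same forged answer.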
Arbitrum’s Security Council moved quickly, seizing 30,766 ETH, worth around $71 million, from an exploiter address on Arbitrum One. Those funds are now frozen pending governance action.
The rest of the stolen funds are still moving on Ethereum.
Cross-chain bridges remain the highest-risk surface in DeFi. This is not an edge case. It is a recurring attack vector. Threat actors continue to evolve from social engineering to exploiting structural gaps in shared infrastructure. On-chain forensics and protocol-level intervention, such as Arbitrum’s freeze, are becoming critical incident response tools.
At Merkle Science, we work with law enforcement and compliance teams globally to trace funds, support attribution, and assist recovery efforts in exactly these scenarios. The Kelp DAO hack is a reminder that blockchain’s transparency remains one of the most valuable assets in the aftermath of an exploit: every move the attackers make is visible.
We’re monitoring on-chain activity tied to this exploit closely.
How Merkle Science Can Help
Merkle Science supports institutions before and after an exploit takes place.
Predictive Analytics within Compass helps teams detect suspicious behaviors, exploit indicators, and high-risk fund flows early.
Tracker enables investigators to trace stolen assets across wallets and chains, monitor how funds move, and support attribution and recovery efforts.
If your team is looking to strengthen exploit detection, trace illicit fund flows, or support recovery efforts, contact Merkle Science.