blockchainsv
News

Security Warning: How the $293M KelpDAO LayerZero Exploit Redefined Smart Contract Hacks in 2026

A single point of trust failure in cross-chain messaging drained KelpDAO of 116,500 rsETH—roughly $293 million—in under two minutes. The exploit did not touch KelpDAO's native staking contracts.

Caleb North·updated June 29, 2026

Security Warning: How the $293M KelpDAO LayerZero Exploit Redefined Smart Contract Hacks in 2026

The Attack Vector

The breach bypassed native staking logic entirely. Attackers injected fraudulent state instructions into the cross-chain messaging layer. The smart contracts executed exactly as designed. They validated a malicious payload that falsely confirmed an external asset deposit, then released and minted approximately 18% of the total rsETH supply.

Execution metrics: 1 minute 48 seconds for the initial exploit transaction. Full consolidation into the master attacker wallet: under two hours.

For related context, see Crypto passive income, airdrops, staking and lending.

Post-Exploit Capital Flow

The stolen rsETH was deployed as collateral across multiple lending platforms, extracting $236 million in USDC and USDT before oracle health factors adjusted. On-chain forensic tracking showed the borrowed stablecoins routed through THORChain to the Bitcoin network. Portions were fragmented into 100 ETH batches and pushed through Tornado Cash and additional privacy-centric cross-chain protocols.

The Arbitrum Security Council froze 30,766 ETH (over $71 million) tied to the exploit, locking it inside a governance-controlled wallet.

What It Confirms

Cross-chain bridge exploits now account for over 38% of Q2 2026 losses. Total industry damage from cyberattacks this quarter has crossed $840 million. The pattern is structural: the messaging layer is the single point of trust. When that assumption fails, downstream contracts process invalid state without resistance.

The invariant—"a valid cross-chain message implies a real source-chain deposit"—broke. Nothing else did.

Engineering Guardrails

For protocol teams building on cross-chain messaging primitives:

  • Treat the message payload as untrusted input. Validate the source chain, block height, and depositor identity independently of the relayer.
  • Add rate limits and per-address caps on minting from bridge messages. A single transaction should not release 18% of supply.
  • Implement governance-controlled pause hooks on the mint path, not just on transfers.
  • Monitor the time delta between the source-chain event and the destination-chain message. The 1 minute 48 second window here is itself a signal.
  • Run adversarial scenarios where the relayer is compromised. A code audit does not cover this. The threat model must.

The contracts worked. The trust model did not.