KelpDAO Hack: How $292M Was Drained Through a Single Bridge Verifier

KelpDAO Hack: How $292M Was Drained Through a Single Bridge Verifier

KelpDAO's ~$292 million loss was the largest single DeFi exploit of 2026 — and it didn't come from a clever bug in the vault logic. It came from trusting one verifier. The KelpDAO hack is the clearest lesson of the year on why cross-chain bridges remain the most dangerous surface in DeFi, and why "we passed an audit" means little if that audit stopped at the smart contracts.

What happened

On 18 April 2026, attackers drained roughly 116,500 rsETH — about $292 million — from KelpDAO's LayerZero-powered bridge. The protocol relied on a single-verifier setup to approve cross-chain messages. Attackers compromised the RPC infrastructure feeding data into that verifier while simultaneously disrupting external RPC services. With the verifier fed bad data, the bridge approved forged withdrawal messages and released funds that were never legitimately deposited.

The root cause — a single point of trust

Strip away the detail and the failure is simple: one component decided whether a cross-chain message was valid, and that component could be fed lies. A bridge makes two promises — "this asset was really locked on chain A" and "this message is really valid on chain B." Break either, and you can mint money out of nothing. KelpDAO's verifier was the weak link, and there was no independent second check to catch the forgery.

Why bridges keep getting drained

Bridges concentrate enormous value behind trust assumptions and off-chain infrastructure that a standard contract audit never touches. Across Q2 2026 — the most-hacked quarter on record, with about $755 million stolen across 83 incidents — bridge exploits were the single largest loss category, one LayerZero-class breach alone accounting for roughly 38% of the quarter's stolen funds. The pattern is consistent: the code compiles fine, but the validation, the verifier, or the admin keys behind the bridge are the real attack surface.

What a real review would have tested

Securing a bridge means auditing the trust model, not just the Solidity. A senior-led review asks: How many independent parties must agree before a cross-chain message is accepted? What happens if the data feeding a verifier is compromised or its RPC is disrupted? Is there a second, independent validation path? Can withdrawals be paused when message volume or value spikes abnormally? Combined with real-time monitoring and an auto-pause, a forged-withdrawal spike becomes an alert and a freeze — not a $292M headline.

The takeaway for any protocol touching a bridge

If your protocol bridges assets, the bridge is your threat model. Audited smart contracts plus an unaudited single-verifier bridge is not a secure system — it's a secure front door on a house with an open back window. Treat cross-chain trust assumptions, verifier design, and the off-chain infrastructure around them as in-scope for security review.

Frequently asked questions

How much did the KelpDAO hack lose?

Approximately $292 million (around 116,500 rsETH), making it the largest single DeFi exploit of 2026.

Was KelpDAO a smart contract bug?

No. Attackers compromised the RPC data feeding a single bridge verifier, which then approved forged cross-chain withdrawal messages.

How can bridge exploits like this be prevented?

Independent multi-party validation instead of a single verifier, resilient data feeds, and real-time monitoring with auto-pause on abnormal withdrawal activity — all stress-tested in a senior-led review.

If your protocol relies on a bridge, we pressure-test the trust model, not just the contracts. Request a senior-led audit.

Continue reading