Kelp DAO Suffers $292 Million Security Breach

Kelp DAO, a liquid restaking protocol under KernelDAO, has fallen victim to a major security breach. On April 18, an attacker took advantage of LayerZero's cross-chain messaging system to drain approximately $292 million worth of rsETH from its bridge.

The attack occurred through a flexible bridge setup, which allows Kelp's rsETH to run on multiple blockchains using different cross-chain setups. This flexibility comes with trade-offs in terms of security, as protocol teams and integrators must handle message checks, execution paths, and troubleshooting.

The incident highlights the risks associated with single-provider bridge security and may lead to increased scrutiny of this design choice. Several platforms, including Aave, SparkLend, and Fluid, have frozen rsETH markets in response to the breach, while Lido has halted new deposits into a product with rsETH exposure.

Kelp DAO is investigating the incident with partners and security firms, and it remains to be seen how this event will impact the broader DeFi ecosystem. The fact that rsETH sits inside many decentralized finance products means that the fallout could reach beyond Kelp itself.