#KelpDAOBridgeHacked


#Gate13thAnniversaryLive
KelpDAO's ZRO-backed bridge was hacked on April 18, 2026, resulting in the theft of approximately $292–294 million worth of coins across more than 20 chains; this became the largest DeFi attack of 2026. The attack, using a single compromised ZRO validator, caused immediate freezes on Aave, Arbitrum, and other protocols.

Basic Information

Attack date: April 18, 2026, ~17:35 UTC

Funds stolen: ~116,500 coins (~$292–294 million), ~18% of circulating supply

Attack vector: Fake ZRO cross-chain message via compromised 1-to-1 Decentralized Validator Network (DVN) setup

Affected protocols: Aave, SparkLend, Fluid, Arbitrum, Lido, Ethena, Compound, Euler

Immediate consequences:

Aave froze V3 and V4 and faced a risk of ~$177–196 million in bad debt.

Arbitrum froze 30,766 ETH (~$100 million) linked to the hacker's wallet.

ZRO dropped more than 22% in 24 hours.

The AAVE token price dropped by approximately 20% to $92.06.

Market Impact

Ethereum (ETH): The price dropped to $2,300 immediately after the attack and was fully priced in by prediction markets.

Bitcoin (BTC): Risk aversion pushed the prediction-market probability of BTC reaching $60,000 by the end of April up to 22%.

DeFi Liquidity: Approximately $9 billion was withdrawn from Aave in a panic; this points to a systemic fear regarding bridge collateral security.

Accountability and Attribution

Suspected attacker: The North Korean Lazarus Group, which used sophisticated forgery techniques.

KelpDAO's stance: Blames ZRO's infrastructure, specifically the compromised RPC nodes and insecure 1-to-1 DVN setup. Kelp insists that its own contracts were not directly exploited.

ZRO's response: Acknowledges flaws in the validator setup and is actively working with KelpDAO on corrective actions.

Measures and Next Steps

Emergency freezes: KelpDAO halted stolen coin transfers between Ethereum and L2s within 46 minutes.

Blocked wallets: KelpDAO has blacklisted the abusive addresses and implemented SEAL 911, a hotline for security threats.

Governance action: Arbitrum DAO will vote on the fate of $100 million worth of frozen ETH.

Future fixes: Calls are being made for multiple validator DVN setups to prevent single points of failure in cross-chain messaging.

Risks and Lessons

Bridge vulnerabilities remain the biggest systemic risk in DeFi.

Single validator setups are unacceptable for high-value protocols; redundancy is critical.

Collateral spread: Using compromised assets as collateral (e.g., on Aave) could cause damage to spread across multiple platforms.

Community trust: KelpDAO, which had $1.57 billion in total value locked before the attack, has suffered a blow to its credibility, and recovery will depend on fixes implemented transparently.
$ZRO $AAVE $ARB
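
The single-point-of-failure argument above, as an added example (not part of the original post, and not the bridge's or KelpDAO's code): a simplified M-of-N attestation check showing why a message attested by one compromised validator passes a 1-of-1 setup but fails a 2-of-3 one. The validator names, keys, function names and the HMAC stand-in for real signatures are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed validator keys; HMAC stands in for real asymmetric signatures.
VALIDATOR_KEYS = {
    "dvn-a": b"constructed-key-a",
    "dvn-b": b"constructed-key-b",
    "dvn-c": b"constructed-key-c",
}


def attest(validator, message):
    """Return one validator's attestation tag for a message."""
    return hmac.new(VALIDATOR_KEYS[validator], message, hashlib.sha256).digest()


def verify_message(message, attestations, required, threshold):
    """Accept only if `threshold` distinct validators in `required` attested."""
    if not 1 <= threshold <= len(set(required)):
        raise ValueError("threshold must be between 1 and the validator count")
    valid = set()
    for validator, tag in attestations.items():
        if validator not in required:
            continue  # attestations from outside the configured set do not count
        if hmac.compare_digest(tag, attest(validator, message)):
            valid.add(validator)
    return len(valid) >= threshold


def audit_config(required, threshold):
    """Return findings for a verifier configuration (empty list: none)."""
    findings = []
    if len(set(required)) < 2:
        findings.append("single validator: one compromise approves any message")
    elif threshold < 2:
        findings.append("threshold 1: any one validator can approve alone")
    return findings


def demo():
    """Forged message attested only by the compromised validator dvn-a."""
    forged = b"constructed forged cross-chain message"
    stolen = {"dvn-a": attest("dvn-a", forged)}
    one_of_one = verify_message(forged, stolen, ["dvn-a"], 1)
    two_of_three = verify_message(forged, stolen, ["dvn-a", "dvn-b", "dvn-c"], 2)
    return one_of_one, two_of_three  # (True, False)
```

Running `audit_config` over each deployed route's validator list and threshold is a quick way to flag 1-of-1 or threshold-1 configurations before they carry high-value collateral.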
Comment
ChuDevil · 1h ago
Chong Chong GT 🚀

ChuDevil · 1h ago
Steadfast HODL💎

ChuDevil · 1h ago
Buy the dip and enter the market 😎

ChuDevil · 1h ago
Just charge it 👊

HighAmbition · 1h ago
good 👍 good

ybaser · 1h ago
2026 GOGOGO 👊