TL;DR
- Incident — Kelp DAO rsETH OFT bridge exploited via forged LayerZero lzReceive.
- Time of attack — 2026-04-18 17:35:35 UTC (Ethereum block 24,908,285).
- Loss — 116,500 rsETH ≈ $292M (≈ 18% of circulating rsETH supply).
- Attacker cluster — 9 EOAs (1 primary receiver + 8 cash-out nodes), two chains.
- Funds visible at attacker hub — 75,700.76 ETH (Ethereum hub) + 30,765.67 ETH (Arbitrum hub) ≈ $266M in borrowed ETH form.
- Outflow status (T+9h) — 0 OUT on either chain; the recovery window remains open.
- Aave collateral standoff — ~89,567 rsETH (Ethereum 53,400 + Arbitrum 36,167, verified via aToken balanceOf) is supplied as collateral against the $266M of borrowed ETH at ~99% LTV. The collateral is contractually locked while the debt is outstanding, but the attacker's net equity in those positions is effectively zero (this is the same value already counted as borrowed ETH at the hub — not an additional pool of stolen funds).
- Root cause — Single-DVN (1/1) configuration on the rsETH OFT; preliminary evidence suggests source-chain DVN trust compromise. The OFT Adapter then released canonical rsETH on Ethereum to the attacker-supplied recipient.
1. The Attack in One Diagram
```
Attack caller EOA  0x4966260619...0131f8575e
        │
        │  commitVerification(packetHeader, payloadHash)   [forged DVN attestation]
        ▼
LayerZero ULN302 (DVN verifier)  0xc02ab410f073...
        │
        │  same caller then submits lzReceive(_origin, _receiver, ...)
        ▼
LayerZero EndpointV2  0x1a44076050125825900e736c501f859c50fe728c
        │
        │  dispatches verified payload
        ▼
Kelp RSETH_OFTAdapter  0x85d456b2dff1fd8245387c0bfb64dfb700e98ef3
        │
        │  release/mint 116,500 rsETH
        ▼
Primary attacker EOA  0x8b1b6c9a6db1304000412dd21ae6a70a82d60d3b
        │  fan-out
        ├──  53K rsETH → A1
        ├──  30K rsETH → A4
        ├──  10K rsETH → A5
        ├──   6K rsETH → A3
        ├──   5K rsETH → A6
        ├──   8K rsETH → A7
        └── 4.5K rsETH → A8
                │  supply rsETH to Aave V3 (Ethereum) or LayerZero OFT to Arbitrum
                │  borrow ETH against collateral
                ▼
        75,700 ETH on Ethereum + 30,765 ETH on Arbitrum
                │  consolidated
                ▼
        A2 hub: 0x5d3919F12bCc...c257Ccc
```
2. Timeline (UTC)
- T−7h to T−4h (11:18 — 14:03) — Five attacker addresses each withdraw 0.0978 ETH from the public Tornado Cash 0.1 ETH pool (gas staging).
- T−4 min (17:31:11) — commitVerification call to ULN302 (forged DVN attestation), block 24,908,283.
- T+0 (17:35:35) — lzReceive to EndpointV2 → OFT Adapter releases 116,500 rsETH to the primary attacker EOA, block 24,908,285, tx 0x1ae232da212c45f3....
- T+2 to T+6 min (17:37 — 17:42) — Primary attacker fans out rsETH to seven sibling EOAs (53K + 30K + 10K + 6K + 5K + 8K + 4.5K = 116,500).
- T+5 to T+11 min (17:39 — 17:46) — All cash-out EOAs approve rsETH to Aave V3, multicall to open positions, and approveDelegation on Variable Debt WETH.
- T+5 to T+27 min (17:39 — 18:01) — Each EOA: supply() rsETH → receive aRSETH → borrow() ETH at ~99% LTV.
- T+9 min (17:44:47) — First major consolidation: A1 → A2 hub, 52,440.676 ETH.
- T+25 to T+90 min (18:00 — 19:00) — A4/A5/A6/A7/A8 mirror the same pattern on Arbitrum via the rsETH OFT, then consolidate to the same hub address (A2) on Arbitrum.
- T+46 min (18:21) — Kelp emergency multisig executes pauseAll across mainnet and L2 contracts.
- T+51 / +53 min (18:26 / 18:28) — Two follow-up lzReceive retries (each ~40K rsETH) revert against the now-paused Adapter.
- T+9h (04-19 02:40) — Hub balance: 75,700 ETH on Ethereum + 30,765 ETH on Arbitrum, zero outbound transactions.
3. Technical Root Cause: Single-DVN Trust Boundary
LayerZero's OFT (Omnichain Fungible Token) standard lets each application choose its own security stack — specifically a set of DVNs (Decentralized Verifier Networks) that must attest to a cross-chain message before lzReceive will execute on the destination chain. Kelp's rsETH OFT was configured with a 1-of-1 DVN threshold: a single verifier whose attestation was sufficient to release real rsETH on Ethereum.
The on-chain footprint shows the precise sequence:
- 0x4966260619...575e calls commitVerification(bytes _packetHeader, bytes32 _payloadHash, ...) on the ULN302 verifier contract 0xc02ab410f073.... This is the DVN attestation step. Because the configured DVN's trust was compromised (preliminary D2 Finance analysis points to a source-chain OApp node private-key exposure), the attacker is able to provide a valid attestation for an arbitrary payload.
- The same EOA then calls lzReceive(_origin, _receiver, ...) on the EndpointV2 contract 0x1a44076050125825900e736c501f859c50fe728c. The packet claims srcEid: 30320 — the source-chain Endpoint ID — and the EndpointV2, finding a valid attestation in storage, dispatches the payload to the OFT Adapter.
- The OFT Adapter 0x85d456b2dff1fd8245387c0bfb64dfb700e98ef3 interprets the payload as a legitimate burn proof from the source chain and releases the corresponding rsETH on Ethereum to the attacker-supplied recipient — 0x8b1b6c9a6db1304000412dd21ae6a70a82d60d3b.
This is a configuration choice at the OApp layer, not a LayerZero core protocol bug. DVN thresholds, executor identity and proof requirements are set by each application; here the configured threshold was 1-of-1 with no external proof of inclusion. The blast radius — release of all rsETH backing on the source side — appears tied to that active OApp/DVN configuration.
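The threshold that decided this incident is a handful of fields in the OApp's receive-side ULN config. The following offline policy check is an added example, not Kelp's, LayerZero's or Innora's code; its field names mirror the UlnConfig struct that ReceiveUln302.getUlnConfig(oapp, remoteEid) returns, and both sample configs are constructed rather than Kelp's real settings.

```python
"""Offline policy check for a LayerZero V2 receive-side ULN config.

Added example, not Kelp's, LayerZero's or Innora's code. Field names mirror
the UlnConfig struct returned by ReceiveUln302.getUlnConfig(oapp, remoteEid):
confirmations, requiredDVNs, optionalDVNs, optionalDVNThreshold. Both sample
configs below are constructed, not the configuration that was live on 04-18.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class UlnConfig:
    confirmations: int                                        # source-chain confirmations DVNs wait for
    required_dvns: List[str] = field(default_factory=list)    # every one of these must attest
    optional_dvns: List[str] = field(default_factory=list)    # a quorum of these must attest
    optional_dvn_threshold: int = 0                           # quorum size (0 = optional set unused)


def distinct_verifiers_needed(cfg: UlnConfig) -> int:
    """Minimum number of distinct verifiers that must sign off before lzReceive can run."""
    required = set(cfg.required_dvns)
    # A DVN listed in both sets can satisfy the optional quorum with its required signature.
    overlap = required & set(cfg.optional_dvns)
    return len(required) + max(0, cfg.optional_dvn_threshold - len(overlap))


def assess(cfg: UlnConfig, min_verifiers: int = 2) -> List[str]:
    """Return findings for one OApp/remote-eid pair; an empty list means the policy passes."""
    findings: List[str] = []
    n = distinct_verifiers_needed(cfg)
    if n == 0:
        findings.append("CRITICAL: zero verifiers required; reject this config")
    elif n < min_verifiers:
        findings.append(f"HIGH: {n}-of-{n} verifier set; one compromised DVN can attest any payload")
    if cfg.optional_dvn_threshold > len(set(cfg.optional_dvns)):
        findings.append("INVALID: optionalDVNThreshold exceeds the optional set; nothing can verify")
    if len(set(cfg.required_dvns)) != len(cfg.required_dvns):
        findings.append("WARN: duplicate required DVN address; it only counts once")
    if set(cfg.required_dvns) & set(cfg.optional_dvns):
        findings.append("WARN: a required DVN also sits in the optional set; quorum is narrower than it looks")
    return findings


def audit_all(configs: Dict[str, UlnConfig]) -> Dict[str, List[str]]:
    """Review a fleet of OApp configs in one pass (label -> findings)."""
    return {label: assess(cfg) for label, cfg in configs.items()}


# Constructed samples: a 1-of-1 set like the one described above, and a 2 required + 1-of-3 optional set.
SINGLE_DVN = UlnConfig(confirmations=15, required_dvns=["0xDVN_A"])
MULTI_DVN = UlnConfig(confirmations=15,
                      required_dvns=["0xDVN_A", "0xDVN_B"],
                      optional_dvns=["0xDVN_C", "0xDVN_D", "0xDVN_E"],
                      optional_dvn_threshold=1)

if __name__ == "__main__":
    for label, findings in audit_all({"single": SINGLE_DVN, "multi": MULTI_DVN}).items():
        print(label, findings or ["OK"])
```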
4. The Attacker Cluster: Nine Addresses, Two Chains
ZachXBT publicly identified six attacker EOAs roughly an hour after the drain. Independent on-chain reconstruction starting from a single seed address recovered the same six, plus the primary receiver EOA (the 0x8b1b6c9a that initially received 116,500 rsETH from the OFT Adapter) and two Arbitrum-active EOAs that also received rsETH directly from the primary attacker, bringing the verified cluster to nine addresses.
- AP — Primary receiver · 0x8b1b6c9a6db1304000412dd21ae6a70a82d60d3b · MistTrack 99 / Severe · Received 116,500 rsETH from OFT Adapter and immediately fanned out to seven sibling EOAs.
- A1 — Cash-out (Ethereum) · 0x1F4C1c2e610f089D6914c4448E6F21Cb0db3adeF · MistTrack 100 / Severe · 53,000 rsETH → Aave V3 supply → 52,440.676 ETH borrow → A2 hub.
- A2 — Hub (dual-chain) · 0x5d3919F12bCc35c26Eee5F8226A9bee90c257Ccc · MistTrack 100 / Severe · Receives all consolidations: 75,700 ETH (Ethereum) + 30,765 ETH (Arbitrum).
- A3 — Cash-out · 0xBb6A6006Eb71205e977eCeb19FCaD1C8d631C787 · MistTrack 100 / Severe · 6,000 rsETH; mirrored on Arbitrum.
- A4 — Cash-out (largest) · 0xeBA786C9517a4823A5cFD9c72e4E80BF8168129B · MistTrack 100 / Severe · 30,000 rsETH; 12,381.96 ETH from the Arbitrum side alone.
- A5 — Cash-out · 0xCBb24A6B4DAfaAA1a759A2F413eA0eB6AE1455CC · MistTrack 100 / Severe · 10,000 rsETH; uses Aave plus Balancer Vault.
- A6 — Cash-out · 0x8d11AeAC74267DD5C56D371bf4AE1AFA174C2d49 · MistTrack 100 / Severe · 5,000 rsETH; ~83 wstETH swapped on Arbitrum Uniswap V3/V4 (~$260K).
- A7 — Cash-out (cross-chain) · 0x1b748b680373a1dd70a2319261328cab2a6f644c · MistTrack 99 / Severe · 8,000 rsETH; received on Ethereum, OFT-bridged to Arbitrum, 7,877 ETH to A2.
- A8 — Cash-out (cross-chain) · 0xe9e2f48bb0018276391aec240abb46e8c3cad181 · MistTrack 96 / Severe · 4,500 rsETH; same pattern, 4,431 ETH to A2.
- Attack caller · 0x4966260619701a80637cDbdAc6A6cE0131f8575e · MistTrack 99 / Severe · Submitted commitVerification and lzReceive; never held the proceeds.
The attack caller and the primary receiver are deliberately separated — the EOA that signed the malicious LayerZero transactions never held the resulting rsETH, only paid gas. This is a weak OPSEC signal that does not on its own constitute attribution.
5. Money-Flow Reconstruction: Ethereum Side
After receiving rsETH from the primary attacker, each cash-out EOA executed an identical four-step sequence within roughly six minutes:
1. approve(Aave V3 Pool, max) on the rsETH token at 0xa1290d69c65a6fe4df752f95823fae25cb99e5a7.
2. multicall(...) against the Aave V3 Pool proxy 0x87870Bca3F3fd6335C3F4ce8392D69350B4fA4E2 to open the position.
3. approveDelegation(...) on the Variable Debt WETH contract 0xea51d7853eefb32b6ee06b1c12e6dcca88be0ffe, granting the Pool authority to mint debt tokens.
4. Repeated supply() of rsETH followed by borrow() of ETH against the rsETH collateral, achieving an effective LTV of approximately 99% on each tranche.
Borrowed ETH was then consolidated to the hub 0x5d3919F12bCc35c26Eee5F8226A9bee90c257Ccc in a small number of large transfers within about ten minutes of the initial release. By T+27 minutes the Ethereum hub held 75,700.76 ETH from five distinct cash-out EOAs.
A5 deviates from the pure Aave V3 path and additionally interacts with the Balancer Vault 0x00000011f84b9aa48e5f8aa8b9897600006289be and the canonical WETH9 contract 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2, suggesting the operator scripted multiple borrow venues to maximise extracted ETH per unit of rsETH collateral.
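The loop above leaves a distinctive on-chain signature: an address supplies rsETH and, within minutes, borrows nearly its full value in ETH. The following detection rule is an added example, not Innora's monitor; Aave V3's Pool does emit Supply and Borrow events, but the flat event shape is this example's own, the sample stream is constructed from the A1 figures on this page, and a flat oracle price of 1.0 ETH per rsETH is assumed so the LTV reads directly.

```python
"""Detection rule for the supply-then-borrow pattern each cash-out EOA ran.

Added example, not Innora's monitor. The flat event dicts are this example's
own shape (Aave V3 Pool emits Supply/Borrow events, but not in this form), the
sample stream is constructed from the A1 numbers on this page, and a flat
1.0 ETH per rsETH oracle price is assumed for readability.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Position:
    first_supply_ts: Optional[int] = None
    first_borrow_ts: Optional[int] = None
    supplied_rseth: float = 0.0
    borrowed_eth: float = 0.0


def detect_flash_leverage(events: List[dict], rseth_price_eth: float = 1.0,
                          max_ltv: float = 0.95, window_s: int = 600) -> Dict[str, Tuple[float, int]]:
    """Return {user: (ltv, seconds from first supply to first borrow)} for users whose ETH
    debt reaches max_ltv of their rsETH collateral value within window_s of first supplying.
    Both conditions must hold: high leverage alone is an ordinary looping strategy, and a
    quick borrow of a small fraction is ordinary too; the combination is the cash-out pattern."""
    positions: Dict[str, Position] = defaultdict(Position)
    for ev in sorted(events, key=lambda e: e["ts"]):          # tolerate out-of-order delivery
        p = positions[ev["user"]]
        if ev["event"] == "Supply" and ev["asset"] == "rsETH":
            p.supplied_rseth += ev["amount"]
            p.first_supply_ts = ev["ts"] if p.first_supply_ts is None else p.first_supply_ts
        elif ev["event"] == "Borrow" and ev["asset"] == "WETH":
            p.borrowed_eth += ev["amount"]
            p.first_borrow_ts = ev["ts"] if p.first_borrow_ts is None else p.first_borrow_ts
    hits: Dict[str, Tuple[float, int]] = {}
    for user, p in positions.items():
        if p.supplied_rseth == 0 or p.first_supply_ts is None or p.first_borrow_ts is None:
            continue                                            # no rsETH-backed borrow to score
        ltv = p.borrowed_eth / (p.supplied_rseth * rseth_price_eth)
        delta = p.first_borrow_ts - p.first_supply_ts
        if ltv >= max_ltv and 0 <= delta <= window_s:
            hits[user] = (round(ltv, 4), delta)
    return hits


# Constructed sample: an A1-like two-tranche loop, a conservative borrower, and a slow high-LTV looper.
SAMPLE_EVENTS = [
    {"ts": 1000,  "user": "0xA1",   "event": "Supply", "asset": "rsETH", "amount": 20000.0},
    {"ts": 1060,  "user": "0xA1",   "event": "Borrow", "asset": "WETH",  "amount": 19800.0},
    {"ts": 1200,  "user": "0xA1",   "event": "Supply", "asset": "rsETH", "amount": 33000.0},
    {"ts": 1300,  "user": "0xA1",   "event": "Borrow", "asset": "WETH",  "amount": 32640.676},
    {"ts": 1000,  "user": "0xSAFE", "event": "Supply", "asset": "rsETH", "amount": 100.0},
    {"ts": 1100,  "user": "0xSAFE", "event": "Borrow", "asset": "WETH",  "amount": 50.0},
    {"ts": 0,     "user": "0xSLOW", "event": "Supply", "asset": "rsETH", "amount": 1000.0},
    {"ts": 90000, "user": "0xSLOW", "event": "Borrow", "asset": "WETH",  "amount": 960.0},
]

if __name__ == "__main__":
    print(detect_flash_leverage(SAMPLE_EVENTS))   # {'0xA1': (0.9894, 60)}
```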
6. Money-Flow Reconstruction: Arbitrum Side
At least 36,167 rsETH ended up supplied as Aave collateral on Arbitrum (A3+A4+A5+A6+A7+A8) through the LayerZero OFT path (rsETH OFT at 0x4186BFC76E2E237523CBC30FD220FE055156b41F). On Arbitrum, the cluster did not swap rsETH for ETH on a DEX. Instead, the same Aave-collateral pattern was repeated against the Arbitrum deployment of Aave V3 Pool at 0x6b030ff3fb9956b1b69f475b77ae0d3cf2cc5afa, with the resulting ETH flowing to the same A2 EOA — the hub address is identical across the two chains because both run on EVM with the same key.
The Arbitrum side is dominated by A4 (12,381.96 ETH), A7 (7,877 ETH), and A8 (4,431 ETH). Smaller balances arrive from A3 (758 ETH), A5 (4,317 ETH across three transfers), and A6 (998 ETH). By T+90 minutes the Arbitrum hub holds 30,765.67 ETH and stops receiving inflows.
Of the cluster, only A6 takes a tangential path: in addition to the Aave-borrow loop it ferries ~83 wstETH (~$260K) through Uniswap V3 pools 0x35218a1cbac5..., 0xfcbf1e627120..., 0x7092e723285f... and a Uniswap V4 PoolManager 0x360e68faccca.... This is the cluster's only confirmed DEX activity and represents less than 0.1% of the total stolen capital; the assets involved appear to come from prior balances rather than the rsETH drain itself.
7. Recovery Window: Funds Are Still Sitting
Nine hours after the drain, both legs of the consolidation hub are quiet. The Ethereum hub holds 75,700.76 ETH (~$189M); the Arbitrum hub holds 30,765.67 ETH (~$77M). Neither has executed an outbound transaction. No deposits have been made to centralized exchanges. No Tornado Cash deposits have been observed from the hub. No further cross-chain bridging has occurred since the last Arbitrum consolidation closed at roughly T+90 minutes.
Approximately 89,567 rsETH remains supplied as collateral inside Aave V3 Pools on Ethereum and Arbitrum, supporting the $266M of borrowed ETH that already sits at the hub. Because rsETH markets were paused by Aave shortly after the drain — and the rsETH backing those positions is no longer redeemable at parity — those positions cannot be liquidated through normal mechanisms; the collateral is contractually locked for the attacker as well, who cannot withdraw without repaying the borrowed ETH or finding another path to discharge the debt.
It is important not to double-count: the rsETH collateral and the borrowed ETH are two sides of the same supply/borrow transaction. The attacker's net equity in those Aave positions is effectively zero at ~99% LTV. The actual stolen value remains the $292M of rsETH released by the OFT Adapter; the $266M ETH currently visible at the hub is the laundered, freezable form of most of that value. The remainder — roughly $26M of rsETH that did not enter Aave — is dispersed across the cluster and the LayerZero OFT cross-chain path. For a large theft, the disciplined motionless posture at the hub is unusual; it is possibly consistent with an operator waiting for Tornado Cash deposit volume to recover before laundering, or testing the response of major exchanges before attempting a deposit.
8. Lazarus / DPRK Correlation: Medium Confidence
We do not currently have direct private-key, infrastructure, or attribution evidence linking this incident to Lazarus Group. We do have several indirect signals consistent with a state-actor pattern that the Drift Protocol incident on April 1 2026 was attributed to with medium confidence (Mandiant / Elliptic):
- Pre-attack staging from Tornado Cash 0.1 ETH pool, 3–6 hours before the drain, with consistent gas funding amounts (~0.0978 ETH per address).
- Operational compartmentation: separate EOAs for the malicious LayerZero call, primary receipt, and consolidation.
- Cross-chain laundering performed via a non-DEX path (Aave on both chains) to minimise discoverable swap routes.
- Disciplined post-attack quiet period — funds untouched for hours rather than rushed through mixers.
The Drift incident, also using a Tornado Cash pre-stage (10 ETH pool, March 11) and attributed to UNC4736 / AppleJeus / Citrine Sleet / Golden Chollima / Gleaming Pisces, occurred 17 days earlier with broadly the same operational signature. We assess this as medium-confidence Lazarus pending formal attribution from Mandiant, Elliptic, TRM Labs, or similar.
Note: Tornado Cash withdrawal alone is not Lazarus-specific; the original 2022 OFAC sanctions on Tornado Cash were lifted on March 21, 2025, and the protocol is used by many actors. The combination of TC pre-staging, operational discipline, and cross-chain coordination is the discriminating signal here.
9. What Each Stakeholder Can Do Now
Centralized exchanges and on-/off-ramps. Add all nine attacker EOAs to compliance watchlists on both Ethereum and Arbitrum. Hold any inbound deposit pending coordinated law enforcement engagement.
LayerZero Labs. Make available the EndpointV2 packet metadata for the malicious lzReceive call (block 24,908,285), the DVN attestation chain that produced the apparently valid signature, and any associated DVN node operator information. These are the artefacts that distinguish a configuration failure from a verifier compromise.
Aave Labs / Aave DAO. Surface the supply and borrow records for the nine attacker addresses against the rsETH market on both chains. The aRSETH and variableDebtWETH ledgers are the basis for any future bad-debt accounting and any potential recovery via collateral seizure if rsETH becomes redeemable.
Kelp DAO. Publish the precise OFT configuration that was active on April 18 2026 (DVN set, threshold, executor) and the subsequent multisig response. The OFT Adapter source plus deployment proof at 0x85d456b2dff1fd8245387c0bfb64dfb700e98ef3 is essential for downstream protocols to assess their exposure.
Other LRT bridges using LayerZero OFT. Audit the DVN configuration of every omnichain LRT or LST bridge under management. The single-DVN failure mode demonstrated here is replicable on any OFT that has not adopted a multi-DVN threshold or external proof of inclusion.
10. Q&A
Was LayerZero itself hacked? No. The LayerZero core protocol was not compromised. The incident is a configuration failure at the OFT application layer, where a single DVN sufficed to authorise release of all rsETH backing on the source chain.
Can the funds be recovered? The $266M of borrowed ETH still sitting at the hub on both chains is the realistic recovery target — it has not moved for hours. Recovery depends on (a) attacker deposit attempts at compliant exchanges that are then frozen, (b) legal action at custodial endpoints, or (c) negotiated return — historically observed in 5–15% of major DeFi incidents. The 89,567 rsETH collateral inside Aave is contractually locked while the borrowed ETH remains outstanding, but it is collateralised against that same $266M and should not be added to the recovery total.
How fast was the response? Kelp's emergency multisig executed pauseAll 46 minutes after the drain, blocking two follow-up lzReceive retries that would have released a further ~80,000 rsETH (~$200M). On the protocol side, Aave V3, Aave V4, SparkLend, Fluid, Lido (earnETH new deposits), and Upshift froze rsETH-related markets within hours.
Is this Lazarus? Indirect signals are consistent with Lazarus-style tradecraft — Tornado Cash pre-staging, operational compartmentation, and cross-chain coordination. We assess medium confidence. Formal attribution will require artefacts from Mandiant, Elliptic, TRM Labs or peer firms.
11. Key Indicators (Copy-Paste Ready)
Victim contract (rsETH OFT Adapter, Ethereum):
0x85d456b2dff1fd8245387c0bfb64dfb700e98ef3
Attack-call EOA (lzReceive / commitVerification submitter):
0x4966260619701a80637cDbdAc6A6cE0131f8575e
Primary attacker EOA (received 116,500 rsETH):
0x8b1b6c9a6db1304000412dd21ae6a70a82d60d3b
Cash-out cluster (eight EOAs, all MistTrack >=96 / Severe):
0x1F4C1c2e610f089D6914c4448E6F21Cb0db3adeF (A1)
0x5d3919F12bCc35c26Eee5F8226A9bee90c257Ccc (A2 — dual-chain hub)
0xBb6A6006Eb71205e977eCeb19FCaD1C8d631C787 (A3)
0xeBA786C9517a4823A5cFD9c72e4E80BF8168129B (A4)
0xCBb24A6B4DAfaAA1a759A2F413eA0eB6AE1455CC (A5)
0x8d11AeAC74267DD5C56D371bf4AE1AFA174C2d49 (A6)
0x1b748b680373a1dd70a2319261328cab2a6f644c (A7 — Eth + Arb)
0xe9e2f48bb0018276391aec240abb46e8c3cad181 (A8 — Eth + Arb)
Key transaction (drain):
0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222
block 24,908,285, 2026-04-18T17:35:35Z
12. Reach Out
Innora Security maintains the full forensic dossier for this incident, including per-attacker transaction trees on both chains, the full Aave supply/borrow ledger per address, draft subpoena packs (English and Chinese) addressed to each material counterparty, and a real-time monitor watching the consolidation hub for any outbound transaction.
We will share the complete report with security teams at affected protocols, established incident-response firms (Mandiant, Cyvers, Elliptic, TRM Labs, Chainalysis, SlowMist, PeckShield), law-enforcement agencies acting on a verified theft report, and verified victims of the incident.
Verified investigators and affected parties: please reach us at [email protected] to request the complete dossier. Attribution evidence and live hub-monitor access can be provided under a coordinated-disclosure agreement.
This analysis is the work of the Innora Security Research Team. All addresses, transaction hashes, and balances were independently verified against Etherscan and Arbiscan, with risk-label cross-checks against MistTrack. No third-party leaks or non-public source material were used. The complete address-and-transaction registry, evidence chain, and subpoena packs supporting every claim above are available on request.