Network news
KELP DAO vulnerability: A cross-chain bridge holding nearly a fifth of the circulating supply of a restaked Ethereum token has just been drained, and the impact is spreading across DeFi faster than Kelp DAO's contract suspension. Over the weekend at 17:35 UTC, an attacker drained 116,500 rsETH (recollateralized Ether) from Kelp DAO’s LayerZero-powered bridge, worth about $292 million at current prices and about 18% of the 630,000 rsETH circulating supply tracked by CoinGecko. LayerZero is a cross-chain messaging layer, the infrastructure that lets different blockchains send verified instructions to each other. Kelp DAO is a liquidity restaking protocol that accepts user-deposited ETH, routes it through EigenLayer to earn additional yields on top of standard Ethereum staking rewards, and issues rsETH as tradable receipts. The drained bridge holds rsETH reserves and supports wrapped versions of the token deployed on over 20 other blockchains. The attacker tricked LayerZero’s cross-chain messaging layer into believing that valid instructions had arrived from another network, triggering Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address. Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two subsequent attempts at 18:26 and 18:28 UTC recovered, each carrying the same LayerZero packet, and the attempt again consumed 40,000 rsETH, worth approximately $100 million. — Shaurya Malwa
North Korea Cryptocurrency Heist Playbook: Less than three weeks after hackers linked to North Korea used social engineering to attack cryptocurrency trading firm Drift, hackers linked to the country appear to have carried out another major attack, this time on Kelp. The attack on Kelp, a restaking protocol tied to LayerZero’s cross-chain infrastructure, illustrates an evolution in the way North Korea-linked hackers operate: they are not just looking for faulty or stolen credentials, but are exploiting fundamental assumptions built into decentralized systems. Taken together, the two incidents suggest something more organized than a series of one-off hacks as North Korea continues to ramp up its efforts to hijack funds from the cryptocurrency space. “It’s not a series of events; it’s a rhythm,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t get away from a procurement plan.” In just over two weeks, the Drift and Kelp exploits diverted more than $500 million. Essentially, the Kelp vulnerability does not involve breaking encryption or cracking keys. The system actually works the way it was designed. Instead, attackers manipulate data fed into the system, forcing the system to rely on those compromised inputs, causing the system to approve transactions that never actually occur. — Margot Neckar
AAVE affected by KELP DAO hacker attack: An attacker could exploit this setting by forging a transmission message that appears to be valid. Even though the tokens were never taken out of the sending chain, the system approved the transfer, meaning new tokens were effectively created without backing, releasing 116,500 rsETH from the Ethereum side bridge. According to the report, instead of selling the assets on the open market, the attackers deposited 89,567 rsETH into Aave as collateral and borrowed approximately $190 million in ETH and related assets through Ethereum and Arbitrum. This leaves Aave exposed to collateral risks and its support could be severely compromised. Aave Labs said it acted quickly to contain the risk. Within hours, the protocol froze the rsETH market in its deployments, setting the loan-to-value ratio to zero and halting new borrowing against the asset. The outcome now depends largely on how Kelp handles the shortage. If losses were spread across all rsETH holders, the token would face an estimated 15% decoupling (meaning the value of the pledged tokens does not match the value of actual ETH), resulting in Aave incurring approximately $124 million in bad debt. If the losses were limited to Layer 2 networks, the impact would be much more severe, with bad debt rising to about $230 million and concentrated on networks like Arbitrum and Mantle. Margot Neckar
Coinbase committee document on quantum computing risks: A new report commissioned by Coinbase sounds cautious but urgent: Quantum computing won’t break cryptocurrencies tomorrow, but the industry can’t wait. The 50-page paper, written by an independent advisory committee that includes prominent cryptographers and academics such as Stanford University’s Dan Boneh, the Ethereum Foundation’s Justin Drake, and Eigen Labs’ Sreeram Kannan, concludes that while today’s blockchains remain secure, it is increasingly likely that “fault-tolerant quantum computers” capable of breaking widely used encryption will emerge in the future, and preparations must begin immediately. Concerns about quantum risks have moved further into the mainstream in recent months. Google researchers have released estimates suggesting that a sufficiently advanced quantum computer could one day break Bitcoin’s cryptography. Major crypto ecosystems have already begun formulating countermeasures. The Ethereum Foundation has proposed new digital signatures designed to be secure against quantum computers, while Solana and others are experimenting with quantum-resistant wallet designs. The report highlights that current quantum machines are nowhere near powerful enough to break the cryptography that underpins Bitcoin, Ethereum and other networks. Breaking standard encryption requires significant computational overhead, and this milestone is still considered a significant engineering challenge. — Margot Neckar
Other news
- Most of Kelp DAO’s shipping will no longer go anywhere. The Arbitrum Council froze 30,766 ETH, worth approximately $71 million, on Monday night, moving funds related to Saturday’s $292 million rsETH breach into an intermediary wallet that can only be accessed through further Arbitrum governance actions. The council said it acted on input from law enforcement regarding the identity of the exploiter and implemented the freeze, which “will not impact any Arbitrum users or applications.” According to Arbitrum’s statement on X, the transfer was completed at 11:26 pm ET on April 20. The stolen funds are no longer controlled by the address that originally held them. — Shaurya Malwa
- A Polymarket contract on whether Kelp DAO will spread the $292 million in losses from the weekend’s exploit beyond those directly affected gives a clear answer: probably not. Punters put the chance at 14% that Kelp will “socialize losses,” or implement a mechanism that forces unaffected rsETH holders on Ethereum to share the pain of other on-chain users. The attackers siphoned off approximately 116,500 rsETH from the LayerZero-powered bridge, which holds reserves of tokens supported across more than 20 blockchains. This leaves parts of the system undercollateralized, with some holders effectively owning tokens that are no longer fully backed by Ethereum (ETH). “Loss socialization” means that Kelp redistributes the shortfall to all rsETH holders, including those on the Ethereum mainnet, rather than having losses concentrated on the users and protocols associated with the compromised bridge. The most widely cited precedent for this approach occurred in 2016, when Bitfinex suffered a $60 million hack that inflicted losses on all users, effectively fighting together to avoid a shutdown. — Sam Reynolds
Regulation and Policy
- April appears to be the reason the Cryptocurrency Clarity Act failed, but according to lobbyists and a congressional aide concerned about the slow progress of the market structure bill, a U.S. Senate committee hearing sometime in May may preserve the key market structure legislation as long as it can get a final vote from the full Senate before July. There is no room on this year’s legislative calendar, but a Senate aide told CoinDesk that a delay of a few more weeks — to allow Republican Sen. Thom Tillis to finish discussions with bankers about concerns about stablecoin yields — is possible but has not yet pushed the effort past the point of no return. The aide also said that earlier negotiations on decentralized finance (DeFi) protections have been effectively resolved, with few additional obstacles in the way of committee approval. One of the major issues facing the cryptocurrency industry—if it can get past the stubborn hurdle of the banking industry’s opposition to stablecoin rewards—is that hearing the bill before the Senate Banking Committee is just the first step in the many issues it needs to clear. — Jesse Hamilton
- Tron founder Justin Sun sued World Liberty Financial, a stablecoin and cryptocurrency company backed by members of U.S. President Donald Trump’s family, on Tuesday, accusing the project of unfairly locking up his WLFI USD holdings, making fraudulent misrepresentations, and threatening and defaming Sun. The lawsuit includes concerns about Sun’s support for Trump himself, claiming World Liberty’s leadership engaged in an “illegal scheme to seize property” in the form of Sun’s tokens, which Sun claims he purchased after being solicited by the World Liberty team in 2024. “At a critical time for World Liberty, Sun invested $45 million to purchase WLFI tokens from World Liberty not only because of the project’s claim that it would promote the adoption of decentralized finance – an issue that is close to Mr. Sun’s heart and a part of much of his life’s work – but also because of the Trump family’s ties to the project,” the lawsuit states. — Nikhilesh De and Sam Reynolds
Calendar
- May 5-7, 2026: Consensus, Miami
- June 2-3, 2026: Proof of Talk, Paris
- June 8-10, 2026: ETHConf, New York
- September 29-October 1, 2026: Korea Blockchain Week, Seoul
- October 7-8, 2026: Token2049, Singapore
- November 3-6, 2026: Devcon, Mumbai
- November 15-17, 2026: Solana Breakpoint, London
