April 20, 2026
Detections

The KelpDAO Observation-Layer Exploit: $291M Released on a Message That Never Existed

A forged LayerZero cross-chain message drained 74% of Kelp DAO's rsETH escrow. Two independent security failures compounded: an observation-layer compromise in LayerZero Labs' DVN infrastructure and a single-DVN configuration on the Kelp adapter.

Hypernative

Cross-chain bridges have evolved architecturally since 2022, when Ronin, Wormhole, and Nomad collectively lost more than $1B to multisig compromises and validator exploits. LayerZero V2 replaced multisig committees with Decentralised Verifier Networks (DVNs): offchain observers that cryptographically attest to cross-chain events before destination contracts release funds. The Kelp DAO exploit demonstrates what happens when a bridge's security model concentrates observation authority in a single organisation and that observer's infrastructure produces attestations over events that never occurred.

What is KelpDAO and LayerZero

KelpDAO operates rsETH, a liquid restaking token representing staked positions across multiple liquid staking protocols. To enable rsETH usage across chains, Kelp deployed an Omnichain Fungible Token (OFT) adapter on Ethereum using LayerZero V2, with a lock-and-release escrow holding approximately 156,874 rsETH (~$392M) at the time of the attack. Cross-chain transfers burn rsETH on the source chain and mint equivalent supply on the destination chain, with the Ethereum escrow backing all bridged tokens.

LayerZero V2 is a cross-chain messaging protocol that relies on Decentralised Verifier Networks to authenticate messages between chains. Each DVN operates infrastructure that observes source-chain events (specifically PacketSent emissions from LayerZero endpoints) and signs attestations confirming those events occurred. OApp developers configure how many DVNs must attest before a destination-chain contract accepts a message. Kelp's rsETH OFTAdapter on the Unichain-to-Ethereum pathway required exactly one DVN: LayerZero Labs.

How the attack unfolded

On April 18, 2026 at 17:35 UTC, the Ethereum-side Kelp rsETH OFTAdapter released 116,500 rsETH (~$291M) to an attacker wallet in response to a cross-chain message that claimed to originate from Unichain but was never emitted by any Unichain transaction. The attack moved through three transactions:

  • Forged DVN attestation. LayerZero Labs' DVN signed a payload hash for a PacketSent event purportedly emitted by the legitimate Kelp rsETH OFT contract on Unichain. Independent verification across multiple RPC providers confirmed no PacketSent events from Unichain's LayerZero Endpoint during the relevant block window, zero rsETH burn events on Unichain, and a total Unichain rsETH supply of approximately 49 tokens, roughly 2,300 times smaller than the 116,500 rsETH the forged packet claimed to bridge. The fabricated observation entered the DVN pipeline somewhere between the Unichain network and the DVN signer nodes: an upstream RPC provider, network-layer interception, or an internal pipeline compromise.

  • Onchain verification and commitment. Two of the three LayerZero Labs DVN signers produced valid ECDSA signatures over the forged payload, satisfying the 2-of-3 multisig quorum. The attestation transaction called ReceiveUln302.verify(), which stored the payload hash and emitted PayloadVerified. A follow-up transaction called commitVerification(), which read the Kelp adapter's UlnConfig (1 required DVN, 42 L2 block confirmations) and recorded the packet as verified on the Ethereum endpoint.

  • Delivery and drain. LayerZero's Executor called lzReceive() on the Kelp adapter. The packet authenticated to the legitimate Unichain peer contract and matched the expected inbound nonce, so onchain validation passed without anomaly. The adapter's OFT logic invoked rsETH.safeTransfer(), releasing 116,500 rsETH from escrow to the attacker. The attacker's wallet had been pre-funded with 0.1 ETH via Tornado Cash eight hours prior.

The packet authenticated correctly at every onchain checkpoint, the sender address matched the legitimate Kelp OFT peer on Unichain, and the nonce was sequential. The payload hash matched what the DVN had attested. The weakness was not in the contracts that correctly enforced their stated guarantees but in the offchain observation that fed the DVN an event that never entered canonical chain state.

What failed

The observation layer produced a signed attestation over a fabricated event, and the Kelp adapter's configuration concentrated bridge security in that single source with no redundancy. Either failure alone would have been containable; both together were not.

LayerZero Labs' DVN infrastructure signed over a PacketSent payload that does not exist on Unichain. The failure occurred between the Unichain network and the DVN's signing nodes. DVNs rely on offchain infrastructure to monitor source chains for PacketSent emissions. If that pipeline is compromised, the DVN produces attestations decoupled from canonical chain state. Onchain contracts downstream have no mechanism to verify that the attested event actually occurred. They trust the DVN's signature.

The Kelp adapter's UlnConfig for the Unichain-to-Ethereum pathway set requiredDVNCount to 1, with requiredDVNs containing only LayerZero Labs. No optional DVNs were configured. This is a single point of failure: if the one required DVN's observation stack is compromised or produces a false attestation, no independent verifier exists to catch it. The configuration also set confirmations to 42 L2 blocks (approximately 42 seconds at Unichain's 1-second block time). L2 finality at this depth is soft: the L2 sequencer can reorg blocks as long as the underlying L1 batch has not been submitted and verified, and observation based on soft finality is exploitable if the observer can be fed data that diverges from what eventually settles on L1.

Beyond these two, no downstream constraint existed. The OFT adapter imposed no per-packet amount cap, no daily throughput limit, no supply inflation check. A message claiming to bridge 116,500 rsETH (327 times the adapter's largest prior inbound transfer) passed without additional scrutiny. The escrow held 156,874 rsETH. The drain removed 74.3% in a single transaction.

The problem was not only who observed. When the observer failed, no independent layer of defence existed, and the resulting protocol state, an escrow short by 116,500 rsETH relative to outstanding cross-chain supply, hit no limit that would have contained it.

How each stage could have been stopped

Each stage of the KelpDAO exploit passed through a gap where a hard control could have stopped the sequence. What follows maps each gap to the policy that would have closed it, the monitoring signal that would have surfaced it, and the automated onchain response that would have contained it.

Forged DVN attestation acceptance

The gap. The DVN observation infrastructure produced a signed attestation over a PacketSent event that was never emitted on canonical Unichain. No consensus mechanism across independent data sources validated the observation before attestation.

Policy. A multi-DVN verification policy: block any cross-chain packet on high-value pathways unless attested by at least two DVNs operated by independent organisations.

  • The forged LayerZero Labs attestation would have been insufficient for delivery. This policy does not evaluate whether any single DVN is trustworthy. It evaluates whether the bridge has structural redundancy against observation-layer compromise.

Monitoring and response. For protocols with LayerZero OFT exposure, monitoring for cross-chain messages where the claimed source transaction does not exist on the source chain would have identified the phantom PacketSent at the infrastructure layer. Our LayerZero monitoring suite detects mismatches between destination-chain packet delivery and corresponding source-chain emissions, flagging messages that either lack a verifiable origin transaction or show a mismatch in amount. Configured as a trigger for automated onchain response, this detection pauses the OFT adapter before the forged message can execute lzReceive, preventing the escrow release regardless of whether the DVN attestation passed verification.

Single-DVN configuration

The gap. The Kelp adapter's UlnConfig set requiredDVNCount to 1 with no optional DVNs, concentrating bridge security to LayerZero Labs' entire observation and signing stack.

Policy. An OFT configuration policy: block deployment or flag for governance review any OFT adapter where requiredDVNCount is less than 2 or where all required DVNs are operated by the same organisation.

  • Single-DVN configurations are structurally vulnerable to compromise, operational failure, or key exposure at the single observer. This policy does not prevent using LayerZero Labs as a DVN. It prevents LayerZero Labs from being the only required DVN.

Monitoring and response. Monitoring for changes to UlnConfig parameters on production OFT adapters — particularly decreases in requiredDVNCount or removal of independent DVNs from the required set — would have surfaced the configuration risk before the exploit. For lending protocols and yield aggregators accepting rsETH as collateral, monitoring for large, rapid inflows of rsETH from LayerZero bridges, cross-referenced against expected bridge activity and source-chain supply changes, would have flagged the 116,500 rsETH release as anomalous. Automated response at this stage freezes deposit, borrow, and mint functions on rsETH-collateralised markets, limiting exposure before the drained escrow creates systemic bad debt.
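As an added example (not Hypernative's or LayerZero's code), a Python policy check over a pathway's UlnConfig. Rather than only counting DVNs, it computes the smallest number of organisations whose observation stacks would all have to be wrong for a packet to verify, which is the property the policy above targets, and it emits the monitoring alerts for a weakening config change. The DVN addresses and the operator registry are constructed placeholders.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class UlnConfig:
    """Receive-side ULN config for one pathway; field names follow the write-up, values are constructed."""
    confirmations: int
    requiredDVNCount: int
    requiredDVNs: list[str]
    optionalDVNThreshold: int = 0
    optionalDVNs: list[str] = field(default_factory=list)

# Constructed registry: which organisation operates each DVN address (placeholders).
# Addresses not in the registry are conservatively treated as one organisation, "unknown".
OPERATORS = {"0xDVN_LZ_1": "LayerZero Labs", "0xDVN_LZ_2": "LayerZero Labs",
             "0xDVN_B": "Org B", "0xDVN_C": "Org C"}

def min_colluding_orgs(cfg, operators=OPERATORS):
    """Fewest organisations that must all attest wrongly for a forged packet to verify here."""
    org = lambda d: operators.get(d, "unknown")
    forced = {org(d) for d in cfg.requiredDVNs}          # every required DVN must attest
    need = cfg.optionalDVNThreshold if cfg.optionalDVNs else 0
    covered = sum(1 for d in cfg.optionalDVNs if org(d) in forced)
    if covered >= need:
        return len(forced)
    others = sorted({org(d) for d in cfg.optionalDVNs} - forced)
    for k in range(1, len(others) + 1):                  # small sets: exact search
        for extra in combinations(others, k):
            if covered + sum(1 for d in cfg.optionalDVNs if org(d) in extra) >= need:
                return len(forced) + k
    return len(forced) + len(others)                     # threshold unreachable

def evaluate(cfg, operators=OPERATORS, min_confirmations=None):
    """Policy check for one pathway; an empty list means compliant."""
    v = []
    if cfg.requiredDVNCount < 2:
        v.append("requiredDVNCount < 2")
    if min_colluding_orgs(cfg, operators) < 2:
        v.append("a single organisation can verify a packet alone")
    if min_confirmations is not None and cfg.confirmations < min_confirmations:
        v.append(f"confirmations {cfg.confirmations} below settlement depth {min_confirmations}")
    return v

def diff_alerts(old, new, operators=OPERATORS):
    """Monitoring signal for a config change: any weakening of the required set or finality."""
    a = []
    if new.requiredDVNCount < old.requiredDVNCount:
        a.append("requiredDVNCount decreased")
    for d in sorted(set(old.requiredDVNs) - set(new.requiredDVNs)):
        a.append(f"required DVN removed: {operators.get(d, 'unknown')}")
    if new.confirmations < old.confirmations:
        a.append("confirmations decreased")
    return a

KELP_LIKE = UlnConfig(confirmations=42, requiredDVNCount=1, requiredDVNs=["0xDVN_LZ_1"])  # constructed
```

Adding an optional DVN run by the same organisation as the required one leaves min_colluding_orgs at 1, which is why the check reasons about operators rather than addresses.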

Unrestricted escrow drain

The gap. The OFT adapter imposed no cap on per-packet transfer size, no daily throughput limit, no cross-check against circulating supply on the source chain. The 116,500 rsETH release (327 times the adapter's prior largest inbound transfer and 2,300 times the total rsETH supply on Unichain) executed without additional scrutiny.

Policy. A supply reconciliation policy: block any OFT credit transaction that would create a supply imbalance exceeding X% between the destination-chain escrow and the sum of source-chain circulating supplies.

  • The resulting imbalance would have been blocked immediately. This policy does not evaluate whether the bridge message is authentic. It evaluates whether the resulting cross-chain supply state is physically possible.

Monitoring and response. Monitoring for large single-transaction withdrawals from OFT escrow contracts, particularly those exceeding historical norms by orders of magnitude, would have flagged the 116,500 rsETH release as it occurred. Positions with rsETH exposure, whether LP positions in rsETH/ETH pools, rsETH collateral in lending markets, or yield strategies holding rsETH, should monitor available liquidity and trigger automated withdrawal as liquidity returns, so that they are first in line when utilisation spikes. Following the Kelp exploit, major lending protocols reached 100% utilisation as borrowers rushed to close positions and LPs moved to exit. Aave V3's WETH, USDT, USDC, and USDe markets all hit full utilisation, with borrow rates spiking above 14% APR. Any incoming repayments were consumed within seconds. Hypernative customers with liquidity monitoring and automated withdrawal responses configured were able to exit before pools locked, being first in line as each repayment created a momentary withdrawal window.

The combination that constitutes an observation-layer bridge exploit

The gap. Each action in the sequence is individually routine. The combination, an attestation bound to an event that does not exist and a released amount exceeding source-chain supply by orders of magnitude, is a compromise pattern. No policy evaluated the sequence as a whole.

Policy. A stateful cross-chain integrity policy: block any OFT credit transaction where the claimed source-chain event cannot be verified across multiple independent observation sources and the credited amount would create a supply imbalance exceeding threshold T.

  • This catches the attack at the intersection of individually valid actions that together constitute an impossible state, regardless of whether any single action appears malicious in isolation.

Monitoring and response. Hypernative detected the anomalous 116,500 rsETH transfer upon transaction confirmation at 17:35 UTC and issued alerts to protocols monitoring Kelp DAO and rsETH exposure. For Hypernative customers with LayerZero monitoring configured, the detection layer would have surfaced multiple signals: destination-chain packet delivery without corresponding source-chain emission, large OFT credit transaction exceeding historical transfer patterns, and supply imbalance between escrow holdings and cross-chain circulating supply. Automated onchain response connects these signals to executable actions like pausing the OFT adapter, freezing affected lending markets, or triggering emergency withdrawal from LP positions without waiting for human review. The gap between detection and containment is precisely what automated response closes.
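The detection and policy logic described in this subsection and the two before it, as an added Python example that is not Hypernative's product code: it reconciles a destination-chain OFT credit against what independent observers saw on the source chain and against the supply invariant of a lock-and-release escrow (escrow must back all bridged supply). Endpoint ids, the peer address, observer names, the "other chains" supply and the sample packets are constructed; the figures for the escrow, Unichain supply and prior largest inbound come from the write-up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """OFT credit as seen on the destination chain (whole rsETH for readability)."""
    src_eid: int    # LayerZero endpoint id of the claimed source chain
    sender: str     # claimed source-chain peer (OFT) address
    nonce: int      # inbound nonce on the pathway
    amount: int     # tokens the packet asks the adapter to release

@dataclass
class ChainState:
    """Cross-chain supply picture before the packet executes (constructed)."""
    escrow: int                              # rsETH locked in the Ethereum OFTAdapter
    bridged_supply: dict[int, int]           # circulating rsETH per source eid
    emissions: dict[str, dict[tuple, int]]   # observer -> {(eid, sender, nonce): burned}
    historical_max_inbound: int              # largest prior inbound credit on the pathway

def reconcile(pkt, st, imbalance_limit=0.01, anomaly_factor=10):
    """Return (signals, block). Checks whether the cross-chain state the packet
    implies can exist; it never inspects the DVN signature itself."""
    key = (pkt.src_eid, pkt.sender, pkt.nonce)
    seen = {obs: evts.get(key) for obs, evts in st.emissions.items()}
    missing = [o for o, a in seen.items() if a is None]
    signals = []
    if missing:                                   # phantom PacketSent
        signals.append("no_source_emission:" + ",".join(missing))
    if any(a is not None and a != pkt.amount for a in seen.values()):
        signals.append("amount_mismatch")
    if pkt.amount > st.bridged_supply.get(pkt.src_eid, 0):
        signals.append("exceeds_source_supply")   # more than the source chain holds
    if pkt.amount > anomaly_factor * st.historical_max_inbound:
        signals.append("anomalous_size")
    # Post-execution projection: escrow drops by the full amount, bridged supply only
    # by what every observer actually saw burned (nothing, for a phantom packet).
    burned = min(seen.values()) if seen and not missing else 0
    escrow_after = st.escrow - pkt.amount
    supply_after = sum(st.bridged_supply.values()) - burned
    imbalance = (supply_after - escrow_after) / supply_after if supply_after else 0.0
    if imbalance > imbalance_limit:
        signals.append(f"supply_imbalance:{imbalance:.1%}")
    # Imbalance alone blocks (supply reconciliation); so does an origin that cannot be
    # verified across observers or an amount they did not see (phantom-packet detection).
    block = imbalance > imbalance_limit or bool(missing) or "amount_mismatch" in signals
    return signals, block

# Constructed sample on the write-up's figures (escrow 156,874; Unichain supply 49; largest
# prior inbound about 356). Endpoint ids, peer address and "other chains" supply are placeholders.
UNI, OTHER, PEER = 30320, 30000, "0xKELP_RSETH_OFT_UNICHAIN"
STATE = ChainState(escrow=156_874, bridged_supply={UNI: 49, OTHER: 156_825},
                   emissions={"rpc_a": {(UNI, PEER, 41): 20}, "rpc_b": {(UNI, PEER, 41): 20}},
                   historical_max_inbound=356)
LEGIT = Packet(UNI, PEER, 41, 20)         # burn of 20 rsETH seen by both observers
FORGED = Packet(UNI, PEER, 42, 116_500)   # no observer saw a PacketSent for nonce 42
```

On the constructed state, FORGED trips every signal and projects a 74.3% imbalance, which is the escrow deficit the write-up reports, while LEGIT leaves the invariant intact.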

Hypernative detected the exploit within the same block as the drain transaction and immediately issued alerts to protocols monitoring Kelp DAO and rsETH exposure. The team joined war rooms with affected lending markets and yield protocols, helping assess collateral exposure and coordinate freeze decisions as the downstream impact cascaded through DeFi. But detection alone does not prevent the second-order market impact that followed. As lending protocols paused rsETH markets and borrowers rushed to unwind leveraged positions, correlated asset pools reached full utilisation: LPs could not withdraw, and any incoming repayments were consumed within seconds. Monitoring surfaces risk as it develops, while policies enforce hard limits at the point of execution. Automated onchain response connects the two, enabling customers to be first in line to withdraw the moment liquidity becomes available, to freeze affected markets before bad debt accumulates, or to exit positions before utilisation locks.

Operational safety

The same policy and response layer that would have stopped this exploit also prevents operational errors during normal bridge operations. LayerZero OApps routinely undergo DVN configuration changes, pathway additions, and parameter updates that carry misconfiguration risk.

Consider a protocol team adding a new chain pathway that accidentally sets requiredDVNCount to 1 instead of 2 during deployment, intending to add a second DVN post-launch but forgetting to complete the change. Without policy enforcement, that misconfiguration is functionally identical to what enabled the Kelp exploit: a pathway with no observation redundancy. Or consider a governance proposal that adjusts confirmations from L1-batch-inclusion depth to L2 block depth, unintentionally weakening finality guarantees during a routine parameter optimisation. Without a configuration integrity policy, the error executes.

Bridge infrastructure also faces operational risks at the observation layer. An RPC provider experiencing data corruption, a DVN node pulling from a stale indexer, or a network partition causing temporary divergence between observation sources can all produce attestations over incorrect state. Requiring consensus across multiple independent DVN organisations catches these operational failures the same way it catches adversarial ones. The monitoring layer does not need to distinguish between malice and mistake. It tracks whether the resulting protocol state is safe.

This pattern, privileged paths without hard limits, extends beyond LayerZero.

What recent exploits reveal about structural security

The Kelp DAO exploit is the third major bridge or cross-chain protocol compromise in April 2026, following Hyperbridge ($237K) and Drift Protocol ($285M). The attacks share no common codebase, architecture, or attack vector. Hyperbridge failed through compounding gaps in proof verification, message validation, and access control, while Drift's exploit targeted a different mechanism entirely. Kelp failed at the observation layer: infrastructure that sits outside the onchain contracts and feeds them data about external state.

What connects them is structural: each protocol had privileged execution paths that could alter critical state without hard constraints on the resulting protocol state. In each case, the exploit moved through functions operating within their designed parameters. The problem was not that one function misbehaved. The problem was that no layer of defence evaluated whether the sequence of valid actions produced an impossible or unsafe outcome.

This is the pattern that policy-based enforcement addresses. A supply reconciliation policy does not need to know whether rsETH arrived via a forged LayerZero message, a compromised multisig, or a contract exploit. It evaluates whether 116,500 rsETH can physically exist on Ethereum when Unichain holds 49 rsETH. A stateful combination policy does not need to understand Hyperbridge's MMR verification logic. It evaluates whether an admin role change followed immediately by a billion-token mint represents normal protocol operation.

The common thread is the absence of hard limits that operate independently of trust assumptions. Hyperbridge trusted that proof verification would catch invalid commitments. Kelp trusted that its DVN would only attest to real events. Both failed. The protocols that avoid loss will have constraints that do not depend on those assumptions holding.
