Kelp DAO exploited for $292 million

Network news

KELP DAO EXPLOIT: A cross-chain bridge holding nearly a fifth of the circulating supply of a restaked ether token has just been drained, and the fallout is moving through DeFi faster than Kelp DAO can pause contracts. An attacker drained 116,500 rsETH (restaked ether) from Kelp DAO’s LayerZero-powered bridge at 17:35 UTC over the weekend, worth approximately $292 million at current prices and representing around 18% of the circulating supply of 630,000 rsETH tokens tracked by CoinGecko. LayerZero is a cross-chain messaging layer, the infrastructure that allows different blockchains to send verified instructions to each other. Kelp DAO is a liquid restaking protocol, which takes user-deposited ETH, routes it through EigenLayer for additional yield on top of standard Ethereum staking rewards, and issues rsETH as a tradable receipt. The bridge that was drained held the rsETH reserve that backed wrapped versions of the token deployed on more than 20 other blockchains. The attacker tricked LayerZero’s cross-chain messaging layer into believing that a valid instruction had arrived from another network, causing the Kelp bridge to release 116,500 rsETH to an address controlled by the attacker. Kelp’s multisig emergency pauser froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC reverted, each using the same LayerZero packet to attempt another drain of 40,000 rsETH worth approximately $100 million. — Shaurya Malwa

NORTH KOREA’S CRYPTO HEIST PLAYBOOK: Less than three weeks after hackers linked to North Korea used social engineering to attack cryptocurrency trading company Drift, hackers linked to the nation appear to have pulled off another major exploit with Kelp. The attack on Kelp, a restaking protocol tied to LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate: not just looking for bugs or stolen credentials, but exploiting basic assumptions built into decentralized systems. Together, the two incidents point to something more organized than a series of one-off attacks, as North Korea continues to ramp up its efforts to steal funds from the crypto sector. “This is not a series of incidents; it’s a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t go off a procurement schedule.” More than half a billion dollars was siphoned off through the exploits of Drift and Kelp in just over two weeks. At its core, the Kelp exploit did not involve breaking encryption or decrypting keys. In reality, the system worked as designed. Rather, the attackers manipulated data coming into the system and forced it to trust those compromised inputs, causing it to approve transactions that never actually occurred. — Margaux Nijkerk

AAVE AFFECTED BY THE KELP DAO HACK: An attacker exploited that configuration by forging a transfer message that appeared valid. The system approved the transfer even though the tokens were never taken off the sending chain, meaning new unbacked tokens were effectively created, releasing 116,500 rsETH from the Ethereum-side bridge. According to the report, instead of selling the assets on the open market, the attacker deposited 89,567 rsETH in Aave as collateral and borrowed approximately $190 million worth of ETH and related assets on Ethereum and Arbitrum. This left Aave exposed to collateral whose backing may be significantly impaired. Aave Labs said it acted quickly to contain the risk. Within hours, the protocol froze rsETH markets across all its deployments, set the loan-to-value ratio to zero, and halted new borrowing against the asset. The outcome now largely depends on how Kelp handles the deficit. If the losses are spread across all rsETH holders, the token would face an estimated 15% depeg (meaning the value of the staked tokens would not match the value of the actual ETH), resulting in around $124 million in bad debt for Aave. If, instead, losses are limited to Layer 2 networks, the impact would be much more severe, with bad debt rising to approximately $230 million and concentrated in networks such as Arbitrum and Mantle. Margaux Nijkerk

COINBASE COMMISSIONS REPORT ON QUANTUM COMPUTING RISKS: A new report commissioned by Coinbase sounds a cautious but urgent alarm: Quantum computing won’t destroy cryptocurrencies tomorrow, but the industry can’t afford to wait. The 50-page paper, written by an independent advisory board that includes prominent cryptographers and academics such as Dan Boneh of Stanford University, Justin Drake of the Ethereum Foundation, and Sreeram Kannan of Eigen Labs, concludes that while current blockchains remain secure, a future “fault-tolerant quantum computer” capable of breaking widely used encryption is increasingly plausible, and preparation must begin now. In recent months, concerns around quantum risk have become increasingly common. Google researchers have published estimates suggesting that a sufficiently advanced quantum computer could one day break Bitcoin’s cryptography. Major crypto ecosystems have already started planning their responses. The Ethereum Foundation has proposed new types of digital signatures designed to be secure against quantum computers, while Solana and others are experimenting with quantum-resistant wallet designs. The report emphasizes that current quantum machines are far from being powerful enough to crack the cryptography that underpins Bitcoin, Ethereum and other networks. Breaking standard encryption would require a large computational overhead, a milestone that is still considered a major engineering challenge. — Margaux Nijkerk


In other news

  • Some Kelp DAO loot is no longer going anywhere. The Arbitrum Security Council froze 30,766 ETH worth approximately $71 million on Monday night, moving funds linked to Saturday’s $292 million rsETH exploit to an intermediary wallet that can only be accessed through further Arbitrum governance action. The council said it acted based on input from authorities regarding the identity of the exploiter and executed the freeze “without affecting any Arbitrum users or applications.” The transfer was completed at 11:26 pm ET on April 20, according to Arbitrum’s statement on X. The stolen funds are no longer under the control of the address that originally held them. — Shaurya Malwa
  • A Polymarket contract on whether Kelp DAO will spread losses from the weekend’s $292 million exploit beyond those directly affected points to a clear answer: probably not. Bettors give a 14% chance that Kelp will “socialize losses” or implement a mechanism that forces rsETH holders on unaffected Ethereum to share the pain of users on other chains. The attackers drained approximately 116,500 rsETH from a LayerZero-powered bridge that held reserves backing the token on more than 20 blockchains. That left parts of the system without sufficient collateral, with some holders effectively holding tokens that were no longer fully backed by ether (ETH). “Socializing losses” would mean Kelp redistributes the shortfall among all rsETH holders, including those on the Ethereum mainnet, rather than leaving losses concentrated among users and protocols linked to the compromised bridge. The most cited precedent for this approach came in 2016, when Bitfinex imposed losses on all users after a $60 million hack, effectively mutualizing the impact to avoid closure. — Samuel Reynolds

Regulation and policy

  • April appears to be a lost cause for the Cryptocurrency Clarity Act, but a U.S. Senate committee hearing sometime in May could keep critical market structure legislation alive as long as it can reach a final vote by the broader Senate in July, according to lobbyists and a lawmaker aide focusing on the slow progress of the market structure bill. The legislative calendar is running out of room this year, but a Senate aide told CoinDesk that a possible new delay of a couple of weeks, which would allow Republican Senator Thom Tillis to finish discussions with bankers over concerns about stablecoin yield, is not yet taking this work past the point of no return. The aide also said that previous negotiations over decentralized finance (DeFi) protections were effectively resolved, leaving few more impediments in the way of committee approval. One of the main problems facing the crypto industry (if it can overcome the stubborn hurdle of banking sector objections to stablecoin rewards) is that the Senate Banking Committee hearing the bill must pass would be just the first step of many. — Jesse Hamilton
  • Tron creator Justin Sun on Tuesday sued World Liberty Financial, the stablecoin and cryptocurrency firm backed by members of US President Donald Trump’s family, alleging that the project had unfairly blocked his holdings of $WLFI, made fraudulent misrepresentations, and threatened and defamed Sun. The lawsuit, which includes a line about Sun’s support for Trump himself, alleges that World Liberty’s leadership had engaged “in an illegal scheme to seize property” in the form of Sun’s tokens, which Sun alleged he had purchased after being solicited by the World Liberty team in 2024. “At that pivotal moment for World Liberty, Mr. Sun invested $45 million to purchase World Liberty’s $WLFI tokens not only because of the project’s claims that it would promote the adoption of decentralized finance, an issue that deeply concerns Mr. Sun and to which he has dedicated much of his life’s work, but also because of the Trump family’s association with the project,” the lawsuit says. Nikhilesh De & Sam Reynolds

Calendar

  • May 5-7, 2026: Consensus, Miami
  • June 2-3, 2026: Proof of Talk, Paris
  • June 8-10, 2026: ETHConf, New York
  • September 29-October 1, 2026: Korea Blockchain Week, Seoul
  • October 7-8, 2026: Token2049, Singapore
  • November 3-6, 2026: Devcon, Mumbai
  • November 15-17, 2026: Solana Breakpoint, London
