Login

u/bigrkg

$292M stolen from KelpDao
▲ 5 r/Crypto_Currency_News

$292M stolen from KelpDao

https://preview.redd.it/hc9e9iteiiwg1.png?width=656&format=png&auto=webp&s=4998fd487110b9026311e60dbe9c05e761724035

Everyone’s first instinct is to look for a smart contract exploit. This wasn’t one.

No reentrancy. No key compromise. Core contracts worked exactly as designed.

What failed was the verification layer.

Here’s the breakdown:

  • Attackers (linked to Lazarus Group) targeted the RPC infrastructure feeding LayerZero’s DVN
  • Two RPC nodes were compromised, while the remaining honest nodes were DDoS’d
  • This forced the verifier to rely entirely on poisoned data
  • A forged cross-chain message was submitted and validated as legitimate
  • Result: 116,500 unbacked rsETH (~$292M) released from escrow in a single transaction

 

The critical flaw wasn’t the attack itself. It was the setup:

  • KelpDAO was running a 1-of-1 DVN configuration
  • One verifier. No redundancy. No fallback
  • ~$1B+ in assets secured by a single validation path

Once that verifier was compromised, the system had no way to reject a fake message. 

Key takeaway:

Bridges don’t fail at execution - they fail at verification assumptions.

>Wanna know more?
We’ve broken this down in detail here: "KelpDAO rsETH $292M Bridge Exploit (Explained)"

reddit.com
u/bigrkg — 2 days ago
▲ 0 r/ethdev

7 questions that could’ve saved DeFi $2B , Security now = Code + Admin/OPSEC layer)

👉 Smart contract audits cover ~30% of your attack surface.
👉 The other 70%? That’s where billions are lost.

Recent exploits (Drift, Radiant, Resolv, Bybit, WazirX) wiped out $2B+ — none were code bugs. Every protocol passed audits.

So what failed?

Not the code. The keys, governance, and operations around it.

Attackers didn’t “hack” smart contracts — they:

  • Social engineered teams for months
  • Compromised signer devices
  • Manipulated frontends
  • Exploited weak multisig setups

Reality: You secured the vault door… but left the keys exposed.

The 7 questions every founder should answer:

  1. Can you list all privileged keys in minutes?
  2. What happens if ONE signer is compromised?
  3. Do signers verify transactions or trust the UI?
  4. Can funds be drained instantly, or are there delays (timelocks)?
  5. Where are your keys stored (hardware vs cloud)?
  6. Would your team survive a 6-month social engineering attack?
  7. Can you pause the protocol within 15 minutes during an attack?

We’ve broken this down in detail here: “7 questions that could have saved DeFi $2 billion"

reddit.com
u/bigrkg — 6 days ago