Network news
KELP DAO EXPLOIT: A cross-chain bridge that holds nearly a fifth of a resumed ether token’s circulating supply has just been drained, and the fallout is moving through DeFi faster than the Kelp DAO can pause contracts. An attacker drained 116,500 rsETH (reclaimed ether) from Kelp DAO’s LayerZero powered bridge at 17:35 UTC this weekend, worth about $292 million at current prices and representing about 18% of rsETH’s 630,000 supply tracked by the Coin token. LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send confirmed instructions to each other. Kelp DAO is a floating restaking protocol that takes user-deposited ETH, routes it through EigenLayer to earn extra dividends on top of standard Ethereum stake rewards, and issues rsETH as a tradable receipt. The bridge that was drained contained the rsETH reserve backing wrapped versions of the token installed on more than 20 other blockchains. The attacker tricked LayerZero’s cross-chain messaging layer into thinking a valid instruction had arrived from another network, triggering Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address. Kelp’s emergency breaks multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC both returned, each with the same LayerZero package attempting another 40,000 rsETH drain worth approx. $100 million. — Shaurya Malwa Read more.
NORTH KOREA CRYPTO HEIST PLAYBOOK: Less than three weeks after hackers linked to North Korea used social engineering to hit crypto trading firm Drift, it appears hackers linked to the nation have pulled off another major exploit with Kelp. The attack on Kelp, a restaking protocol tied to LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate, not just looking for bugs or stolen credentials, but exploiting the fundamental assumptions built into decentralized systems. Taken together, the two incidents point to something more organized than a series of isolated hacks as North Korea continues to escalate its efforts to hijack funds from the crypto sector. “This is not a series of incidents; it’s a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t patch your way out of a shopping plan.” More than $500 million was raised across the Drift and Kelp businesses in just over two weeks. At its core, the Kelp exploit did not involve breaking encryption or cracking keys. The system actually worked as designed. Rather, the attackers manipulated the data entered into the system and forced it to trust the compromised inputs, causing it to approve transactions that never actually took place. — Margaux Nijkerk Read more.
AAVE AFFECTED BY KELP DAO HACK: An attacker exploited this setup by forging a transfer message that appeared to be valid. The system approved the transfer even though the tokens were never taken out of the sending chain, meaning new tokens were effectively created without backing, releasing 116,500 rsETH from the Ethereum side bridge. Instead of selling the assets on the open market, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed about $190 million in ETH and related assets across Ethereum and Arbitrum, according to the report. This made Aave exposed to collateral, the support of which may be significantly impaired. Aave Labs said it moved quickly to limit the risk. Within hours, the protocol froze the rsETH markets across its deployments, setting the leverage ratio to zero and halting new borrowing against the asset. The result now largely depends on how Kelp handles the shortage. If losses are spread across all rsETH holders, the token will face an estimated 15% depegging (meaning the value of the staked tokens will not match the value of actual ETH), resulting in around $124 million in bad debt to Aave. If losses are instead isolated to Layer 2 networks, the impact will be far more severe, with bad debt rising to around $230 million and concentrated in networks like Arbitrum and Mantle.— Margaux Nijkerk Read more.
COINBASE COMMISSION PAPER ON QUANTUM COMPUTING RISKS: A new report commissioned by Coinbase sounds a cautious but urgent alarm: Quantum computing won’t break crypto tomorrow, but the industry can’t afford to wait. The 50-page paper, authored by an independent advisory committee that includes prominent cryptographers and academics such as Dan Boneh of Stanford University, Justin Drake of the Ethereum Foundation, and Sreeram Kannan of Eigen Labs, concludes that while today’s blockchains remain secure, a future “fault-tolerant quantum computer” must increasingly begin to encrypt and is now increasingly capable of breaking and encrypting. In recent months, concerns about quantum risk have moved further into the mainstream. Google researchers have published estimates suggesting that a sufficiently advanced quantum computer could one day break Bitcoin’s cryptography. Major crypto-ecosystems have already begun mapping out their responses. The Ethereum Foundation has proposed new types of digital signatures designed to be secure against quantum computers, while Solana and others are experimenting with quantum-resistant wallets. The report emphasizes that current quantum machines are far from powerful enough to crack the cryptography that underpins Bitcoin, Ethereum and other networks. Breaking standard encryption would require large computational overhead, a milestone still considered a major engineering challenge. — Margaux Nijkerk Read more.
In other news
- Part of the Kelp DAO move is no longer going anywhere. Arbitrum’s Security Council on Monday night froze 30,766 ETH worth about $71 million, moving funds tied to Saturday’s $292 million rsETH exploit into an intermediate wallet that can only be accessed through further Arbitrum governance actions. The council said it acted on input from law enforcement agencies regarding the exploiter’s identity and carried out the freeze “without affecting any Arbitrum users or applications.” The transfer was completed at 11:26 PM ET on April 20, according to Arbitrum’s statement on X. The stolen funds are no longer under the control of the address that originally held them. — Shaurya Malwa Read more.
- A Polymarket contract on whether the Kelp DAO will spread the losses from this weekend’s $292 million exploit beyond those directly affected points to a clear answer: probably not. Bettors give a 14% chance that Kelp will “socialize the losses” or implement a mechanism that forces rsETH holders on Ethereum who were not hit to share the pain of users on other chains. The attackers drained around 116,500 rsETH from a LayerZero-powered bridge that held the reserves backing the token across more than 20 blockchains. That left parts of the system under collateral, with some holders effectively owning tokens that are no longer fully backed by ether (ETH). “Socializing the losses” would mean that Kelp redistributed the deficit across all rsETH holders, including those on the Ethereum network, rather than leaving losses concentrated among users and protocols attached to the compromised bridge. The most widespread precedent for this approach came in 2016, when Bitfinex imposed losses on all users after a $60 million hack, effectively mutual-hitting each other to avoid shutting down. — Sam Reynolds Read more.
Legislation and policy
- April appears to be a lost cause for the crypto Clarity Act, but a U.S. Senate committee hearing sometime in May could keep the critical market structure legislation alive as long as it can reach a final vote in the overall Senate before July, according to lobbyists and a legislative aide focused on the market structure bill’s slow progress. The legislative calendar is running out of space for this year, but a Senate aide told CoinDesk that a potential new delay of a few weeks — allowing Republican Sen. Thom Tillis to finish discussions with bankers about concerns about stablecoin dividends — does not yet push this work past the point of no return. The aide also said previous negotiations over decentralized finance (DeFi) protections have effectively been settled, leaving few other obstacles in the way of committee approval. One of the main issues facing the crypto industry (if it can jump over the stubborn hurdle of banking industry objections to stablecoin rewards) is that the Senate Banking Committee only needs to hear that Senate Banking Inquiry. — Jesse Hamilton Read more.
- Tron creator Justin Sun on Tuesday sued World Liberty Financial, the stablecoin and crypto firm backed by members of US President Donald Trump’s family, alleging the project unfairly locked up his $WLFI holdings, made fraudulent misrepresentations and threatened and defamed Sun. The filed lawsuit, which includes a line about Sun’s support for Trump himself, alleged that World Liberty’s management had engaged “in an illegal scheme to seize property” in the form of Sun’s tokens, which Sun claimed he had purchased after being solicited by the World Liberty team in 2024. “At the crucial time for Sunken $WLFI to invest $WLFI $45 million from buying World Liberty $45 million from Liberty. only because of the project’s claims that it would advance the adoption of decentralized finance — an issue Mr. Sun cares deeply about and has devoted much of his life’s work to — but also because of the Trump family’s association with the project,” the suit said. Nikhilesh De & Sam Reynolds Read more.
Calendar
- 5.-7. May 2026: Consensus, Miami
- 2.-3. June 2026: Proof of Talk, Paris
- 8.-10. June 2026: ETHConf, New York
- September 29-1. October 2026: Korea Blockchain Week, Seoul
- 7.-8. October 2026: Token2049, Singapore
- 3.-6. November 2026: Devcon, Mumbai
- 15.-17. November 2026: Solana Breakpoint, London
