Kelp DAO’s rsETH bridge apparently exploited for roughly $292 million in LayerZero-based attack

Kelp DAO's rsETH bridge suffered a $292 million exploit through a LayerZero-based attack, with the protocol's emergency multisig freezing core contracts within 46 minutes and blocking two additional exploitation attempts. The incident highlights critical vulnerabilities in cross-chain bridge infrastructure and the risks associated with LayerZero's messaging protocol.

The Kelp DAO exploit represents a significant failure in bridge security architecture, one of the most persistent vulnerabilities in decentralized finance. Cross-chain bridges serve as critical infrastructure for multi-chain liquidity, yet they remain attractive targets due to their concentration of value and complex technical requirements. The $292 million drain through LayerZero mechanisms demonstrates that attackers continue to identify novel vectors even as the industry matures its security practices.

This attack follows a well-established pattern in DeFi exploits. LayerZero's messaging protocol, while innovative in its approach to chain abstraction, creates attack surfaces that require continuous scrutiny. The vulnerability likely involved either a flaw in message validation, signature verification, or logical errors in the bridge's smart contract implementation. The speed of the emergency response—46 minutes to contract freezing—shows protocol governance can react quickly, but this occurs only after funds are already drained.

For the broader DeFi ecosystem, this exploit reinforces that bridge security remains a critical weak point. The $292 million loss impairs confidence in Kelp DAO's rsETH liquid staking derivative and raises questions about the robustness of LayerZero implementations across other protocols. Developers and protocols using similar infrastructure face increased scrutiny from auditors and users alike.

The incident will likely accelerate discussions around bridge security standards, multi-signature verification improvements, and potential protocol redesigns. LayerZero will face pressure to conduct comprehensive security audits, while users may migrate liquidity to alternative bridges and staking solutions perceived as lower-risk.

• →A $292 million exploit of Kelp DAO's rsETH bridge through LayerZero reveals persistent cross-chain bridge vulnerabilities.
• →The protocol's emergency multisig froze contracts within 46 minutes but only after the primary drain succeeded.
• →LayerZero-based infrastructure faces renewed scrutiny following the attack, affecting multiple protocols using its messaging system.
• →Cross-chain bridges remain the most vulnerable infrastructure layer in DeFi despite significant security investments.
• →Users of rsETH and similar bridge-dependent tokens face increased counterparty and technical risks requiring reassessment.