#rsETHAttackUpdate

#rsETHAttackUpdate: The Bridge Failure That Shook DeFi
The rsETH exploit has become one of the most serious security incidents in DeFi during 2026, exposing how dangerous weak cross-chain infrastructure can be. On April 18, KelpDAO’s rsETH protocol suffered a massive $292 million exploit after attackers manipulated its LayerZero bridge system and minted 116,500 unbacked rsETH tokens—equal to nearly 18% of total supply.

This was not a simple smart contract bug. It was a deep infrastructure-level attack that targeted the trust layer of cross-chain verification itself.
The core weakness came from KelpDAO’s use of a 1-of-1 DVN (Decentralized Validator Network) setup. This meant LayerZero Labs acted as the sole validator for bridge message verification. Instead of decentralization, the bridge relied on one single trust point—and attackers exploited exactly that.

The attack began by compromising RPC nodes connected to the LayerZero DVN. Malicious actors replaced legitimate op-geth binaries with altered versions capable of serving forged blockchain state data. These fake responses were specifically delivered to DVN verification endpoints.

To make the attack successful, clean nodes were hit with DDoS pressure, forcing verification traffic to route entirely through compromised infrastructure. Once control over message verification was established, attackers forged a fake cross-chain message claiming valid origin from KelpDAO’s Unichain deployment.
Because the manipulated message passed the required 2-of-3 multisig verification process, the bridge accepted it as legitimate and released 116,500 rsETH directly to attacker-controlled wallets.

These tokens had no real collateral backing.
The attackers then moved quickly, using the fake rsETH as collateral across Aave V3 and V4 lending markets. They borrowed 52,834 WETH on Ethereum mainnet and another 29,782 WETH plus 821 wstETH on Arbitrum, extracting a total value of roughly 83,427 WETH and wstETH.
This immediately created massive bad debt inside Aave.

Aave responded by freezing rsETH markets and removing borrowing power, while KelpDAO paused rsETH contracts across Ethereum and Layer 2 networks. Arbitrum froze 30,000 ETH linked to exploit wallets, and Tether froze $344 million USDT across Tron addresses.
Still, panic spread fast.

More than $7 billion was withdrawn across DeFi protocols. Aave alone saw a $6.2 billion TVL reduction, while Morpho, Sky, and Jupiter Lend also suffered heavy liquidity exits as users rushed to reduce risk exposure.
Early attribution points toward North Korea’s Lazarus Group (TraderTraitor), known for highly advanced crypto infrastructure attacks.

The biggest lesson from this exploit is simple: bridge security is protocol security.
DeFi cannot claim decentralization while relying on centralized validation systems. Single-validator bridges create systemic risk, and protocol composability means one weak bridge can trigger damage across the entire ecosystem.

The rsETH attack proves that scalability without security is not innovation—it is delayed failure.
Cross-chain architecture must now evolve toward distributed validation, real-time collateral verification, and stronger industry-wide security standards before the next exploit becomes even bigger.
‍#GateSquare #ContentMining #Gate13周年