BlockBeats News, April 19th, according to The Block report, on-chain data shows that an attacker on Saturday stole 116,500 rsETH from the LayerZero-based cross-chain bridge of Kelp DAO, equivalent to approximately $292 million at the current market price. The attacker’s controlled wallet called the lzReceive method on the LayerZero EndpointV2 contract, triggering Kelp’s bridging contract to release 116,500 rsETH to another attacker address. The attacker’s wallet received funds approximately 10 hours ago via Tornado Cash. On-chain sleuth ZachXBT stated: “KelpDAO was apparently hacked for over $280 million roughly an hour ago on Ethereum and Arbitrum; the attacker’s address received funds through Tornado Cash.”
Kelp DAO issued a tweet stating that it has identified suspicious cross-chain activity involving rsETH and has suspended the rsETH contract on the mainnet and multiple Layer 2 chains. They are conducting a root cause analysis in collaboration with LayerZero, Unichain, and security experts. Aave promptly froze the rsETH markets on V3 and V4 and mentioned that they would explore compensation solutions for any resulting losses; the AAVE token price dropped approximately 10% after the incident. This is the second security incident that Kelp has experienced in about a year; last April, there was an excessive minting of rsETH due to a flaw in the fee contract, but at that time, no user funds were lost.
