Kelp DAO exploited for $292 million

Network News

KELP DAO EXPLOIT: A cross-chain bridge holding nearly a fifth of the circulating supply of a restaked ether token has just been drained, and the fallout is spreading across DeFi faster than Kelp DAO can pause contracts. An attacker drained 116,500 rsETH (restaked ether) from Kelp DAO’s LayerZero-powered bridge at 5:35 p.m. UTC over the weekend, worth approximately $292 million at current prices and representing approximately 18% of the 630,000 circulating rsETH tokens tracked by CoinGecko. LayerZero is a cross-chain messaging layer, the infrastructure that allows different blockchains to send verified instructions to each other. Kelp DAO is a liquid restaking protocol: it takes user-deposited ETH, routes it through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and issues rsETH as a tradable receipt. The bridge that was drained held the rsETH reserve backing wrapped versions of the token deployed on over 20 other blockchains. The attacker tricked LayerZero’s cross-chain messaging layer into believing that a valid instruction had arrived from another network, prompting Kelp’s bridge to release 116,500 rsETH to an address controlled by the attacker. Kelp’s multisig emergency pause froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC were both canceled, each carrying the same LayerZero packet and attempting another 40,000 rsETH drain worth around $100 million. — Shaurya Malwa

NORTH KOREA CRYPTO HEIST PLAYBOOK: Less than three weeks after hackers linked to North Korea used social engineering to hit crypto trading company Drift, hackers linked to the nation appear to have pulled off another major exploit with Kelp. The attack on Kelp, a restaking protocol tied to LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate: they are no longer just looking for bugs or stolen credentials, but exploiting the basic assumptions built into decentralized systems. Taken together, the two incidents indicate something more organized than a series of one-off hacks, as North Korea continues to intensify its efforts to divert funds from the crypto sector. “It’s not a series of incidents; it’s a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t patch your way out of a supply schedule.” More than $500 million was taken in the Drift and Kelp exploits in just over two weeks. At its core, the Kelp exploit did not involve breaking encryption or hacking keys. The system actually worked as it was designed. Rather, the attackers manipulated the data feeding the system and forced it to rely on these compromised inputs, causing it to approve transactions that never occurred. — Margaux Nijkerk

AAVE AFFECTED BY KELP DAO HACK: An attacker exploited this configuration by forging a transfer message that appeared to be valid. The system approved the transfer even though the tokens were never removed from the sending chain, meaning new tokens were effectively created without backing, releasing 116,500 rsETH from the bridge on the Ethereum side. Rather than selling the assets on the open market, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed approximately $190 million in ETH and associated assets on Ethereum and Arbitrum, according to the report. This left Aave exposed to collateral whose backing may be significantly compromised. Aave Labs said it acted quickly to contain the risk. Within hours, the protocol froze rsETH markets across all of its deployments, set loan-to-value ratios to zero, and halted new borrowing against the asset. The outcome now largely depends on how Kelp manages the deficit. If the losses are distributed among all rsETH holders, the token would face an estimated 15% reduction in value (meaning the value of the staked tokens would no longer match the value of the actual ETH), resulting in approximately $124 million in bad debt for Aave. If losses were instead limited to Layer 2 networks, the impact would be much more severe, with bad debt totaling approximately $230 million and concentrated on networks such as Arbitrum and Mantle. — Margaux Nijkerk

COINBASE-COMMISSIONED PAPER ON THE RISKS OF QUANTUM COMPUTING: A new report commissioned by Coinbase sounds a cautious, but urgent, alarm: Quantum computing won’t break crypto tomorrow, but the industry can’t afford to wait. The 50-page paper, authored by an independent advisory board made up of prominent cryptographers and academics such as Dan Boneh of Stanford University, Justin Drake of the Ethereum Foundation and Sreeram Kannan of Eigen Labs, concludes that while current blockchains remain secure, a future “fault-tolerant quantum computer” capable of breaking widely used encryption is increasingly plausible, and preparation must begin now. In recent months, concerns about quantum risk have become increasingly widespread. Google researchers have published estimates suggesting that a sufficiently advanced quantum computer could one day break Bitcoin’s cryptography. Major crypto ecosystems have already started crafting their responses. The Ethereum Foundation has proposed new types of digital signatures designed to be secure against quantum computers, while Solana and others are experimenting with quantum-resistant wallet designs. The report highlights that current quantum machines are nowhere near powerful enough to crack the cryptography that underpins Bitcoin, Ethereum and other networks. Breaking standard encryption would require a huge computational load, a step still considered a major engineering challenge. — Margaux Nijkerk


In Other News

  • Some of the funds taken from Kelp DAO are no longer going anywhere. The Arbitrum Security Council froze 30,766 ETH worth approximately $71 million on Monday evening, moving funds related to Saturday’s $292 million rsETH exploit to an intermediary wallet accessible only through further Arbitrum governance actions. The council said it acted on information provided by law enforcement regarding the identity of the exploiter and executed the freeze “without affecting Arbitrum users or applications.” The transfer was completed at 11:26 p.m. ET on April 20, according to Arbitrum’s statement on X. The stolen funds are no longer under the control of the address that originally held them. — Shaurya Malwa
  • A Polymarket contract on whether Kelp DAO will spread losses from the weekend’s $292 million exploit beyond those directly affected indicates a clear answer: probably not. Punters give a 14% chance that Kelp will “socialize losses,” that is, implement a mechanism forcing rsETH holders on Ethereum, which was not affected, to share the pain of users on other chains. The attackers drained approximately 116,500 rsETH from a LayerZero-powered bridge that held the reserves backing the token across more than 20 blockchains. This has left parts of the system under-collateralized, with some holders effectively owning tokens that are no longer fully backed by ether (ETH). “Socializing losses” would mean that Kelp redistributes the deficit among all rsETH holders, including those on the Ethereum mainnet, rather than leaving losses concentrated among users and protocols linked to the compromised bridge. The most widely cited precedent for this approach dates back to 2016, when Bitfinex imposed losses on all users after a $60 million hack, pooling the hit to avoid shutdown. — Sam Reynolds

Regulation and policy

  • April appears to be a lost cause for the Crypto Clarity Act, but a U.S. Senate committee hearing in May could keep the critical market structure legislation alive, provided it can reach a final vote by the full Senate by July, according to lobbyists and a lawmaker's aide following the market structure bill’s slow progress. The legislative calendar is running out of room for this year, but a Senate aide told CoinDesk that another potential delay of a few weeks — allowing Republican Sen. Thom Tillis to finish discussions with bankers on stablecoin yield issues — doesn’t yet push that work beyond the point of no return. The aide also said that prior negotiations over decentralized finance (DeFi) protections were effectively settled, leaving few other obstacles to committee approval. One of the main issues facing the crypto industry (if it can overcome the stubborn obstacle of banking industry objections to stablecoin rewards) is that the Senate Banking Committee hearing at which the bill must be approved would be only the first step among many. — Jesse Hamilton
  • Tron creator Justin Sun on Tuesday sued World Liberty Financial, the stablecoin and crypto company backed by members of U.S. President Donald Trump’s family, alleging the project unfairly blocked his $WLFI holdings, made fraudulent misrepresentations, and threatened and defamed Sun. The lawsuit, which includes a line about Sun’s support for Trump himself, alleges that World Liberty executives engaged “in an illegal scheme to seize assets” in the form of tokens from Sun, which Sun claims to have purchased after being solicited by the World Liberty team in 2024. “At this pivotal time for World Liberty, Mr. Sun invested $45 million to purchase $WLFI tokens from World Liberty, not only because of the claims of the project according to which it would promote the adoption of decentralized finance – an issue that Mr. Sun cares deeply about and to which he has devoted much of his work – but also because of the Trump family’s association with the project,” the complaint states. — Nikhilesh De and Sam Reynolds

Calendar

  • May 5-7, 2026: Consensus, Miami
  • June 2-3, 2026: Proof of Talk, Paris
  • June 8-10, 2026: ETHConf, New York
  • September 29-October 1, 2026: Korean Blockchain Week, Seoul
  • October 7-8, 2026: Token2049, Singapore
  • November 3-6, 2026: Devcon, Mumbai
  • November 15-17, 2026: Solana Breakpoint, London
