A detailed post-mortem by Certik blockchain analyst Wenzhao Dong has shed light on the sophisticated cross-chain attack on Kelp DAO, revealing a strategic shift in how cybercriminals exploit decentralized finance (DeFi). The attack, attributed to the North Korean-linked Lazarus Group, demonstrates a deep understanding of market liquidity and protocol dependencies, turning a bridge exploit into systemic bad debt on the lending platform Aave.
From Bridge Exploit to Lending Market Contagion
According to Dong's analysis, the attackers did not simply cash out stolen assets through spot markets—a move that would have triggered significant slippage and early detection. Instead, they used the minted but worthless rsETH—obtained via a vulnerability in Kelp DAO's cross-chain bridge—as collateral on Aave to borrow Wrapped Ether (WETH). This effectively transferred the financial risk from the bridge to the lending protocol, creating a situation Dong describes as 'systemic bad debt'.
'The Kelp DAO exploit shows a clear risk pattern in modern DeFi,' Dong explained. 'A bridge vulnerability doesn’t stay isolated; it becomes a problem for lending markets. By using fake rsETH as collateral on Aave, the attacker turned a bridge heist into defaulted debt on Aave.' This represents a departure from previous attacks, such as the Hyperbridge incident, where hackers minted 1 billion DOT but only managed to convert around $240,000 before the price collapsed. The Kelp DAO attackers chose a far more efficient cash-out route by leveraging Aave's deep liquidity.
Arbitrum Security Council Intervention and Community Debate
The Arbitrum Security Council (ASC) intervened on April 18 by freezing 30,766 ETH (approximately $71 million) following tips from law enforcement. While this action prevented further losses, it reignited a fundamental debate within the blockchain community: the tension between immutable decentralization and pragmatic governance. Purists argue that the ASC's ability to unilaterally freeze assets sets a 'slippery slope' toward censorship, while pragmatists view it as a necessary 'digital fire brigade' to protect users from state-sponsored attackers.
The ASC stated that it weighed its commitment to security and integrity while ensuring no adverse consequences for Arbitrum users or applications. Despite the freeze, approximately $220 million in digital assets remain unaccounted for, according to Kelp DAO's latest update.
Hackers Move Stolen Funds to Bitcoin Mixers
Blockchain data reveals that the Kelp DAO exploiter has already transferred 75,701 ETH (worth about $175 million) to the Ethereum mainnet and begun routing the funds through mixers to Bitcoin. This ongoing laundering effort underscores the challenge of recovering the remaining assets.
Kelp DAO confirmed that its immediate focus is collaborating with Aave and other partners to address the 'defaulted debt' created by the exploit, while exploring all avenues to restore the rsETH peg and support affected holders. The team expressed gratitude to the ASC and the security collective SEAL 911 for their critical coordination.
Broader Implications for DeFi Security
Dong's analysis serves as a stark warning: DeFi protocols can no longer focus solely on their own contract security. They must assess the risks introduced by every dependency in their system—including cross-chain bridges, lending markets, and oracles. 'DeFi security is interconnected,' Dong emphasized. 'Protocols cannot just focus on their own contracts; they must consider the risk that each dependency in their system introduces and implement defensive measures accordingly.'
This incident marks a new chapter in cross-chain cybercrime, where bridge vulnerabilities are systematically used to infect lending markets, creating systemic risk that echoes across the entire decentralized finance ecosystem. As the Kelp DAO case demonstrates, the stakes have never been higher.

