How Is the Attacker Moving Stolen Funds?
The attacker behind the roughly $290 million Kelp DAO exploit has begun moving large amounts of Ether across newly created blockchain addresses, indicating early-stage laundering activity. On Tuesday, wallets linked to the exploit transferred approximately 75,700 ETH, worth about $175 million, across multiple transactions. The movements included a 25,000 ETH transfer to one new address and additional transfers totaling 50,700 ETH and a smaller 0.7 ETH to another. The use of fresh addresses and fragmented transactions suggests an attempt to reduce traceability and prepare funds for further routing through decentralized protocols. Blockchain investigator ZachXBT reported that addresses tied to the exploit had already begun interacting with privacy-focused and cross-chain infrastructure, including THORChain and Umbra. He identified three THORChain transactions totaling around $1.5 million and an additional $78,000 routed through Umbra.What Went Wrong in the Kelp DAO Exploit?
The exploit occurred on Saturday, when an attacker drained approximately 116,500 restaked Ether (rsETH), valued between $290 million and $293 million at the time, from Kelp DAO’s LayerZero-powered bridge. LayerZero later pointed to a structural weakness in the protocol’s configuration. According to the firm, Kelp DAO’s decentralized verifier network relied on a single verifier path for cross-chain messaging, effectively creating a single point of failure. The setup had previously been flagged as a risk. The incident highlights ongoing vulnerabilities in cross-chain infrastructure, particularly where security models depend on limited validation paths rather than distributed verification.Investor Takeaway
Single-point-of-failure designs in cross-chain systems continue to expose large pools of capital. Bridge security remains one of the most critical risks in DeFi infrastructure.
How Is the Exploit Affecting the Wider DeFi Ecosystem?
The fallout has extended beyond Kelp DAO, impacting multiple DeFi protocols. Arbitrum’s security council took emergency action to freeze 30,766 ETH linked to the exploit, transferring the funds into a controlled wallet governed by the network. Aave was also affected, as the attacker used stolen assets as collateral to borrow funds. Initial estimates placed the exposure at around $195 million, though later assessments outlined potential bad debt ranging from $123.7 million to $230.1 million depending on recovery scenarios. The situation triggered liquidity stress across the protocol. Aave reported that borrowing rates for USDt surged from 3% to 14%, while total value locked dropped by roughly $10 billion to $16.4 billion as users withdrew funds amid contagion concerns. In response, Aave partially restored operations by unfreezing Wrapped Ether reserves on its Ethereum Core V3 market, though several other markets remain restricted.Investor Takeaway
DeFi exploits can quickly cascade across lending and liquidity protocols. Collateral reuse amplifies systemic risk, especially when large positions are involved.
