DEV Community

Pavel Espitia
Pavel Espitia

Posted on

The $292M KelpDAO Bridge Hack: Why the Audit Wasn't the Problem

On April 18, 2026, attackers drained about 116,500 rsETH, roughly $292 million, from a cross-chain bridge KelpDAO built on LayerZero. It is the largest DeFi hack of the year so far. I spend my days finding bugs in smart contracts, and the most uncomfortable thing about this hack is that finding bugs would not have stopped it. Here is the post-mortem and what it should change about how you think about security.

What actually happened

The bridge held the reserve of rsETH backing the token across more than 20 chains: Base, Arbitrum, Linea, Blast, Mantle, Scroll, and others. When the reserve drained, every wrapped version downstream was suddenly under-collateralized.

The root cause, per LayerZero's post-mortem, was not a Solidity bug. The attack began on March 6, six weeks earlier, when a developer was socially engineered. The contract code did what it was written to do. The keys that controlled it ended up in the wrong hands.

KelpDAO froze the system about 46 minutes after the drain. The attacker tried twice more to take another $100 million and failed because of that freeze. The 46 minutes is the one genuinely good part of this story.

The pattern is the story, not the protocol

KelpDAO is not an outlier in 2026. Two weeks earlier, Drift Protocol lost $285 million on Solana. That post-mortem also found no code exploit. It was a six-month social engineering operation against the people who held the admin keys. Drift's TVL fell from $550 million to under $300 million in an hour.

Put the two together and the theme is unmissable: the most expensive failures of 2026 are not bugs. They are humans being patiently targeted. Security firms attribute 76% of crypto hack losses this year to North Korea-linked actors, up from 64% in 2025. These are not smash-and-grab opportunists. They are state-backed teams running multi-month campaigns.

What an audit covers, and what it does not

I want to be precise here because "audits are useless" is the wrong takeaway. Audits are not useless. They are scoped.

An audit answers: does this code do what it claims, and does it have known classes of vulnerabilities? Reentrancy, access control gaps, integer issues, oracle manipulation, logic flaws. I find these for a living and they still matter. Plenty of money is still lost to plain bugs.

An audit does not answer: will the person holding the upgrade key get phished in March? Is the multisig actually multi-party, or are three of the five signers the same engineer on three laptops? Does the bridge operator have a key-rotation policy? Those are operational security questions, and the contract source code is silent on all of them.

The questions I now ask alongside the code review

When I look at a protocol now, I treat the contracts as one layer and the key custody as another. The code review is necessary. It is not sufficient. The questions that would have mattered for KelpDAO and Drift:

  • Who can move the reserve, and how many independent humans must agree?
  • Are admin keys in hardware wallets, in an HSM, or in a hot wallet a server can reach?
  • Is there a time delay on privileged actions, so a drain is visible before it completes?
  • Is there a circuit breaker, and who can pull it, and how fast? (KelpDAO's 46-minute freeze is the difference between $292M and $392M.)
  • What is the social engineering surface? How many people could a patient attacker target?

None of those are answerable from the .sol files. All of them mattered more than the .sol files.

Where this leaves AI-assisted security

I build AI tooling for contract analysis, so people ask whether AI helps here. Honestly, partially. AI is good at the layer audits already cover: reasoning about code, catching cross-function logic flaws, explaining what a privileged function can do. It does not phish-proof your team.

But there is a second-order effect worth naming. Reports this year note that AI is lowering the bar for exploit discovery, with automated reconnaissance increasingly targeting old and unverified contracts. The same capability that helps me audit helps attackers scan. The defensive move is not to avoid AI. It is to use it on your own attack surface before someone else does, and to remember that the attack surface includes your people.

The contracts were fine. The keys were not. Spend accordingly.

Top comments (0)