In April, Kelp DAO suffered an incident that shook DeFi. Exploiting anomalies in the bridge's validation mechanism, the attacker forged cross-chain messages and moved over $290M illegally. Because the team paused the protocol in time, another $100M+ of forged transfers never executed — otherwise losses would have grown further.

On June 2, on-chain data delivered the update: the roughly $220M that was never frozen has now been almost entirely laundered, with only about $1.7M still sitting in the original attack address. Apart from the $71M that was frozen, most of the stolen funds are now beyond conventional tracking.

From validation failure to a $290M loss

Per Kelp DAO's disclosures, the attack did not hit rsETH's contracts but the cross-chain message-validation step: the attacker obtained the validator network's signed confirmation of a transaction that never existed.

Analysis of the anomalous flow in Kelp DAO's cross-chain bridge validation mechanism

Figure 1: how Kelp DAO's cross-chain validation anomaly signed off a fake transaction

Normally a bridge mints or releases on the target chain only after validators confirm the source-chain transaction exists. Here the attacker crafted fake messages that fooled the validation system into believing a real transfer had occurred, minting large amounts of rsETH to attacker addresses. Kelp DAO paused the protocol and blocked two further forged transfers exceeding $100M.

Delta & Capital's take: the biggest warning is not the single bug but that the validation networks bridges depend on have become the new risk concentration point. Once the validation layer breaks, attackers obtain system-recognized "legitimate assets" even when contract code is flawless.

How $220M was laundered step by step

On April 20, the Arbitrum Security Council froze about 30,766 ETH (~$71M) — the only large tranche successfully controlled in the whole incident.

Arbitrum Security Council emergency freeze of fund flows

Figure 2: the emergency interception mechanisms triggered by the Arbitrum Security Council on mainnet and Layer 2

The day after the freeze, industrial-scale laundering began. The attacker first split ~75,701 ETH across many fresh addresses, then pushed the funds into multi-layer anonymization. Reconstructed by multiple investigators, the flow ran: ETH splitting, cross-chain swaps, anonymizing mixers, transit through the BTC network, bridging back into the Ethereum ecosystem, and dispersal across many addresses.

On-chain laundering and mixing path of the $220M in stolen assets

Figure 3: full topology of the stolen assets' laundering via multi-hop transfers, privacy mixers, and cross-chain swaps

Throughout, funds were repeatedly split and recombined via bridges, privacy tools, and mixing systems. Trading volume on some protocols spiked to several times — even ten times — the norm within a day.

Delta & Capital's view: such attacks are no longer classic "coin theft". Modern on-chain laundering resembles an automated funds-processing network: from theft to anonymization, cross-chain migration, address splitting, and re-aggregation in hours to days. For investigators, the earlier the freeze, the higher the recovery odds; once funds enter multi-layer anonymity, tracking costs grow exponentially.
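The first laundering step described above, one source splitting funds across many fresh addresses, is also the earliest point at which monitoring can raise a freeze candidate. The sketch below is an added example, not tooling from the investigators or from Delta & Capital; the transfer records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed transfers: (unix_time, sender, recipient, amount_eth)
TRANSFERS = [
    (1000, "0xexchange", "0xalice", 5.0),
    (1100, "0xalice", "0xbob", 1.0),
    (2000, "0xsrc", "0xn1", 2500.0),
    (2060, "0xsrc", "0xn2", 2500.0),
    (2120, "0xsrc", "0xn3", 2500.0),
    (2180, "0xsrc", "0xn4", 2500.0),
    (2300, "0xsrc", "0xbob", 10.0),   # bob already has history: not fresh
    (9000, "0xalice", "0xn5", 0.5),   # isolated payment: no burst
]

def find_fanouts(transfers, window=3600, min_fresh=3, min_total=1000.0):
    """Flag senders paying >= min_fresh never-seen addresses within `window` seconds."""
    seen = set()
    fresh_by_sender = defaultdict(list)  # sender -> [(time, recipient, amount)]
    for ts, src, dst, amt in sorted(transfers):
        if dst not in seen:
            fresh_by_sender[src].append((ts, dst, amt))
        seen.update((src, dst))
    alerts = []
    for src, events in fresh_by_sender.items():
        best, start = [], 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        total = sum(amt for _, _, amt in best)
        if len(best) >= min_fresh and total >= min_total:
            alerts.append({"sender": src, "fresh_recipients": len(best),
                           "total_eth": total, "first_seen": best[0][0]})
    return alerts

if __name__ == "__main__":
    for alert in find_fanouts(TRANSFERS):
        print(alert)
```

The `first_seen` timestamp is what matters operationally: it marks when the split began, before the funds reach bridges and mixers.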

What the LayerZero–Kelp dispute exposed

Debate over responsibility continues. Kelp says its validation configuration followed the official default recommendation and had been confirmed by the relevant team; critics counter that low-threshold validation raised systemic risk. Public data shows many bridge apps used similar configurations at the time — the problem belongs to more than one project.

Deeper down, the incident exposes a long-standing reality: teams focus on contract security while neglecting off-chain validation infrastructure. Validator nodes, RPC services, signing systems, and monitoring are all part of the security boundary; once compromised, attackers can bypass on-chain protections entirely.
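Why the validation threshold is part of the security boundary can be shown with a small model of the destination-side check. This is an added example, not Kelp DAO's or LayerZero's code: the verifier names, the keys, the message format and the use of HMAC as a stand-in for validator signatures are all assumptions.

```python
import hashlib
import hmac

# Constructed verifier set; HMAC keys stand in for real validator signing keys.
VERIFIER_KEYS = {"v1": b"k1-constructed", "v2": b"k2-constructed", "v3": b"k3-constructed"}

def attest(verifier, message):
    """Attestation one verifier issues over a cross-chain message."""
    return hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).digest()

def valid_attesters(message, attestations):
    """Return the known verifiers whose attestation really covers `message`."""
    ok = set()
    for verifier, tag in attestations.items():
        key = VERIFIER_KEYS.get(verifier)
        if key is None:
            continue  # unknown signer never counts toward the quorum
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            ok.add(verifier)
    return ok

def accept(message, attestations, threshold):
    """Destination-side gate: mint or release only with `threshold` distinct attesters."""
    if not 1 <= threshold <= len(VERIFIER_KEYS):
        raise ValueError("threshold must be between 1 and the verifier count")
    return len(valid_attesters(message, attestations)) >= threshold

def audit(configs, min_threshold=2):
    """Flag configs where one compromised verifier suffices to approve a message."""
    return sorted(name for name, t in configs.items() if t < min_threshold)

# Constructed message describing a source-chain transfer that never happened,
# attested only by a single compromised verifier (v1).
FORGED = b"src=chainA;dst=chainB;amount=1000;nonce=42"
FORGED_ATTESTATIONS = {"v1": attest("v1", FORGED)}

if __name__ == "__main__":
    print("threshold 1:", accept(FORGED, FORGED_ATTESTATIONS, 1))
    print("threshold 2:", accept(FORGED, FORGED_ATTESTATIONS, 2))
    print("flagged:", audit({"bridge-a": 1, "bridge-b": 2}))
```

With a threshold of 1 the forged message is indistinguishable from a legitimate one at the contract level, which is why the contract code can be flawless and the bridge still mint.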

Delta & Capital's conclusion: the core competency of future cross-chain security is no longer contract auditing alone, but the security architecture of the entire validation stack and its infrastructure.

The $71M may be the only recoverable tranche

The ~$71M that was frozen remains in legal and regulatory process and is the only tranche with realistic recovery prospects. Meanwhile, Kelp completed user compensation and protocol restoration, reopened rsETH functions, and began migrating to a new cross-chain messaging stack. For users, operations have largely normalized.

For the industry, the questions remain. Public tallies put cumulative losses from major bridge attacks at billions of dollars. Kelp proves the point again: once attackers breach the validation layer, the real battle is not patching but the subsequent tracking-and-freezing phase.

Closing thoughts

That $220M was ultimately laundered shows tracing can rebuild the full path yet still fail to stop the loss. The direction for bridge security is clear — prevent attacks, but also build faster freezing mechanisms, tighter risk-coordination networks, and stronger tracing capacity.
