Overview
- Arbitrum’s Security Council, which acted Tuesday, froze 30,766 ETH tied to the breach as on-chain data showed the attacker shifting roughly 75,700 ETH through new wallets and privacy rails like THORChain and Umbra.
- The April 18 attack forged a cross‑chain message after poisoning RPC nodes that fed LayerZero’s single‑verifier setup, which let the bridge mint 116,500 rsETH worth about $290 million without real backing.
- The thief deposited rsETH on Aave as collateral to borrow large amounts of wrapped ether, and Aave’s risk team now models potential bad debt of about $123.7 million or $230.1 million while some markets faced acute liquidity strain.
- LayerZero says Kelp DAO chose a one‑of‑one verifier configuration that created a single point of failure, while Kelp counters that the setup matched LayerZero’s documented defaults and relied on its infrastructure.
- DeFi’s total value locked fell by roughly $13–$14 billion within two days of the breach, and investigators report Lazarus Group links, underscoring how state‑level actors are targeting off‑chain components like RPC nodes.
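
The single point of failure described above can be modeled in a few lines. This is an added example, not LayerZero or Kelp DAO code: the `Verifier` class, the verifier names, the message encoding and the payload are hypothetical and constructed for illustration. It compares a one-of-one setup with a two-of-three quorum, and shows that a quorum only helps when the verifiers read from independent RPC sources.

```python
import hashlib

def message_hash(src_chain, nonce, payload):
    """Digest a verifier attests to after reading the source chain."""
    return hashlib.sha256(f"{src_chain}|{nonce}|".encode() + payload).hexdigest()

class Verifier:
    """Hypothetical verifier: trusts whatever its RPC backend reports."""
    def __init__(self, name, rpc_view):
        self.name = name
        self.rpc_view = rpc_view  # nonce -> payload as seen through this RPC

    def attest(self, src_chain, nonce):
        payload = self.rpc_view.get(nonce)
        return None if payload is None else message_hash(src_chain, nonce, payload)

def verify(verifiers, threshold, src_chain, nonce, claimed_payload):
    """Accept only if at least `threshold` verifiers attest to the claimed payload."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and len(verifiers)")
    want = message_hash(src_chain, nonce, claimed_payload)
    votes = {v.name: v.attest(src_chain, nonce) for v in verifiers}
    agreeing = sorted(n for n, h in votes.items() if h == want)
    dissenting = sorted(n for n, h in votes.items() if h != want)
    # Any dissent is worth alerting on, even when the threshold is still met.
    return {"accepted": len(agreeing) >= threshold,
            "agreeing": agreeing, "dissenting": dissenting}

def run_scenarios():
    forged = b"mint 116500 rsETH"  # constructed payload, not real message bytes
    poisoned = {7: forged}         # RPC view that serves the forged message
    honest = {}                    # source chain never emitted nonce 7
    names = ("verifier-a", "verifier-b", "verifier-c")
    mixed = [Verifier("verifier-a", poisoned),
             Verifier("verifier-b", honest),
             Verifier("verifier-c", honest)]
    return {
        "one_of_one": verify([Verifier("verifier-a", poisoned)], 1, "src", 7, forged),
        "two_of_three": verify(mixed, 2, "src", 7, forged),
        # Three verifiers behind the same poisoned RPC are still one point of failure.
        "shared_rpc": verify([Verifier(n, poisoned) for n in names], 2, "src", 7, forged),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```
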