Cross-chain bridge failures at CrossCurve and KelpDAO expose verifier trust risks
CrossCurve disclosed a roughly $3 million cross-chain bridge exploit after attackers abused a validation weakness, prompting the protocol to pursue legal action while investigators worked to trace the stolen funds. Reporting on the incident said the attack targeted the bridge’s transaction verification logic rather than a simple wallet compromise, underscoring how weaknesses in cross-chain message validation can let adversaries authorize fraudulent transfers and drain locked assets.
A larger breach hit KelpDAO, where attackers stole about $290 million in rsETH by exploiting its LayerZero-based bridge path. The path ran with effectively 1-of-1 DVN verification, which allowed a forged packet to be accepted on Ethereum without a legitimate source-chain transaction. The theft was widely attributed to North Korea-linked Lazarus/TraderTraitor. Recovery efforts later included burning more than 117,000 rsETH held by the exploiter on Arbitrum, restoring backing through an Aave-controlled recovery wallet, increasing bridge requirements to four independent attestors and 64 block confirmations, and beginning a migration to Chainlink CCIP. These steps followed investigators' characterization of the incident as an operational and verification failure rather than a confirmed public smart-contract bug.
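
The sketch below is an added example, not code from KelpDAO, LayerZero or the cited PoC. It models a receiver-side quorum check and a configuration audit to show why a 1-of-1 verifier set accepts a packet on one attestor's word and what the announced requirements change. The class and function names, the verifier labels and the assumption that all four attestors must agree are illustrative.

```python
# Simplified model of a bridge receiver's verification policy.
# Attestation, Policy, accept and audit are hypothetical names, not a real API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    verifier: str        # identity of the attestor vouching for the packet
    packet_hash: str     # hash of the cross-chain message
    confirmations: int   # source-chain block confirmations it claims to have seen

@dataclass(frozen=True)
class Policy:
    verifiers: frozenset     # attestors the receiver trusts
    threshold: int           # distinct attestors that must agree
    min_confirmations: int   # confirmations each attestor must report

def accept(policy, packet_hash, attestations):
    """Return True if enough distinct trusted verifiers vouch for this packet."""
    agreeing = {
        a.verifier for a in attestations
        if a.verifier in policy.verifiers
        and a.packet_hash == packet_hash
        and a.confirmations >= policy.min_confirmations
    }  # a set, so repeated attestations from one verifier count once
    return len(agreeing) >= policy.threshold

def audit(policy):
    """Flag configurations where a single verifier failure decides the outcome."""
    findings = []
    if policy.threshold <= 1:
        findings.append("single verifier can authorize a packet")
    if policy.threshold > len(policy.verifiers):
        findings.append("threshold exceeds verifier set; nothing can be accepted")
    if policy.min_confirmations < 1:
        findings.append("no source-chain confirmations required")
    return findings

# Constructed sample data: one verifier vouches for a packet that has
# no matching source-chain transaction.
FORGED = "0xforged-packet-hash"  # placeholder value, not a real hash
bad = [Attestation("dvn-a", FORGED, 64)]

weak = Policy(frozenset({"dvn-a"}), threshold=1, min_confirmations=1)
hardened = Policy(frozenset({"dvn-a", "dvn-b", "dvn-c", "dvn-d"}),
                  threshold=4, min_confirmations=64)  # assumes 4-of-4 agreement
```

Under `weak`, the single attestation in `bad` is enough for acceptance; under `hardened`, the same input is rejected and `audit` reports no findings.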

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
KelpDAO announces withdrawals reopening and bridge hardening
KelpDAO said rsETH remained fully backed and that withdrawals were expected to resume within 24 hours after the first tranche was returned to the smart contract. It also announced security changes including four independent attestors, 64 block confirmations, deprecation of some layer-2 routes, and migration to Chainlink CCIP.
KelpDAO and Aave burn exploiter-held rsETH on Arbitrum
KelpDAO and Aave completed a recovery step by burning 117,132 rsETH held by the exploiter on Arbitrum. Kelp said the approximately $278 million backing would be restored in tranches from the Aave Recovery Guardian multisig.
Public PoC details KelpDAO's 1-of-1 DVN verification failure
A GitHub proof-of-concept published technical evidence that KelpDAO's LayerZero route effectively relied on single-DVN 1-of-1 verification, allowing a forged packet to be accepted without a legitimate source-chain transaction. The write-up concluded the immediate cause was single-verifier failure and the broader cause was insecure bridge configuration.
North Korean TraderTraitor/Lazarus linked to KelpDAO heist
Reporting in April linked the KelpDAO theft to TraderTraitor, a Lazarus Group unit tied to North Korea. LayerZero said the attackers compromised external verification infrastructure, poisoned RPC data, disrupted backups, and used DDoS pressure to force reliance on falsified transaction data.
KelpDAO blocks a second forged withdrawal attempt
A second forged packet for 40,000 rsETH became claimable, but KelpDAO blacklisted the recipient before the attacker could complete the withdrawal. Cyvers said this prevented roughly another $100 million in losses.
KelpDAO bridge attack drains about 116,500 rsETH
Attackers fraudulently withdrew 116,500 rsETH from KelpDAO's Ethereum-side OFT adapter, an incident later valued at roughly $290 million to $294 million. The exploit abused KelpDAO's cross-chain bridge verification path on the Unichain-to-Ethereum route.
CrossCurve says it will pursue legal action after exploit
After the $3 million exploit, CrossCurve publicly threatened legal action in response to the attack. This marked the project's initial public response to the incident.
CrossCurve bridge exploited for about $3 million
CrossCurve suffered a cross-chain bridge exploit that resulted in losses of roughly $3 million. Reporting on Feb. 2 describes the incident as exposing a validation flaw in the bridge.
Sources
Kelp DAO, Aave Advances rsETH Recovery (cointelegraph.com)
GitHub - DK27ss/KelpDAO-294m-PoC: single `DVN` OFT `1-of-1` verification failure (github.com)
North Korean hackers linked to $290M heist from cryptocurrency platform | NK PRO (nknews.org)
$3M CrossCurve Bridge Cyberattack Exposes Validation Flaw (thecyberexpress.com)
CrossCurve Threatens Legal Action After $3M Cross-Chain Bridge Exploit - Decrypt (decrypt.co)


