Four years after Ronin, $2.1 billion has been stolen from cross-chain bridges — and the Kelp DAO heist shows the industry still hasn't solved the problem it keeps promising to solve.
Cross-chain bridges are the plumbing that makes multi-chain DeFi possible — and they are also, consistently, the single most-hacked category of infrastructure in crypto. Since the start of 2022, more than $2.1 billion has been stolen from bridge protocols. The $292 million Kelp DAO / LayerZero heist on April 18, 2026 is merely the latest entry on a list that will almost certainly keep growing.
| Vector | Example | Lesson |
|---|---|---|
| Compromised validator keys | Ronin ($624M, 2022) | Validator set too small / concentrated |
| Smart-contract signature verification bug | Wormhole ($326M, 2022) | Unaudited upgrade path |
| Improper message replay | Nomad ($190M, 2022) | Single misconfigured proof root |
| Off-chain verifier (RPC) compromise | Kelp / LayerZero ($292M, 2026) | Off-chain layer is attack surface |
| Private-key exfiltration | Orbit ($82M, 2024) | Operational key management |
To move value between sovereign networks that cannot natively see each other, bridges have to run some form of off-chain or quasi-off-chain verification — and that verification layer, whatever it looks like, ends up holding the keys to the kingdom. In the earliest generation (Ronin, Multichain, Harmony), that layer was a small validator set holding actual signing keys. The failure mode was straightforward: compromise enough validators and the bridge is yours.
According to the joint Kelp-LayerZero post-mortem, the restaking protocol was using a DVN configuration in which a single compromised RPC endpoint could push a message through. When North Korean attackers took over two RPC nodes and forced a failover, the bridge trusted the poisoned node and released 116,500 rsETH to an attacker-controlled wallet.
"It was not a bug in LayerZero. It was a bug in how a team chose to configure LayerZero. The distinction matters less to users who just lost their money."

— Taylor Monahan, MetaMask

"Smart-contract quality has improved dramatically. The attackers stopped caring about Solidity years ago. They're targeting cloud infrastructure, RPC endpoints, domain registrars, and the laptops of engineers who hold signing keys."

— Tom Robinson, Chief Scientist, Elliptic

ZK-based light clients — now deployed by Polyhedra, Succinct and Union — move verification on-chain in a way that eliminates the off-chain trust layer entirely. MPC-based guardian networks distribute signing authority across hardware-isolated nodes. And deliberate throughput throttles — soft caps that pause a bridge if more than a certain percentage of TVL moves within a short window — have started to appear in the wake of Kelp. That single design choice would likely have saved $100-200 million on April 18.
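The throughput throttle described above, as an added illustration rather than code from the article or from any protocol it names: a sliding-window outflow cap that latches the bridge into a paused state once released volume exceeds a percentage of TVL. The class, its parameters and the sample numbers are all constructed for this example.

```python
from collections import deque


class OutflowCircuitBreaker:
    """Hypothetical soft cap for a bridge's release path.

    Releases are allowed while the volume released inside a sliding
    window stays under cap_bps / 10_000 of the currently locked TVL.
    Crossing the cap latches `paused`; resuming is a manual action.
    """

    def __init__(self, tvl: int, cap_bps: int, window_seconds: int):
        self.tvl = tvl                  # value currently locked on the source side
        self.cap_bps = cap_bps          # cap in basis points of TVL (1000 = 10%)
        self.window = window_seconds    # length of the sliding window
        self.recent = deque()           # (timestamp, amount) of released transfers
        self.paused = False

    def _window_volume(self, now: int) -> int:
        # Drop releases that have aged out of the window, then sum the rest.
        while self.recent and self.recent[0][0] <= now - self.window:
            self.recent.popleft()
        return sum(amount for _, amount in self.recent)

    def limit(self) -> int:
        return self.tvl * self.cap_bps // 10_000

    def request_release(self, now: int, amount: int) -> bool:
        """Return True if the transfer is released, False if it is held."""
        if self.paused or amount <= 0 or amount > self.tvl:
            return False
        if self._window_volume(now) + amount > self.limit():
            self.paused = True          # latch: one oversized burst halts everything
            return False
        self.recent.append((now, amount))
        self.tvl -= amount
        return True

    def resume(self) -> None:
        """Operator action after review; the window itself is not reset."""
        self.paused = False


if __name__ == "__main__":
    # Constructed scenario: 1,000,000 units locked, 10% cap per hour.
    cb = OutflowCircuitBreaker(tvl=1_000_000, cap_bps=1_000, window_seconds=3_600)
    for t, amt in [(0, 50_000), (600, 40_000), (1_200, 10_000)]:
        print(t, amt, "released" if cb.request_release(t, amt) else "HELD")
    print("paused:", cb.paused)
```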
Aggregate bridge TVL has fallen 22% since April 1, per DefiLlama. Protocols that chose high-threshold, multi-party-secured configurations have seen the smallest outflows. There is finally a visible market signal for operational security — a fact that may, belatedly, change behavior across the ecosystem.