KelpDAO Breach Exposes RPC Data and Finality Risks

Attackers hijacked RPC and indexing feeds, letting KelpDAO process transactions that spent real tokens against fake balances in quickly finalized blocks.

KelpDAO was breached after attackers hijacked a small set of RPC and indexing data sources. The compromised feeds presented false account balances to the application while the underlying chain recorded and finalized transactions that moved real tokens.

Many decentralized finance applications read chain state through RPC nodes or indexing services rather than querying raw on-chain data. Victor Fei of Ormilabs explained that this design lets an application operate on a view of the chain that can differ from the chain’s true state. In KelpDAO’s case, hijacked sources fed fabricated balances that enabled trades and withdrawals.

Several malicious transactions were included in the next block and finalized within seconds, leaving little time for operators to detect or stop activity. When a validly signed transaction is accepted by the chain, nodes treat it as legitimate regardless of an application’s internal data, which converted false accounting into real token outflows.

DeFi hacks rose to a one-year high in April and similar exploits continued into May, with roughly $930,000 lost month-to-date. In a separate incident, Bisq Protocol reported losses of about $858,000 tied to flawed protocol logic and a fake client attack. Industry observers say vulnerabilities are shifting from smart-contract code to the surrounding data infrastructure.

Vladyslav Syrotin, Head of Investigations at Global Ledger, urged faster automated defenses and shorter time-to-detection. He called for systems that trigger alerts and temporary blocks within one second of anomalous activity, and that enable victim reporting and data labeling within 10 minutes. Syrotin also noted that a slower response target (30-second alerts and labeling within four hours) could prevent about half of incidents and reduce losses.

Observers warn that automated trading bots acting on corrupted feeds can accelerate damage because they operate at machine speed. Suggested mitigations include short cooldowns or extra validation for large or unusual transfers, distributing data sources to avoid single points of failure, hardening indexing services, diversifying RPC providers and deploying real-time monitoring that can automatically pause activity when metrics deviate from expected patterns.
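The following Python example is added here and is not code from KelpDAO or anyone quoted in the article. It combines two of the mitigations listed above: requiring agreement across independent data sources before trusting a balance, and holding large or disputed transfers for extra validation. The provider labels, thresholds and decision names are assumptions, and the readings are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

QUORUM = 2              # assumed: minimum independent sources that must agree
LARGE_TRANSFER = 1_000  # assumed: amounts at or above this get a cooldown hold

@dataclass(frozen=True)
class Reading:
    provider: str    # label for one independent RPC or indexing source
    block_hash: str  # block the balance was read at (same pinned block for all)
    balance: int

def agreed_balance(readings, quorum=QUORUM):
    """Return (balance, dissenters); balance is None when no quorum exists."""
    # One vote per provider, so a single source cannot stuff the count.
    by_provider = {r.provider: (r.block_hash, r.balance) for r in readings}
    if not by_provider:
        return None, []
    top, count = Counter(by_provider.values()).most_common(1)[0]
    if count < quorum:
        return None, sorted(by_provider)
    dissent = sorted(p for p, v in by_provider.items() if v != top)
    return top[1], dissent

def authorize_withdrawal(readings, amount, quorum=QUORUM, large=LARGE_TRANSFER):
    """Decide ALLOW / HOLD / REJECT / PAUSE for one withdrawal request."""
    balance, dissent = agreed_balance(readings, quorum)
    if balance is None:
        return "PAUSE", dissent    # sources do not agree: stop automatically
    if amount > balance:
        return "REJECT", dissent   # agreed view does not cover the amount
    if dissent or amount >= large:
        return "HOLD", dissent     # cooldown plus extra validation
    return "ALLOW", dissent

# Constructed sample: rpc-c reports a fabricated balance for the same block.
SAMPLE = [
    Reading("rpc-a", "0xaaa1", 50),
    Reading("rpc-b", "0xaaa1", 50),
    Reading("rpc-c", "0xaaa1", 5_000),
]

if __name__ == "__main__":
    print(authorize_withdrawal(SAMPLE, 4_000))      # outvoted fake balance
    print(authorize_withdrawal(SAMPLE[2:], 4_000))  # single source only
    print(authorize_withdrawal(SAMPLE[:2], 20))     # clean, small transfer
```

The quorum only helps when the sources are operated independently; if enough of them are compromised together, they will agree on the same false view, so the hold on large transfers remains a separate control.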

Teams working on DeFi protocols are discussing measures to strengthen the data layer, speed detection and introduce temporary delays or automated checks to limit similar incidents.
