Ripple CTO: Many DeFi bridges vulnerable after $292M heist

Ripple CTO David Schwartz warns DeFi cross-chain bridges may be exposed after a $292 million rsETH theft that exploited optional LayerZero bridge security.

Ripple Chief Technology Officer David Schwartz warned that many decentralized finance cross-chain bridges could share the same structural weaknesses that enabled a $292 million rsETH theft from KelpDAO. The warning followed Schwartz’s review of several bridge systems for Ripple’s planned RLUSD stablecoin and the large KelpDAO exploit in 2026.

Schwartz examined multiple bridge deployments with a focus on security and risk. He found that while the designs often include advanced security tools, operators frequently leave critical protections disabled. On X, he wrote, “They generally in effect recommended not bothering to use the most important security mechanisms because they have convenience and operational complexity costs.” He added that some teams appear to forgo key LayerZero features for ease of operation.

The KelpDAO breach involved a single transaction that moved about 116,500 rsETH, roughly 18% of the token’s circulating supply, for a loss of roughly $292 million. On-chain analysis indicates the attacker poisoned RPC infrastructure, gaining control of enough of the endpoints used by LayerZero Labs’ DVN message verification system for fraudulent bridge messages to be accepted.

Blockchain analysts linked parts of the operation to the North Korea-affiliated Lazarus Group and an account known as TraderTraitor. After taking the rsETH, the attacker deposited tokens into Aave V3 and borrowed ETH and WETH. Records show about 74,000 ETH and WETH were borrowed, creating roughly $236 million in liabilities across three lending platforms. One wallet held about $120 million in ETH drawn from Aave. Traces of Tornado Cash activity were observed, including a wallet interaction hours before the exploit.

Some projects have tightened operations since the exploit. Flare paused FXRP bridging and suspended token redemptions while teams review exposure. An XRP Ledger validator posting as VET warned that wrapped XRP on Solana is an issued asset and carries counterparty and custody risks that differ from native XRP in self-custody, writing, “wXRP is an issued asset; it doesn’t come close to holding native XRP via self-custody from a risk POV.”

Ripple’s former CTO Joel Katz criticized KelpDAO’s security setup and contrasted it with RLUSD’s stated security-first bridging approach. Blockchain monitors and security firms confirmed the theft and traced subsequent asset movements. Several projects are reviewing optional LayerZero settings and bridge configurations in response to the KelpDAO exploit.

Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.