Key Takeaways
- Approximately $290–293 million was stolen from Kelp DAO following a compromise of RPC nodes connected to LayerZero’s verification system
- According to LayerZero, Kelp DAO disregarded security recommendations to implement multiple verifiers, operating instead with a vulnerable single-verifier design
- Initial forensic analysis points to North Korea’s Lazarus Group as the perpetrator
- The breach impacted no fewer than nine DeFi platforms, with Aave experiencing a massive $6 billion asset decline
- LayerZero has announced it will discontinue support for all projects utilizing single-verifier architectures
Over the weekend, Kelp DAO became the victim of one of 2026’s most devastating DeFi security breaches, with threat actors siphoning approximately $290–293 million from the liquid restaking platform. LayerZero, the provider of the bridge technology exploited in the incident, has attributed the vulnerability to Kelp’s security configuration choices.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
The breach focused on the mechanism governing cross-chain movement of Kelp’s rsETH token. Operating with a single-verifier architecture meant that only one authority needed to validate inter-blockchain transactions. LayerZero says it had explicitly cautioned Kelp about this risky approach and advocated for implementing multiple independent verification sources.
LayerZero: KelpDAO Loses ~$290M in Exploit, Attributed to DPRK’s Lazarus Group
LayerZero reported that on April 18, 2026, KelpDAO suffered an exploit resulting in losses of approximately $290M, preliminarily attributed to DPRK’s Lazarus Group (TraderTraitor). The attack poisoned… pic.twitter.com/mfhQRaC2p9
— Wu Blockchain (@WuBlockchain) April 20, 2026
The perpetrators successfully infiltrated two remote procedure call nodes—server infrastructure that enables software to interact with blockchain data. These legitimate nodes were replaced with compromised versions designed to transmit fraudulent data to LayerZero’s verification system while maintaining normal appearances to all other monitoring tools.
Since LayerZero’s verification process also consulted legitimate external nodes, the attackers deployed a distributed denial-of-service campaign to disable those backup systems. This tactic redirected network traffic exclusively through the corrupted nodes during a critical window between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday.
When the failover mechanism activated, the hijacked nodes provided confirmation of a legitimate transaction to the verifier. Kelp’s bridge infrastructure subsequently released 116,500 rsETH tokens to addresses controlled by the attackers. Following successful execution, the malicious code automatically deleted itself, eliminating forensic evidence from the compromised servers.
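An added illustration of the single-verifier and failover passages above (not LayerZero's or Kelp's code, and not part of the original article): a simplified model of a verifier that reads a message's event hash from several RPC sources, comparing a policy that fails over to whichever source still answers with a fail-closed quorum policy. All names, hashes and the quorum of 3 are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

class QuorumError(Exception):
    """Too few independent sources agree; the verifier must refuse to sign."""

@dataclass(frozen=True)
class Source:
    name: str                              # hypothetical endpoint label
    fetch: Callable[[str], Optional[str]]  # event hash, or None if unreachable

def collect(message_id: str, sources: Sequence[Source]) -> dict:
    """Query every source; unreachable or erroring sources are left out."""
    answers = {}
    for src in sources:
        try:
            value = src.fetch(message_id)
        except Exception:
            value = None
        if value is not None:
            answers[src.name] = value
    return answers

def attest_first_available(message_id, sources):
    """Weak policy: accept whatever the first responding source reports."""
    return next(iter(collect(message_id, sources).values()), None)

def attest_fail_closed(message_id, sources, quorum):
    """Hardened policy: need `quorum` responders and zero disagreement."""
    answers = collect(message_id, sources)
    if len(answers) < quorum:
        raise QuorumError(f"only {len(answers)} of {len(sources)} sources answered")
    if len(set(answers.values())) != 1:
        raise QuorumError(f"sources disagree: {answers}")
    return next(iter(answers.values()))

# Constructed sample data: hashes and endpoint names are made up.
REAL, FORGED = "0xaaa1", "0xbad0"
def healthy(_id): return REAL
def poisoned(_id): return FORGED
def down(_id): return None  # models an endpoint knocked offline

NORMAL = [Source("int-1", healthy), Source("int-2", healthy),
          Source("ext-1", healthy), Source("ext-2", healthy)]
OUTAGE = [Source("int-1", poisoned), Source("int-2", poisoned),
          Source("ext-1", down), Source("ext-2", down)]
PARTIAL = [Source("int-1", poisoned), Source("int-2", poisoned),
           Source("ext-1", healthy), Source("ext-2", down)]
```

With the `OUTAGE` set the weak policy returns the forged hash, while the fail-closed policy raises `QuorumError` for both `OUTAGE` and `PARTIAL`. The quorum only adds assurance when the sources are operated independently of one another.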
Ripple Effects Throughout the DeFi Landscape
The stolen rsETH tokens were immediately deployed as loan collateral across multiple lending platforms to extract genuine assets. Aave, the dominant decentralized lending service, sustained the most significant damage.
Aave found itself holding illiquid rsETH collateral while valuable assets such as ETH had already been borrowed and extracted from the protocol. Aave’s native token declined approximately 15% within a 24-hour period, while the platform experienced roughly $6 billion in asset outflows as panicked users withdrew funds.
The damage extended to at least nine separate DeFi platforms, including Fluid, Compound Finance, SparkLend, and Euler. Cybersecurity firm Cyvers characterized the incident as a “cross-protocol contagion event” transcending typical isolated breaches.
LayerZero has preliminarily attributed the attack to North Korea’s Lazarus Group, specifically its TraderTraitor division. This same organization was implicated in the $285 million Drift Protocol breach on April 1, indicating that Lazarus has extracted over $575 million from DeFi platforms within just 18 days using two distinct attack vectors.
Industry Response and Protocol Changes
LayerZero reports finding no evidence that the problem extended to applications employing multi-verifier configurations. The company has restored its verification service and declared it will refuse to process messages for any project operating with single-verifier setups.
Curve Finance creator Michael Egorov stated the breach demonstrates the inherent risks of relying on solitary transaction verification authorities. He further cautioned against deploying cross-chain infrastructure except when absolutely essential.
Ledger CTO Charles Guillemet predicted that 2026 will “most likely be the worst year in terms of hacks.” Cryptocurrency security losses had already accumulated to $482 million during Q1 2026.
Kelp has remained silent regarding LayerZero’s version of events and has offered no explanation for continuing to operate a single-verifier configuration despite receiving explicit security warnings.


