Kelp DAO's rsETH Bridge Exploit Results in $292 Million Loss Attributed to Lazarus Group

This exploit underscores vulnerabilities in DeFi infrastructure, potentially shaking investor confidence and leading to stricter regulations.

• On April 18, 2026, Kelp DAO's rsETH bridge was exploited, draining 116,500 rsETH valued at approximately $292 million.
• LayerZero Labs attributed the attack to North Korea's Lazarus Group, citing RPC node poisoning and DDoS attacks.
• Kelp DAO paused affected contracts within 46 minutes but disputes LayerZero's blame, pointing to infrastructure issues.

• Kelp DAO operates rsETH, a liquid restaking token that allows multi-asset restaking on Ethereum, increasing its liquidity across chains.
• LayerZero provides cross-chain interoperability through its Decentralized Verifier Network (DVN), where a 1-of-1 verifier setup creates a single point of failure.
• Lazarus Group, known for sophisticated crypto thefts, has a history of targeting bridges and infrastructure to fund North Korea's regime activities.

On April 18, 2026, Kelp DAO's rsETH cross-chain bridge fell victim to a sophisticated exploit that drained 116,500 rsETH, valued at approximately $292 million. The attackers compromised two LayerZero RPC nodes, feeding falsified data to the DVN verifier while simultaneously launching DDoS attacks on backup nodes. This forced Kelp DAO to rely on tainted nodes, which approved a forged cross-chain message that minted unbacked rsETH.

Kelp DAO detected the exploit and paused affected contracts within 46 minutes, effectively blocking further attempts to drain funds. However, the damage was already done, leading to a significant decline in total value locked (TVL) across DeFi platforms, with Aave freezing markets and assessing potential bad debt from the attacker's leveraged positions.

LayerZero issued a post-mortem on April 20, attributing the attack to Lazarus Group's TraderTraitor unit and criticizing Kelp's single-verifier setup. Kelp DAO responded the same day, asserting that the 1-of-1 DVN configuration was LayerZero's documented default, which they had been using since January 2024. They argued that the breach targeted LayerZero's infrastructure rather than their own setup.

This incident has triggered a chain reaction within the DeFi ecosystem. Aave saw over $1.5 billion in USDC withdrawn, and the total value locked in DeFi fell by $13 billion in just two days. The exploit has heightened scrutiny on single-verifier bridges, with LayerZero vowing to halt message signing for 1/1 DVN applications. Kelp DAO has blacklisted the attacker's wallets and is evaluating the resumption of services.

The exploit not only raises questions about the security of cross-chain bridges but also highlights the broader implications for investor confidence in DeFi. As the ecosystem continues to evolve, the need for robust security measures and diversified verification methods becomes increasingly critical.

• DeFi investors: Facing potential losses and increased scrutiny on investments.
• Kelp DAO users: Directly impacted by the exploit and potential loss of funds.
• Aave users: Affected by market freezes and liquidity issues.
• LayerZero clients: Facing heightened concerns over security and infrastructure reliability.
• Regulators: Likely to increase scrutiny on DeFi protocols and their security measures.

• Regulatory responses: Watch for potential regulations targeting DeFi protocols, especially those using single-verifier setups. This could reshape the landscape of decentralized finance.
• Security audits: Increased demand for comprehensive security audits in DeFi projects may emerge, influencing investment decisions and project viability.
• Market recovery: Monitor how quickly the DeFi market can recover from this incident, particularly in terms of total value locked and investor confidence.