Kelp DAO Exploited for $292 Million by Lazarus Group via LayerZero Compromise

This exploit underscores vulnerabilities in cross-chain mechanisms, potentially shaking investor confidence in decentralized finance.

• On April 18, 2026, Kelp DAO's rsETH bridge was exploited for $292 million due to a compromise of LayerZero RPC nodes.
• Attackers, linked to North Korea's Lazarus Group, executed a DDoS attack to facilitate a forged message that drained 116,500 rsETH.
• Kelp DAO paused contracts within 46 minutes, preventing further losses estimated at $200 million.

• Kelp DAO, based in Bengaluru, India, provides liquid restaking tokens (LRTs) like rsETH, which are backed by staked ETH and enable yield generation across DeFi.
• LayerZero's V2 OFT standard was used for cross-chain transfers, relying on Decentralized Verifier Networks (DVNs) for message validation, which were compromised.
• The Lazarus Group has a history of executing DeFi hacks to fund operations, including a recent $285 million exploit on Drift Protocol.

On April 18, 2026, a sophisticated attack on Kelp DAO's rsETH bridge revealed significant vulnerabilities in cross-chain protocols. The attackers, linked to North Korea's Lazarus Group, pre-funded their wallets using Tornado Cash just hours before the exploit. Between 10:20 a.m. and 11:40 a.m. PT, they compromised two LayerZero RPC nodes using selective malware and executed a DDoS attack on backup nodes to force a failover. This manipulation allowed them to validate a forged cross-chain message from Unichain, which resulted in the unauthorized release of 116,500 rsETH, valued at $292 million, from Ethereum reserves.

Kelp DAO's rapid response, pausing contracts at 18:21 UTC, prevented two additional drains that could have cost approximately $200 million. However, the damage was already done. The attackers quickly swapped the stolen rsETH for around 74,000 ETH on Aave, further complicating recovery efforts. LayerZero issued a post-mortem report attributing the exploit to the use of a single-verifier (1/1 DVN) configuration, which was debated as a default versus a recommendation. This configuration exposed the bridge to vulnerabilities that were exploited by the attackers.

The aftermath saw a significant decline in DeFi's total value locked (TVL), dropping by $13 billion within 48 hours. Aave, in particular, faced substantial losses, with estimates of bad debt ranging from $124 million to $230 million due to loans taken against the stolen rsETH. In response, the Arbitrum Security Council froze 30,766 ETH (approximately $71 million) linked to the exploiters, while Kelp DAO engaged in mitigation discussions with LayerZero and Aave, including blacklisting wallets associated with the attack.

This incident raises critical questions about the security of cross-chain protocols and the responsibilities of infrastructure providers like LayerZero. As the DeFi ecosystem continues to evolve, the implications of this exploit could lead to stricter security audits and a reevaluation of default configurations across various platforms.

• DeFi Investors: Those holding rsETH or involved in liquidity pools on Aave face immediate financial risks and potential losses.
• Developers and Protocols: Teams working on cross-chain solutions may need to reassess security measures and configurations to prevent similar exploits.
• Regulatory Bodies: Increased scrutiny on DeFi protocols could lead to more stringent regulations and compliance requirements.

• Security Audits: Watch for announcements regarding enhanced security audits across DeFi protocols, as projects may seek to restore investor confidence.
• LayerZero's Response: Monitor how LayerZero addresses the vulnerabilities and whether they implement changes to their DVN configurations.
• Market Recovery: Observe the recovery of DeFi TVL and investor sentiment in the wake of this exploit, as it may indicate broader market stability or ongoing concerns.