Kelp DAO suffers $292 million exploit linked to North Korea's Lazarus Group

This incident highlights vulnerabilities in cross-chain infrastructure, potentially shaking investor confidence in DeFi protocols.

• On April 18, 2026, Kelp DAO suffered a $292 million exploit, draining 116,500 rsETH tokens.
• Attackers compromised LayerZero RPC nodes, launching a DDoS attack that forced a failover to tainted verifiers.
• DeFi outflows exceeded $10 billion, with Aave facing significant potential losses and Arbitrum freezing $71 million in stolen funds.

• Kelp DAO operates a liquid restaking protocol that issues rsETH, a token backed by staked Ethereum, utilizing LayerZero's cross-chain capabilities.
• LayerZero employs Delegated Verifier Networks (DVNs) for message validation, but many protocols, including Kelp, often default to a single-verifier setup, which is more susceptible to attacks.
• The Lazarus Group, a North Korean cybercrime unit, has a history of targeting DeFi bridges and RPC infrastructure, using tactics like RPC poisoning and DDoS attacks.

On April 18, 2026, Kelp DAO's cross-chain bridge was exploited, resulting in a staggering loss of $292 million. The attackers compromised two LayerZero RPC nodes, injecting them with fraudulent data. This was coupled with a DDoS attack on clean nodes, effectively forcing a failover to compromised verifiers. This manipulation allowed the attackers to mint 116,500 unbacked rsETH tokens, which were then funneled into Aave, triggering a cascade of liquidations and over $10 billion in DeFi withdrawals.

Kelp DAO acted swiftly, pausing contracts within 46 minutes of the exploit, which prevented an additional loss of approximately $200 million. However, the damage was already done. LayerZero issued a postmortem report attributing the attack to the Lazarus Group's TraderTraitor unit, while Kelp DAO countered that they had adhered to LayerZero's documentation and guidance.

The aftermath saw Arbitrum's Security Council freezing $71 million in stolen funds, but the attackers managed to launder $80 million. This incident has sparked a heated debate about decentralization and security within the DeFi space, as Kelp and LayerZero engaged in public disputes over accountability. Security firms like TRM Labs and Chainalysis are expected to analyze the breach further, but the immediate impact on DeFi protocols has been significant.

Despite the chaos, Ethereum prices remained stable, indicating that the broader market may not have been as affected as initially feared. However, the DeFi security markets are reflecting heightened risk pricing, suggesting that investors are becoming more cautious. The exploit has raised questions about the robustness of cross-chain infrastructure and the need for improved security measures, particularly for protocols relying on single-verifier configurations.

• DeFi investors: Increased risk perception may lead to reduced investments and liquidity in DeFi protocols.
• Kelp DAO users: Those holding rsETH or using Kelp's services may face losses and reduced trust in the platform.
• LayerZero users: Protocols relying on LayerZero's infrastructure may reconsider their security setups and risk exposure.
• Aave liquidity providers: Potential losses could lead to reduced liquidity and higher borrowing costs.
• Regulators: Increased scrutiny on DeFi protocols may lead to tighter regulations in the future.

• Security audits: Watch for increased demand for comprehensive security audits across DeFi protocols, as investors seek assurance against similar exploits.
• Regulatory responses: Monitor any regulatory actions or guidelines that may emerge in response to this incident, particularly regarding cross-chain infrastructure.
• Market recovery: Observe how quickly DeFi protocols recover from this incident and whether investor confidence returns to pre-exploit levels.