Kelp DAO Exploit Results in $292 Million Loss Attributed to North Korean Lazarus Group
Here's what it means for you.
If you're involved in DeFi, this exploit highlights the critical importance of security protocols in cross-chain transactions.
Why it matters
This incident underscores vulnerabilities in decentralized finance (DeFi) infrastructure, potentially shaking investor confidence and liquidity across the ecosystem.
What happened (in 30 seconds)
- On April 18, 2026, Kelp DAO's LayerZero-powered rsETH bridge was exploited, draining 116,500 rsETH tokens valued at approximately $292 million.
- Attackers compromised RPC nodes and exploited a single decentralized verifier network configuration to approve a forged cross-chain message.
- Kelp DAO paused bridge contracts after the exploit, but not before attackers borrowed over $236 million in WETH and ETH on Aave.
The context you actually need
- Kelp DAO operates a liquid restaking protocol that issues rsETH, a token backed by staked ETH, facilitating yields across chains via LayerZero's interoperability protocol.
- LayerZero employs decentralized verifier networks (DVNs) for cross-chain message validation, with multi-verifier consensus recommended over single-verifier setups.
- North Korean state actors, particularly the Lazarus Group, have escalated cryptocurrency thefts, amassing billions since 2022, including a recent $285 million exploit on Drift Protocol.
What's really happening
On April 18, 2026, between 10:20 a.m. and 11:40 a.m. PT, a sophisticated attack unfolded against Kelp DAO's rsETH bridge. Attackers targeted two RPC nodes that were integral to LayerZero's decentralized verifier network (DVN). By installing malicious binaries, they were able to falsify data selectively, creating a scenario where the DVN could be misled into approving a forged cross-chain message.
Compounding the issue, a Distributed Denial of Service (DDoS) attack on uncompromised nodes forced a failover to the compromised infrastructure. This led to Kelp DAO's 1-of-1 DVN configuration approving the forged message, which resulted in the minting of 116,500 unbacked rsETH tokens worth $292 million.
The attackers quickly moved to capitalize on their ill-gotten gains, depositing the minted tokens as collateral on Aave V3/V4. Within just 46 minutes, they borrowed over $236 million in WETH and ETH, showcasing the speed and efficiency of the exploit. Kelp DAO's multisig governance paused bridge contracts shortly after the exploit, blocking two subsequent attempts to withdraw an additional $200 million.
LayerZero published a post-mortem on April 20, attributing the attack
Frequently Asked Questions
- Why it matters?
- This incident underscores vulnerabilities in decentralized finance (DeFi) infrastructure, potentially shaking investor confidence and liquidity across the ecosystem.
- What happened (in 30 seconds)?
- On April 18, 2026, Kelp DAO's LayerZero-powered rsETH bridge was exploited, draining 116,500 rsETH tokens valued at approximately $292 million. Attackers compromised RPC nodes and exploited a single decentralized verifier network configuration to approve a forged cross-chain message. Kelp DAO paused bridge contracts after the exploit, but not before attackers borrowed over $236 million in WETH and ETH on Aave.
- What's really happening?
- On April 18, 2026, between 10:20 a.m. and 11:40 a.m. PT, a sophisticated attack unfolded against Kelp DAO's rsETH bridge. Attackers targeted two RPC nodes that were integral to LayerZero's decentralized verifier network (DVN). By installing malicious binaries, they were able to falsify data selectively, creating a scenario where the DVN could be misled into approving a forged cross-chain message. Compounding the issue, a Distributed Denial of Service (DDoS) attack on uncompromised nodes forced
Research, news, and analysis on blockchain startups, DeFi, and regulations.
"Crypto Briefing provides research, news, and analysis on blockchain startups, DeFi, and crypto regulations with investor-focused coverage."
— A47 Editor
KelpDAO exploit exposes $290M in unbacked assets, AAVE freezes rsETH markets
The KelpDAO exploit has exposed approximately $290 million in unbacked assets, leading to AAVE freezing its rsETH markets. This incident highlights significant vulnerabilities within decentralized finance (DeFi) platforms, raising alarms about their ...
Research, news, and analysis on blockchain startups, DeFi, and regulations.
"Crypto Briefing provides research, news, and analysis on blockchain startups, DeFi, and crypto regulations with investor-focused coverage."
— A47 Editor
Kelp DAO blames $292M rsETH exploit on LayerZero breach, Lazarus Group involved
Kelp DAO has reported a significant exploit resulting in a loss of approximately $292 million from its rsETH bridge, attributing the breach to vulnerabilities in LayerZero's infrastructure and involvement from the North Korean Lazarus Group.
Bitcoin news, technical analysis, and forecasts across crypto markets.
"NewsBTC covers Bitcoin news, technical analysis, and forecasts across crypto markets and major blockchain projects."
— A47 Editor
A $292M Hack Created $200M In Bad Debt On Aave: Here Is What That Means For Users
Aave is grappling with a significant crisis following a $292 million hack that exploited a vulnerability in Kelp's bridge, leading to the creation of approximately $200 million in bad debt on its platform. The exploit allowed attackers to use stolen ...
Covers blockchain, cryptocurrency news, project analysis, and market insights.
"CoinDesk is a well-established cryptocurrency and blockchain news provider, offering comprehensive insights, market data, and industry research."
— A47 Editor
Aave could face up to $230 million in losses after Kelp DAO bridge exploit triggers DeFi chaos
Aave is facing potential losses of up to $230 million following a significant exploit of the Kelp DAO bridge, which drained approximately $292 million from its reserves. The report outlines two scenarios for the impact on Aave, depending on how the s...
Covers blockchain, cryptocurrency news, project analysis, and market insights.
"Cointelegraph is a leading crypto-focused media outlet known for timely news, analysis, and educational content related to blockchain and digital assets."
— A47 Editor
LayerZero says Kelp setup enabled exploit, as Aave loss questions mount
LayerZero has reported that the recent $290 million exploit of KelpDAO was facilitated by a setup that did not adhere to multi-verifier recommendations, allowing attackers to compromise the system. This incident has raised significant concerns regard...